Command injection through URL in Pidgin

Tomasz Wasilczyk tomkiewi at gmail.com
Fri Jun 14 12:01:40 EDT 2013


$ hg clone ssh://hg.pidgin.im/private/main private-main
running ssh hg.pidgin.im 'hg -R private/main serve --stdio'
remote: mercurial-server: access denied
abort: no suitable response from remote hg!

Do I have proper access rights for this repository?

Tomek

2013/6/10 Tomasz Wasilczyk <tomkiewi at gmail.com>:
> 2013/6/10 Mark Doliner <mark at kingant.net>:
>> On Sun, Jun 9, 2013 at 12:16 PM, Ethan Blanton <elb at pidgin.im> wrote:
>>> I think we have resolved that this is not a security issue from the
>>> Pidgin side, but that there are some helpful changes we can make to
>>> our URL-handling code to make it less likely that such bugs will
>>> affect others in the future.  Unless anyone has any objections, I
>>> suggest that we go ahead and make those changes (move to g_sync_spawn
>>> or equivalent, URL-encode URL characters other than a shell safelist
>>> similar to [A-Za-z0-9_:/.,+-]), but that they are not put on a fast
>>> track or embargoed.  Thoughts?
>>
>> I agree with this.  Tomasz, are you comfortable including this as part
>> of your security work?
>>
>> Also I suggest committing the fixes to the release-2.x.y branch of the
>> ssh://hg.pidgin.im/private/main repository.  I don't think we need to
>> request a CVE for this, but we might as well wait to make the changes
>> public until we release 2.10.8.
>
> I'll handle this.
>
> Tomek
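
The two changes proposed in the quoted message (percent-encode every URL byte outside the safelist [A-Za-z0-9_:/.,+-], and start the handler without a shell), as an added example that is not part of the original thread and is not Pidgin's code. It uses POSIX fork/execvp in place of the GLib spawn call named in the thread; the function names and the `handler` argument are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Safelist as quoted in the thread: [A-Za-z0-9_:/.,+-] */
static int is_safe(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || (c != '\0' && strchr("_:/.,+-", c) != NULL);
}

/* Percent-encode every byte outside the safelist; caller frees the result.
 * '%' is not in the quoted set, so an existing %XX escape is encoded again. */
char *url_encode_safelist(const char *url)
{
    char *out = malloc(3 * strlen(url) + 1), *p = out;  /* worst case: all encoded */
    if (out == NULL)
        return NULL;
    for (; *url != '\0'; url++) {
        unsigned char c = (unsigned char)*url;
        if (is_safe(c))
            *p++ = (char)c;
        else
            p += sprintf(p, "%%%02X", (unsigned)c);
    }
    *p = '\0';
    return out;
}

/* Pass the encoded URL as a single argv element, so no shell ever parses it.
 * Returns the handler's exit status, or -1 on failure. */
int open_url_no_shell(const char *handler, const char *url)
{
    char *enc = url_encode_safelist(url);
    int status = 0, rc = -1;
    if (enc == NULL)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        char *argv[] = { (char *)handler, enc, NULL };
        execvp(handler, argv);
        _exit(127);                                     /* exec failed */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    free(enc);
    return rc;
}
```

With the safelist exactly as quoted, `?`, `=`, `&` and `#` are also encoded, so query strings reach the handler escaped.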

