Command injection through URL in Pidgin

Tomasz Wasilczyk tomkiewi at
Fri Jun 14 18:28:10 EDT 2013

I did a proof-of-concept implementation. I haven't had time to review
it, because I'm going out of town for another few days, but feel free
to comment on the idea.

- store all arguments as a GList of const gchar* (and then convert it to argv)
- pass original uri to known browsers, escaped one for unknown (and
xdg-open &co)

The patch:

Did I miss something? Should I add more characters to the don't-escape list?


2013/6/14 Ethan Blanton <elb at>:
> Tomasz Wasilczyk spake unto us the following wisdom:
>> $ hg clone ssh:// private-main
>> running ssh 'hg -R private/main serve --stdio'
>> remote: mercurial-server: access denied
>> abort: no suitable response from remote hg!
>> Do I have proper access rights for this repository?
> You do now.  Your key hadn't been moved from CPW to dev.  I just
> pushed that change.
> Ethan
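The two bullet points above describe a design, not code, and the patch itself is not reproduced on this page. The following is an added illustration of that design in plain C, written for this archive and not taken from Pidgin or from Tomasz's patch: a linked list of const char* stands in for the GList, fork/execvp stands in for GLib's spawn functions, the KNOWN_BROWSERS table and the KEEP set of don't-escape characters are assumptions chosen for the example (the KEEP set is exactly the open question in the mail), /bin/echo is a stand-in for a real handler, and the sample URI is constructed to carry shell metacharacters.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed don't-escape list: RFC 3986 unreserved characters plus the URI
 * delimiters that are not shell metacharacters. ';', '|', '$', '`', quotes,
 * parentheses, '<', '>', '*', '!', '\\', spaces and control bytes are encoded.
 * '&' and '=' are kept so query strings survive; a shell-script handler that
 * interpolates its argument unquoted is therefore still only partly protected,
 * which is why argv passing (below) is the primary defence, not this list. */
static const char KEEP[] = "-._~:/?#[]@&=+,%";

static int is_kept(unsigned char c) {
    if (c == '\0' || c >= 0x80) return 0;
    return isalnum(c) || strchr(KEEP, (int)c) != NULL;
}

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Percent-encode every byte outside KEEP. Caller frees the result.
 * Worst case every byte expands to three, hence 3*n+1. */
char *uri_escape_for_unknown_handler(const char *uri) {
    size_t n = strlen(uri);
    char *out = malloc(3 * n + 1);
    if (!out) return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)uri; *s; s++) {
        if (is_kept(*s)) *p++ = (char)*s;
        else p += sprintf(p, "%%%02X", (unsigned)*s);
    }
    *p = '\0';
    return out;
}

/* Assumed list of browsers known to take the URI verbatim as one argument. */
static const char *const KNOWN_BROWSERS[] = { "firefox", "chromium", "epiphany", NULL };

/* Known browsers get the original URI; anything else (xdg-open & co.) gets
 * the escaped one. Caller frees the result. */
char *uri_for_handler(const char *handler, const char *uri) {
    for (const char *const *b = KNOWN_BROWSERS; *b; b++)
        if (strcmp(*b, handler) == 0) return xstrdup(uri);
    return uri_escape_for_unknown_handler(uri);
}

/* Stand-in for a GList of const gchar*: the command and its arguments, in order. */
struct arg_node { const char *value; struct arg_node *next; };

/* Convert the list into a NULL-terminated argv. The pointers are borrowed from
 * the list; only the array itself is heap-allocated and must be freed. */
char **argv_from_list(const struct arg_node *head) {
    size_t n = 0;
    for (const struct arg_node *it = head; it; it = it->next) n++;
    char **argv = calloc(n + 1, sizeof *argv);
    if (!argv) return NULL;
    size_t i = 0;
    for (const struct arg_node *it = head; it; it = it->next)
        argv[i++] = (char *)it->value;   /* execvp's historical non-const signature */
    argv[n] = NULL;
    return argv;
}

/* Run argv directly: no shell ever parses the URI, so ';', '`' or '$(...)'
 * in it cannot become a second command. Returns the child's exit status. */
int launch_with_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed attacker-style URI with shell metacharacters in the query. */
    const char *uri = "http://example.com/?q=a;xterm&b=`id`";
    char *arg = uri_for_handler("xdg-open", uri);   /* unknown handler: escaped */
    struct arg_node a1 = { arg, NULL };
    struct arg_node a0 = { "/bin/echo", &a1 };      /* stand-in for the real handler */
    char **argv = argv_from_list(&a0);
    int status = launch_with_argv(argv);
    printf("handler exited with %d\n", status);
    free(argv);
    free(arg);
    return 0;
}
```

The escaping only matters for the unknown-handler path; for the known browsers the original URI is passed through unchanged, which is why percent-encoding `&` or `?` there is never an issue. Whether a handler that is itself a shell script re-interpolates its argument is outside the caller's control, so the argv array, not the escape list, is what actually closes the injection.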

More information about the security mailing list