Command injection through URL in Pidgin
tomkiewi at gmail.com
Fri Jun 14 18:28:10 EDT 2013
I did a proof-of-concept implementation. I haven't had time to review
it, because I'm going out of town for another few days, but feel free
to comment on the idea.
- store all arguments as a GList of const gchar* (and then convert it to argv)
- pass original uri to known browsers, escaped one for unknown (and
Did I miss something? Should I add more characters to the don't-escape list?
2013/6/14 Ethan Blanton <elb at pidgin.im>:
> Tomasz Wasilczyk spake unto us the following wisdom:
>> $ hg clone ssh://hg.pidgin.im/private/main private-main
>> running ssh hg.pidgin.im 'hg -R private/main serve --stdio'
>> remote: mercurial-server: access denied
>> abort: no suitable response from remote hg!
>> Do I have proper access rights for this repository?
> You do now. Your key hadn't been moved from CPW to dev. I just
> pushed that change.
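
An added illustration of the approach outlined in the message above, not part of the original e-mail and not Pidgin's code: arguments are kept as a list and converted to argv so no shell ever parses the URI, and the URI is percent-escaped for an unknown browser. The `SAFE` set, the `struct arg` list (a plain-C stand-in for the GList) and all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed don't-escape set; the message does not give Pidgin's list. */
static const char SAFE[] = "-._~:/?#@=&%+";

/* Percent-encode every byte that is not ASCII alphanumeric or in SAFE. */
char *escape_uri(const char *uri) {
    char *out = malloc(strlen(uri) * 3 + 1), *p = out;
    if (!out) return NULL;
    for (; *uri; uri++) {
        unsigned char c = (unsigned char)*uri;
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
        if (alnum || strchr(SAFE, c)) *p++ = (char)c;
        else p += sprintf(p, "%%%02X", c);
    }
    *p = '\0';
    return out;
}

/* Plain-C stand-in for the GList of const gchar* from the message. */
struct arg { const char *s; struct arg *next; };
/* Convert the list to a NULL-terminated argv: one node, one argument. */
char **list_to_argv(const struct arg *head) {
    size_t n = 0, i = 0;
    for (const struct arg *a = head; a; a = a->next) n++;
    char **argv = calloc(n + 1, sizeof *argv);
    if (!argv) return NULL;
    for (const struct arg *a = head; a; a = a->next) argv[i++] = (char *)a->s;
    return argv;
}

/* Known browser: original URI. Unknown: escaped copy, returned in *escaped (caller frees). */
char **browser_argv(const char *browser, int known, const char *uri, char **escaped) {
    *escaped = known ? NULL : escape_uri(uri);
    const char *u = known ? uri : *escaped;
    if (!u) return NULL;
    struct arg uri_node = { u, NULL }, cmd_node = { browser, &uri_node };
    return list_to_argv(&cmd_node);
}

int main(void) {
    char *esc; /* the URI below is constructed sample input */
    char **av = browser_argv("unknown-browser", 0, "http://example.com/?q=a b;'c'", &esc);
    for (char **a = av; a && *a; a++) printf("argv: [%s]\n", *a);
    free(av); free(esc);
    return 0;
}
```

The resulting vector is meant for an exec-style call that takes argv directly; the escaping only matters as a second layer for launchers that might re-interpret their argument.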