Command injection through URL in Pidgin

Tomasz Wasilczyk tomkiewi at gmail.com
Fri Jun 14 18:28:10 EDT 2013


I did a proof-of-concept implementation. I haven't had time to review
it, because I'm going out of town for another few days, but feel free
to comment on the idea.

Concept:
- store all arguments as a GList of const gchar* (and then convert it to argv)
- pass original uri to known browsers, escaped one for unknown (and
xdg-open &co)

The patch:
https://dl.dropboxusercontent.com/u/5448886/contrib/pidgin-uri-notification.patch

Did I miss something? Should I add more characters to the don't-escape list?

Tomek

2013/6/14 Ethan Blanton <elb at pidgin.im>:
> Tomasz Wasilczyk spake unto us the following wisdom:
>> $ hg clone ssh://hg.pidgin.im/private/main private-main
>> running ssh hg.pidgin.im 'hg -R private/main serve --stdio'
>> remote: mercurial-server: access denied
>> abort: no suitable response from remote hg!
>>
>> Do I have proper access rights for this repository?
>
> You do now.  Your key hadn't been moved from CPW to dev.  I just
> pushed that change.
>
> Ethan
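The concept described in the mail (arguments collected as a list and turned into an argv vector, the original URI for known browsers, a percent-escaped one for unknown commands such as xdg-open), as an added C illustration that is not the patch's code. The don't-escape list, the known-browser names and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bytes left unchanged when the URI goes to an unknown browser command; the
 * list is an assumption (the mail asks what it should hold). All other bytes,
 * including ; & | $ ` ' " and space, are percent-encoded. Caveat: a query
 * separator & becomes %26 and changes meaning; known browsers get the original. */
static const char DONT_ESCAPE[] = "-._~:/?#@=+,%";

/* Percent-encode `uri` into `out`. Returns the bytes written, or -1 if
 * `out` cannot hold the result plus its terminating NUL. */
int escape_uri(const char *uri, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)uri; *p; p++) {
        if (isalnum(*p) || strchr(DONT_ESCAPE, *p)) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)*p;
        } else {
            if (n + 3 >= outlen) return -1;
            n += (size_t)snprintf(out + n, outlen - n, "%%%02X", (unsigned)*p);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* True if `s` holds a byte that lets a POSIX shell start another command. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, " \t\n;&|$`'\"\\<>()") != NULL;
}

/* NULL-terminated argv for execvp()-style launching, so no shell parses the
 * URI. The known-browser names are an assumption, not the patch's list. */
char **build_browser_argv(const char *browser, const char *uri)
{
    int is_known = !strcmp(browser, "firefox") || !strcmp(browser, "chromium");
    char **argv = calloc(3, sizeof *argv);   /* argv[2] stays NULL */
    if (!argv) return NULL;
    argv[0] = strdup(browser);
    size_t cap = strlen(uri) * 3 + 1;        /* worst case: every byte %XX */
    argv[1] = is_known ? strdup(uri) : malloc(cap);
    if (!is_known && argv[1] && escape_uri(uri, argv[1], cap) < 0) {
        free(argv[1]); argv[1] = NULL;
    }
    return argv;
}
```

The escaped form is only needed when the user's browser command is run through a shell; an argv handed straight to exec never lets `;` or `&` in the URI become a command separator.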

