purple_util_fetch_url vulnerability

Daniel Atallah daniel.atallah at gmail.com
Sat Mar 16 14:31:27 EDT 2013


On Thu, Feb 21, 2013 at 12:20 PM, Daniel Atallah
<daniel.atallah at gmail.com> wrote:
> I've attached a patch that should resolve this issue (and corrects a couple
> other things that I noticed when looking into it).
>
> It's potentially slightly controversial because it enforces a max download
> of 512KiB when no explicit maximum download length has been specified to the
> API.
> Ideally everything should use an explicit length for the maximum amount of
> data that would be reasonable to download over HTTP.

I've pushed a slightly improved version of the attached patch to the
private main repo as cd529e1158d3.

> The following areas in-tree currently don't have an explicit length
> specified - I'm planning to make the specified size changes:
> Release Notification Plugin (100K)
> Gadu-Gadu Avatar Download
> Jabber Google Jingle Relay Token retrieval (20K(?))
> MXit inline image download
> MXit Login token
> MXit Challenge information
> MXit Packet Download
> Oscar Session Cookie retrieval (20K(?))
> Yahoo Token retrieval (20K(?))
> Yahoo Alias Downloading (512KiB)

I haven't yet pushed these changes (they're less important with the
patch applied, but ideally should still be cleaned up).

-D
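
The default cap described in the quoted message, as an added example (not the patch itself and not libpurple's code): a response accumulator that falls back to 512 KiB when the caller gives no maximum and refuses any chunk that would exceed the cap. The `fetch_buf` names and the convention that 0 means "no explicit maximum" are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_MAX_LEN (512 * 1024)  /* 512 KiB default from the message above */

/* Hypothetical response accumulator, not libpurple's own structure. */
struct fetch_buf {
    char  *data;
    size_t len;      /* bytes stored so far; always <= max_len */
    size_t max_len;  /* effective cap, never 0 */
};

/* Assumption: a requested maximum of 0 means "not specified". */
void fetch_buf_init(struct fetch_buf *b, size_t requested_max)
{
    b->data = NULL;
    b->len = 0;
    b->max_len = requested_max ? requested_max : DEFAULT_MAX_LEN;
}

/* Append one received chunk. Returns 0 on success, -1 if the chunk would
 * push the body past the cap (caller should abort the transfer), -2 if
 * allocation fails. On failure the buffer is left unchanged. */
int fetch_buf_append(struct fetch_buf *b, const char *chunk, size_t n)
{
    char *grown;

    /* Written as a subtraction so that len + n can never wrap around. */
    if (n > b->max_len - b->len)
        return -1;
    if (n == 0)
        return 0;
    grown = realloc(b->data, b->len + n);
    if (grown == NULL)
        return -2;
    memcpy(grown + b->len, chunk, n);
    b->data = grown;
    b->len += n;
    return 0;
}

void fetch_buf_free(struct fetch_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = 0;
}
```

Call sites that know a sensible size for their download, such as the ones listed in the quoted message, would pass it as `requested_max` instead of relying on the default.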

