PGP key for vulnerability reports

Mark Doliner mark at kingant.net
Sat Jan 11 01:23:37 EST 2014


(replying only to ourselves)

Oh boy there are a lot of open questions here.


THE PROBLEM
On Windows XP I was able to launch notepad by sending myself a file://
link. There was no prompt from my default browser. I didn't test with
a jar, but I'm willing to believe that it's possible. And it does seem
likely that lay people could be tricked into launching a file:// link
to a malicious jar file on a remote server. I think we should do a
better job to protect our users from that.


WHAT'S THE IDEAL BEHAVIOR?
So. What should we do? I feel like maybe the ideal behavior is to show
a prompt, "WARNING: You're about to run the file C:\whatever.exe. This
could potentially contain a virus or otherwise harm your computer. Are
you sure you want to continue?" I feel like that mimics the behavior
of web browsers in MS Windows when downloading and running random
stuff from the Internet.

How do other people feel about that as a long term goal for the ideal
behavior? Anyone have other suggestions?


WHAT OSes ARE AFFECTED?
Only MS Windows? OS X? Linux?


HOW DO WE FIX IN MS WINDOWS?
We're talking about links launched from GtkIMHtml, right? And this is
handled by pidgin/gtkutils.c file_open_uri()?

Is there a standard "are you sure you want to exec this?" dialog?

If not, I kinda don't think we should make our own for 2.x.y. I'm ok
with disabling file:// links there. Is that as simple as commenting
out this line in pidgin/gtkutils.c:
gtk_imhtml_class_register_protocol("file://", NULL, NULL);


SIDE QUESTION
Do we have this problem with purple_notify_uri(), too? Or are those
safe because we specifically launch the browser?
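
As an added example (not from this message and not Pidgin's own code), here is the kind of check the "ideal behavior" section is asking for, written in C since that is what pidgin/gtkutils.c is in. It classifies a clicked URI before anything is handed to the OS launcher: web schemes go to the browser, a file:// URI whose host is anything other than empty, "localhost" or a bare drive letter is treated as a UNC path to a remote server and refused, a local file:// that names an executable or archive gets the "are you sure?" prompt, and other local files are opened. The names (decide_launch, launch_action and the helpers), the extension list, and the handling of four-slash UNC forms, percent-encoded dots and trailing dots are this example's own assumptions, not something the thread establishes; the mail proposes only a prompt, and refusing remote hosts outright is a stricter choice made here.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Pidgin code: decide what to do with a URI clicked in a
 * message before it reaches the OS launcher (ShellExecute on Windows).
 * decide_launch, launch_action and the helpers are hypothetical names; the
 * executable-extension list is illustrative, not complete. */

typedef enum { LAUNCH_BROWSER, LAUNCH_OPEN, LAUNCH_PROMPT, LAUNCH_BLOCK } launch_action;

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Case-insensitive equality of n bytes; fails if a ends early. */
static int ci_equal_n(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] == '\0' || tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Scheme names are case-insensitive (RFC 3986), so "FILE://" must match too. */
static int has_scheme(const char *uri, const char *scheme)
{
    size_t n = strlen(scheme);
    return ci_equal_n(uri, scheme, n) && uri[n] == ':';
}

/* Decode %XX so "evil%2Ejar" is checked as "evil.jar". Returns 0 on a
 * malformed escape or overflow; the caller treats 0 as "block". */
static int percent_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            char hex[3];
            if (!isxdigit((unsigned char)in[0]) || !isxdigit((unsigned char)in[1]))
                return 0;
            hex[0] = in[0]; hex[1] = in[1]; hex[2] = '\0';
            c = (int)strtol(hex, NULL, 16);
            in += 2;
        }
        if (o + 1 >= outsz)
            return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Does the path name something Windows will execute or unpack as code?
 * Query/fragment are ignored and trailing dots/spaces stripped, because the
 * Win32 path layer strips them too ("evil.bat." runs as evil.bat). */
static int executable_extension(const char *path)
{
    static const char *const exts[] =
        { "exe", "jar", "bat", "cmd", "scr", "lnk", "vbs", "msi", "ps1", "com" };
    size_t len = strcspn(path, "?#");
    size_t dot, k;
    while (len > 0 && (path[len - 1] == '.' || path[len - 1] == ' '))
        len--;
    dot = len;
    while (dot > 0 && path[dot - 1] != '.' && !is_sep(path[dot - 1]))
        dot--;
    if (dot == 0 || path[dot - 1] != '.')
        return 0;
    for (k = 0; k < sizeof exts / sizeof exts[0]; k++)
        if (strlen(exts[k]) == len - dot && ci_equal_n(path + dot, exts[k], len - dot))
            return 1;
    return 0;
}

launch_action decide_launch(const char *uri)
{
    char buf[1024];
    const char *rest, *path;

    while (isspace((unsigned char)*uri))
        uri++;
    if (has_scheme(uri, "http") || has_scheme(uri, "https") || has_scheme(uri, "ftp"))
        return LAUNCH_BROWSER;      /* the browser applies its own download warning */
    if (!has_scheme(uri, "file") || !percent_decode(uri + 5, buf, sizeof buf))
        return LAUNCH_BLOCK;        /* unknown scheme or undecodable: never launch */

    rest = buf;                     /* everything after "file:" */
    path = rest;
    if (is_sep(rest[0]) && is_sep(rest[1])) {
        const char *host = rest + 2;
        size_t hostlen = strcspn(host, "/\\");
        /* Empty host (file:///C:/x), "localhost" and a bare drive letter
         * (file://C:/x) stay on this machine. Any other host is a UNC path
         * that Windows would fetch and run from that server: block it. */
        int local = hostlen == 0
                 || (hostlen == 9 && ci_equal_n(host, "localhost", 9))
                 || (hostlen == 2 && isalpha((unsigned char)host[0]) && host[1] == ':');
        if (!local)
            return LAUNCH_BLOCK;
        path = host + hostlen;
    }
    /* file:////server/share/x (four slashes) also resolves to a UNC path. */
    if (is_sep(path[0]) && is_sep(path[1]))
        return LAUNCH_BLOCK;
    return executable_extension(path) ? LAUNCH_PROMPT : LAUNCH_OPEN;
}
```

Mapping every file:// result to LAUNCH_BLOCK is the 2.x.y option discussed above (not registering the scheme at all). The weak point is the extension list: a prompt that fires only on known extensions misses whatever is not on it, so a conservative build can return LAUNCH_PROMPT for every local file instead of LAUNCH_OPEN, which is the blanket dialog the mail describes.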


More information about the security mailing list