PGP key for vulnerability reports

Elliott Sales de Andrade qulogic at pidgin.im
Sat Jan 11 02:21:10 EST 2014 

On 11 January 2014 01:23, Mark Doliner <mark at kingant.net> wrote:

> (replying only to ourselves)
>
> Oh boy there are a lot of open questions here.
>
>
> THE PROBLEM
> On Windows XP I was able to launch notepad by sending myself a file://
> link. There was no prompt from my default browser. I didn't test with
> a jar, but I'm willing to believe that it's possible. And it does seem
> likely that lay people could be tricked into launching a file:// link
> to a malicious jar file on a remote server. I think we should do a
> better job to protect our users from that.
>
>
> WHAT'S THE IDEAL BEHAVIOR?
> So. What should we do? I feel like maybe the ideal behavior is to show
> a prompt, "WARNING: You're about to run the file C:\whatever.exe. This
> could potentially contain a virus or otherwise harm your computer. Are
> you sure you want to continue?" I feel like that mimics the behavior
> of web browsers in MS Windows when downloading and running random
> stuff from the Internet.
>
> How do other people feel about that as a long term goal for the ideal
> behavior? Anyone have other suggestions?
>
>
> WHAT OSes ARE AFFECTED?
> Only MS Windows? OS X? Linux?
>
>
> HOW DO WE FIX IN MS WINDOWS?
> We're talking about links launched from GtkIMHtml, right? And this is
> handled by pidgin/gtkutils.c file_open_uri()?
>
> Is there a standard "are you sure you want to exec this?" dialog?
>
> If not, I kinda don't think we should make our own for 2.x.y. I'm ok
> with disabling file:// links there. Is that as simple as commenting
> out this line in pidgin/gtkutils.c:
> gtk_imhtml_class_register_protocol("file://", NULL, NULL);
>
>
I think the reason that this protocol handler was installed was to link the
"You have just received this file." links (the line is not quite that, but
I hope you know what I mean.) It was never intended for links that were
sent over the IM side itself.

I'm not sure how possible this is within the realm of GtkIMHtml, but what
we'd need to do is test if the message containing the link is a "system"
message (i.e., an authentic message from libpurple/Pidgin.) If it's not a
system message, then go with the usual purple_notify_uri (I'm assuming it's
safe, though I did not test.). That should mitigate this problem somewhat.

Now, whether we'd want to test the file type of the files that are received
may be a different discussion...


> SIDE QUESTION
> Do we have this problem with purple_notify_uri(), too? Or are those
> safe because we specifically launch the browser?
>


-- 
Elliott aka QuLogic
Pidgin developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140111/427e8f2f/attachment.html>

More information about the security mailing list