PGP key for vulnerability reports
Eion Robb
eion at robbmob.com
Sat Jan 11 03:35:56 EST 2014
I could swear I wrote a patch for this a few months back that just did an
"open in folder" kind of thing with explorer. Was that just for the
purple_notify_uri() stuff though and not anything else?
On 11 January 2014 20:21, Elliott Sales de Andrade <qulogic at pidgin.im> wrote:
> On 11 January 2014 01:23, Mark Doliner <mark at kingant.net> wrote:
>
>> (replying only to ourselves)
>>
>> Oh boy there are a lot of open questions here.
>>
>>
>> THE PROBLEM
>> On Windows XP I was able to launch notepad by sending myself a file://
>> link. There was no prompt from my default browser. I didn't test with
>> a jar, but I'm willing to believe that it's possible. And it does seem
>> likely that lay people could be tricked into launching a file:// link
>> to a malicious jar file on a remote server. I think we should do a
>> better job to protect our users from that.
>>
>>
>> WHAT'S THE IDEAL BEHAVIOR?
>> So. What should we do? I feel like maybe the ideal behavior is to show
>> a prompt, "WARNING: You're about to run the file C:\whatever.exe. This
>> could potentially contain a virus or otherwise harm your computer. Are
>> you sure you want to continue?" I feel like that mimics the behavior
>> of web browsers in MS Windows when downloading and running random
>> stuff from the Internet.
>>
>> How do other people feel about that as a long term goal for the ideal
>> behavior? Anyone have other suggestions?
>>
>>
>> WHAT OSes ARE AFFECTED?
>> Only MS Windows? OS X? Linux?
>>
>>
>> HOW DO WE FIX IN MS WINDOWS?
>> We're talking about links launched from GtkIMHtml, right? And this is
>> handled by pidgin/gtkutils.c file_open_uri()?
>>
>> Is there a standard "are you sure you want to exec this?" dialog?
>>
>> If not, I kinda don't think we should make our own for 2.x.y. I'm ok
>> with disabling file:// links there. Is that as simple as commenting
>> out this line in pidgin/gtkutils.c:
>> gtk_imhtml_class_register_protocol("file://", NULL, NULL);
>>
>>
> I think the reason that this protocol handler was installed was to link
> the "You have just received this file." links (the line is not quite that,
> but I hope you know what I mean.) It was never intended for links that were
> sent over the IM side itself.
>
> I'm not sure how possible this is within the realm of GtkIMHtml, but what
> we'd need to do is test if the message containing the link is a "system"
> message (i.e., an authentic message from libpurple/Pidgin.) If it's not a
> system message, then go with the usual purple_notify_uri (I'm assuming it's
> safe, though I did not test). That should mitigate this problem somewhat.
>
> Now, whether we'd want to test the file type of the files that are
> received may be a different discussion...
>
>
>> SIDE QUESTION
>> Do we have this problem with purple_notify_uri(), too? Or are those
>> safe because we specifically launch the browser?
>>
>
>
> --
> Elliott aka QuLogic
> Pidgin developer
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
>
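The message-trust check Elliott sketches above, as an added example and not Pidgin's own code (the type and function names are hypothetical): it parses the link's scheme case-insensitively and lets a file:// link reach the local-open path only when the containing message is flagged as system-generated, blocking it otherwise. Blocking rather than forwarding to the browser is an assumption here, since the thread leaves open whether purple_notify_uri() is safe for file:// links.

```c
/* Hypothetical trust-aware link dispatch modelled on the thread's proposal. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    DISPATCH_BLOCK,       /* do nothing with the link */
    DISPATCH_BROWSER,     /* hand to the default browser (purple_notify_uri() role) */
    DISPATCH_LOCAL_OPEN   /* open the local file (file_open_uri() role) */
} dispatch_t;

/* Copy the lower-cased scheme of uri into out (size n); return 0 if uri has
 * no well-formed scheme (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"). */
static int uri_scheme(const char *uri, char *out, size_t n) {
    size_t i = 0;
    while (*uri == ' ' || *uri == '\t') uri++;      /* tolerate leading whitespace */
    if (!isalpha((unsigned char)uri[0])) return 0;
    for (; uri[i] && uri[i] != ':'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return 0;
        if (i + 1 >= n) return 0;                    /* scheme too long for out */
        out[i] = (char)tolower(c);
    }
    if (uri[i] != ':') return 0;
    out[i] = '\0';
    return 1;
}

/* is_system_msg is true only for links libpurple/Pidgin generated itself
 * (e.g. the "You have just received this file" line), never for IM content. */
dispatch_t dispatch_uri(const char *uri, int is_system_msg) {
    char scheme[16];
    if (!uri_scheme(uri, scheme, sizeof scheme))
        return DISPATCH_BLOCK;
    if (strcmp(scheme, "file") == 0)
        return is_system_msg ? DISPATCH_LOCAL_OPEN : DISPATCH_BLOCK;
    if (strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0)
        return DISPATCH_BROWSER;
    return DISPATCH_BLOCK;   /* unknown schemes are never passed to the shell */
}

int main(void) {
    /* Constructed sample links: the same file:// URI from IM and from Pidgin. */
    printf("IM file:// link     -> %d\n", dispatch_uri("file://C:/whatever.exe", 0));
    printf("system file:// link -> %d\n", dispatch_uri("file://C:/whatever.exe", 1));
    printf("IM https link       -> %d\n", dispatch_uri("https://pidgin.im/", 0));
    return 0;
}
```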