Command injection through URL in Pidgin

Mark Doliner mark at kingant.net
Sun Jan 12 21:29:36 EST 2014


FYI the few remaining requests from my last email are all taken care
of now (either by Tomasz or by me) except this one:

> - Can you move the declaration of usercmd_argv inside the else-if
> block where it's used?

And we shouldn't do that because it's incorrect because the memory is
referenced by args, which is used outside the if block.

I still have this question:

On Sun, Jun 23, 2013 at 6:53 PM, Mark Doliner <mark at kingant.net> wrote:
> One more question: How did you decide
> whether to use uri or uri_escaped for the various browsers? Obviously
> you would use uri_escaped for xdg-open, since that's the thing we're
> trying to fix here. I guess you don't need uri_escaped with Chrome
> because it doesn't do silly things with passing the argument on the
> command line? Is there harm to using uri_escaped? If we're trying to
> be preventative then maybe we should ALWAYS use uri_escaped, in case a
> browser starts doing silly things in the future?
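
An added illustration of the "always use uri_escaped" option raised in the message above; this is example code written for this page, not Pidgin's own. The keep-set, the function names `uri_escape` and `build_browser_argv`, and the sample URI are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed keep-set: RFC 3986 unreserved characters plus the delimiters a URL
 * needs to keep its meaning ('%' is kept so encoded input is not re-encoded). */
static const char KEEP[] = "-._~:/?#@=&%+,";

/* Percent-encode src into dst; returns bytes written, or -1 if dst is too small. */
int uri_escape(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if ((c < 0x80 && isalnum(c)) || strchr(KEEP, c)) {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = (char)c;
        } else {                       /* space, quotes, ';', '$', '`', ... */
            if (o + 3 >= dstlen) return -1;
            dst[o++] = '%';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 15];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Build an argv for a direct exec (no shell). argv[1] points into `escaped`,
 * so the caller must keep that buffer alive for as long as argv is used. */
int build_browser_argv(const char *launcher, const char *uri,
                       char *escaped, size_t escaped_len, const char *argv[3])
{
    if (uri_escape(uri, escaped, escaped_len) < 0) return -1;
    argv[0] = launcher;
    argv[1] = escaped;
    argv[2] = NULL;
    return 0;
}
int main(void)
{
    char escaped[256];                 /* declared in the scope where argv is used */
    const char *argv[3];
    const char *uri = "http://example.test/a b;c'd";   /* constructed sample */
    if (build_browser_argv("xdg-open", uri, escaped, sizeof escaped, argv) == 0)
        printf("%s %s\n", argv[0], argv[1]);
    return 0;
}
```

Escaping unconditionally costs nothing for a browser that handles its argument safely, and the caller-owned `escaped` buffer mirrors the lifetime constraint described for `usercmd_argv`.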

