Command injection through URL in Pidgin
Tomasz Wasilczyk
twasilczyk at pidgin.im
Mon Jan 13 07:24:26 EST 2014
On 13.01.2014 03:29, Mark Doliner wrote:
> I still have this question:
>
> On Sun, Jun 23, 2013 at 6:53 PM, Mark Doliner <mark at kingant.net> wrote:
>> One more question: How did you decide
>> whether to use uri or uri_escaped for the various browsers? Obviously
>> you would use uri_escaped for xdg-open, since that's the thing we're
>> trying to fix here. I guess you don't need uri_escaped with Chrome
>> because it doesn't do silly things with passing the argument on the
>> command line? Is there harm to using uri_escaped? If we're trying to
>> be preventative then maybe we should ALWAYS use uri_escaped, in case a
>> browser starts doing silly things in the future?
If I remember correctly, providing the uri_escaped version to these browsers
results in opening double-escaped (malformed) URIs.
In fact, we shouldn't *need* to take care of it, because we provide
these URIs in a safe way (by g_spawn_[a]sync). The bug we patched is the
xdg-open bug, in its *internal* processing. Chrome, for instance,
shouldn't ever do it, because it's not a bash script.
Tomek
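
Added example, not part of the original message and not code from Pidgin or xdg-open: a shell sketch of the distinction drawn above between handing a URI over as a single argument and a script re-parsing that argument internally, and of why escaping an already-escaped URI malforms it. The handlers `open_safe` and `open_weak`, the escaper `uri_escape` (which is not Pidgin's uri_escaped) and the sample URI are all hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a URI-shaped string containing shell metacharacters.
SAMPLE='http://example.invalid/?q=$(echo INJECTED)'

# Hypothetical handler that treats its argument purely as data.
open_safe() {
    printf '%s\n' "$1"
}

# Hypothetical handler that receives the argument intact but then
# re-parses it as shell text (the "internal processing" failure mode).
open_weak() {
    eval "printf '%s\n' \"$1\""
}

# Hypothetical percent-escaper: keeps a small safe set and encodes every
# other byte, including '%', so it is NOT idempotent.
uri_escape() {
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character
        case "$c" in
            [A-Za-z0-9:/?=._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s\n' "$out"
}

echo "argv only      : $(open_safe "$SAMPLE")"
echo "re-parsed      : $(open_weak "$SAMPLE")"
ESCAPED=$(uri_escape "$SAMPLE")
echo "escaped once   : $(open_weak "$ESCAPED")"
echo "escaped twice  : $(uri_escape "$ESCAPED")"
```

The "escaped twice" line shows each `%` turning into `%25`, which is the double-escaped form a consumer that already handles the URI correctly would end up opening.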