Command injection through URL in Pidgin

Tomasz Wasilczyk twasilczyk at
Mon Jan 13 07:24:26 EST 2014

W dniu 13.01.2014 03:29, Mark Doliner pisze:
> I still have this question:
> On Sun, Jun 23, 2013 at 6:53 PM, Mark Doliner <mark at> wrote:
>> One more question: How did you decide
>> whether to use uri or uri_escaped for the various browsers? Obviously
>> you would use uri_escaped for xdg-open, since that's the thing we're
>> trying to fix here. I guess you don't need uri_escaped with Chrome
>> because it doesn't do silly things with passing the argument on the
>> command line? Is there harm to using uri_escaped? If we're trying to
>> be preventative then maybe we should ALWAYS use uri_escaped, in case a
>> browser starts doing silly things in the future?

If I remember correctly, providing uri_escaped version to these browsers 
results in opening double-escaped (malformed) URIs.

In fact, we shouldn't *need* to take care of it, because we provide 
these URIs in a safe way (by g_spawn_[a]sync). The bug we patched is the 
xdg-open bug, in its *internal* processing. Chrome, for the instance, 
shouldn't ever do it, because it's not a bash script.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4225 bytes
Desc: Kryptograficzna sygnatura S/MIME
URL: <>

More information about the security mailing list