Command injection through URL in Pidgin

Mark Doliner mark at kingant.net
Tue Jan 14 00:45:54 EST 2014


Thanks for the response. I had a worry that our extra escaping might
cause problems if the bad browsers (whatever they may be) ever fixed
their stuff. Turns out it's worse than that--I think the new escaping
behavior is actually wrong.

Take this URL as an example:
https://developer.pidgin.im/search?q=brains&noquickjump=1&wiki=on

When escaped with g_uri_escape_string() it becomes:
https://developer.pidgin.im/search%3Fq%3Dbrains%26noquickjump%3D1%26wiki%3Don

?, = and & are replaced with %3F, %3D and %26 which means they are
considered part of the path component rather than query args. I tested
and I get 404s when launching that URL with Firefox, Google Chrome,
and these manual commands: gnome-open, xdg-open, firefox,
google-chrome.

Strangely I DON'T get a 404 when I launch the URL with Konqueror. The
original unescaped URL loads. I consider this to be a bug in
Konqueror. They would fail to load when launched with a URL that has a
question mark as part of the path component because they would convert
the remaining path into the query string.

So I ripped out uri_escaped and used uri in its place everywhere. This
is committed and pushed to the private 2.x.y repo. Please let me know if
you see any problems with my code or with my logic.

Thanks,
Mark
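The breakage Mark describes is easy to reproduce outside of Pidgin. The added example below is not Pidgin code and does not use GLib; it uses Python's urllib to show the same effect: percent-encoding the whole URL as one opaque string (keeping only ':' and '/', which approximates the output quoted in the mail) turns the '?', '=' and '&' delimiters into path characters, so the query string disappears, whereas escaping each component separately keeps the structure intact. The second sample URL (example.invalid) is constructed for the demonstration.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# The URL quoted in the mail.
EXAMPLE_URL = "https://developer.pidgin.im/search?q=brains&noquickjump=1&wiki=on"


def escape_whole_url(url: str) -> str:
    """Percent-encode the URL as a single string, leaving only ':' and '/' alone.

    This approximates the behaviour reported in the mail: '?', '=' and '&' become
    %3F, %3D and %26, so a browser sees one long path and no query at all.
    """
    return quote(url, safe=":/")


def escape_by_component(url: str) -> str:
    """Split the URL, escape each component on its own, and reassemble it.

    Reserved delimiters between components survive; only characters that are
    unsafe *inside* a component (spaces, control characters, stray '%') are
    encoded. A well-formed URL round-trips unchanged.
    """
    parts = urlsplit(url)
    path = quote(parts.path, safe="/")
    # parse_qsl decodes the existing query; urlencode re-encodes each name/value.
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    fragment = quote(parts.fragment, safe="")
    return urlunsplit((parts.scheme, parts.netloc, path, query, fragment))


def query_params(url: str) -> dict:
    """Return the query arguments a consumer of this URL would actually see."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    whole = escape_whole_url(EXAMPLE_URL)
    print("whole-URL escaping :", whole)
    print("  query seen       :", query_params(whole))       # {} -> 404 on the server side
    per = escape_by_component(EXAMPLE_URL)
    print("per-component      :", per)
    print("  query seen       :", query_params(per))
```

Running it prints the exact %3F/%3D/%26 string from the mail for the whole-URL variant, with an empty query dictionary, while the per-component variant returns the original URL with its three query arguments. The general lesson is the one the mail reaches: escaping is only meaningful relative to a specific context (path segment, query value, shell argument), and applying one context's escaping to the entire URL corrupts it for every other context.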
