Command injection through URL in Pidgin

Mark Doliner mark at kingant.net
Tue Jan 14 01:13:12 EST 2014


Ok, maybe removing all escaping was a bit extreme.

Reading back over this email thread we had wanted to percent-encode
some characters to guard against $(xterm) causing xterm to start on
horrendously broken systems.

I realized we can still do that, we just need to be better about what
characters we escape. So I brought back Tomasz's code, added a few
characters to the allowed list, and we now use the escaped URI when
starting ALL browsers. Works fine for me. Here's the escape command
we're using:
> g_uri_escape_string(uri, ":;/%#,+?=&@", FALSE);

So that list of characters (plus alphanumeric, hyphen, underscore,
tilde) are all allowed in the URL.

Committed and pushed to the private repo. Please let me know if you
see any problems with my new code or my revised logic.


More information about the security mailing list