Command injection through URL in Pidgin
mark at kingant.net
Tue Jan 14 01:15:14 EST 2014
Hey John, just wanted to update you on our status.
Tomasz cleaned up our browser launching code quite a bit. Again, on
correctly-functioning systems our previous code worked fine and there
was no problem (we WERE correctly shell escaping the URL before
passing it to the browser).
We added code so now we'll proactively percent-encode characters like
$ and ! to make it less likely that they'll cause problems with
whatever script is used to launch a browser.
This should get released in about 2 weeks.
More information about the security