Pidgin opens local executables when clicked on file:// links

Bug #397323 reported by fx5
This bug affects 1 person
Affects: pidgin (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: pidgin

Pidgin opens file:// links to local executables (at least with XMPP) using Ubuntu Jaunty.

E.g. these links are harmful:

Go to <a href="file:///usr/bin/xkill">www.ubuntu.com</a>
Go to <a href="file:///usr/bin/x11vnc">www.ubuntu.com</a>
Go to <a href="file:///usr/bin/x-session-manager">www.ubuntu.com</a>

and so on. This works also:

Go to <a href="/usr/bin/xkill">www.ubuntu.com</a>

Same problem with gajim. Since both problems are introduced with jaunty it might be the same bug?
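
A scheme allowlist that a client could apply before handing a clicked link to the desktop opener, shown as an added example (not Pidgin's or Gajim's code). It covers both link forms from the report and the mismatch between the visible label and the target; the allowed schemes and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: schemes a chat client may hand to the desktop URL opener.
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp"}

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Return the reasons a link should not be opened (empty list = OK)."""
    reasons = []
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        reasons.append("no scheme (an opener would treat it as a local path)")
    elif scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme '{scheme}' not allowed")
    # Deceptive label: the text looks like a host but is not the target host.
    label_host = urlsplit(text if "://" in text else "//" + text).hostname
    if label_host and "." in label_host and label_host != (parts.hostname or ""):
        reasons.append(f"label shows '{label_host}' but target is '{href}'")
    return reasons

def audit_message(body):
    """Map each href in an HTML message body to its list of reasons."""
    parser = _Anchors()
    parser.feed(body)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample: the two link forms from the report plus a benign link.
SAMPLE = ('Go to <a href="file:///usr/bin/xkill">www.ubuntu.com</a> '
          'Go to <a href="/usr/bin/xkill">www.ubuntu.com</a> '
          'Go to <a href="https://www.ubuntu.com/">www.ubuntu.com</a>')

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```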

Revision history for this message
Kees Cook (kees) wrote :

pidgin reports:

Error showing url: No application is registered as handling this file

I cannot reproduce what you're describing...

Changed in pidgin (Ubuntu):
status: New → Incomplete
Kees Cook (kees) wrote :

Can you attach the output of the following command, please:

gconftool -R /desktop/gnome/url-handlers

fx5 (packaging) wrote :

Sure

fx5 (packaging) wrote :

I don't know why you were unable to reproduce this issue. I asked a few other Jabber users to try it; all of them were able to reproduce it. It works in Multi-User-Chats, too. But I noticed that this doesn't happen when I use OTR encryption.

Kees Cook (kees) wrote :

Is it strictly Jabber? Even with Jabber connections, I cannot reproduce it.

visibility: private → public
Kees Cook (kees)
security vulnerability: yes → no
fx5 (packaging) wrote :

I can send you such messages, when you tell me your jid, of course.

The bug seems to be fixed in 10.04: "gnome-open file:///usr/bin/xterm" doesn't open xterm here any more.

Victor Vargas (kamus) wrote :

According to your last message, this issue was solved (at least) in the new release of pidgin included in Ubuntu Lucid, so for now I will close your report, but if you find that this issue reappears, please reopen it. Thanks again.

Changed in pidgin (Ubuntu):
status: Incomplete → Invalid