Comment 2 for bug 501089

Isaac Clerencia (isaaccp) wrote :

Uhm, so apparently this bug is private, so I'll continue ... the problem is related to the support for custom smileys.

Usually you tell your peer: I am using a custom smiley, its name is 'foo.png', and you can request it if you want. The other party will then request it if it wants it.

The problem is that the other party can request any other file instead of 'foo.png', and libpurple won't check the SHA1 hash and will even allow the file path to include '../..'.

It only works if custom smileys are activated (i.e., if you have ever declared a custom smiley, so I'd say most people are not affected). And in this case any MSN client can just start sending requests for files to Pidgin and it will serve them without even notifying the user in any way.

I am attaching a sample script using python-papyon that exploits this bug (not an elegant script, but it works).
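As an added illustration (not from the bug report and not libpurple's code), these are the checks a receiver should apply before serving a requested custom smiley: the resolved path stays inside the smiley directory, the requested name was actually declared, and the on-disk SHA1 still matches the declared one. The `declared` registry and the function names are assumptions; the files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha1_of_file(path):
    # Hash the file as stored on disk, streamed so large files are not read at once.
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def resolve_smiley_request(smiley_dir, declared, requested_name):
    """Decide whether a peer's request for a custom smiley file may be served.
    declared maps announced smiley names to their announced SHA1 (a hypothetical
    registry, not libpurple's own). Returns (path_or_None, reason)."""
    root = os.path.realpath(smiley_dir)
    candidate = os.path.realpath(os.path.join(root, requested_name))
    # 1. The resolved path must stay inside the smiley directory ('../..' is refused).
    if os.path.commonpath([root, candidate]) != root:
        return None, "traversal"
    # 2. Only names the local user actually announced may be requested.
    if requested_name not in declared:
        return None, "not declared"
    # 3. The file on disk must still match the hash that was announced.
    if not os.path.isfile(candidate) or sha1_of_file(candidate) != declared[requested_name]:
        return None, "hash mismatch"
    return candidate, "ok"

def demo():
    """Constructed scenario: one declared smiley plus a file outside the smiley directory."""
    with tempfile.TemporaryDirectory() as tmp:
        smiley_dir = Path(tmp) / "smileys"
        smiley_dir.mkdir()
        (Path(tmp) / "secret.txt").write_bytes(b"not a smiley")  # must never be served
        foo = smiley_dir / "foo.png"
        foo.write_bytes(b"\x89PNG constructed sample")
        declared = {"foo.png": sha1_of_file(foo)}
        results = {
            "declared": resolve_smiley_request(smiley_dir, declared, "foo.png")[1],
            "traversal": resolve_smiley_request(smiley_dir, declared, "../secret.txt")[1],
            "undeclared": resolve_smiley_request(smiley_dir, declared, "bar.png")[1],
        }
        foo.write_bytes(b"tampered")  # file replaced after it was announced
        results["tampered"] = resolve_smiley_request(smiley_dir, declared, "foo.png")[1]
        return results
```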