Mercurial > pidgin.yaz
view pidgin/gtkprivacy.h @ 30702:6829b27ee4c8
This patch attempts to fix four bugs in the oscar protocol plugin that
were introduced with the X-Status code in Pidgin 2.7.0.
Problem #1 (the remotely-triggerable crash):
The crash happens when a buddy sets an xstatus message containing <desc>
but no closing </desc>, or <title> but no closing </title>. The fix
is to check the result of strstr(closing_tag_name) and do nothing if it
is NULL. This is CVE-2010-2528.
Problem #2:
Fixes potential incorrect parsing of the xstatus string that could result
in an incorrect message being displayed to the libpurple user. Happens if
an xstatus message contains </desc> before <desc>, or </title> before
<title>. The fix is to start looking for the closing tag at the end
of the beginning tag rather than at the beginning of the xstatus xml.
Probably not a security problem, but definitely a bug.
Problem #3:
Fixes potential incorrect parsing of the xstatus string that could result
in the title not being shown to the libpurple user. Happens if the close
title tag appears after the desc tag in the xstatus xml, because we add a
null character at the beginning of the close title tag, so strstr() for
the desc tag would stop searching there. Probably not a security problem,
but definitely a bug.
Problem #4:
Fixes potential incorrect display of the xstatus string that could result
in an incorrect message being displayed to the libpurple user. Happens
because we reusing the 'xml' string when preparing the string for the user,
but we copy values from xml to xml. If those values overlap with themselves
or with each other then an incorrect value could be displayed. Probably not
a security problem, but definitely a bug.
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Wed, 21 Jul 2010 02:49:23 +0000 |
| parents | 6bf32c9e15a7 |
| children |
line wrap: on
line source
/** * @file gtkprivacy.h GTK+ Privacy UI * @ingroup pidgin */ /* pidgin * * Pidgin is the legal property of its developers, whose names are too numerous * to list here. Please refer to the COPYRIGHT file distributed with this * source distribution. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA */ #ifndef _PIDGINPRIVACY_H_ #define _PIDGINPRIVACY_H_ #include "privacy.h" /** * Initializes the GTK+ privacy subsystem. */ void pidgin_privacy_init(void); /** * Shows the privacy dialog. */ void pidgin_privacy_dialog_show(void); /** * Hides the privacy dialog. */ void pidgin_privacy_dialog_hide(void); /** * Requests confirmation to add a user to the allow list for an account, * and then adds it. * * If @a name is not specified, an input dialog will be presented. * * @param account The account. * @param name The name of the user to add. */ void pidgin_request_add_permit(PurpleAccount *account, const char *name); /** * Requests confirmation to add a user to the block list for an account, * and then adds it. * * If @a name is not specified, an input dialog will be presented. * * @param account The account. * @param name The name of the user to add. */ void pidgin_request_add_block(PurpleAccount *account, const char *name); /** * Returns the UI operations structure for the GTK+ privacy subsystem. * * @return The GTK+ UI privacy operations structure. */ PurplePrivacyUiOps *pidgin_privacy_get_ui_ops(void); #endif /* _PIDGINPRIVACY_H_ */