[Pidgin] #6499: Yahoo packets, with service YAHOO_SERVICE_PICTURE, accepted from nonbuddies.
Pidgin
trac at pidgin.im
Sun Aug 3 11:00:30 EDT 2008
#6499: Yahoo packets, with service YAHOO_SERVICE_PICTURE, accepted from
nonbuddies.
----------------------------+-----------------------------------------------
 Reporter:  wizardyesterday |       Owner:  marv
     Type:  patch           |      Status:  new
 Priority:  minor           |   Component:  Yahoo!
  Version:  2.4.3           |    Keywords:  YAHOO_SERVICE_PICTURE
  Pending:  0               |
----------------------------+-----------------------------------------------
I've made a modification to yahoo_process_picture() such that buddy icon
downloads/uploads only occur if the privacy criteria are accepted. This
can allow (and has allowed) someone to create a packet, with
YAHOO_SERVICE_PICTURE, to insert their own IP address as the place from
which to retrieve the buddy icon, and cause the chat client to visit
that "website" to retrieve the picture. The result was the posting of IP
addresses to Yahoo chatrooms.

Having a user's IP address posted to a chatroom isn't the most terrible
thing... just more of an annoyance.

This change has the added benefit that others cannot view your Yahoo buddy
icon if privacy settings are appropriately set.

Also, remove my first name and initial as appropriate from the file. I
need not take credit for this change.
--
Ticket URL: <http://developer.pidgin.im/ticket/6499>
Pidgin <http://pidgin.im>
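
The check the ticket describes, sketched as an added example (not Pidgin's code and not the reporter's patch): the sender of a picture packet is tested against the account's privacy settings before the client acts on the URL the packet carries. All types, names and sample values below are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the client's privacy state (not libpurple types). */
enum privacy_mode { ALLOW_ALL, ALLOW_BUDDIES_ONLY, DENY_LISTED };
struct account {
    enum privacy_mode mode;
    const char *const *buddies; /* NULL-terminated */
    const char *const *denied;  /* NULL-terminated */
};
/* Simplified picture-service packet: claimed sender and the icon URL it carries. */
struct picture_pkt { const char *who; const char *url; };
static bool in_list(const char *const *list, const char *name) {
    for (; list && *list; list++)
        if (strcmp(*list, name) == 0) return true;
    return false;
}

/* True if the account's privacy settings permit interaction with `who`. */
bool privacy_allows(const struct account *a, const char *who) {
    if (!who || !*who) return false;          /* no sender: never trusted */
    switch (a->mode) {
    case ALLOW_ALL:          return true;
    case ALLOW_BUDDIES_ONLY: return in_list(a->buddies, who);
    case DENY_LISTED:        return !in_list(a->denied, who);
    }
    return false;
}

/* Returns the URL to fetch, or NULL when the packet must be dropped
 * before any outbound connection is made. */
const char *picture_fetch_target(const struct account *a, const struct picture_pkt *p) {
    if (!p || !p->url || !privacy_allows(a, p->who)) return NULL;
    return p->url;
}

/* Constructed sample data (192.0.2.0/24 is a documentation address range). */
static const char *const BUDDIES[] = { "alice", NULL };
static const char *const DENIED[]  = { "mallory", NULL };
const struct account ACCT_STRICT = { ALLOW_BUDDIES_ONLY, BUDDIES, DENIED };
const struct account ACCT_OPEN   = { ALLOW_ALL, BUDDIES, DENIED };
const struct picture_pkt FROM_BUDDY    = { "alice",   "http://192.0.2.20/icon.png" };
const struct picture_pkt FROM_STRANGER = { "mallory", "http://192.0.2.10/icon.png" };
int main(void) {
    const char *t = picture_fetch_target(&ACCT_STRICT, &FROM_STRANGER);
    printf("stranger, buddies-only: %s\n", t ? t : "(dropped)");
    return 0;
}
```

With the permissive `ACCT_OPEN` settings the same non-buddy packet is still acted on, which is why the reporter ties the benefit to privacy settings being "appropriately set".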