[OTR-dev] /me bug
Jacob Appelbaum
jacob at appelbaum.net
Tue Sep 10 13:46:24 EDT 2013
Heya,
There exists an information leak in Pidgin/Pidgin-OTR where Pidgin
doesn't allow Pidgin-OTR to encrypt a specific message before it is sent
to the network. Specifically on IRC networks, users who emote through
the use of a message such as `/me thinks this is a bug` - will leak the
full text of their /me command.
This is annoying and it would be nice if Pidgin didn't treat /me
messages in this way. It appears that around the same time as learning
about this bug, I found a bug report with a fix for Pidgin itself.
If there are any Pidgin/Pidgin-OTR users on this list who also use IRC
with Pidgin, it would be great to see if the following patch fixes the
behavior of /me on irc:
https://developer.pidgin.im/ticket/15750
This could also be fixed inside of Pidgin-otr - though I think the right
place is inside of Pidgin itself. It would be useful if IRC using
Pidgin-OTR developers could test the patch attached to ticket 15750 on
the Pidgin bug tracker.
Useful questions to answer:
Does it solve the /me info leak for you? Does it cause any adverse
issues? Does it make sense to put this into Pidgin-OTR?
All the best,
Jake
More information about the OTR-dev
mailing list