[OTR-dev] /me bug

Jurre van Bergen drwhax at 2600nl.net
Tue Sep 10 14:02:33 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/10/2013 07:46 PM, Jacob Appelbaum wrote:
> Heya,
>
> There exists an information leak in Pidgin/Pidgin-OTR where Pidgin
> doesn't allow Pidgin-OTR to encrypt a specific message before it is sent
> to the network. Specifically on IRC networks, users who emote through
> the use of a message such as `/me thinks this is a bug` - will leak the
> full text of their /me command.
>
> This is annoying and it would be nice if Pidgin didn't treat /me
> messages in this way. It appears that around the same time as learning
> about this bug, I found a bug report with a fix for Pidgin itself.
>
> If there are any Pidgin/Pidgin-OTR users on this list who also use IRC
> with Pidgin, it would be great to see if the following patch fixes the
> behavior of /me on irc:
>
>   https://developer.pidgin.im/ticket/15750
>
> This could also be fixed inside of Pidgin-otr - though I think the right
> place is inside of Pidgin itself. It would be useful if IRC using
> Pidgin-OTR developers could test the patch attached to ticket 15750 on
> the Pidgin bug tracker.
>
> Useful questions to answer:
>
> Does it solve the /me info leak for you? Does it cause any adverse
> issues? Does it make sense to put this into Pidgin-OTR?
>
> All the best,
> Jake
>

I tested this patch a few weeks ago and it doesn't fix the current issue
in IRC while being in an OTR conversation.

Jurre

- -- 
Give a man a fish and you feed him for a day; teach a man to fish and
you feed him for life.

http://jurrevanbergen.nl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSL165AAoJELc5KWfqgB0CAO8H/2wmUTBO2JcWc8fOU57h48/p
+en2r0RpVm0e7oP/KLVIm5mOGRJKuQTPpNa3zzj1w93bCRyr7sjpzwHi2boE8w1o
tay2w91QhBbMrETyCaE1ovGvDKDQRS4+YCcgW3uGFIqVHVfbp2nVa7PQe021987M
wAVH0XhXzAkOmygf6G6il+YXkXwQpPZA8itspm/sYAJNFvo8wW1FQYFWhxajRJEN
waIz4oiQYuRsXjW7K8XQJSl/X9FU1IgBQ0gCqpt1qNO7ztAyA5eQ8kO1WwktRm+T
0cXhK69MgGYbXmp+dulNFAzjIU9peuKPWk8iaJT0/y2lR8wKqUXZaMqmD4yLgL0=
=A3Vv
-----END PGP SIGNATURE-----




More information about the OTR-dev mailing list