[OTR-dev] /me bug

Ian Goldberg ian at cypherpunks.ca
Tue Sep 10 16:28:49 EDT 2013


On Tue, Sep 10, 2013 at 05:46:24PM +0000, Jacob Appelbaum wrote:
> Heya,
> 
> There exists an information leak in Pidgin/Pidgin-OTR where Pidgin
> doesn't allow Pidgin-OTR to encrypt a specific message before it is sent
> to the network. Specifically on IRC networks, users who emote through
> the use of a message such as `/me thinks this is a bug` - will leak the
> full text of their /me command.
> 
> This is annoying and it would be nice if Pidgin didn't treat /me
> messages in this way. It appears that around the same time as learning
> about this bug, I found a bug report with a fix for Pidgin itself.
> 
> If there are any Pidgin/Pidgin-OTR users on this list who also use IRC
> with Pidgin, it would be great to see if the following patch fixes the
> behavior of /me on irc:
> 
>   https://developer.pidgin.im/ticket/15750
> 
> This could also be fixed inside of Pidgin-otr - though I think the right
> place is inside of Pidgin itself. It would be useful if IRC-using
> Pidgin-OTR developers could test the patch attached to ticket 15750 on
> the Pidgin bug tracker.
> 
> Useful questions to answer:
> 
> Does it solve the /me info leak for you? Does it cause any adverse
> issues? Does it make sense to put this into Pidgin-OTR?
> 
> All the best,
> Jake

If I understand the bug correctly, it's totally a prpl-irc bug, and
there's nothing pidgin-otr could even do about it: pidgin-otr never gets
invoked for that message at all by prpl-irc.  (Note that using /me on,
say, AIM, works fine.)

   - Ian
