Gajim - 2016-12-12

  1. Br0nek .
  2. Martin How robust are PIL and GdkPixbuf against malicious images? Images are a popular attack vector. And they spread faster than light, esp. when showing cute cats and wise words.
  3. cuc hm it would be great if one could activate/deactivate it on demand like: trusted contacts vs public mucs
  4. linus That's a good question
  5. linus I don't like the general security model of URL_image_preview anyway, it sends HTTP requests to any URL that is sent. Somewhat of a privacy issue
  6. Martin @cuc: I don't think that handling trusted contacts and MUCs is useful for this attack scenario. The person who sends you an image link might be unaware of problems with the image. Or the image you get is not the same anymore.
  7. cuc for this specific scenario maybe not, but i would not say it's useless...
  8. cuc loading anything from untrusted sources could always end in a disaster
  9. Martin @linus, @cuc: Yes, the preview should not happen automatically. First, there should be a link and a "download" or "preview" button. Also, any image downloads should be limited in size, in case one is online via mobile or other slow/expensive connection.
  10. cuc like in conversatisions that is
  11. cuc conversations
  12. Alex Hi, I played around with emoticons and it looks like I've broken Gajim. Would you have a suggestion how to fix this? Gajim doesn't start at all. Here is the debug. Thanks.
  13. Alex this is the last line of the debug: ImportError: No module named emoticons
  14. Alex I guess it would be good if I could start Gajim without Plugins but I don't know how
  15. linus Alex: which OS are you on?
  16. Alex I solved it by simply restoring the backup I made of the emoticons folder in question
  17. linus Oh ok
  18. Alex hehe, thanks linus :-)
  19. Alex It was not an answer to your message. I just wanted to send it anyways to the room...
  20. lovetox I agree it's not optimal right now, feel free to make it more secure.
  21. lovetox though I see this problem only with mucs and contacts not in your roster
  22. lovetox as for contacts in your roster
  23. lovetox no security mechanism will save you
  24. lovetox if your brother / mother / friend send you a malicious picture, via jingle, httpupload, or any other way
  25. lovetox it doesn't matter if gajim displays it instantly or shows you a preview button or a download button
  26. lovetox in 99% of all cases you will open that file
  27. lovetox because it comes from a trusted source
  28. lovetox also if we talk attack vectors I think pixbuf and PIL are probably a very low value target, instead of firefox/chrome/IE, which you open links normally with
  29. lovetox though I don't know which image lib these browsers use :)
  30. lovetox and on that matter in general, how do other chat applications handle this? never saw a download button in whatsapp
  31. lovetox image preview should probably be disabled completely for mucs and contacts not in your roster
  32. lovetox and @Martin, the size is already limited, by default to 5 MB
  33. Holger When registering an account using the GTK+3 version, the password field is listed above the username field:
  34. Holger
  35. lovetox weird
  36. lovetox thanks