On Wednesday 27 June 2012 at 11:53 +0100, Simon McVittie wrote:
> On 27/06/12 10:56, Mithun Shitole wrote:
> > Thanks for the suggestion. I have successfully modified an Adium theme
> > to show images.
> [...]
> > Are there any security concerns with this approach?
>
> I'm concerned about the privacy implications of this feature. If the
> owner of example.com wants to find out whether/when you are online, they
> can send you an IM containing a unique image URL, perhaps something like
> this:
>
> http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg
>
> and then consult the example.com server logs to find out whether/when
> Empathy retrieves that URL. For maximum evil, the image it served would
> be a 1x1 pixel transparent GIF or PNG, and the text of the message would
> look like something innocent (either a message sent to the wrong
> recipient by mistake, or spam).
>
> To do this, they do not need to be on your contact list or otherwise
> have your permission.
>
> This would be partially addressed by only showing the image inline if
> the message's sender has been given permission to see your presence
> (publish = Yes on the ContactList interface).
>
> There are also potential security implications if the image-loading
> library has an exploitable bug (although that would normally be
> considered to be a security bug anyway), or if dereferencing the URL
> causes code execution or side-effects. For instance, you don't want to
> display a "javascript:" URL, and you might not want to display this:
>
> https://broken.example.org/delete-all-data.php?confirm=yes&x=.jpg
>
> (Admittedly, that site is already broken if it contravenes the HTTP spec
> by giving an HTTP GET "unsafe" side-effects, because of e.g. prefetching.)
I would just have an expander; it will load the image only when you click to "expand" the URL, or something like that.

Regards,
Xavier Claessens.

_______________________________________________
telepathy mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/telepathy
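The two mitigations raised in this thread (only auto-loading images from contacts with publish = Yes, and never dereferencing non-HTTP(S) or non-image URLs, with an expander for everyone else) as a policy check. This is an added example, not Empathy or Telepathy code; the function names, the decision constants and the `sender_publish` flag standing in for the ContactList publish state are assumptions made here.

```python
import re
from urllib.parse import urlparse

# Rendering decisions (constructed names, not Empathy's own).
AUTO_LOAD = "auto-load"          # fetch and render the image immediately
CLICK_TO_LOAD = "click-to-load"  # show an expander; fetch only on user action
PLAIN_TEXT = "plain-text"        # never dereference; show the URL as text

ALLOWED_SCHEMES = {"http", "https"}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")
# Simplified URL matcher for demonstration: "scheme:rest-of-url".
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:\S+")


def looks_like_image(url):
    """True only if the *path* ends with an image extension; a '.jpg'
    tucked into the query string (x=.jpg) does not count."""
    return urlparse(url).path.lower().endswith(IMAGE_EXTENSIONS)


def inline_image_policy(url, sender_publish):
    """Decide how to treat an image-like URL from an incoming message.

    sender_publish: True when the sender has been granted permission to
    see our presence (publish = Yes on the ContactList interface).
    """
    parsed = urlparse(url)
    # javascript:, data:, file: and friends are never dereferenced.
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return PLAIN_TEXT
    # Not an image resource at all: do not pretend it is one.
    if not looks_like_image(url):
        return PLAIN_TEXT
    # Strangers get an expander: no automatic fetch means no beacon
    # hitting their server logs just because the message was received.
    if not sender_publish:
        return CLICK_TO_LOAD
    return AUTO_LOAD


def plan_rendering(message, sender_publish):
    """Return [(url, decision), ...] for every URL found in the message."""
    return [(u, inline_image_policy(u, sender_publish))
            for u in URL_RE.findall(message)]


if __name__ == "__main__":
    # Constructed sample: innocent-looking text carrying a unique tracking URL.
    msg = ("Oops, wrong window, sorry! "
           "http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg")
    print(plan_rendering(msg, sender_publish=False))
```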
