qulogic/pidgin

Stop using g_uri_escape_string() to escape the URI before launching it.
release-2.x.y
2014-01-13, Mark Doliner
41e1147347a5
Stop using g_uri_escape_string() to escape the URI before launching it.

This was wrong. Take this URL as an example:
https://developer.pidgin.im/search?q=brains&noquickjump=1&wiki=on

When escaped with g_uri_escape_string() it becomes:
https://developer.pidgin.im/search%3Fq%3Dbrains%26noquickjump%3D1%26wiki%3Don

?, = and & are replaced with %3F, %3D and %26 which means they are considered part of the path component rather than query args. I tested and I get 404s when launching that URL with Firefox, Google Chrome, and these manual commands: gnome-open, xdg-open, firefox, google-chrome.

Strangely I DON'T get a 404 when I launch the URL with Konqueror. The original unescaped URL loads. I consider this to be a bug in Konqueror. They would fail to load when launched with a URL that has a question mark as part of the path component because they would convert the remaining path into the query string.

So I ripped out uri_escaped and used uri in its place everywhere.

This bug never got released. We changed the behavior because someone reported
to us that this URL:
http://example.org/$(xterm)
caused xterm to be executed on his system. Obviously that's bad if that
happens, but I don't think it's a bug in Pidgin. We're correctly escaping
all arguments that we pass to the browser command. If a system unescapes those
at some point and execs them, then that system is dangerously broken.

I tested this newest code with Firefox, Google Chrome, Konqueror, and the
manual commands gnome-open and xdg-open and they all work perfectly for me.
/**
* @file ntlm.h
*/
/* purple
*
* Copyright (C) 2005, Thomas Butter <butter@uni-mannheim.de>
*
* ntlm structs are taken from NTLM description on
* http://www.innovation.ch/java/ntlm.html
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
*/
#ifndef _PURPLE_NTLM_H
#define _PURPLE_NTLM_H
#ifdef __cplusplus
extern "C" {
#endif
/**
* Generates the base64 encoded type 1 message needed for NTLM authentication
*
* @param hostname Your hostname
* @param domain The domain to authenticate to
* @return base64 encoded string to send to the server. This should
* be g_free'd by the caller.
*/
gchar *purple_ntlm_gen_type1(const gchar *hostname, const gchar *domain);
/**
* Parses the ntlm type 2 message
*
* @param type2 String containing the base64 encoded type2 message
* @param flags If not @c NULL, this will store the flags for the message
*
* @return The nonce for use in message type3. This is a statically
* allocated 8 byte binary string.
*/
guint8 *purple_ntlm_parse_type2(const gchar *type2, guint32 *flags);
/**
* Generates a type3 message
*
* @param username The username
* @param passw The password
* @param hostname The hostname
* @param domain The domain to authenticate against
* @param nonce The nonce returned by purple_ntlm_parse_type2
* @param flags Pointer to the flags returned by purple_ntlm_parse_type2
* @return A base64 encoded type3 message. This should be g_free'd by
* the caller.
*/
gchar *purple_ntlm_gen_type3(const gchar *username, const gchar *passw, const gchar *hostname, const gchar *domain, const guint8 *nonce, guint32 *flags);
#ifdef __cplusplus
}
#endif
#endif /* _PURPLE_NTLM_H */