[Telepathy] Showing actual image in chat window
Xavier Claessens
xclaesse at gmail.com
Wed Jun 27 04:00:38 PDT 2012
On Wednesday 27 June 2012 at 11:53 +0100, Simon McVittie wrote:
> On 27/06/12 10:56, Mithun Shitole wrote:
> > Thanks for the suggestion. I have successfully modified an Adium theme
> > to show images.
> [...]
> > Are there any security concerns with this approach?
>
> I'm concerned about the privacy implications of this feature. If the
> owner of example.com wants to find out whether/when you are online, they
> can send you an IM containing a unique image URL, perhaps something like
> this:
>
> http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg
>
> and then consult the example.com server logs to find out whether/when
> Empathy retrieves that URL. For maximum evil, the image it served would
> be a 1x1 pixel transparent GIF or PNG, and the text of the message would
> look like something innocent (either a message sent to the wrong
> recipient by mistake, or spam).
>
> To do this, they do not need to be on your contact list or otherwise
> have your permission.
>
> This would be partially addressed by only showing the image inline if
> the message's sender has been given permission to see your presence
> (publish = Yes on the ContactList interface).
>
> There are also potential security implications if the image-loading
> library has an exploitable bug (although that would normally be
> considered to be a security bug anyway), or if dereferencing the URL
> causes code execution or side-effects. For instance, you don't want to
> display a "javascript:" URL, and you might not want to display this:
>
> https://broken.example.org/delete-all-data.php?confirm=yes&x=.jpg
>
> (Admittedly, that site is already broken if it contravenes the HTTP spec
> by giving a HTTP GET "unsafe" side-effects, because of e.g. prefetching.)
I would just have an expander: it will load the image only when you
click to "expand" the URL, or something like that.
Regards,
Xavier Claessens.
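The three points raised above (reject "javascript:" and side-effecting URLs, only auto-fetch when the sender already has publish = Yes, otherwise fall back to a click-to-load expander) can be combined into one rendering policy. What follows is an added example written for this archive page; it is not code from Empathy, Telepathy or any Adium theme. It assumes the theme's JavaScript is handed each URL found in a message body together with a boolean `senderPublishesPresence` (standing in for publish = Yes on the ContactList interface), and that a click handler named by the `image-expander` class exists to swap the anchor for an `<img>` on demand. The extension check is a heuristic only; a server can serve any content type from any path.

```javascript
// Added example, not Empathy/Telepathy/Adium code. Policy for image URLs in
// incoming messages: classify the URL, then decide how the chat view renders it.

const IMAGE_PATH = /\.(png|jpe?g|gif)$/i; // heuristic: path looks like an image

// Only http(s) URLs with an image-like path and no query string or fragment are
// candidates for fetching at all. "javascript:" and "data:" are rejected by the
// scheme check; a query string is treated as a sign the GET may have
// side-effects (the delete-all-data.php?confirm=yes&x=.jpg case).
function classifyImageUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { fetchable: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { fetchable: false, reason: 'scheme' };
  }
  if (url.username || url.password) {
    return { fetchable: false, reason: 'credentials' };
  }
  if (url.search !== '' || url.hash !== '') {
    return { fetchable: false, reason: 'query' };
  }
  if (!IMAGE_PATH.test(url.pathname)) {
    return { fetchable: false, reason: 'not-image-path' };
  }
  return { fetchable: true, reason: 'ok', href: url.href };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Rendering decision for one URL:
//   'inline' - <img> loaded on receipt: URL passed the checks AND the sender
//              may already see our presence, so the fetch reveals nothing new.
//   'expand' - URL passed the checks but the sender is not trusted: show the
//              URL and fetch only when the user clicks, so receiving the
//              message itself triggers no request to the sender's server.
//   'link'   - http(s) URL that failed the image checks: plain clickable link.
//   'text'   - anything else (javascript:, data:, unparseable): escaped text,
//              never placed in an href or src attribute.
function decideRendering(rawUrl, senderPublishesPresence) {
  const verdict = classifyImageUrl(rawUrl);
  if (verdict.fetchable) {
    return senderPublishesPresence ? 'inline' : 'expand';
  }
  if (verdict.reason === 'scheme' || verdict.reason === 'unparseable') {
    return 'text';
  }
  return 'link';
}

function renderUrl(rawUrl, senderPublishesPresence) {
  const esc = escapeHtml(rawUrl);
  switch (decideRendering(rawUrl, senderPublishesPresence)) {
    case 'inline':
      return `<img src="${esc}" alt="${esc}">`;
    case 'expand':
      // data-src is read by an assumed click handler bound to .image-expander,
      // which replaces the anchor with an <img>; nothing is fetched before that.
      return `<a class="image-expander" href="${esc}" data-src="${esc}">${esc} [show image]</a>`;
    case 'link':
      return `<a href="${esc}">${esc}</a>`;
    default:
      return esc;
  }
}

// Constructed samples mirroring the cases in the thread: [url, publish=Yes?].
const SAMPLES = [
  ['http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg', false],
  ['http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg', true],
  ['https://broken.example.org/delete-all-data.php?confirm=yes&x=.jpg', true],
  ['javascript:alert(1)', true],
];

function reviewSamples() {
  return SAMPLES.map(([url, publish]) => [url, publish, decideRendering(url, publish)]);
}

for (const [url, publish, decision] of reviewSamples()) {
  console.log(`${decision.padEnd(7)} publish=${publish} ${url}`);
}
```

With the tracking-pixel URL, the unknown sender gets an expander and no request leaves the client until the user clicks; the same URL from a contact with publish = Yes is shown inline, which is exactly the "partial" mitigation Simon describes. The delete-all-data URL never becomes an `<img>` because of its query string, and "javascript:" never becomes an attribute value at all.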