Opened 11 years ago

Closed 11 years ago

#1278 closed Defect (Invalid)

colloquy automatically displays some urls (at least images and pdfs) when present in chat content

Reported by: chris..s Owned by: timothy
Component: Colloquy (Mac) Version: 2.1 (Mac)
Severity: Trivial Keywords: inline images security style css


If someone (anyone) speaks a URL for a file of certain types* Colloquy will display that file immediately. This is a security risk. It's conceivable that a malicious user could post a link to a specially crafted file into a chatroom to trigger a vulnerability via any attached Colloquy client.

Presumably this behaviour is a deliberate feature; however, at a minimum, it should be possible to disable this behaviour in Colloquy's preferences, and ideally that preference would be off by default.

* Types include pdf, jpg, png & gif. There may be others.

Change History (4)

comment:1 Changed 11 years ago by encro

  • Keywords inline images security style css added
  • Severity changed from major to trivial

This is invalid as it is style dependent.

If you don't want this behaviour change to a different style or alter the css to not render inline.

comment:2 Changed 11 years ago by encro

I agree on a preference to override the style settings though :)

comment:3 Changed 11 years ago by chris..s

Thanks for the advice, I am using the "Fiat" style which uses XSL to manipulate Colloquy's XML. I was able to edit the file and disable the portions which cause the image URLs to be loaded.

This particular style is shipped with Colloquy. I don't reckon that's good, at least not with the image loading portions active.
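As an added, defender-side illustration (not Colloquy's code and not the Fiat style's XSL, about whose structure nothing is assumed here): a Python filter over the HTML fragment a chat style emits that replaces every element which causes an automatic fetch (`img`, `iframe`, `object` and friends) with a plain link, so a URL pasted into a channel is shown but nothing is loaded until the user clicks it. The tag list, the sample markup and the `neutralize` function name are constructed for this example.

```python
"""Neutralise auto-loading elements in rendered chat markup (example code)."""
from html import escape
from html.parser import HTMLParser

# Elements whose mere presence in rendered markup makes a web view fetch a
# remote resource with no user interaction. Constructed list for this example.
AUTOLOAD_TAGS = {"img", "iframe", "object", "embed", "video", "audio", "source"}
# Attributes that carry the remote URL on those elements.
URL_ATTRS = ("src", "data")


class AutoloadNeutralizer(HTMLParser):
    """Copies markup through unchanged, except that auto-loading elements
    become click-to-open links and their tags are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self.rewritten = []  # URLs that were turned into plain links

    def handle_starttag(self, tag, attrs):
        if tag in AUTOLOAD_TAGS:
            url = next((v for k, v in attrs if k in URL_ATTRS and v), None)
            if url is not None:
                self.rewritten.append(url)
                self._out.append(
                    f'<a href="{escape(url, quote=True)}">{escape(url)}</a>')
            return  # the auto-loading element itself is not emitted
        rendered = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs)
        self._out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form, e.g. <img ... />: treat like a start tag only.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in AUTOLOAD_TAGS:
            return  # matching close tag of a dropped element
        self._out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded on input; re-escape on output.
        self._out.append(escape(data, quote=False))

    def result(self):
        return "".join(self._out)


def neutralize(markup):
    """Return (filtered_markup, list_of_rewritten_urls)."""
    parser = AutoloadNeutralizer()
    parser.feed(markup)
    parser.close()
    return parser.result(), parser.rewritten


# Constructed sample of what a style might emit for one chat line whose
# image and PDF URLs were turned into embedded elements by the style.
SAMPLE = ('<div class="message"><span class="member">mallory</span>: look '
          '<img src="http://example.invalid/x.png" alt="x"> &amp; '
          '<iframe src="http://example.invalid/x.pdf"></iframe></div>')

if __name__ == "__main__":
    filtered, urls = neutralize(SAMPLE)
    print(filtered)
    print("rewritten:", urls)
```

The filter rewrites the markup rather than hiding the elements because a hidden `<img>` (for instance via `display: none`) is still fetched by the rendering engine; only removing the auto-loading element from the markup, which is what editing the style's transform achieves, stops the request.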

comment:4 Changed 11 years ago by Rinoa

  • Resolution set to invalid
  • Status changed from new to closed

This is only an issue if you have a style that has inline images. Some people prefer inline images. Switch styles or modify the style to remove the issue.
