Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#11506 closed defect (fixed)

Remote image fetching when decoding HTML from XMPP reveals IP address

Reported by: am Owned by: evands
Milestone: Component: Adium Core
Version: 1.4hg Severity: regression
Keywords: Cc:
Patch Status:


In [25376], Evan wrote that AIHTMLDecoder automatically fetches images referenced in HTML it is asked to decode. Since AIHTMLDecoder is used for XMPP, this is a problem. XMPP strictly avoids giving out the user's IP address. If an attacker embeds an image to a server where the attacker has access to the web server logs, the user's IP is leaked automatically.

Ideally, something like in Apple Mail should be used (where the user can decide whether to download the images by pressing a button in the message view).

Change History (6)

comment:1 Changed 8 years ago by Robby

  • Milestone set to Adium 1.4

comment:2 Changed 8 years ago by zacw

  • Summary changed from IP leak in [25376]? to Remote image fetching when decoding HTML from XMPP reveals IP address


The relevant code:

		if ([arg caseInsensitiveCompare:@"src"] == NSOrderedSame) {
			NSString	*src = [inArgs objectForKey:arg];
			NSURL		*url;
			if ([src rangeOfString:@"://"].location != NSNotFound) {
				url = (baseURL ?
					   [NSURL URLWithString:src relativeToURL:[NSURL URLWithString:baseURL]] :
					   [NSURL URLWithString:src]);
			} else {
				url = [NSURL fileURLWithPath:(baseURL ?
											  [baseURL stringByAppendingPathComponent:src] :
			if (url && ![url isFileURL]) {
				NSData *data = [NSData dataWithContentsOfURL:url];
				//Arbitrary image extension; it just needs to have one.
				src = [[NSTemporaryDirectory() stringByAppendingPathComponent:[NSString randomStringOfLength:8]] stringByAppendingPathExtension:@"png"];
				[data writeToFile:src
			} else {
				src = [url path];
				if (inBaseURL && ![[NSFileManager defaultManager] fileExistsAtPath:src])
					src = [inBaseURL stringByAppendingPathComponent:src];

			[attachment setPath:src];

comment:3 Changed 8 years ago by zacw

  • Severity changed from normal to major

comment:4 Changed 8 years ago by zacw

  • Severity changed from major to regression

Going to go ahead and bump this up to regression. Will probably have to add yet-another-HTML-decoder-option to prevent it for normal messages. Alternatively, does the facebook prpl (which I believe is why this was added) still need the external fetching now that we use the pidgin plugin?

comment:5 Changed 8 years ago by Zachary West <zacw@…>

  • Resolution set to fixed
  • Status changed from new to closed

(In d346422b5e36) Replace remote-<img/> tags with a link to their destination. Fixes #11506 (which existed before Evan's change, I think).

comment:6 Changed 8 years ago by Robby

  • Milestone Adium 1.4 deleted
Note: See TracTickets for help on using tickets.