| commit | 0cfc123862628d36e35eb730b7978dc316233a03 | |
| author | Jakub Adam <jakub.adam@ktknet.cz> | |
| Thu, 20 Jul 2017 17:35:37 +0000 (20 19:35 +0200) | ||
| committer | Jakub Adam <jakub.adam@ktknet.cz> | |
| Wed, 26 Jul 2017 09:43:10 +0000 (26 11:43 +0200) | ||
| tree | 2436904324ef207a726913cc73dcffca73c033b4 | treesnapshot (tar.gz zip) |
| parent | 5c8efaa250586d7bdee02bad0d4b0bddb2a0950d | commitdiff |
buddy: don't load images from web by default
As pointed out on #pidgin freenode, downloading photos from custom web
URIs may pose a security risk as people may abuse the functionality by
setting remote-execution vulnerability exploits as a profile picture,
or simply for IP harvesting. Therefore, don't let Sipe download pictures
from unknown sites by default. Purple backend users can enable custom
photos (with all the potential consequences) in account settings.
This change shouldn't affect Office 365 buddy icons implemented in 9cbc1179
as those have type="exchange" in <photo> contact card element.
As pointed out on #pidgin freenode, downloading photos from custom web
URIs may pose a security risk as people may abuse the functionality by
setting remote-execution vulnerability exploits as a profile picture,
or simply for IP harvesting. Therefore, don't let Sipe download pictures
from unknown sites by default. Purple backend users can enable custom
photos (with all the potential consequences) in account settings.
This change shouldn't affect Office 365 buddy icons implemented in 9cbc1179
as those have type="exchange" in <photo> contact card element.