Unproxied HTTP request
An unproxied call to urllib2.Request in ./src/htmltextview.py is made on line 500 in the HtmlHandler class:
req = urllib2.Request(attrs['src'])
This can be used for all sorts of nasty shit. First of all the attrs['src'] should be sanitized, but the urllib2 should also use the proxy context of the current account.
Steps to reproduce
Send an image with a URL
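One way to do what the report asks, as an added example (not Gajim's code and not part of the ticket): validate the src value and build the opener from the account's proxy settings, refusing the fetch when the proxy cannot be honoured instead of connecting directly. It uses Python 3's urllib.request, the successor to urllib2; the proxy dict layout, the function names and the size limit are assumptions.

```python
import urllib.request
from urllib.parse import urlsplit

MAX_IMAGE_BYTES = 2 * 1024 * 1024  # constructed limit for this example


class FetchRefused(Exception):
    """The image must not be fetched."""


def check_image_url(src):
    """Return src unchanged if it is a plain http(s) URL, else raise."""
    try:
        parts = urlsplit(src)
        parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise FetchRefused("malformed URL") from exc
    if parts.scheme not in ("http", "https"):
        raise FetchRefused("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise FetchRefused("missing host or embedded credentials")
    return src


def proxy_map_for_account(proxy):
    """Map the account proxy (hypothetical dict layout) to urllib's format."""
    if proxy is None:
        return {}  # empty map: direct connection, environment proxies ignored
    if proxy["type"] == "http":
        url = "http://%s:%d" % (proxy["host"], proxy["port"])
        return {"http": url, "https": url}
    # urllib has no SOCKS support; refuse rather than connect directly
    raise FetchRefused("cannot honour %s proxy" % proxy["type"])


def fetch_image(src, proxy, timeout=10):
    """Fetch src through the account proxy, or raise FetchRefused."""
    handler = urllib.request.ProxyHandler(proxy_map_for_account(proxy))
    opener = urllib.request.build_opener(handler)
    with opener.open(check_image_url(src), timeout=timeout) as resp:
        data = resp.read(MAX_IMAGE_BYTES + 1)
    if len(data) > MAX_IMAGE_BYTES:
        raise FetchRefused("image too large")
    return data
```

urllib's default redirect handler still follows redirects, so a caller that needs every hop validated would add its own HTTPRedirectHandler subclass.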
I'd like to suggest that using a SOCKS proxy with urllib2 is a better idea - something like this: https://github.com/ln5/twisted-socks
Using curl means that the client isn't pure Python and that's part of the appeal with Gajim - I trust Python code for parsing URLs a lot more than C code.
It seems possible to set a SOCKS proxy with urllib2:
http://stackoverflow.com/questions/2537726/using-urllib2-with-socks-proxy
http://stackoverflow.com/questions/2317849/how-can-i-use-a-socks-4-5-proxy-with-urllib2
Anything that results in pure Python seems like a better choice - it keeps the attack surface smaller.
Replying to [comment:3 asterix]:
> socksipy doesn't support authentication with HTTP proxies, it's blocker: While you connect Gajim is blocked, and it's
Do you mean that a user might be behind an HTTP proxy and they need to connect to the SOCKS proxy after the HTTP proxy?
I'm not sure that this use case is very common?
> not maintained since 2006.
It works and is finished, I believe.
Could you try to use the attached patch and tell me if that works?
Yes, I can try later today and report back.