Re: [Telepathy] Showing actual image in chat window

2012-06-27 Thread Xavier Claessens
On Wednesday 27 June 2012 at 11:53 +0100, Simon McVittie wrote:
> On 27/06/12 10:56, Mithun Shitole wrote:
> > Thanks for the suggestion. I have successfully modified an Adium theme
> > to show images.
> [...]
> > Are there any security concerns with this approach?
> 
> I'm concerned about the privacy implications of this feature. If the
> owner of example.com wants to find out whether/when you are online, they
> can send you an IM containing a unique image URL, perhaps something like
> this:
> 
> http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg
> 
> and then consult the example.com server logs to find out whether/when
> Empathy retrieves that URL. For maximum evil, the image it served would
> be a 1x1 pixel transparent GIF or PNG, and the text of the message would
> look like something innocent (either a message sent to the wrong
> recipient by mistake, or spam).
> 
> To do this, they do not need to be on your contact list or otherwise
> have your permission.
> 
> This would be partially addressed by only showing the image inline if
> the message's sender has been given permission to see your presence
> (publish = Yes on the ContactList interface).
> 
> There are also potential security implications if the image-loading
> library has an exploitable bug (although that would normally be
> considered to be a security bug anyway), or if dereferencing the URL
> causes code execution or side-effects. For instance, you don't want to
> display a "javascript:" URL, and you might not want to display this:
> 
> https://broken.example.org/delete-all-data.php?confirm=yes&x=.jpg
> 
> (Admittedly, that site is already broken if it contravenes the HTTP spec
> by giving a HTTP GET "unsafe" side-effects, because of e.g. prefetching.)

I would just have an expander, it will load the image only when you
click to "expand" the url or something like that.

Regards,
Xavier Claessens.

___
telepathy mailing list
telepathy@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/telepathy


Re: [Telepathy] Showing actual image in chat window

2012-06-27 Thread Simon McVittie
On 27/06/12 10:56, Mithun Shitole wrote:
> Thanks for the suggestion. I have successfully modified an Adium theme
> to show images.
[...]
> Are there any security concerns with this approach?

I'm concerned about the privacy implications of this feature. If the
owner of example.com wants to find out whether/when you are online, they
can send you an IM containing a unique image URL, perhaps something like
this:

http://example.com/track/f8177982-3da3-4936-886d-bd8c84dce6f9.jpg

and then consult the example.com server logs to find out whether/when
Empathy retrieves that URL. For maximum evil, the image it served would
be a 1x1 pixel transparent GIF or PNG, and the text of the message would
look like something innocent (either a message sent to the wrong
recipient by mistake, or spam).

To do this, they do not need to be on your contact list or otherwise
have your permission.

This would be partially addressed by only showing the image inline if
the message's sender has been given permission to see your presence
(publish = Yes on the ContactList interface).

There are also potential security implications if the image-loading
library has an exploitable bug (although that would normally be
considered to be a security bug anyway), or if dereferencing the URL
causes code execution or side-effects. For instance, you don't want to
display a "javascript:" URL, and you might not want to display this:

https://broken.example.org/delete-all-data.php?confirm=yes&x=.jpg

(Admittedly, that site is already broken if it contravenes the HTTP spec
by giving a HTTP GET "unsafe" side-effects, because of e.g. prefetching.)

S


Re: [Telepathy] Showing actual image in chat window

2012-06-27 Thread Xavier Claessens
On Wednesday 27 June 2012 at 15:26 +0530, Mithun Shitole wrote:
> On Wed, May 2, 2012 at 1:12 PM, Danielle Madeley
>  wrote:
> > On Wed, 2012-05-02 at 09:38 +0200, Guillaume Desmottes wrote:
> >
> >> If you just want to play with the code and try a quick hack, this
> >> shouldn't be hard to do by hacking the Adium theme code
> >> libempathy-gtk/empathy-theme-adium.c
> >> But of course you'll have to use an Adium theme to test.
> >
> > You could probably do this in Javascript in an Adium theme. Although
> > I've never tried to hit the network from an Adium theme.
> >
> 
> Thanks for the suggestion. I have successfully modified an Adium theme
> to show images. It works great.
> You can find code here https://gist.github.com/3003033 .

That's an amazing idea! I've a few comments though:

1) Empathy ships a default template but each theme could ship their own.
So adding custom JS into the template is not a good idea, it won't apply
to all themes. The same idea is totally doable as C code in
empathy-theme-adium.c. We already have there code that parses message
to detect URL and transform them with a  tag. Must be trivial to
check if the URL already detected has ".jpg" suffix and then add an
 tag. The magic happens in empathy_string_replace_link() in
empathy-webkit-utils.c and empathy-string-parser.c.

2) You should add  tag as well, so clicking the image still opens the
URL for full size.

3) max-width depends on the size of the chat window.

4) For video shouldn't you put  tag instead of  ? I don't
know how that works...

5) Bonus point for supporting embedding youtube player!!!

6) I guess enabling that should be an option in empathy preferences.

Regards,
Xavier Claessens.
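
The suffix check from point 1, combined with the concerns Simon McVittie raises in his reply (non-HTTP schemes such as "javascript:", a ".jpg" that only appears in the query string, and senders without publish = Yes), as an added example that is not Empathy code. The enum, the function names and the `sender_can_see_presence` flag (which the caller would look up) are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical policy outcomes; these names are not Empathy API. */
typedef enum { EMBED_NEVER, EMBED_ON_CLICK, EMBED_AUTO } embed_policy;

/* Length of an allowed scheme prefix, or 0 for anything else. */
static size_t http_scheme_len(const char *url)
{
    if (strncasecmp(url, "https://", 8) == 0) return 8;
    if (strncasecmp(url, "http://", 7) == 0) return 7;
    return 0;   /* javascript:, data:, file:, ... stay plain text/links */
}

/* True if the path (query and fragment excluded) ends in an image suffix. */
static int path_has_image_suffix(const char *path, size_t len)
{
    static const char *const exts[] = { ".jpg", ".jpeg", ".png", ".gif" };
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++) {
        size_t n = strlen(exts[i]);
        if (len > n && strncasecmp(path + len - n, exts[i], n) == 0)
            return 1;
    }
    return 0;
}

/* sender_can_see_presence: assumed to be the caller's lookup of
 * "publish = Yes" for the message sender. */
embed_policy classify_image_url(const char *url, int sender_can_see_presence)
{
    size_t skip;
    const char *path;

    if (url == NULL || (skip = http_scheme_len(url)) == 0)
        return EMBED_NEVER;
    /* The authority ends at the first '/', '?' or '#'; require a real path
     * so that "http://host?x=/a.jpg" is not mistaken for an image path. */
    path = url + skip + strcspn(url + skip, "/?#");
    if (*path != '/')
        return EMBED_NEVER;
    if (!path_has_image_suffix(path, strcspn(path, "?#")))
        return EMBED_NEVER;
    /* Other senders get a click-to-expand placeholder, so nothing is
     * fetched until the user asks for it. */
    return sender_can_see_presence ? EMBED_AUTO : EMBED_ON_CLICK;
}
```

A matching suffix says nothing about the bytes the server returns, so the image decoder still handles untrusted data.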



Re: [Telepathy] Showing actual image in chat window

2012-06-27 Thread Guillaume Desmottes
On Wednesday 27 June 2012 at 15:26 +0530, Mithun Shitole wrote:
> Thanks for the suggestion. I have successfully modified an Adium theme
> to show images. It works great.
> You can find code here https://gist.github.com/3003033 .
> 
> I tried videos too but it just plays audio.
> 
> Are there any security concerns with this approach?

Oh that's cool!

Danielle is porting the old chat themes to Adium
( https://bugzilla.gnome.org/show_bug.cgi?id=645921 ) maybe that's
something we could include?

Also, we'd like to have a nice new GNOME 3 spirit default theme
( https://bugzilla.gnome.org/show_bug.cgi?id=645920 ) maybe that's
something you'd be interested working on?


G.



Re: [Telepathy] Showing actual image in chat window

2012-06-27 Thread Mithun Shitole
On Wed, May 2, 2012 at 1:12 PM, Danielle Madeley
 wrote:
> On Wed, 2012-05-02 at 09:38 +0200, Guillaume Desmottes wrote:
>
>> If you just want to play with the code and try a quick hack, this
>> shouldn't be hard to do by hacking the Adium theme code
>> libempathy-gtk/empathy-theme-adium.c
>> But of course you'll have to use an Adium theme to test.
>
> You could probably do this in Javascript in an Adium theme. Although
> I've never tried to hit the network from an Adium theme.
>

Thanks for the suggestion. I have successfully modified an Adium theme
to show images. It works great.
You can find code here https://gist.github.com/3003033 .

I tried videos too but it just plays audio.

Are there any security concerns with this approach?


Re: [Telepathy] Showing actual image in chat window

2012-05-02 Thread Xavier Claessens
On Wednesday 02 May 2012 at 17:42 +1000, Danielle Madeley wrote:
> On Wed, 2012-05-02 at 09:38 +0200, Guillaume Desmottes wrote:
> 
> > If you just want to play with the code and try a quick hack, this
> > shouldn't be hard to do by hacking the Adium theme code
> > libempathy-gtk/empathy-theme-adium.c
> > But of course you'll have to use an Adium theme to test.
> 
> You could probably do this in Javascript in an Adium theme. Although
> I've never tried to hit the network from an Adium theme.

It works just fine, back in the days it didn't escape received msg, you
could send a  and display a full web page into anyone's chat
window :D



Re: [Telepathy] Showing actual image in chat window

2012-05-02 Thread Danielle Madeley
On Wed, 2012-05-02 at 09:38 +0200, Guillaume Desmottes wrote:

> If you just want to play with the code and try a quick hack, this
> shouldn't be hard to do by hacking the Adium theme code
> libempathy-gtk/empathy-theme-adium.c
> But of course you'll have to use an Adium theme to test.

You could probably do this in Javascript in an Adium theme. Although
I've never tried to hit the network from an Adium theme.

-- 
Danielle Madeley
Senior Software Engineer, Collabora Ltd.

www.collabora.co.uk



Re: [Telepathy] Showing actual image in chat window

2012-05-02 Thread Guillaume Desmottes
On Tuesday 01 May 2012 at 19:42 +0530, Mithun Shitole wrote:
> Hi,

Hi there,

> I have downloaded the empathy source and compiled it successfully.
> 
> I want to add a small feature where if message contains image link,
> actual image should be displayed instead of link.
> 
> What I think is I need to check if there is link in message body and
> then put a  tag around it.

How would you detect that a link is actually an image and not, say, a
webpage?

I think the proper way to do this is to use formatted messages but
that's currently not implemented in Telepathy:
https://bugs.freedesktop.org/show_bug.cgi?id=15449

If you just want to play with the code and try a quick hack, this
shouldn't be hard to do by hacking the Adium theme code
libempathy-gtk/empathy-theme-adium.c
But of course you'll have to use an Adium theme to test.


Regards,


G.





[Telepathy] Showing actual image in chat window

2012-05-01 Thread Mithun Shitole
Hi,

I have downloaded the empathy source and compiled it successfully.

I want to add a small feature where if message contains image link,
actual image should be displayed instead of link.

What I think is I need to check if there is link in message body and
then put a  tag around it.

But I am not able to find the relevant part of the code.

I am new to gtk c programming.

Thanks,
Mithun