Miranda NG Official Community Forum

Forum for English speaking Miranda NG users => Bug reports => Topic started by: Testertime on 08 03 2015, 19:00:33

Title: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Testertime on 08 03 2015, 19:00:33
Hello! I have found a bug in the OTR plugin (wiki.miranda-ng.org/index.php?title=Plugin:MirOTR/en) which isn't very cool, and at first I was confused about it, but found out that it's a bug after all. If someone contacts me and has a new OTR fingerprint, and I'm not verifying it, it is verified after a Miranda NG restart anyway. (look at "Options", "OTR" and "Fingerprints")
I'm using the latest stable version of Miranda NG and the OTR plugin. I had tested the latest unstable development version of Miranda NG and the OTR plugin, but it's the same there. I can confirm the bug both in Windows 7 and Windows XP.

You can also test it by setting a fingerprint to "unknown", and after a program restart it's verified again. Pretty strange. Does anyone have seen this bug before? :-[

Thank you in advance!
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Robyer on 08 03 2015, 20:18:47
Hi Testertime,
I checked it and it's not really a security flaw, but just Miranda's options problem. Really that fingerprint is still untrusted (you can check it by opening /Profiles/<profile>/MirOTR/otr.fingerprints file). It was just wrongly showing it in that list in options. I've just fixed (http://trac.miranda-ng.org/changeset/12371/) that. ;)
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Testertime on 08 03 2015, 23:20:29
Thanks a lot for this very quick answer AND fix! ;D I'm very impressed, and excited to see when it's available at the plugin wiki page. Doesn't seem to have an updated version so far. And good to know that it was only an interface bug.
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Robyer on 09 03 2015, 03:33:52
when it's available at the plugin wiki page. Doesn't seem to have an updated version so far.

Development builds are compiled every day in night time, so today it should be available via Plugin Updater or manual download. :)
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Testertime on 09 03 2015, 23:24:07
I have downloaded the "current" OTR plugin package again, and I can confirm your fix as well now. I'm still amazed of your fast response and fix, I wish I could donate for it now. ;D But a last question, when is it going to be in the stable version?

Thank you again!
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: watcher on 10 03 2015, 08:10:13
Testertime, well - when stable version is released  ;D It might take some time.
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Robyer on 10 03 2015, 11:33:33
I'm still amazed of your fast response and fix, I wish I could donate for it now. ;D

If you want to donate to ME, now you can use link in my signature. Project Miranda NG as a whole doesn't receive donations, but you can donate your own time to help with various stuff :)

And about new stable answered watcher already. Once in a while whole development branch become stable, it's just like that :D
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Testertime on 10 03 2015, 15:19:55
Good to know again! Thank you both Robyer and watcher for your friendly and helpful answers.

And Robyer, you got a small appreciation from me. It's not the world, but I hope it's a very good sign for you that I'm thankful that people with your knowledge care about this project and bug reports. I can't help with coding, but I will at least let you know if I'm seeing a bug again.
Title: Re: BIG flaw in OTR plugin: Unverified fingerprints are verified after a restart
Post by: Robyer on 11 03 2015, 17:51:46
And Robyer, you got a small appreciation from me.
Thank you, I appreciate it :)