
Re: Security: Be careful with StarDict!



On 2025-08-04 08:43:54 +0200, Klaus Singvogel wrote:
> Hi Vincent,
> 
> Vincent Lefevre wrote:
> > Be careful with StarDict! By default, when the application is running,
> > it sends whatever the user selects (from other applications) to
> > Chinese servers!
> 
> Thanks for your warning.
> 
> Do you have more details?
> ▷ Which function in the code?

This is due to some plugin(s). At least the stardict_youdaodict plugin.

> ▷ Which Chinese server?

dict.youdao.com and dict.cn.

For instance, when I select "relation" in some application,
an strace on stardict shows:

911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171

and

911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164

Note also that this is transmitted via HTTP only, thus not encrypted
on the network. So someone closer to the user might also be able to
see the data.

> Reason is, that many years ago this misbehaviour was already fixed.
> • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731

Here, this is even worse (or bug 534731 was incomplete): one does not
have to copy data to the clipboard. User selections are immediately
scanned (the PRIMARY selection, I suppose).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
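
An added example (not part of the original message): a short Python parser that pulls the host and query parameters out of readable HTTP requests in `strace` `write()` lines, run here on the two lines quoted above. The function and variable names are assumptions of this example, and it does not check that the file descriptor is a network socket.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two write() lines quoted in the message above, kept as raw strace text.
STRACE_LINES = r'''
911565 write(16, "GET HTTP://dict.youdao.com/fsearch?q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.youdao.com\r\nConnection: close\r\n\r\n", 171) = 171
911565 write(17, "GET HTTP://dict.cn/ws.php?utf8=true&q=relation HTTP/1.0\r\nUser-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)\r\nAccept: */*\r\nHost: dict.cn\r\nConnection: close\r\n\r\n", 164) = 164
'''

# Optional PID prefix (present with strace -f), then the fd and the quoted buffer.
WRITE_RE = re.compile(r'^(?:(?P<pid>\d+)\s+)?write\((?P<fd>\d+), "(?P<buf>(?:[^"\\]|\\.)*)"')
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d\r\n')

def unescape(buf):
    # strace prints buffers as ASCII with C-style escapes (\r, \n, \303, ...).
    raw = buf.encode("ascii").decode("unicode_escape").encode("latin-1")
    return raw.decode("utf-8", "replace")

def plaintext_http_requests(strace_text):
    """Return host and query parameters of each HTTP request readable in a write() buffer."""
    hits = []
    for line in strace_text.splitlines():
        w = WRITE_RE.match(line.strip())
        if not w:
            continue
        payload = unescape(w["buf"])
        req = REQUEST_RE.match(payload)
        if not req:
            continue  # not a readable HTTP request (e.g. TLS records or other data)
        headers = {}
        for h in payload.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        url = urlsplit(req["target"])
        hits.append({
            "pid": w["pid"], "fd": int(w["fd"]), "method": req["method"],
            # An absolute-form target carries the host; otherwise use the Host header.
            "host": (url.hostname or headers.get("host", "")).lower(),
            "path": url.path,
            "params": parse_qs(url.query),
        })
    return hits

if __name__ == "__main__":
    for hit in plaintext_http_requests(STRACE_LINES):
        print(hit)
```

A request that shows up readable in a `write()` buffer was handed to the kernel without TLS, which is the point made in the message about the data being visible on the network.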

