From bdc4f4009052df3a6e7a0532ba6b2859b34cf9e2 Mon Sep 17 00:00:00 2001 From: danieldg Date: Tue, 15 Sep 2009 16:24:17 +0000 Subject: Fix quoting in permchannels DB, discovered by jackmcbarn (could result in command execution) git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@11726 e03df62e-2008-0410-955e-edbf42e46eb7 --- src/modules/m_permchannels.cpp | 37 ++++++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/src/modules/m_permchannels.cpp b/src/modules/m_permchannels.cpp index e27b2cf9c..a0b2adea2 100644 --- a/src/modules/m_permchannels.cpp +++ b/src/modules/m_permchannels.cpp @@ -43,16 +43,43 @@ static bool WriteDatabase() } // Now, let's write. - Channel *c = NULL; - for (chan_hash::const_iterator i = ServerInstance->chanlist->begin(); i != ServerInstance->chanlist->end(); i++) { - c = i->second; + Channel* chan = i->second; + if (!chan->IsModeSet('P')) + continue; - if (c->IsModeSet('P')) + char line[1024]; + const char* items[] = { - fprintf(f, "\n", c->name.c_str(), c->topic.c_str(), c->ChanModes(true)); + "\n" + }; + + int lpos = 0, item = 0, ipos = 0; + while (lpos < 1022 && item < 7) + { + char c = items[item][ipos++]; + if (c == 0) + { + // end of this string; hop to next string, insert a quote + item++; + ipos = 0; + c = '"'; + } + else if (c == '\\' || c == '"') + { + line[lpos++] = '\\'; + } + line[lpos++] = c; } + line[--lpos] = 0; + fputs(line, f); } int write_error = 0; -- cgit v1.2.3