authorGiuseppe Bilotta <giuseppe.bilotta@gmail.com>2010-02-10 01:25:08 +0100
committerGiuseppe Bilotta <giuseppe.bilotta@gmail.com>2010-02-10 01:28:43 +0100
commita9565be1c9d5549b1cbc058bb0a097011e1dd778 (patch)
tree86b90a3dce1d690a9f89e903e5e14ac424ea7982
parent66320ea8e89492b6815bcd4a2f942c7cd70afa44 (diff)
react: restrict command reactions by default
Anybody can create a dangerous reaction, and then trick the owner into triggering it. Credits to apoc for spotting this.
-rw-r--r--data/rbot/plugins/reaction.rb20
1 files changed, 16 insertions, 4 deletions
diff --git a/data/rbot/plugins/reaction.rb b/data/rbot/plugins/reaction.rb
index 6636cfb4..0de9b847 100644
--- a/data/rbot/plugins/reaction.rb
+++ b/data/rbot/plugins/reaction.rb
@@ -301,6 +301,12 @@ class ReactionPlugin < Plugin
}
end
+ def can_add?(m, reaction)
+ return false if reaction.act == :ruby and @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel)
+ return false if reaction.act == :cmd and @bot.auth.permit?(m.source, "reaction::react::cmd", m.channel)
+ return true
+ end
+
def handle_add(m, params)
trigger = params[:trigger].to_s
reply = params[:reply].to_s
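Review bot: The predicate in `can_add?` is inverted: each guard returns false when `@bot.auth.permit?` succeeds, so a user who holds `reaction::react::ruby` or `reaction::react::cmd` is refused while a user who lacks it passes. Each guard needs a negation, e.g. `return false if reaction.act == :ruby and not @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel)` and the same for the `:cmd` line. The two call sites in the next hunk also disagree on polarity: the modify path treats a true result as permission, while the add path treats it as denial and then removes the reply, which with the current predicate rejects every new reply whose act is neither `:ruby` nor `:cmd`; once the predicate is corrected, the add path should read `unless can_add?(m, found)`. A one-line comment on the method, such as `# true when m.source may add or change a reply of this act in m.channel`, would make the intended polarity explicit for both callers.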
@@ -324,19 +330,23 @@ class ReactionPlugin < Plugin
found = reaction.find_reply(reply)
if found
# ruby replies need special permission
- if found.act != :ruby or @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel)
+ if can_add?(m, found)
found.pct = pct
found.author = m.sourcenick
found.date = Time.now
found.channel = m.channel
else
- m.reply _("Sorry, you're not allowed to change ruby replies here")
+ m.reply _("Sorry, you're not allowed to change %{act} replies here") % {
+ :act => found.act
+ }
return
end
else
found = reaction.add_reply(reply, pct, m.sourcenick, Time.now, m.channel)
- if found.act == :ruby and not @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel)
- m.reply _("Sorry, you're not allowed to add ruby replies here")
+ if can_add?(m, found)
+ m.reply _("Sorry, you're not allowed to add %{act} replies here") % {
+ :act => found.act
+ }
reaction.rm_reply(reaction.replies.length)
if new_reaction
@reactions.delete(reaction)
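Review bot: The unchanged comment `# ruby replies need special permission` just above the new `can_add?` call now understates the check, which also gates `:cmd` replies; `# ruby and cmd replies need special permission` keeps it accurate. handle_add starts before this hunk and continues past its end.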
@@ -438,6 +448,8 @@ plugin.map plugin.add_syntax, :action => 'handle_add',
# ruby reactions are security holes, so give stricter permission
plugin.default_auth('react::ruby', false)
+# cmd reactions can be security holes too
+plugin.default_auth('react::cmd', false)
plugin.map 'reaction list [:page]', :action => 'handle_list',
:requirements => { :page => /^\d+$/ }