diff options
author | Giuseppe Bilotta <giuseppe.bilotta@gmail.com> | 2010-02-10 01:25:08 +0100 |
---|---|---|
committer | Giuseppe Bilotta <giuseppe.bilotta@gmail.com> | 2010-02-10 01:28:43 +0100 |
commit | a9565be1c9d5549b1cbc058bb0a097011e1dd778 (patch) | |
tree | 86b90a3dce1d690a9f89e903e5e14ac424ea7982 | |
parent | 66320ea8e89492b6815bcd4a2f942c7cd70afa44 (diff) |
react: restrict command reactions by default
Anybody can create a dangerous reaction, and then trick the owner into
triggering it.
Credits to apoc for spotting this.
-rw-r--r-- | data/rbot/plugins/reaction.rb | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/data/rbot/plugins/reaction.rb b/data/rbot/plugins/reaction.rb index 6636cfb4..0de9b847 100644 --- a/data/rbot/plugins/reaction.rb +++ b/data/rbot/plugins/reaction.rb @@ -301,6 +301,12 @@ class ReactionPlugin < Plugin } end + def can_add?(m, reaction) + return false if reaction.act == :ruby and @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel) + return false if reaction.act == :cmd and @bot.auth.permit?(m.source, "reaction::react::cmd", m.channel) + return true + end + def handle_add(m, params) trigger = params[:trigger].to_s reply = params[:reply].to_s @@ -324,19 +330,23 @@ class ReactionPlugin < Plugin found = reaction.find_reply(reply) if found # ruby replies need special permission - if found.act != :ruby or @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel) + if can_add?(m, found) found.pct = pct found.author = m.sourcenick found.date = Time.now found.channel = m.channel else - m.reply _("Sorry, you're not allowed to change ruby replies here") + m.reply _("Sorry, you're not allowed to change %{act} replies here") % { + :act => found.act + } return end else found = reaction.add_reply(reply, pct, m.sourcenick, Time.now, m.channel) - if found.act == :ruby and not @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel) - m.reply _("Sorry, you're not allowed to add ruby replies here") + if can_add?(m, found) + m.reply _("Sorry, you're not allowed to add %{act} replies here") % { + :act => found.act + } reaction.rm_reply(reaction.replies.length) if new_reaction @reactions.delete(reaction) @@ -438,6 +448,8 @@ plugin.map plugin.add_syntax, :action => 'handle_add', # ruby reactions are security holes, so give stricter permission plugin.default_auth('react::ruby', false) +# cmd reactions can be security holes too +plugin.default_auth('react::cmd', false) plugin.map 'reaction list [:page]', :action => 'handle_list', :requirements => { :page => /^\d+$/ } |