List:       irssi-users
Subject:    Re: Better user input filtering for a bot?
From:       Wouter Coekaerts <wouter () coekaerts ! be>
Date:       2011-02-13 20:36:30
Message-ID: AANLkTi=YAx0V3mzkU4=6+Oq1c1H5=psVTbTsJQULY-gq () mail ! gmail ! com

On Sat, Feb 12, 2011 at 7:42 PM, un dead <q3urt.undead@gmail.com> wrote:
> Anyway, I need a better filter function for user input.  Does anyone
> have something that I could use (FreeBSD license compatible)?  I want
> to accept as much user information as possible without making the bot
> vulnerable.  For instance, it has to filter newlines just in case a
> user somehow inserts one because that can cause it to insert commands.
>  The problem is that I don't know all of the possible vulnerable
> character sequences for irssi.  Newline appears to be one.

If your input is coming from IRC, then of course it can't contain a
newline to start, so nothing to do.
Otherwise both \r and \n need to be filtered out.
Since Irssi 0.8.11 irssi automatically filters out these in
server->command, but apparently not in server->send_message which
you're using.

Another character to be careful with is \x01 (ctrl-A), as it is used
for ctcp. Most clients only treat it as special if it's the first
character of a line, some others (eggdrop if I remember correctly)
treat it anywhere in the message, so best to be safe and strip it
anywhere.

Of course, if you're passing the text to anything else (e.g. to Irssi
commands such as eval or exec), there's more filtering to do.
Except for that, security-wise there's really nothing that needs
filtering (as long as you're not using them as arguments to commands
like eval or exec).

> You could consider color/formatting another since it can break what I try to do.

It's surprisingly difficult to find an overview of all characters
involved in formatting. Googling around, most regexps to strip colors
are missing a few (maybe because not all clients recognize them).
Looking at it again, even the regex I wrote in trigger.pl's examples
isn't complete. Taking a shot at building a more complete list:
\x02: bold
\x03: start color code. You may also want to strip out the color after
it, e.g. with regex \x03\d?\d?(,\d\d?)?
\x04: irssi's internal formatting
\x06: flash
\x0f: reset all colors
\x16: invert
\x1b: start of ansi color code. I don't have a regexp to also filter
out the rest of such a color code
\x1f: underline


Combining all of the above (untested):
\r|\n|\x01|\x02|\x03\d?\d?(,\d\d?)?|\x04|\x06|\x0f|\x16|\x1b|\x1f

Corrections/additions to that are welcome :)

Regards,

Wouter.
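
The combined pattern from the message above, applied as a filter function to constructed input. This is an added example, not part of the original message and not code from irssi. The name sanitize_for_irc, the sample strings and the branch that removes a whole ANSI "ESC [ ... m" sequence are assumptions of this example; the message itself only strips the bare \x1b.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters listed in the message above. The ANSI SGR branch is an
# addition of this example; everything else mirrors the combined regex.
my $STRIP = qr/
      [\r\n]                             # line breaks: would start a new IRC command
    | \x01                               # CTCP delimiter, stripped anywhere in the text
    | \x03 [0-9]{0,2} (?: ,[0-9]{1,2} )? # colour code plus optional fg,bg digits
    | \x1b \[ [0-9;]* m                  # assumption: complete ANSI colour sequence
    | [\x02\x04\x06\x0f\x16\x1b\x1f]     # remaining formatting bytes, incl. bare ESC
/x;

# Hypothetical helper: returns the text with all of the above removed.
sub sanitize_for_irc {
    my ($text) = @_;
    $text =~ s/$STRIP//g;
    return $text;
}

# Constructed sample inputs, one per class of character discussed above.
my @samples = (
    "hello\r\nQUIT :injected",                      # CR LF followed by a second command
    "say \x01ACTION waves\x01",                     # ctrl-A in the middle of a line
    "\x02bold\x02 \x034,12red on blue\x03 \x1fu\x1f\x0f",
    "\x1b[1;31mansi red\x1b[0m plain",
);

for my $s (@samples) {
    my $clean = sanitize_for_irc($s);

    # None of the listed control bytes may survive the filter.
    die "control byte survived in: $clean\n"
        if $clean =~ /[\r\n\x01-\x04\x06\x0f\x16\x1b\x1f]/;

    # Show the raw input with non-printable bytes escaped.
    (my $shown = $s) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-62s -> %s\n", $shown, $clean;
}
```

With the newlines removed, the first sample collapses to a single line of text ("helloQUIT :injected"), so it can no longer be sent as a second command.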

