Eggdev: The state of eggdrop1.9
takeda at eggheads.w.pl
Fri May 11 23:17:17 CST 2007
Tuesday, April 24, 2007, 4:10:48 PM, you wrote:
> Looks nice, but it would allow binary data in every kind of botnet
> event. Having newlines in nicks, botnames and stuff might just be
> annoying for the users, but could be an endless source of exploits for
> careless script writers. Imagine a simple script that announces a user
> or bot quitting the partyline to an IRC channel:
> Bot test left the botnet: Haha!\nPRIVMSG #channel :Ha, exploit!
I don't think this should be a reason to cripple the botnet protocol.
This is unavoidable, there are a lot of scripts (usually involving
timers) that can kill bot upon receiving text with "[die]" string.
Let's make botnet protocol pass values as they are, and add special
functions (it would also be good to provide them from scripting
languages) that would sanitize the string e.g. special function
ircsanitize that would remove all dangerous characters that shouldn't
be sent to an IRC server.
BTW: I believe putserv/putquick/puthelp are already trimming \n.
putdccraw doesn't but that's why it's called "raw" :)
Derek mailto:takeda at eggheads.w.pl
http://eggdrop.takeda.tk - eggdrop help forum
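
Added example, not part of the original message and not eggdrop's own code: one way the `ircsanitize` helper proposed above could look in C, run over the quit message from the quoted example. The name `irc_sanitize`, its signature and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes that may never appear inside an IRC message: NUL, CR and LF
 * (RFC 1459 section 2.3.1). A CR or LF ends the line early, so the rest
 * of the string would be parsed by the server as a new command. */
static int irc_unsafe(unsigned char c)
{
    return c == '\0' || c == '\r' || c == '\n';
}

/* Hypothetical helper: copy the safe bytes of in[0..in_len) into out,
 * NUL-terminating and never writing more than out_size bytes. Takes an
 * explicit length because botnet values may be binary. Returns how many
 * input bytes were left out (unsafe or truncated), so a caller can log it. */
size_t irc_sanitize(const char *in, size_t in_len, char *out, size_t out_size)
{
    size_t i, o = 0, dropped = 0;

    if (out_size == 0)
        return in_len;
    for (i = 0; i < in_len; i++) {
        if (irc_unsafe((unsigned char)in[i]) || o + 1 >= out_size) {
            dropped++;
            continue;
        }
        out[o++] = in[i];
    }
    out[o] = '\0';
    return dropped;
}

int main(void)
{
    /* Constructed input: the quit message from the quoted example. */
    const char quit_msg[] = "Haha!\nPRIVMSG #channel :Ha, exploit!";
    char clean[512];
    size_t dropped = irc_sanitize(quit_msg, sizeof quit_msg - 1,
                                  clean, sizeof clean);

    /* The announcement now stays on a single IRC line. */
    printf("PRIVMSG #channel :Bot test left the botnet: %s\r\n", clean);
    printf("(left out %lu byte(s))\n", (unsigned long)dropped);
    return 0;
}
```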