Eggdev: The state of eggdrop1.9

Derek Kuliński takeda at eggheads.w.pl
Fri May 11 23:17:17 CST 2007


Hello Sven,

Tuesday, April 24, 2007, 4:10:48 PM, you wrote:

> Looks nice, but it would allow binary data in every kind of botnet
> event. Having newlines in nicks, botnames and stuff might just be
> annoying for the users, but could be an endless source of exploits for
> careless script writers. Imagine a simple script that announces a user
> or bot quitting the partyline to an IRC channel:
> Bot test left the botnet: Haha!\nPRIVMSG #channel :Ha, exploit!

I don't think this should be a reason to cripple the botnet protocol.
This is unavoidable; there are a lot of scripts (usually involving
timers) that can kill the bot upon receiving text with the "[die]" string.

Let's make the botnet protocol pass values as they are, and add special
functions (it would also be good to provide them from scripting
languages) that would sanitize the string, e.g. a special function
ircsanitize that would remove all dangerous characters that shouldn't
be sent to an IRC server.

BTW: I believe putserv/putquick/puthelp are already trimming \n.
putdccraw doesn't, but that's why it's called "raw" :)

-- 
Best regards,
 Derek                            mailto:takeda at eggheads.w.pl
http://eggdrop.takeda.tk - eggdrop help forum
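
The sanitizing approach proposed in this message, sketched in C as an added example that is not part of the original message or of eggdrop's code. `ircsanitize` is the name the message suggests; its signature, `irc_command_count` and `announce_quit` are hypothetical, and the input is the quit reason from the quoted example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an eggdrop API. Copies src to dst without CR, LF
 * and NUL; takes a length because botnet values may be binary. Returns bytes written. */
size_t ircsanitize(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    size_t i, o = 0;
    if (dstlen == 0) return 0;
    for (i = 0; i < srclen && o + 1 < dstlen; i++)
        if (src[i] != '\r' && src[i] != '\n' && src[i] != '\0')
            dst[o++] = src[i];
    dst[o] = '\0';
    return o;
}

/* Number of commands an IRC server would read from buf (non-empty CR/LF-separated segments). */
int irc_command_count(const char *buf)
{
    int n = 0, in_line = 0;
    for (; *buf; buf++) {
        int eol = (*buf == '\r' || *buf == '\n');
        if (!eol && !in_line) n++;
        in_line = !eol;
    }
    return n;
}

/* The announcing script from the quoted example; sanitize selects whether botnet values are cleaned. */
int announce_quit(char *out, size_t outlen, const char *bot, const char *reason, int sanitize)
{
    char b[64], r[256];
    if (sanitize) {
        ircsanitize(b, sizeof b, bot, strlen(bot));
        ircsanitize(r, sizeof r, reason, strlen(reason));
        bot = b; reason = r;
    }
    snprintf(out, outlen, "PRIVMSG #channel :Bot %s left the botnet: %s\r\n", bot, reason);
    return irc_command_count(out);
}

int main(void)
{
    char out[512];
    const char *reason = "Haha!\nPRIVMSG #channel :Ha, exploit!"; /* from the quoted message */
    printf("as received: %d command(s)\n", announce_quit(out, sizeof out, "test", reason, 0));
    printf("sanitized:   %d command(s)\n", announce_quit(out, sizeof out, "test", reason, 1));
    return 0;
}
```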



