From 45ecc205ff8a2e166d66b7e5f09bd3fc4064f428 Mon Sep 17 00:00:00 2001
From: StalkR
Date: Wed, 6 Mar 2013 22:46:10 +0100
Subject: [PATCH] client: commands: protection against IRC command injection

---
 client/commands.go | 39 +++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/client/commands.go b/client/commands.go
index a47c687..8cdecb4 100644
--- a/client/commands.go
+++ b/client/commands.go
@@ -9,23 +9,30 @@ import "strings"
 // the symbol table and add methods/functions on the fly
 // [ CMD, FMT, FMTARGS ] etc.
 
+// safe removes CR/LF to avoid IRC command injection.
+func safe(s string) string {
+	s = strings.Replace(s, "\r", "", -1)
+	s = strings.Replace(s, "\n", "", -1)
+	return s
+}
+
 // Raw() sends a raw line to the server, should really only be used for
 // debugging purposes but may well come in handy.
 func (conn *Conn) Raw(rawline string) { conn.out <- rawline }
 
 // Pass() sends a PASS command to the server
-func (conn *Conn) Pass(password string) { conn.out <- "PASS " + password }
+func (conn *Conn) Pass(password string) { conn.out <- safe("PASS " + password) }
 
 // Nick() sends a NICK command to the server
-func (conn *Conn) Nick(nick string) { conn.out <- "NICK " + nick }
+func (conn *Conn) Nick(nick string) { conn.out <- safe("NICK " + nick) }
 
 // User() sends a USER command to the server
 func (conn *Conn) User(ident, name string) {
-	conn.out <- "USER " + ident + " 12 * :" + name
+	conn.out <- safe("USER " + ident + " 12 * :" + name)
 }
 
 // Join() sends a JOIN command to the server
-func (conn *Conn) Join(channel string) { conn.out <- "JOIN " + channel }
+func (conn *Conn) Join(channel string) { conn.out <- safe("JOIN " + channel) }
 
 // Part() sends a PART command to the server with an optional part message
 func (conn *Conn) Part(channel string, message ...string) {
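Review bot: `safe` filters only CR and LF, so a NUL byte — which the IRC message format forbids (RFC 1459 §2.3.1) and which C-string based servers may treat as the end of the line — still passes through, and because the whole assembled line is cleaned rather than each argument, a space or a leading ':' inside a non-trailing parameter (the nick in `Nick`, the channel in `Join`, the ident in `User`) can still turn one parameter into several; the Part/Kick/Whois/Who/Privmsg/Notice/Topic hunks and the Mode/Away/Invite/Oper hunks below have the same shape. Adding NUL and collapsing the two passes is a one-line change: `var lineCleaner = strings.NewReplacer("\r", "", "\n", "", "\x00", "")` at package scope and `func safe(s string) string { return lineCleaner.Replace(s) }`. For the parameter problem the cheap option is to state the limit in the doc comment, e.g. `// safe strips CR, LF and NUL; it does not guard against whitespace or a leading ':' in non-trailing parameters, which callers must validate.`, and the thorough one is a per-argument check that rejects whitespace in non-trailing fields. Because the cleaning is silent, consider reporting (debug log or counter) when `safe` changes its input, since a stripped CR/LF is a useful signal that untrusted text is reaching these methods. `Raw` is deliberately left unfiltered, which is worth saying in its comment.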
@@ -33,7 +40,7 @@ func (conn *Conn) Part(channel string, message ...string) {
 	if msg != "" {
 		msg = " :" + msg
 	}
-	conn.out <- "PART " + channel + msg
+	conn.out <- safe("PART " + channel + msg)
 }
 
 // Kick() sends a KICK command to remove a nick from a channel
@@ -42,7 +49,7 @@ func (conn *Conn) Kick(channel, nick string, message ...string) {
 	if msg != "" {
 		msg = " :" + msg
 	}
-	conn.out <- "KICK " + channel + " " + nick + msg
+	conn.out <- safe("KICK " + channel + " " + nick + msg)
 }
 
 // Quit() sends a QUIT command to the server with an optional quit message
@@ -51,20 +58,20 @@ func (conn *Conn) Quit(message ...string) {
 	if msg == "" {
 		msg = conn.cfg.QuitMessage
 	}
-	conn.out <- "QUIT :" + msg
+	conn.out <- safe("QUIT :" + msg)
 }
 
 // Whois() sends a WHOIS command to the server
-func (conn *Conn) Whois(nick string) { conn.out <- "WHOIS " + nick }
+func (conn *Conn) Whois(nick string) { conn.out <- safe("WHOIS " + nick) }
 
 //Who() sends a WHO command to the server
-func (conn *Conn) Who(nick string) { conn.out <- "WHO " + nick }
+func (conn *Conn) Who(nick string) { conn.out <- safe("WHO " + nick) }
 
 // Privmsg() sends a PRIVMSG to the target t
-func (conn *Conn) Privmsg(t, msg string) { conn.out <- "PRIVMSG " + t + " :" + msg }
+func (conn *Conn) Privmsg(t, msg string) { conn.out <- safe("PRIVMSG " + t + " :" + msg) }
 
 // Notice() sends a NOTICE to the target t
-func (conn *Conn) Notice(t, msg string) { conn.out <- "NOTICE " + t + " :" + msg }
+func (conn *Conn) Notice(t, msg string) { conn.out <- safe("NOTICE " + t + " :" + msg) }
 
 // Ctcp() sends a (generic) CTCP message to the target t
 // with an optional argument
@@ -100,7 +107,7 @@ func (conn *Conn) Topic(channel string, topic ...string) {
 	if t != "" {
 		t = " :" + t
 	}
-	conn.out <- "TOPIC " + channel + t
+	conn.out <- safe("TOPIC " + channel + t)
 }
 
 // Mode() sends a MODE command to the server. This one can get complicated if
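Review bot: Every method in these hunks repeats `conn.out <- safe(...)` at its own call site, and the `Ctcp()` comment at the end of the Whois–Notice hunk shows further senders exist outside the diff; if any of them writes to `conn.out` directly (I can only infer this from the context lines) it stays unprotected, and the next command added has to remember the wrapper too. A single unexported `func (conn *Conn) send(line string) { conn.out <- safe(line) }` called from each command, or applying `safe` once where `conn.out` is drained to the socket, makes the protection structural rather than per-call-site. For `Privmsg` and `Notice`, a caller passing multi-line text now gets the lines glued into one message instead of an error or one message per line, which is worth stating in their doc comments. The bodies of `Part`, `Kick`, `Quit` and `Topic` start before their hunks.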
@@ -115,7 +122,7 @@ func (conn *Conn) Mode(t string, modestring ...string) {
 	if mode != "" {
 		mode = " " + mode
 	}
-	conn.out <- "MODE " + t + mode
+	conn.out <- safe("MODE " + t + mode)
 }
 
 // Away() sends an AWAY command to the server
@@ -126,15 +133,15 @@ func (conn *Conn) Away(message ...string) {
 	if msg != "" {
 		msg = " :" + msg
 	}
-	conn.out <- "AWAY" + msg
+	conn.out <- safe("AWAY" + msg)
 }
 
 // Invite() sends an INVITE command to the server
 func (conn *Conn) Invite(nick, channel string) {
-	conn.out <- "INVITE " + nick + " " + channel
+	conn.out <- safe("INVITE " + nick + " " + channel)
 }
 
 // Oper() sends an OPER command to the server
 func (conn *Conn) Oper(user, pass string) {
-	conn.out <- "OPER " + user + " " + pass
+	conn.out <- safe("OPER " + user + " " + pass)
 }