[Pkg-privacy-commits] [irssi-plugin-otr] 01/18: Remove linebreaks from libotr messages to avoid sending random IRC commands.

Antoine Beaupré anarcat at moszumanska.debian.org
Tue Mar 29 14:20:54 UTC 2016 

This is an automated email from the git hooks/post-receive script.

anarcat pushed a commit to branch debian
in repository irssi-plugin-otr.

commit 23fd799c1bcdcc567a7ee75e1a08ff01836962cf
Author: Lasse Karkkainen <tronic+ndrm at trn.iki.fi>
Date:   Thu May 29 09:01:39 2014 +0300

    Remove linebreaks from libotr messages to avoid sending random IRC commands.
    
    When OTR session is initiated by sending ?OTR? message, Unknown command
    errors are printed on Irssi status because only the first line gets sent
    as PRIVMSG and the human-readable HTML-formattad instruction message gets
    spit out as raw commands to the IRC server.
    
    This patch works around the problem by converting any line break characters
    (not allowed by IRC protocol) into spaces, thus also avoiding possible
    security issues with any other unexpected output from libotr even if this
    particular message string is fixed (like I intend to do in my next patch).
---
 src/otr.c   |  3 +++
 src/utils.c | 11 +++++++++++
 src/utils.h |  1 +
 3 files changed, 15 insertions(+)

diff --git a/src/otr.c b/src/otr.c
index 840c1b3..af3f468 100644
--- a/src/otr.c
+++ b/src/otr.c
@@ -364,6 +364,9 @@ int otr_send(SERVER_REC *irssi, const char *msg, const char *to, char **otr_msg)
 		goto error;
 	}
 
+	/* Remove newlines. */
+	if (otr_msg) utils_escape_message(*otr_msg);
+
 	IRSSI_DEBUG("Message sent...");
 
 	/* Add peer context to OTR context if none exists. */
diff --git a/src/utils.c b/src/utils.c
index ceae3e9..e3470bf 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -74,6 +74,17 @@ char *utils_trim_string(char *s)
 }
 
 /*
+ * Convert invalid characters (newlines from libotr) into spaces
+ */
+char *utils_escape_message(char *s) {
+	size_t i;
+	for (i = 0; s[i]; ++i) {
+		if (s[i] == '\n' || s[i] == '\r') s[i] = ' ';
+	}
+	return s;
+}
+
+/*
  * Extract question and secret for an SMP authentication.
  *
  * Return 0 and set question/secret on success. Else, return negative value and
diff --git a/src/utils.h b/src/utils.h
index 2d2a526..cbd5722 100644
--- a/src/utils.h
+++ b/src/utils.h
@@ -29,5 +29,6 @@ void utils_string_to_upper(char *string);
 int utils_auth_extract_secret(const char *_data, char **secret);
 void utils_hash_parts_to_readable_hash(const char **parts, char *dst);
 char *utils_trim_string(char *s);
+char *utils_escape_message(char *s);
 
 #endif /* IRSSI_OTR_UTILS_H */

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/irssi-plugin-otr.git

More information about the Pkg-privacy-commits mailing list