3
0
mirror of https://github.com/pragma-/pbot.git synced 2024-12-22 18:52:40 +01:00

Disallow invoking of commands with requires_cap from unlocked factoids

As a security measure to prevent users from creating or modifying factoids to
sneak in commands to trick chanops/admins/botowners/etc into executing those
commands, the command interpreter will now check if the command has been
invoked in the context of a factoid. If so, the factoid must be locked.
This commit is contained in:
Pragmatic Software 2024-11-05 16:48:59 -08:00
parent 10374b47c9
commit 650bf40a24
No known key found for this signature in database
GPG Key ID: CC916B6E3C84ECCE
3 changed files with 12 additions and 1 deletions

View File

@ -192,6 +192,10 @@ sub interpreter($self, $context) {
return "/msg $context->{nick} The $keyword command requires the can-$keyword capability, which your user account does not have.";
}
}
if ($context->{factoid} && !$context->{locked}) {
return "/msg $context->{nick} The $keyword command requires the can-$keyword capability and cannot be invoked from an unlocked factoid.";
}
}
if ($self->get_meta($keyword, 'condense-whitespace')) {

View File

@ -182,6 +182,7 @@ sub interpreter($self, $context) {
$context->{original_keyword} = $original_keyword;
$context->{channel_name} = $channel_name;
$context->{trigger_name} = $trigger_name;
$context->{factoid} = 1;
if ($context->{embedded} and $self->{pbot}->{factoids}->{data}->{storage}->get_data($channel, $keyword, 'noembed')) {
$self->{pbot}->{logger}->log("Factoids: interpreter: ignoring $channel.$keyword due to noembed.\n");
@ -194,6 +195,12 @@ sub interpreter($self, $context) {
}
}
if ($self->{pbot}->{factoids}->{data}->{storage}->get_data($channel, $keyword, 'locked')) {
$context->{locked} = 1;
} else {
$context->{locked} = 0;
}
# rate-limiting
if ($context->{interpret_depth} <= 1
and $self->{pbot}->{factoids}->{data}->{storage}->get_data($channel, $keyword, 'last_referenced_in') eq $context->{from})

View File

@ -25,7 +25,7 @@ use PBot::Imports;
# These are set by the /misc/update_version script
use constant {
BUILD_NAME => "PBot",
BUILD_REVISION => 4835,
BUILD_REVISION => 4837,
BUILD_DATE => "2024-11-05",
};