From 27bef508bbe0966ecb49a1cf4e27e587d829740a Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen <mikaela.suomalainen@outlook.com>
Date: Sun, 29 Jun 2014 18:59:32 +0300
Subject: [PATCH] Supybot: multiple fixes.

---
 Supybot.html    |  84 +++++++++++++++--------------
 Supybot.html.md | 137 +++++++++++++++++++++++++-----------------------
 2 files changed, 116 insertions(+), 105 deletions(-)

diff --git a/Supybot.html b/Supybot.html
index a3b798c62..9f177ba04 100644
--- a/Supybot.html
+++ b/Supybot.html
@@ -6,14 +6,20 @@
 Security issues of Supybot
 </title>
 <link rel="stylesheet" type="text/css" href="css.css" />
+<script>
+(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+ga('create', 'UA-40171169-1', 'mkaysi.github.io');
+ga('send', 'pageview');
+</script>
 </head>
 <body>
 
-<h2 id="latest-version-of-supybot-was-released-in-2009">Latest version of Supybot was released in 2009</h2>
-<p>All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2009 is 0.83.4.1.</p>
-<p>It's available from <a href="http://supybot.sf.net/">SourceForge</a>, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.</p>
-<h2 id="has-critical-issues">0.83.4.1 has critical issues</h2>
-<p>What issues?</p>
+<p>All activity happens in git repository of Supybot nowadays and it happens seldomly. The latest version, which was released in 2009 is 0.83.4.1 has multiple security issues documented here. This version is available from Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.</p>
+<p><strong>Note: Development has moved from SourceForge to GitHub so I won't refer to the old SF page.</strong></p>
+<h2 id="the-issues-of-0.83.4.1.">The issues of 0.83.4.1.</h2>
 <h3 id="anyone-can-crash-it-and-computer-where-its-running-on">1. Anyone can crash it and computer where it's running on</h3>
 <p>And this is very easy. Just run the command</p>
 <pre><code>!misc last --regexp m/(.*\w){512}/</code></pre>
@@ -23,38 +29,44 @@ Security issues of Supybot
 <p>Everyone can also make the bot count an equation, which brings it and the host computer down.</p>
 <p>For example:</p>
 <pre><code>!math calc factorial(999999)</code></pre>
+<p>This requires Math plugin which comes with Supybot, but isn't load by default.</p>
 <h3 id="anyone-can-access-network-services-via-the-bot.">3. Anyone can access network services via the bot.</h3>
 <p>I don't have example command for this, but it happens by nesting &quot;format cut&quot; and &quot;misc tell&quot;.</p>
 <p>What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.</p>
-<h3 id="web-page-with-special-characters-in-title-can-be-used-to-send-dccctcp-commands.">4. Web page with special characters in title can be used to send DCC/CTCP commands.</h3>
-<p>This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.</p>
+### 4. Web page with special characters in
+<title> 
+<p>can be used to send DCC/CTCP commands.</p>
+<p>This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( <code>FF ? DCC SEND “ff???f??????????????” 0 0 0</code> ) which make them reconnect to the internet.</p>
 <p>Usage:</p>
 <pre><code>!web title &lt;malicious.page.here&gt;
 !web fetch &lt;malicious.page.here&gt;</code></pre>
-<p>Note that web fetch is disabled by default.</p>
-<h1 id="are-these-issues-publicly-known">Are these issues publicly known?</h1>
-<p><STRONG>Of course they are.</strong> They have been reported to</p>
-<ol class="incremental" style="list-style-type: decimal">
-<li><a href="http://ubuntu.com/">Ubuntu</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></li>
-</ol>
-<ol class="incremental" start="2" style="list-style-type: decimal">
-<li><a href="http://debian.org/">Debian</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a>.</li>
-</ol>
+<h3 id="are-these-issues-publicly-known">Are these issues publicly known?</h3>
+<p><strong>Of course they are.</strong> They have been reported to</p>
+<ul class="incremental">
+<li><a href="https://ubuntu.com">Ubuntu</a>
+<ul class="incremental">
+<li><a href="http://pad.lv/996947]">issue 1</a></li>
+<li><a href="http://pad.lv/996950">issue 2</a></li>
+</ul></li>
+<li><a href="https://debian.org/">Debian</a>
+<ul class="incremental">
+<li><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a></li>
+<li><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></li>
+</ul></li>
+<li><a href="ircs://chat.freenode.net:6697/#supybot">#supybot</a></li>
+</ul>
 <p>The first issue has been also used to take down some of <a href="https://wiki.ubuntu.com/IRC/Bots">Ubuntu IRC bots</a> several times. At least UbotX (I don't remember the number) and meetingology.</p>
-<ol class="incremental" start="3" style="list-style-type: decimal">
-<li>to their IRC channel.</li>
-</ol>
-<p>Some of them are fixed in git repository, but most people aren't using it.</p>
-<h2 id="how-to-avoid-them">How to avoid them?</h2>
-<p>You can add anticapability for these commands using &quot;owner defaultcapability&quot;, but that is only a temporary solution. There can also be other issues.</p>
-<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a>, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.</p>
-<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a> isn't announced anywhere) and it has additional commands, translations and new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing of 3rd party plugins easy. Ohloh supports comparing different projescts, <a href="https://www.ohloh.net/p/compare?project_0=Limnoria&amp;project_1=Gribble%3A+Support+Bottie&amp;project_2=Supybot">here is comparsion of Limnoria, Gribble and Supybot</a>.</p>
-<p><strong>If you use Debian/Ubuntu or any Debian based distribution, you can get <a href="http://builds.progval.net/limnoria/limnoria-master-HEAD.deb">stable version of Limnoria here</a> or <a href="http://builds.progval.net/limnoria/limnoria-testing-HEAD.deb">testing version here</a>.</strong></p>
-<p>The links above should always be the latest version of Limnoria and they are updated daily.</p>
-<p><a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Gribble_Project_Git_Repository">Gribble modifications when compared to Supybot.</a></p>
-<p><a href="https://github.com/ProgVal/Limnoria/wiki/LGC">Limnoria modifications when compared to Gribble.</a> Features of Gribble have been fully merged to Limnoria.</p>
+<p>Some of these issues are fixed in git repository, but most people aren't using it. If you wish to start using it, please scroll down to installation instructions lower this page even though <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://github.com/nanotube/supybot_fixed">gribble</a> are more recommended.</p>
+<h3 id="how-to-avoid-them">How to avoid them?</h3>
+<p>You can add anticapability for these commands using <code>owner defaultcapability</code>, but that is only a temporary solution. There can also be other issues.</p>
+<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://github.com/nanotube/supybot_fixed">Gribble</a>, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.</p>
+<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://github.com/nanotube/supybot_fixed">Gribble</a> isn't announced anywhere) and it has additional commands, translations and new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing of 3rd party plugins easy.</p>
+<p>Ohloh supports comparing different projects, <a href="https://www.ohloh.net/p/compare?project_0=Limnoria&amp;project_1=Gribble%3A+Support+Bottie&amp;project_2=Supybot">here is comparsion of Limnoria, Gribble and Supybot</a>.</p>
+<p><a href="https://sourceforge.net/p/gribble/wiki/Gribble_Project_Git_Repository/">Gribble modifications when compared to stock Supybot</a></p>
+<p><strong>SourceForge and that link are a little broken, when they are moved elsewhere, please remove this notice!</strong></p>
+<p><a href="https://github.com/ProgVal/Limnoria/wiki/LGC">Limnoria modifications when compared to Gribble.</a> Features of Gribble are fully merged to Limnoria.</p>
 <p>Your current botname.conf is <strong>100% compatible with forks</strong>.</p>
-<p><a href="irc://irc.freenode.net/#supybot,#gribble,#limnoria">Join Supybot channels on freenode!</a></p>
+<p><a href="ircs://chat.freenode.net:6697/#supybot,#gribble,#limnoria">Join Supybot channels on freenode!</a></p>
 <h2 id="installing-forks">Installing forks</h2>
 <h3 id="for-all-of-them.">For all of them.</h3>
 <p>You should install <a href="http://pip.readthedocs.org/en/latest/reference/pip_install.html">pip</a> (usually python-pip in repositories) and <a href="http://git-scm.com/">git</a>.</p>
@@ -73,17 +85,9 @@ Security issues of Supybot
 <p>The first command installs requirements of Limnoria and the second Limnoria itself. Only Limnoria has requirements.txt file at the moment.</p>
 <pre><code>sudo pip install -r https://raw.githubusercontent.com/ProgVal/Limnoria/master/requirements.txt
 sudo pip install git+https://github.com/ProgVal/Limnoria.git@master</code></pre>
-<p><a href="">Changelog of this page.</a>https://github.com/Mkaysi/Limnoria/commits/gh-pages/Supybot.html</p>
-<script>
-  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
-    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
-      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
-        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
-
-          ga('create', 'UA-40171169-1', 'mkaysi.github.io');
-            ga('send', 'pageview');
-
-            </script>
+<hr/>
+<a href="">Changelog of this page.</a>https://github.com/Mkaysi/Limnoria/commits/gh-pages/Supybot.html
+<hr/>
 </body>
 </html>
 
diff --git a/Supybot.html.md b/Supybot.html.md
index 5ac39808b..15c205421 100644
--- a/Supybot.html.md
+++ b/Supybot.html.md
@@ -8,20 +8,27 @@
 <link rel="canonical" href="https://mkaysi.github.io/limnoria/Supybot.html">
 <title>Security issues of Supybot</title>
 <link rel="stylesheet" type="text/css" href="css.css" />
+<script>
+(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+ga('create', 'UA-40171169-1', 'mkaysi.github.io');
+ga('send', 'pageview');
+</script>
 </head>
 <body>
 
-## Latest version of Supybot was released in 2009
+All activity happens in git repository of Supybot nowadays and it happens 
+seldomly. The latest version, which was released in 2009 is 0.83.4.1 
+has multiple security issues documented here. This version is available 
+from Debian repositories, Ubuntu repositories and repositories of many 
+other Linux distributions.
 
-All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2009 is 0.83.4.1. 
+**Note: Development has moved from SourceForge to GitHub so I won't refer 
+to the old SF page.**
 
-It's available from [SourceForge], Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.
-
-[SourceForge]:http://supybot.sf.net/
-
-## 0.83.4.1 has critical issues
-
-What issues?
+## The issues of 0.83.4.1.
 
 ### 1. Anyone can crash it and computer where it's running on
 
@@ -33,11 +40,13 @@ And this is very easy. Just run the command
 
 where ! is the prefix character.
 
-Misc is loaded by default and cannot be unloaded without modifying the config.
+Misc is loaded by default and cannot be unloaded without modifying the 
+config.
 
 ### 2. The previous wasn't the only way to do this
 
-Everyone can also make the bot count an equation, which brings it and the host computer down. 
+Everyone can also make the bot count an equation, which brings it and the 
+host computer down. 
 
 For example:
 
@@ -45,16 +54,25 @@ For example:
 !math calc factorial(999999)
 ```
 
+This requires Math plugin which comes with Supybot, but isn't load by 
+default.
+
 ### 3. Anyone can access network services via the bot.
 
-I don't have example command for this, but it happens by nesting "format cut" and "misc tell". 
+I don't have example command for this, but it happens by nesting 
+"format cut" and "misc tell". 
 
-What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.
+What does this mean? Anyone can tell the bot to ghost someone else on same 
+account, take over a channel by telling the bot to give flags 
+(if it has correct flags), change password of the account and everything 
+else what you do with network services.
 
-### 4. Web page with special characters in title can be used to send DCC/CTCP commands.
+### 4. Web page with special characters in <title> can be used to send 
+DCC/CTCP commands.
 
-This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make 
-them reconnect to the internet.
+This doesn't mean only things like CTCP actions (also known as /me), 
+but known problems with old routers ( `FF ? DCC SEND “ff???f??????????????” 0 0 0` ) 
+which make them reconnect to the internet.
 
 Usage:
 
@@ -63,62 +81,60 @@ Usage:
 !web fetch <malicious.page.here>
 ```
 
-Note that web fetch is disabled by default.
+### Are these issues publicly known?
 
-# Are these issues publicly known?
+**Of course they are.** They have been reported to
 
-<STRONG>Of course they are.</strong> They have been reported to
+* [Ubuntu](https://ubuntu.com)
+    * [issue 1](http://pad.lv/996947])
+    * [issue 2](http://pad.lv/996950)
+* [Debian](https://debian.org/)
+    * [issue 1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214)
+    * [issue 2](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215)
+* [#supybot](ircs://chat.freenode.net:6697/#supybot)
 
-1. [Ubuntu], [issue 1] and [issue 2]
 
-[Ubuntu]:http://ubuntu.com/
-[issue 1]:https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996947
-[issue 2]:https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996950
+The first issue has been also used to take down some of 
+[Ubuntu IRC bots](https://wiki.ubuntu.com/IRC/Bots) several times. 
+At least UbotX (I don't remember the number) and meetingology.
 
-2. [Debian], [issue 1] and [issue 2].
+Some of these issues are fixed in git repository, but most people aren't 
+using it. If you wish to start using it, please scroll down to 
+installation instructions lower this page even though [Limnoria] and 
+[gribble] are more recommended.
 
-[Debian]:http://debian.org/
-[issue 1]:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214
-[issue 2]:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215
+### How to avoid them?
 
-The first issue has been also used to take down some of [Ubuntu IRC bots] several times. At least UbotX (I don't remember the number) and meetingology.
+You can add anticapability for these commands using 
+`owner defaultcapability`, but that is only a temporary solution. 
+There can also be other issues.
 
-[Ubuntu IRC bots]:https://wiki.ubuntu.com/IRC/Bots
+There are also two active Supybot forks, known as [Limnoria] and 
+[Gribble], which are actively developed and have fixed these issues. 
+If you want permanent solution, you should install either of them.
 
-3. to their IRC channel.
+I recommend [Limnoria], because it seems to be more active 
+(activity of [Gribble] isn't announced anywhere) and it has additional 
+commands, translations and new plugin called [PluginDownloader], which 
+makes installing of 3rd party plugins easy. 
 
-Some of them are fixed in git repository, but most people aren't using it.
+Ohloh supports comparing different projects, [here is comparsion of Limnoria, Gribble and Supybot](https://www.ohloh.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot).
 
-## How to avoid them?
+[Gribble modifications when compared to stock Supybot](https://sourceforge.net/p/gribble/wiki/Gribble_Project_Git_Repository/)
 
-You can add anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues.
+**SourceForge and that link are a little broken, when they are moved 
+elsewhere, please remove this notice!**
 
-There are also two active Supybot forks, known as [Limnoria] and [Gribble], which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.
+[Limnoria modifications when compared to Gribble.](https://github.com/ProgVal/Limnoria/wiki/LGC) 
+Features of Gribble are fully merged to Limnoria.
 
-I recommend [Limnoria], because it seems to be more active (activity of [Gribble] isn't announced anywhere) and it has additional commands, translations and new plugin called [PluginDownloader], which makes installing of 3rd party plugins easy. Ohloh supports comparing different projescts, [here is comparsion of Limnoria, Gribble and Supybot](https://www.ohloh.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot).
+Your current botname.conf is **100% compatible with forks**.
 
-<strong>If you use Debian/Ubuntu or any Debian based distribution, you can get [stable version of Limnoria here] or [testing version here].</strong>
-
-The links above should always be the latest version of Limnoria and they are updated daily.
-
-[stable version of Limnoria here]:http://builds.progval.net/limnoria/limnoria-master-HEAD.deb
-[testing version here]:http://builds.progval.net/limnoria/limnoria-testing-HEAD.deb
-
-[Gribble modifications when compared to Supybot.]   
-
-[Limnoria modifications when compared to Gribble.] Features of Gribble have been fully merged to Limnoria.
-
-[Gribble modifications when compared to Supybot.]:http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Gribble_Project_Git_Repository
-[Limnoria modifications when compared to Gribble.]:https://github.com/ProgVal/Limnoria/wiki/LGC
-
-Your current botname.conf is <strong>100% compatible with forks</strong>.
-
-[Join Supybot channels on freenode!]
+[Join Supybot channels on freenode!](ircs://chat.freenode.net:6697/#supybot,#gribble,#limnoria)
 
 [Limnoria]:https://github.com/ProgVal/Limnoria
-[Gribble]:http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page
+[Gribble]:http://github.com/nanotube/supybot_fixed
 [PluginDownloader]:https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader
-[Join Supybot channels on freenode!]:irc://irc.freenode.net/#supybot,#gribble,#limnoria
 
 ## Installing forks
 
@@ -173,17 +189,8 @@ sudo pip install -r https://raw.githubusercontent.com/ProgVal/Limnoria/master/re
 sudo pip install git+https://github.com/ProgVal/Limnoria.git@master
 ```
 
+<hr/>
 [Changelog of this page.]()https://github.com/Mkaysi/Limnoria/commits/gh-pages/Supybot.html
-
-<script>
-  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
-    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
-      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
-        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
-
-          ga('create', 'UA-40171169-1', 'mkaysi.github.io');
-            ga('send', 'pageview');
-
-            </script>
+<hr/>
 </body>
 </html>