From 38ff1a113771f344ad04d9047e20e9f69212ac63 Mon Sep 17 00:00:00 2001
From: Daniel Folkinshteyn <nanotube@users.sourceforge.net>
Date: Sat, 25 Feb 2012 12:28:27 -0500
Subject: [PATCH] Seen: require caller to be in target channel when using
 commands in this plugin.

This fixes information leakage from private channels.

Conflicts:
	plugins/Seen/plugin.py
---
 plugins/Seen/plugin.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/plugins/Seen/plugin.py b/plugins/Seen/plugin.py
index 58ff91583..3fc0c5eab 100644
--- a/plugins/Seen/plugin.py
+++ b/plugins/Seen/plugin.py
@@ -221,6 +221,9 @@ class Seen(callbacks.Plugin):
         saying. <channel> is only necessary if the message isn't sent on the
         channel itself. <nick> may contain * as a wildcard.
         """
+        if msg.nick not in irc.state.channels[channel].users:
+            irc.error(format('You must be in %s to use this command.', channel))
+            return
         self._seen(irc, channel, name)
     seen = wrap(seen, ['channel', 'something'])
 
@@ -235,6 +238,9 @@ class Seen(callbacks.Plugin):
         and returns the last time user was active in <channel>.  <channel> is
         only necessary if the message isn't sent on the channel itself.
         """
+        if msg.nick not in irc.state.channels[channel].users:
+            irc.error(format('You must be in %s to use this command.', channel))
+            return
         if name and optlist:
             raise callbacks.ArgumentError
         elif name:
@@ -269,6 +275,9 @@ class Seen(callbacks.Plugin):
         Returns the last thing said in <channel>.  <channel> is only necessary
         if the message isn't sent in the channel itself.
         """
+        if msg.nick not in irc.state.channels[channel].users:
+            irc.error(format('You must be in %s to use this command.', channel))
+            return
         self._last(irc, channel)
     last = wrap(last, ['channel'])
 
@@ -295,6 +304,9 @@ class Seen(callbacks.Plugin):
         <channel> is only necessary if the message isn't sent in the channel
         itself.
         """
+        if msg.nick not in irc.state.channels[channel].users:
+            irc.error(format('You must be in %s to use this command.', channel))
+            return
         self._user(irc, channel, user)
     user = wrap(user, ['channel', 'otherUser'])
 
@@ -313,6 +325,8 @@ class Seen(callbacks.Plugin):
             irc.error(format(_('%s must be in %s to use this command.'),
                 ('You' if nick == msg.nick else nick), channel))
             return
+        if nick is None:
+            nick = msg.nick
         end = None # By default, up until the most recent message.
         for (i, m) in utils.seq.renumerate(irc.state.history):
             if end is None and m.command == 'JOIN' and \