Channelstats: require caller to be in target channel when using commands in this plugin.

This fixes information leakage from private channels.
2012-02-25 12:35:55 -05:00 · 2012-02-25 12:35:55 -05:00 · ce121459f7
parent 7283235caf
commit ce121459f7
1 changed files with 9 additions and 0 deletions
--- a/plugins/ChannelStats/plugin.py
+++ b/plugins/ChannelStats/plugin.py
@ -245,6 +245,9 @@ class ChannelStats(callbacks.Plugin):
        necessary if the message isn't sent on the channel itself.  If <name>
        isn't given, it defaults to the user sending the command.
        """
+        if msg.nick not in irc.state.channels[channel].users:
+            irc.error(format('You must be in %s to use this command.', channel))
+            return
        if name and ircutils.strEqual(name, irc.nick):
            id = 0
        elif not name:
@ -304,6 +307,9 @@ class ChannelStats(callbacks.Plugin):
        'kicks', 'kicked', 'topics', and 'modes'.  Any simple mathematical
        expression involving those variables is permitted.
        """
+        if msg.nick not in irc.state.channels[channel].users:
+            irc.error(format('You must be in %s to use this command.', channel))
+            return
        # XXX I could do this the right way, and abstract out a safe eval,
        #     or I could just copy/paste from the Math plugin.
        if expr != expr.translate(utils.str.chars, '_[]'):
@ -345,6 +351,9 @@ class ChannelStats(callbacks.Plugin):
        Returns the statistics for <channel>.  <channel> is only necessary if
        the message isn't sent on the channel itself.
        """
+        if msg.nick not in irc.state.channels[channel].users:
+            irc.error(format('You must be in %s to use this command.', channel))
+            return
        try:
            stats = self.db.getChannelStats(channel)
            curUsers = len(irc.state.channels[channel].users)