Misc.last: Prevent potential information leaks

Add required predicates which 1) Do not retrieve messages from a channel the calling user isn't in 2) Do not retrieve messages from a +s channel unless the calling user is in a query or in that channel Signed-off-by: James Vega <jamessan@users.sourceforge.net>
2024-11-14 14:49:21 +01:00 · 2009-03-08 01:09:25 -05:00 · 2009-03-08 01:09:25 -05:00 · f539e65b8e
commit f539e65b8e
parent 856f372303
1 changed files with 14 additions and 0 deletions
--- a/plugins/Misc/plugin.py
+++ b/plugins/Misc/plugin.py
@ -1,5 +1,6 @@
 ###
 # Copyright (c) 2002-2005, Jeremiah Fincher
+# Copyright (c) 2009, James Vega
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@ -323,6 +324,19 @@ class Misc(callbacks.Plugin):
            # the channel we've been instructed to look at.
            iterable.next()
        predicates = list(utils.iter.flatten(predicates.itervalues()))
+        # Make sure the user can't get messages from channels they aren't in
+        def userInChannel(m):
+            return m.args[0] in irc.state.channels \
+                    and msg.nick in irc.state.channels[m.args[0]].users
+        predicates.append(userInChannel)
+        # Make sure the user can't get messages from a +s channel unless
+        # they're calling the command from that channel or from a query
+        def notSecretMsg(m):
+            return not irc.isChannel(msg.args[0]) \
+                    or msg.args[0] == m.args[0] \
+                    or (m.args[0] in irc.state.channels \
+                        and 's' not in irc.state.channels[m.args[0]].modes)
+        predicates.append(notSecretMsg)
        resp = []
        if irc.nested and not \
          self.registryValue('last.nested.includeTimestamp'):