author | Sébastien Helleu <flashcode@flashtux.org> | 2022-09-10 13:42:35 +0200 |
---|---|---|
committer | Sébastien Helleu <flashcode@flashtux.org> | 2022-09-10 13:43:45 +0200 |
commit | 9cb68b13a94175b6fc64a9d9f20b2b923a1c0b09 (patch) | |
tree | 7ba5a074e5076627905279ae4842f54551a5a8c0 | |
parent | 5070a6330c09d8025ce1209686cac071753589ef (diff) | |
download | weechat-9cb68b13a94175b6fc64a9d9f20b2b923a1c0b09.zip |
irc: replace chars "\01" by spaces in CTCP replies (closes #1819)
This prevents any attack due to an external security issue in the Linux
netfilter implementation (nf_conntrack_irc).
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663
-rw-r--r-- | ChangeLog.adoc | 1 | ||||
-rw-r--r-- | src/plugins/irc/irc-ctcp.c | 115 |
2 files changed, 69 insertions, 47 deletions
diff --git a/ChangeLog.adoc b/ChangeLog.adoc
index 32f2e9d38..a434a2a58 100644
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@@ -40,6 +40,7 @@ Bug fixes::
 * irc: fix extract of isupport value when it is last in list and without value (issue #1807)
 * irc: fix target buffer of generic errors when they contain a target nick (issue #1814)
 * irc: fix display of message 350 (whois, gateway) (issue #1815)
+ * irc: replace chars "\01" by spaces in CTCP replies (issue #1819)
 * guile: fix function hdata_get_string
 * javascript: fix return of long value in functions infolist_time, hdata_long and hdata_time
 * php: fix function hdata_compare
diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
index 23323d017..2faab81e3 100644
--- a/src/plugins/irc/irc-ctcp.c
+++ b/src/plugins/irc/irc-ctcp.c
@@ -270,15 +270,32 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server,
 {
 struct t_hashtable *hashtable;
 int number;
- char hash_key[32];
+ char hash_key[32], *str_args_color, *dup_ctcp, *dup_args;
 const char *str_args;
- char *str_args_color, *ctcp_upper;
 
- ctcp_upper = strdup (ctcp);
- if (!ctcp_upper)
- return;
+ dup_ctcp = NULL;
+ dup_args = NULL;
+ hashtable = NULL;
+
+ /*
+ * replace any "\01" by a space to prevent any firewall attack via
+ * nf_conntrack_irc (CVE-2022-2663)
+ */
+ dup_ctcp = weechat_string_replace (ctcp, "\01", " ");
+ if (!dup_ctcp)
+ goto end;
+ weechat_string_toupper (dup_ctcp);
 
- weechat_string_toupper (ctcp_upper);
+ if (arguments)
+ {
+ /*
+ * replace any "\01" by a space to prevent any firewall attack via
+ * nf_conntrack_irc (CVE-2022-2663)
+ */
+ dup_args = weechat_string_replace (arguments, "\01", " ");
+ if (!dup_args)
+ goto end;
+ }
 
 hashtable = irc_server_sendf (
 server,
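Review bot: The two "\01"-to-space replacements on `ctcp` and `arguments`, each carrying the same four-line CVE-2022-2663 comment, are a copy-paste pair; folding them into one small static helper keeps the rationale in a single place and gives any other send path that echoes remote-supplied text (this commit covers only CTCP replies) an obvious function to call. If the helper accepts NULL, the `if (arguments)` block collapses to one call plus one check. A NULL from `weechat_string_replace` still silently drops the reply via `goto end`, which matches the old `strdup` failure path, so that is not a behaviour change. irc_ctcp_reply_to_nick's body continues in the following hunk.
```c
/* proposed static helper, placed above irc_ctcp_reply_to_nick */
static char *
irc_ctcp_strip_delim (const char *str)
{
    /* "\01" (CTCP delimiter) -> space, see CVE-2022-2663 */
    return (str) ? weechat_string_replace (str, "\01", " ") : NULL;
}

/* … unchanged: irc_ctcp_reply_to_nick signature and declarations … */
    dup_ctcp = irc_ctcp_strip_delim (ctcp);
    if (!dup_ctcp)
        goto end;
    weechat_string_toupper (dup_ctcp);
    dup_args = irc_ctcp_strip_delim (arguments);
    if (arguments && !dup_args)
        goto end;
/* … unchanged: irc_server_sendf call … */
```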
@@ -286,53 +303,57 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server, NULL, "NOTICE %s :\01%s%s%s\01", nick, - ctcp_upper, - (arguments) ? " " : "", - (arguments) ? arguments : ""); + dup_ctcp, + (dup_args) ? " " : "", + (dup_args) ? dup_args : ""); + if (!hashtable) + goto end; - if (hashtable) + if (weechat_config_boolean (irc_config_look_display_ctcp_reply)) { - if (weechat_config_boolean (irc_config_look_display_ctcp_reply)) + number = 1; + while (1) { - number = 1; - while (1) - { - snprintf (hash_key, sizeof (hash_key), "args%d", number); - str_args = weechat_hashtable_get (hashtable, hash_key); - if (!str_args) - break; - str_args_color = irc_color_decode (str_args, 1); - if (!str_args_color) - break; - weechat_printf_date_tags ( - irc_msgbuffer_get_target_buffer ( - server, nick, NULL, "ctcp", - (channel) ? channel->buffer : NULL), - 0, - irc_protocol_tags ( - command, - tags, - "irc_ctcp,irc_ctcp_reply,self_msg,notify_none," - "no_highlight", - NULL, NULL), - _("%sCTCP reply to %s%s%s: %s%s%s%s%s"), - weechat_prefix ("network"), - irc_nick_color_for_msg (server, 0, NULL, nick), - nick, - IRC_COLOR_RESET, - IRC_COLOR_CHAT_CHANNEL, - ctcp_upper, - (str_args_color[0]) ? IRC_COLOR_RESET : "", - (str_args_color[0]) ? " " : "", - str_args_color); - free (str_args_color); - number++; - } + snprintf (hash_key, sizeof (hash_key), "args%d", number); + str_args = weechat_hashtable_get (hashtable, hash_key); + if (!str_args) + break; + str_args_color = irc_color_decode (str_args, 1); + if (!str_args_color) + break; + weechat_printf_date_tags ( + irc_msgbuffer_get_target_buffer ( + server, nick, NULL, "ctcp", + (channel) ? 
channel->buffer : NULL), + 0, + irc_protocol_tags ( + command, + tags, + "irc_ctcp,irc_ctcp_reply,self_msg,notify_none," + "no_highlight", + NULL, NULL), + _("%sCTCP reply to %s%s%s: %s%s%s%s%s"), + weechat_prefix ("network"), + irc_nick_color_for_msg (server, 0, NULL, nick), + nick, + IRC_COLOR_RESET, + IRC_COLOR_CHAT_CHANNEL, + dup_ctcp, + (str_args_color[0]) ? IRC_COLOR_RESET : "", + (str_args_color[0]) ? " " : "", + str_args_color); + free (str_args_color); + number++; } - weechat_hashtable_free (hashtable); } - free (ctcp_upper); +end: + if (dup_ctcp) + free (dup_ctcp); + if (dup_args) + free (dup_args); + if (hashtable) + weechat_hashtable_free (hashtable); } /* |
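Review bot: The NULL guards on the two `free` calls in the new `end:` cleanup are redundant: `free (NULL)` is a no-op, so `free (dup_ctcp); free (dup_args);` is enough and only `weechat_hashtable_free` needs its `if (hashtable)` (its NULL handling is not visible here). A one-line comment above the label would record the invariant the cleanup relies on, e.g. `/* dup_ctcp, dup_args and hashtable are NULL-initialised above, so this label is safe from every goto end */`. The display loop is unchanged apart from re-indentation and now prints the sanitized `dup_ctcp`, so what the user sees matches what was actually sent. irc_ctcp_reply_to_nick starts in the previous hunk.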