author | Sébastien Helleu <flashcode@flashtux.org> | 2019-03-11 20:49:35 +0100 |
---|---|---|
committer | Sébastien Helleu <flashcode@flashtux.org> | 2019-03-11 21:12:23 +0100 |
commit | 92e176ab895b9fdb5f15e3b3ade369c61cbb203f (patch) | |
tree | 119fb4bf4abe276e2e3cc55b76b71fd649046331 /src | |
parent | e44c4904c3b6c36b38131e678f7710401550fbe4 (diff) | |
relay: use empty value by default for option relay.weechat.commands (issue #928)
The relay client is supposed to be safe by default, and the relay connection
should be protected in several ways (restriction on IP address, SSL,
strong password, Time-based One-Time Password, local bind address and use of
SSH tunnel…).
So this option lets the user add extra security by allowing only some
commands (whitelist), or allowing any commands except a list of given
commands (blacklist).
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/relay/relay-config.c | 32 | ||||
-rw-r--r-- | src/plugins/relay/weechat/relay-weechat-protocol.c | 33 |
2 files changed, 27 insertions, 38 deletions
diff --git a/src/plugins/relay/relay-config.c b/src/plugins/relay/relay-config.c
index 66e7de8cd..065b342b9 100644
--- a/src/plugins/relay/relay-config.c
+++ b/src/plugins/relay/relay-config.c
@@ -1039,33 +1039,11 @@ relay_config_init ()
  "data (text or command) is received from a client; "
  "\"*\" means any command, a name beginning with \"!\" is "
  "a negative value to prevent a command from being executed, "
- "wildcard \"*\" is allowed in names; by default some commands "
- "are not allowed (they could lead to denial of service or remote "
- "code execution if the client is not trusted)"),
- NULL, 0, 0,
- "*,"
- "!exec,"
- "!fset,"
- "!guile,"
- "!javascript,"
- "!key,"
- "!lua,"
- "!perl,"
- "!php,"
- "!plugin,"
- "!python,"
- "!quit,"
- "!repeat,"
- "!ruby,"
- "!script,"
- "!secure,"
- "!set,"
- "!tcl,"
- "!trigger,"
- "!unset,"
- "!upgrade,"
- "!wait",
- NULL, 0,
+ "wildcard \"*\" is allowed in names; this option should be set if "
+ "the relay client is not safe (someone could use it to run "
+ "commands); for example \"*,!exec,!quit\" allows any command "
+ "except /exec and /quit"),
+ NULL, 0, 0, "", NULL, 0,
  NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
diff --git a/src/plugins/relay/weechat/relay-weechat-protocol.c b/src/plugins/relay/weechat/relay-weechat-protocol.c
index ed1a34d9e..184024927 100644
--- a/src/plugins/relay/weechat/relay-weechat-protocol.c
+++ b/src/plugins/relay/weechat/relay-weechat-protocol.c
@@ -402,6 +402,7 @@ relay_weechat_protocol_input_timer_cb (const void *pointer,
  int remaining_calls)
  {
  char **timer_args;
+ const char *ptr_weechat_commands;
  int i;
  struct t_gui_buffer *ptr_buffer;
  struct t_hashtable *options;
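Review bot: The rewritten help string in relay_config_init (src/plugins/relay/relay-config.c) never states what the new empty default means, although that is now the value every fresh configuration starts with. Judging from the companion change in relay-weechat-protocol.c, an empty value sends client input to the unfiltered command path, so the description should say so explicitly, for example by ending with `"an empty value (default) means that any command is allowed"`. The removed default (`*,!exec,!fset,...,!wait`) was also the only record of which commands the project considered risky for an untrusted client; keeping that list in the option's documentation as a suggested value would let users restore the previous restriction without reading the history.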
@@ -420,18 +421,28 @@ relay_weechat_protocol_input_timer_cb (const void *pointer,
  ptr_buffer = weechat_buffer_search ("==", timer_args[0]);
  if (ptr_buffer)
  {
- options = weechat_hashtable_new (8,
- WEECHAT_HASHTABLE_STRING,
- WEECHAT_HASHTABLE_STRING,
- NULL, NULL);
- if (options)
+ ptr_weechat_commands = weechat_config_string (
+ relay_config_weechat_commands);
+ if (ptr_weechat_commands && ptr_weechat_commands[0])
  {
- weechat_hashtable_set (
- options,
- "commands",
- weechat_config_string (relay_config_weechat_commands));
- weechat_command_options (ptr_buffer, timer_args[1], options);
- weechat_hashtable_free (options);
+ options = weechat_hashtable_new (8,
+ WEECHAT_HASHTABLE_STRING,
+ WEECHAT_HASHTABLE_STRING,
+ NULL, NULL);
+ if (options)
+ {
+ weechat_hashtable_set (
+ options,
+ "commands",
+ weechat_config_string (relay_config_weechat_commands));
+ weechat_command_options (ptr_buffer, timer_args[1],
+ options);
+ weechat_hashtable_free (options);
+ }
+ }
+ else
+ {
+ weechat_command (ptr_buffer, timer_args[1]);
  }
  }
  }
|
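Review bot: In relay_weechat_protocol_input_timer_cb the test `ptr_weechat_commands && ptr_weechat_commands[0]` routes a NULL return from `weechat_config_string` into the same `else` branch as an empty string, so a failed option lookup would end in the unfiltered `weechat_command (ptr_buffer, timer_args[1])` call. Whether NULL can actually occur here is not visible from the hunk, but for a filter applied to client-supplied input it is safer to run unfiltered only on an explicit empty value, e.g. `else if (ptr_weechat_commands)` in place of the bare `else`, and to drop the input otherwise. Separately, `weechat_hashtable_set` calls `weechat_config_string (relay_config_weechat_commands)` a second time; passing `ptr_weechat_commands` instead keeps the value that was checked and the value that is enforced identical. The function body begins before this hunk and continues after it.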