linuxdcpp-team team mailing list archive

Thread
Date

[Bug 1189975] Re: Forbidden commands in ADC

To: linuxdcpp-team@xxxxxxxxxxxxxxxxxxx
From: maksis <maksis@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 14 Jun 2013 17:04:59 -0000
Reply-to: Bug 1189975 <1189975@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

As it seems that no one is unable to confirm this, I made an user command that will make all DC++ users unable to send main chat messages:
BSTA %[mySID] 225 Chatting\sdisabled FCBMSG


I also quickly looked at the other command handling code and that isn't the only command that isn't validated properly...


Disconnect all users by causing a decompression error:
BZON %[mySID] 123

Prompt all users for a password and prevent them from sending any outgoing commands after that (ADCH++ won't broadcast this but Flexhub and uhub will do that):
BGPA %[mySID] 123

Reset the session password from all users:
BSTA %[mySID] 223 Session\spass\sreset

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1189975

Title:
  Forbidden commands in ADC

Status in DC++:
  New

Bug description:
  When DC++ receives a STA message with code 25, it adds the command in
  to the list of forbidden outgoing commands. However, the client
  doesn't check that the STA message originates from the hub, so any
  other client could send malicious STA messages and prevent DC++ from
  sending any outgoing command via the hub. The fix is rather trivial.

  I generally dislike the way how code 25 is handled, as DC++ doesn't
  notify the user when it blocks a command and neither when an outgoing
  command is disregarded right before sending.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1189975/+subscriptions

References

[Bug 1189975] [NEW] Forbidden commands in ADC
From: maksis, 2013-06-11