
linuxdcpp-team team mailing list archive

[Bug 1030613] Re: Normal users can issue CMDs

 

The following patch does two things to address the issue here.
* Replaces user commands (i.e., if the command 'test' is sent twice, the latter overwrites the previous command value)
* Restricts to a maximum of 100 (external) user commands. (Completely arbitrary number.)

While I did add settings, I did not make them available in the UI. I wasn't
sure whether the users should really be able to change them...

Additionally, the patch makes sure that all external user commands
are sorted after all internal (created by the user) user commands. This
makes sure that it is easy to spot user/hub user commands.

** Patch added: "dcpp_ucsec.diff"
   https://bugs.launchpad.net/dcplusplus/+bug/1030613/+attachment/3899166/+files/dcpp_ucsec.diff

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1030613

Title:
  Normal users can issue CMDs

Status in ADCH++:
  Fix Released
Status in DC++:
  Confirmed

Bug description:
  Any client may send a CMD (only B-type tested) to the hub,
  distributing it to any user. If done in a bot, you can effectively
  send tens or hundreds of these, and a receiving client will be forced
  to manage them, thus potentially causing a DoS scenario.

  Generate the following user command in DC++ to test yourself:
  Command type: Raw
  Context: Hub menu
  Name: RogueCommand
  Command: BCMD %[mySID] Security\stest,\sbe\safraid TTHINF\sNIfoobar\n CT2
  Hub address: adc://

  (Above command should obviously be followed by a new line.)

  The hub should ignore any CMD originating from a user. Potentially
  allow CMDs from trusted users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/adchpp/+bug/1030613/+subscriptions
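
The client-side mitigation described in the comment above (replace by name, cap external commands at 100, keep external commands sorted after internal ones), as an added sketch that is not the attached dcpp_ucsec.diff and not DC++ code. UserCommand, CommandStore and their members are hypothetical names, and per-hub and context handling is left out.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical types for illustration; these are not DC++'s own classes.
struct UserCommand {
    std::string name;
    std::string command;
    bool external;  // true: received from a hub, false: created locally by the user
};

class CommandStore {
public:
    explicit CommandStore(std::size_t maxExternal = 100) : maxExternal_(maxExternal) {}

    // Local commands go before the first external one, so externals always sort last.
    void addInternal(const std::string& name, const std::string& command) {
        auto firstExt = std::find_if(cmds_.begin(), cmds_.end(),
                                     [](const UserCommand& c) { return c.external; });
        cmds_.insert(firstExt, UserCommand{name, command, false});
    }

    // Returns false when the command is dropped because the cap is reached.
    bool addExternal(const std::string& name, const std::string& command) {
        for (auto& c : cmds_)
            if (c.external && c.name == name) { c.command = command; return true; }  // replace
        if (externalCount_ >= maxExternal_) return false;  // cap reached: ignore
        cmds_.push_back(UserCommand{name, command, true});
        ++externalCount_;
        return true;
    }

    const std::vector<UserCommand>& all() const { return cmds_; }
    std::size_t externalCount() const { return externalCount_; }

private:
    std::size_t maxExternal_;
    std::size_t externalCount_ = 0;
    std::vector<UserCommand> cmds_;
};

int main() {
    CommandStore store;  // constructed flood: 500 distinct names, then one repeat
    for (int i = 0; i < 500; ++i) store.addExternal("flood" + std::to_string(i), "raw");
    store.addExternal("flood0", "changed");
    std::cout << "external commands kept: " << store.externalCount() << "\n";
}
```

A repeated name still updates its entry once the cap is reached, so a hub can correct a command it already sent without the list growing.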

