linuxdcpp-team team mailing list archive
Message #07570
[Bug 1030613] Re: Normal users can issue CMDs
1) 100 is far too low: my test hub, for example, sends me 1176 user commands at login. in particular, a popular translation script sends 702 user commands; another popular script (FunScript) sends 251. i am willing to bet other scripts like Dixbot or Leviathan also send hundreds of user commands.
a better max value would be one beyond which opening a menu takes too long on a regular computer.
2) the current rule for settings in DC++ is to add them "fully" - with a
UI, help, etc. for the max value, a hard-coded one would be fine by me
if it were high enough. the replacing behavior should not be a setting
but be standard (user commands are identified by their name).
3) the new loop that is executed on each user command addition has to be
tested with hubs that send thousands of user commands. storing them in
some sort of ordered map might help with performance....
4) i would remove the log message when the limit has been reached. note
also that said log message could result in quite the spam in its current
state. again, this depends on the value decided in #1; if it is high
enough, the log message is futile.
5) in the following:
    if(!lst.empty() && !lstExternal.empty())
shouldn't the AND be an OR?
6) doesn't UserCommand::FLAG_NOSAVE already accomplish the job of the
new UserCommand::external? if it doesn't, add a new flag instead of a
new bool.
--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1030613
Title:
  Normal users can issue CMDs

Status in ADCH++:
  Fix Released
Status in DC++:
  In Progress

Bug description:
Any client may send a CMD (only B-type tested) to the hub,
distributing it to any user. If done in a bot, you can effectively
send tens or hundreds of these, and a receiving client will be forced
to manage them, thus potentially causing a DoS scenario.
Generate the following user command in DC++ to test yourself;
Command type: Raw
Context: Hub menu
Name: RogueCommand
Command: BCMD %[mySID] Security\stest,\sbe\safraid TTHINF\sNIfoobar\n CT2
Hub address: adc://
(Above command should obviously be followed by a new line.)
The hub should ignore any CMD originating from a user. Potentially
allow CMDs from trusted users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/adchpp/+bug/1030613/+subscriptions
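
A sketch of the store suggested in points 2 to 4 of the review above: commands keyed by name in an ordered map, same-name replacement as the standard behaviour, and a hard cap that counts drops instead of logging each one. This is an added example, not code from DC++ or from the patch under review; `HubCommand`, `HubCommandStore` and the cap value passed to the constructor are hypothetical.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <utility>

// Hypothetical stand-in for a hub-sent user command; not DC++'s UserCommand.
struct HubCommand {
    int context;          // menu context bits as sent by the hub
    std::string command;  // raw command text
};

// Name-keyed store: a command re-sent under an existing name replaces the old
// entry, and a hard cap bounds memory use and menu size.
class HubCommandStore {
public:
    enum class Result { Added, Replaced, Dropped };

    explicit HubCommandStore(std::size_t maxCommands) : max_(maxCommands) {}

    Result add(const std::string& name, HubCommand cmd) {
        auto it = cmds_.lower_bound(name);        // O(log n), no scan per addition
        if (it != cmds_.end() && it->first == name) {
            it->second = std::move(cmd);          // replacing never grows the store,
            return Result::Replaced;              // so it is allowed even at the cap
        }
        if (cmds_.size() >= max_) {
            ++dropped_;                           // count once; no per-command log line
            return Result::Dropped;
        }
        cmds_.emplace_hint(it, name, std::move(cmd));
        return Result::Added;
    }

    const HubCommand* find(const std::string& name) const {
        auto it = cmds_.find(name);
        return it == cmds_.end() ? nullptr : &it->second;
    }

    std::size_t size() const { return cmds_.size(); }
    std::size_t dropped() const { return dropped_; }

private:
    std::size_t max_;
    std::size_t dropped_ = 0;
    std::map<std::string, HubCommand> cmds_;      // ordered by command name
};
```

The `dropped()` counter lets the client report the overflow once per hub, after login, rather than once per rejected command.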