Skip to content
Snippets Groups Projects

DDMsgReader: When replying to a message, @-codes are now expanded in the quote file.

Closed DDMsgReader: When replying to a message, @-codes are now expanded in the quote file.
dd_msg_reader_reply_expand_atcodes into master
1 unresolved thread
Closed Eric Oulashin requested to merge dd_msg_reader_reply_expand_atcodes into master
1 unresolved thread

DDMsgReader: When replying to a message, @-codes are now expanded in the quote file.

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • Eric Oulashin assigned to @rswindell

    assigned to @rswindell

    • Rob Swindell
      Rob Swindell @rswindell
      Owner

      @-codes in messages posted by non-Sysops are normally never expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message received over a message network should never have any @-codes expanded.

      This commit seems to introduce a security concern and raises general concerns about how DDMsgReader handles @-codes currently.

      Edited by Rob Swindell
    • Eric Oulashin
      Eric Oulashin @nightfox
      Author Developer

      It sounds like it would be best to roll this back.

      Also, as far as DDMsgReader interperting @-codes, it only expands @-codes when reading personal email (not on networked sub-boards, or any sub-boards), similar to what you've described. I could add an additional check to make sure the message was posted by a sysop.

      It doesn't expand @HANGUP@ or @DELAY@, so those wouldn't be an issue.

    • Please register or sign in to reply
  • Eric Oulashin closed

    closed

Please register or sign in to reply