DDMsgReader: When replying to a message, @-codes are now expanded in the quote file.
assigned to @rswindell
@-codes in messages posted by non-Sysops are normally never expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message received over a message network should never have any @-codes expanded.
This commit seems to introduce a security concern and raises general concerns about how DDMsgReader handles @-codes currently.
It sounds like it would be best to roll this back.
Also, as far as DDMsgReader interpreting @-codes, it only expands @-codes when reading personal email (not on networked sub-boards, or any sub-boards), similar to what you've described. I could add an additional check to make sure the message was posted by a sysop.
It doesn't expand @HANGUP@ or @DELAY@, so those wouldn't be an issue.
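The gating discussed in this thread, written out as an added JavaScript example (not DDMsgReader's or Synchronet's own code): @-codes are expanded only for a locally posted message whose author is a sysop, and even then only codes from a short display-only allowlist, so @HANGUP@ and @DELAY@ are never expanded. The `msg` field names, the `NET_NONE` value and the sysop level are constructed for this example, not Synchronet's real header fields.

```javascript
// Constructed constants for this example: 0 means the message was posted locally,
// any other value means it arrived over a message network.
const NET_NONE = 0;
const SYSOP_LEVEL = 90;

// Allowlist of display-only @-codes that may be expanded. Anything not listed here
// (including HANGUP and DELAY) is left as literal text.
const EXPANDERS = {
  USER: (ctx) => ctx.userName,
  BBS:  (ctx) => ctx.bbsName,
  DATE: (ctx) => ctx.date,
};

// Expansion is permitted only when the message is local AND its author is a sysop.
// `msg.fromNetType` and `msg.fromSecurityLevel` are constructed field names.
function mayExpandAtCodes(msg) {
  return msg.fromNetType === NET_NONE && msg.fromSecurityLevel >= SYSOP_LEVEL;
}

// Build the text that goes into a quote file. Networked or non-sysop messages are
// returned unchanged; otherwise only allowlisted codes are replaced.
function expandForQuote(text, msg, ctx) {
  if (!mayExpandAtCodes(msg)) {
    return text;
  }
  return text.replace(/@([A-Z]+)(?::([^@]*))?@/g, (whole, code) => {
    const expand = EXPANDERS[code];
    return expand ? expand(ctx) : whole; // unknown codes stay literal
  });
}

// Constructed sample data.
const ctx = { userName: "Alice", bbsName: "Example BBS", date: "2024-01-01" };
const sysopLocal = { fromNetType: NET_NONE, fromSecurityLevel: 99 };
const userNetworked = { fromNetType: 1, fromSecurityLevel: 99 };

console.log(expandForQuote("Hi @USER@, @DELAY:99999@ @HANGUP@", sysopLocal, ctx));
console.log(expandForQuote("Hi @USER@ @HANGUP@", userNetworked, ctx));
```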