
DDMsgReader: When replying to a message, @-codes are now expanded in the quote file.

Closed Eric Oulashin requested to merge dd_msg_reader_reply_expand_atcodes into master
1 unresolved thread


Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
    • @-codes in messages posted by non-Sysops are normally never expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message received over a message network should never have any @-codes expanded.

      This commit seems to introduce a security concern and raises general concerns about how DDMsgReader handles @-codes currently.

      Edited by Rob Swindell
    • It sounds like it would be best to roll this back.

      Also, as far as DDMsgReader interpreting @-codes, it only expands @-codes when reading personal email (not on networked sub-boards, or any sub-boards), similar to what you've described. I could add an additional check to make sure the message was posted by a sysop.

      It doesn't expand @HANGUP@ or @DELAY@, so those wouldn't be an issue.

  • closed
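
The policy discussed in this thread (expand @-codes only for locally posted sysop messages, and never action codes such as @HANGUP@ or @DELAY@) sketched as an added example; it is not part of the merge request and is not DDMsgReader or Synchronet code. The message fields `fromSysop` and `fromNetwork`, the function names, and the allowlist entries and their values are hypothetical.

```javascript
// Added example: trust-gated, allowlisted @-code expansion for quote text.
// All names here are hypothetical, not Synchronet API.

// Constructed allowlist: display-only codes mapped to constructed values.
// Action codes (@HANGUP@, @DELAY:n@) are deliberately absent.
const SAFE_CODES = new Map([
  ["BBS", () => "Example BBS"],
  ["SYSOP", () => "Example Sysop"],
]);

// Matches @NAME@ and @NAME:args@; lowercase text such as e-mail
// addresses does not match.
const ATCODE_RE = /@([A-Z0-9_]+(?::[^@\r\n]*)?)@/g;

// Only a locally posted message from a sysop is trusted for expansion.
function mayExpand(msg) {
  return msg.fromSysop === true && msg.fromNetwork === false;
}

// Returns the quote text plus the names of codes left unexpanded,
// so the caller can log or review them.
function prepareQuoteText(msg) {
  const trusted = mayExpand(msg);
  const skipped = [];
  const text = msg.body.replace(ATCODE_RE, (whole, code) => {
    const name = code.split(":")[0];
    const handler = SAFE_CODES.get(name);
    if (trusted && handler) return handler();
    skipped.push(name);
    return whole; // stays literal text in the quote file
  });
  return { text, skipped };
}

// Constructed sample messages.
const fromUser = { fromSysop: false, fromNetwork: false,
                   body: "Hi from @BBS@ @HANGUP@" };
const fromSysopMsg = { fromSysop: true, fromNetwork: false,
                       body: "Welcome to @BBS@, @DELAY:99999@ @HANGUP@" };
console.log(prepareQuoteText(fromUser));
console.log(prepareQuoteText(fromSysopMsg));
```

Codes left literal here are only safe if whatever later displays the quote file also refuses to expand them.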
