| Anonymous | Login | Signup for a new account | 2010-09-10 16:29 CEST |
| Main | My View | View Issues | Change Log | Roadmap |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | |||||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | |||||||
| 0002667 | [unreal] ircd | feature | N/A | 2005-10-30 15:22 | 2006-11-12 15:22 | |||||||
| Reporter | JasonTik | View Status | public | |||||||||
| Assigned To | ||||||||||||
| Priority | normal | Resolution | open | |||||||||
| Status | acknowledged | Product Version | 3.2.4 | |||||||||
| Summary | 0002667: Restricted remote includes | |||||||||||
| Description |
<@Stskeeps> i must admit adding "include http://www.unrealircd.com/unwantedpeople.conf [^] { klines } <@Stskeeps> in example.conf <@Stskeeps> has been tempting at times <SNIP> <@Stskeeps> it would probably be so the include only could do ban{} shit <@Stskeeps> which is a good idea, go report it :P It would be nice to be able to specify a list of blocks that would be accepted from a possibly untrusted remote include. It would allow people to distribute lists of spammers or whatever without me having to worry the would put an oper in for themselves in the future. |
|||||||||||
| Additional Information | ||||||||||||
| Tags | No tags attached. | |||||||||||
| 3rd party modules | ||||||||||||
| QA | Not touched yet by developer | |||||||||||
| U4: Need for upstream patch | No need for upstream InspIRCd patch | |||||||||||
| U4: Upstream notification of bug | Not decided | |||||||||||
| U4: Contributor working on this | None | |||||||||||
| Attached Files | ||||||||||||
|
|
||||||||||||
 Relationships |
||||||
|
||||||
|
Notes |
|
|
(0010618) aquanight (reporter) 2005-10-31 00:36 edited on: 2005-10-31 00:37 |
Interesting, though in a case like this it may be more appropriate to just have a cronjob wget the remote include, grep it for any invalid blocks (will come up with a regex for this later - maybe!), remove said blocks as appropriate, cp final result to usable location, kill -HUP `cat ircd.pid`, etc. Also - what would unreal do with a remote conf that did have a "disallowed" block? |
|
(0010620) pinstrate (reporter) 2005-10-31 01:22 |
this is whatfor dnsbl and other spamlists are made for. |
|
(0010624) w00t (reporter) 2005-11-02 21:48 |
... What are you on about pinstrate? This is _nothing_ to do with dnsbl, ahbl, or any other blacklist. Allow me to clarify what we're talking about. Let's say I link to a new network, and they want me to use a remote include for what they tell me is 'permanent glines' - I might want to make SURE that it couldn't have anything silly, like.. let's say, an extra o:line for them on MY server. THAT is what we are talking about here. --- That aside, I'd also wonder how it would work where say, one server had a module that fiddled around with some configuration stuff, and the other one didn't.. but then, we already work around that kind of a situation in extban synching stuff, etc.. so I guess it'd even out. |
|
(0010625) aquanight (reporter) 2005-11-02 22:35 |
I should point that the situation mentioned here has a trust issue to it. Iow: if you don't trust the admin for a remote include - don't include! It makes more sense to do this kind of thing with public remote includes such as spammer lists or even the CVS spamfilter.conf, limiting the set of available blocks in case some sneaky hacker decides to add some extra blocks to the config (although for both cases, worse damage could be done with the blocks that *are* available - ban user/ip { mask *@*; }; spamfilter { regex "."; target user; }; etc...) |
|
(0010638) JasonTik (reporter) 2005-11-04 18:05 |
aquanight's first post: It would ignore the allowed block, possibly log a warning. aquanight's second post: It doesnt always have to be like that, it could be netwide Vhosts (I know there are better ways to do this, just an example). You cant do much damage making one of those for yourself, since I will ban you by realip. |
|
(0010678) syzop (administrator) 2005-11-09 08:56 |
This idea has been mentioned before, and I don't know yet, I think it's nice, but it's just not on the very top of my list ;). A very similar idea will be used for the distributed spamfilter (which would only allow spamfilter { } and some other blocks), though that is all done internally. |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2005-10-30 15:22 | JasonTik | New Issue | |
| 2005-10-30 20:54 | JasonTik | Issue Monitored: JasonTik | |
| 2005-10-31 00:36 | aquanight | Note Added: 0010618 | |
| 2005-10-31 00:37 | aquanight | Note Edited: 0010618 | |
| 2005-10-31 01:22 | pinstrate | Note Added: 0010620 | |
| 2005-11-02 21:48 | w00t | Note Added: 0010624 | |
| 2005-11-02 22:35 | aquanight | Note Added: 0010625 | |
| 2005-11-04 18:05 | JasonTik | Note Added: 0010638 | |
| 2005-11-09 08:56 | syzop | Note Added: 0010678 | |
| 2006-11-12 15:22 | syzop | Status | new => acknowledged |
| 2006-11-12 15:22 | syzop | Relationship added | child of 0003049 |
| Copyright © 2000 - 2008 Mantis Group |  |
