View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003449 | unreal | ircd | public | 2007-07-15 18:01 | 2009-07-24 01:06 |
| Reporter | aegis | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | open | ||
| Platform | * | OS | * | OS Version | * |
| Product Version | 4.0-devel | ||||
| Summary | 0003449: Bug allowing regular users to /stats <any> | ||||
| Description | While playing with InspIRCd I discovered that contrary to what the documentation implies, you can not set <options userstats=""> to prevent the use of all /stats. Instead you must use <options userstats=" "> (please note that is a space between the quotes). This may cause confusion for the end user, as common sense may dicated that simply not setting this value wouldn't allow any /stats (as per the implications of the official InspIRCd documentation). I've marked this bug as major due to it's possible security issues, and suggest disallowing /stats completely to be the absolute default. | ||||
| Steps To Reproduce | Simply define <options userstats=""> | ||||
| Tags | No tags attached. | ||||
| 3rd party modules | |||||
| child of | 0003417 | closed | TODO list for Unreal4.0 |
|
|
I should point out u3's behavior was the opposite: allow all stats by default, you had to list which ones to disable. I kind of like the idea of denying all by default, and allowing specific ones, as it means module-added stats don't require adjusting config files if it's suppoed to be operonly. Yes, "" (empty string) should equal deny all since that makes sense, but an argument could be made for absent meaning no stats denied as being u3 behavior. |
|
|
second this, esp as I believe I had asked for this in a separate bug report for 3.2 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2007-07-15 18:01 | aegis | New Issue | |
| 2007-07-15 22:00 | aquanight | Relationship added | related to 0003417 |
| 2007-07-15 22:01 | aquanight | Note Added: 0014501 | |
| 2007-07-17 04:25 |
|
Status | new => acknowledged |
| 2007-07-22 19:42 | tabrisnet | Note Added: 0014555 | |
| 2007-07-23 09:10 |
|
Relationship deleted | related to 0003417 |
| 2007-07-23 09:10 |
|
Relationship added | child of 0003417 |
| 2007-07-23 19:09 | dmb | QA | => Not touched yet by developer |
| 2007-07-23 19:09 | dmb | U4: Need for upstream patch | => No need for upstream InspIRCd patch |
| 2007-07-23 19:09 | dmb | U4: Upstream notification of bug | => Not decided |
| 2007-07-23 19:09 | dmb | U4: Contributor working on this | => None |
| 2007-07-23 19:09 | dmb | Status | acknowledged => new |
| 2007-07-23 19:15 | dmb | Status | new => acknowledged |
| 2007-07-23 19:16 | dmb | U4: Need for upstream patch | No need for upstream InspIRCd patch => Upstream patch needed |
| 2007-07-24 02:41 | dmb | Status | acknowledged => confirmed |
| 2007-07-24 02:42 | dmb | U4: Upstream notification of bug | Not decided => Shared InspIRCd&Unreal4 issue reported by QA |
| 2009-07-24 01:06 | Stealth | Status | confirmed => closed |
