View Issue Details

ID: 0004086
Project: unreal
Category: ircd
View Status: public
Last Update: 2012-02-26 21:19
Reporter: Apocalypse
Assigned To: syzop
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS: CentOS
OS Version: 6
Product Version: 3.2.9
Target Version:
Fixed in Version: 3.2.10-rc1
Summary: 0004086: /stats M
Description: /stats m is allowed to be used by normal users despite being defined in oper-only-stats as M (this stats command is case-insensitive, or should be).

In src/modules/m_stats.c:
inline int stats_operonly_short(char c)
{
        char l;
        if (!OPER_ONLY_STATS)
                return 0;
        if (*OPER_ONLY_STATS == '*')
                return 1;
        if (strchr(OPER_ONLY_STATS, c))
                return 1;
        l = tolower(c);
        /* Hack for the flags that are case insensitive */
        if (l == 'o' || l == 'y' || l == 'k' || l == 'g' || l == 'x' || l == 'c' ||
            l =='f' || l == 'i' || l == 'h')
        {
                if (islower(c) && strchr(OPER_ONLY_STATS, toupper(c)))
                        return 1;
                else if (isupper(c) && strchr(OPER_ONLY_STATS, tolower(c)))
                        return 1;
        }
        /* Hack for c/C/H/h */
        if (l == 'c')
        {
                if (strpbrk(OPER_ONLY_STATS, "hH"))
                        return 1;
        } else if (l == 'h')
                if (strpbrk(OPER_ONLY_STATS, "cC"))
                        return 1;
        return 0;
}

l == 'm' is missing, thus allowing normal users to /stats m. /stats M is still disallowed. Note that m/M is case-insensitive, or is supposed to be.

Steps To Reproduce: Use /stats m on a network that has M defined in oper-only-stats. This is assuming that mM is not in oper-only-stats already; it should take either m or M, not require both to prevent usage by normal users.

Reproduced on both 3.2.8.1 and 3.2.9 having just M in oper-only-stats.
Tags: No tags attached.
3rd party modules

Activities

Apocalypse

2012-02-20 02:26

reporter  

m_stats.patch (485 bytes)

warg

2012-02-26 05:13

reporter   ~0016910

+1

syzop

2012-02-26 10:29

administrator   ~0016916

http://hg.unrealircd.com/hg/unreal/rev/f4767d3fcba4
- Even when 'M' was listed in set::oper-only-stats you could still do a
  '/STATS m'. Unlike other stats characters, case insensitivity was not
  checked for this one. Reported by and patch from Apocalypse (0004086).

Thanks!
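
The check described in this report, as an added example (not UnrealIRCd's own code and not the attached m_stats.patch): a stand-alone model of stats_operonly_short() that compares the case-insensitive flag list quoted above with one that also contains 'm'. The function names, the parameters and the "M" configuration are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Flags whose two cases name the same /stats report. BEFORE is the list in
 * the function quoted in the report; AFTER adds the missing 'm'. */
static const char CI_BEFORE[] = "oykgxcfih";
static const char CI_AFTER[]  = "oykgxcfihm";

/* Hypothetical stand-alone model of stats_operonly_short(): the configured
 * oper-only-stats string and the flag list are parameters (assumption).
 * Returns 1 if /stats <c> is oper-only, 0 otherwise. */
static int operonly_short(const char *oper_only, const char *ci_flags, char c)
{
    unsigned char uc = (unsigned char)c;
    int l = tolower(uc);

    if (!oper_only)
        return 0;
    if (*oper_only == '*' || strchr(oper_only, c))
        return 1;
    /* Case-insensitive flag: the other-case spelling also restricts it. */
    if (strchr(ci_flags, l)) {
        int other = islower(uc) ? toupper(uc) : tolower(uc);
        if (strchr(oper_only, other))
            return 1;
    }
    /* c/C and h/H restrict each other, as in the quoted function. */
    if (l == 'c' && strpbrk(oper_only, "hH"))
        return 1;
    if (l == 'h' && strpbrk(oper_only, "cC"))
        return 1;
    return 0;
}

/* 1 = an ordinary user may run /stats <c>; 0 = oper only. */
int user_allowed_before(const char *cfg, char c) { return !operonly_short(cfg, CI_BEFORE, c); }
int user_allowed_after(const char *cfg, char c)  { return !operonly_short(cfg, CI_AFTER, c); }

int main(void)
{
    const char *cfg = "M";   /* constructed config: only 'M' listed */
    const char *probe = "mMoO";
    for (const char *p = probe; *p; p++)
        printf("/stats %c  before=%d  after=%d\n", *p,
               user_allowed_before(cfg, *p), user_allowed_after(cfg, *p));
    return 0;
}
```

Any flag left out of the case-insensitive list fails open in the same way, so a regression test that probes both cases of every restricted flag catches omissions of this kind.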

Issue History

Date Modified Username Field Change
2012-02-20 01:07 Apocalypse New Issue
2012-02-20 02:26 Apocalypse File Added: m_stats.patch
2012-02-20 02:27 Apocalypse Status new => has patch
2012-02-26 05:13 warg Note Added: 0016910
2012-02-26 10:29 syzop Note Added: 0016916
2012-02-26 10:29 syzop Status has patch => resolved
2012-02-26 10:29 syzop Fixed in Version => 3.2.10-rc1
2012-02-26 10:29 syzop Resolution open => fixed
2012-02-26 10:29 syzop Assigned To => syzop
2012-02-26 21:19 syzop Category module => ircd