View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006004 | unreal | ircd | public | 2021-11-20 12:44 | 2023-03-18 14:16 |
Reporter | progval | Assigned To | syzop | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 5.2.2 | ||||
Fixed in Version | 6.0.7 | ||||
Summary | 0006004: The optional <target> parameter of INFO is ignored | ||||
Description | Both RFCs and the Modern spec define an optional parameter to the INFO command: https://datatracker.ietf.org/doc/html/rfc1459#section-4.3.8 ; https://datatracker.ietf.org/doc/html/rfc2812#section-3.4.10 ; https://modern.ircdocs.horse/#rplendofinfo-374 . Some Unreal configs seem to ignore it, and always return the info of the local server. | ||||
Steps To Reproduce | First scenario: 1. link two servers with different versions (let's call them serverA and serverB) 2. connect to serverA 3. send "INFO serverB" 4. version of serverA is returned, instead of serverB's. Second scenario: 1. connect to any server 2. send "INFO invalid.server" 3. info for serverA is returned, instead of ERR_NOSUCHSERVER | ||||
Additional Information | It's unclear to me when/why it happens, but it currently does on irc1.unrealircd.org. | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
|
Someone identified why it happens: remote /info is oper-only https://github.com/unrealircd/unrealircd/blob/b3b40e62c52085f40837385b5407b70899960a03/src/serv.c#L344 |
|
Yeah exactly, this is done to prevent major flooding issues. Regardless of that, I also think it is fine not to show this info to users to remote servers (ones that they may not even have direct access to). We could perhaps send ERR_NOPRIVILEGES instead of just converting it to local, that would be less confusing. So leaving this bug open to do that. |
|
And done now, thanks for bringing it up, I think this is better. https://github.com/unrealircd/unrealircd/commit/99c3f8688e857f6d4162ced2a953de244f3a2a30

commit 99c3f8688e857f6d4162ced2a953de244f3a2a30 (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Sat Mar 18 14:11:48 2023 +0100

    When we blocked remote requests for CREDITS/INFO/LICENSE 10 years ago due to flood attacks, back then we changed the argument silently to point to our own server, eg 'INFO some.remote.server' ended up being 'INFO' (local server) when requested by non-IRCOps.

    Now, we simply return "Permission denied" in such cases, which is more clear and explicit.

    Reported by progval in https://bugs.unrealircd.org/view.php?id=6004 |
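
The behaviour change described in the commit message above, as a small model added for this page (it is not UnrealIRCd's code). The function names, the two-server table and the placement of the privilege check before the server lookup are assumptions; only the numerics 402 and 481 come from the RFCs.

```c
#include <stdio.h>
#include <string.h>

/* Outcomes of an INFO request. 402 and 481 are the RFC 1459/2812 numerics;
 * the first two values are labels made up for this model. */
enum {
    SEND_LOCAL_INFO   = 0,   /* reply with this server's own INFO text */
    FORWARD_TO_TARGET = 1,   /* pass the request on to the named server */
    ERR_NOSUCHSERVER  = 402,
    ERR_NOPRIVILEGES  = 481
};

/* Constructed network: the report's serverA (local) linked to serverB. */
static const char *const LOCAL = "serverA";
static const char *const LINKED[] = { "serverA", "serverB" };

static int is_linked(const char *name)
{
    for (size_t i = 0; i < sizeof LINKED / sizeof LINKED[0]; i++)
        if (strcmp(LINKED[i], name) == 0)   /* exact match keeps the model short */
            return 1;
    return 0;
}

/* Normal routing of "INFO [<target>]" once the target is accepted. */
static int route(const char *target)
{
    if (target == NULL || strcmp(target, LOCAL) == 0)
        return SEND_LOCAL_INFO;
    return is_linked(target) ? FORWARD_TO_TARGET : ERR_NOSUCHSERVER;
}

/* Before: a non-oper's <target> is dropped, so the request becomes plain INFO. */
int info_before(int is_oper, const char *target)
{
    return route(is_oper ? target : NULL);
}

/* After: a non-oper naming another server is refused explicitly.
 * Assumption: the privilege check runs before the server lookup. */
int info_after(int is_oper, const char *target)
{
    if (!is_oper && target != NULL && strcmp(target, LOCAL) != 0)
        return ERR_NOPRIVILEGES;
    return route(target);
}

int main(void)
{
    const char *t[] = { NULL, "serverB", "invalid.server" };
    for (size_t i = 0; i < 3; i++)
        printf("%-15s user before=%d after=%d, oper after=%d\n", t[i] ? t[i] : "(none)",
               info_before(0, t[i]), info_after(0, t[i]), info_after(1, t[i]));
    return 0;
}
```

In this model both scenarios from the report produce local INFO output for a normal user before the change and 481 after it, while an IRCOp gets normal routing (forwarding, or 402 for an unknown server) in both versions.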
Date Modified | Username | Field | Change |
---|---|---|---|
2021-11-20 12:44 | progval | New Issue | |
2021-11-20 13:03 | progval | Note Added: 0022196 | |
2021-11-29 18:26 | syzop | Note Added: 0022223 | |
2021-11-29 18:26 | syzop | Assigned To | => syzop |
2021-11-29 18:26 | syzop | Status | new => acknowledged |
2023-03-18 14:16 | syzop | Status | acknowledged => resolved |
2023-03-18 14:16 | syzop | Resolution | open => fixed |
2023-03-18 14:16 | syzop | Fixed in Version | => 6.0.7 |
2023-03-18 14:16 | syzop | Note Added: 0022781 |