From bb587381be7fcdf78843a15570ecc3f1b9046ca2 Mon Sep 17 00:00:00 2001 From: Michael Poole Date: Wed, 28 Apr 2004 19:53:40 +0000 Subject: [PATCH] Sanity check user infolines * Disallow infolines longer than a configured maximum length (by default, 400 characters). * Disallow infolines that contain certain characters (currently just ^A). git-archimport-id: srvx@srvx.net--2004-srvx/srvx--devo--1.3--patch-51 --- ChangeLog | 18 ++++++++++++++++++ languages/de/strings.db | 2 ++ src/chanserv.c | 18 ++++++++++++++++++ srvx.conf.example | 2 ++ 4 files changed, 40 insertions(+) diff --git a/ChangeLog b/ChangeLog index 7433ad9..0a3a4d3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,24 @@ # arch-tag: automatic-ChangeLog--srvx@srvx.net--2004-srvx/srvx--devo--1.3 # +2004-04-28 19:53:40 GMT Michael Poole patch-51 + + Summary: + Sanity check user infolines + Revision: + srvx--devo--1.3--patch-51 + + * Disallow infolines longer than a configured maximum length (by + default, 400 characters). + + * Disallow infolines that contain certain characters (currently + just ^A). + + modified files: + ChangeLog languages/de/strings.db src/chanserv.c + srvx.conf.example + + 2004-04-12 03:25:03 GMT Michael Poole patch-50 Summary: diff --git a/languages/de/strings.db b/languages/de/strings.db index e9956d8..99ed5d3 100644 --- a/languages/de/strings.db +++ b/languages/de/strings.db @@ -13,6 +13,7 @@ "CSMSG_BAD_DIE_FORMAT" "Was genau soll $b%s$b sein ? Bitte benutze eine einzelne Zahl oder das 4d6+3 Format."; "CSMSG_BAD_GIVEOPS" "GiveOps kann nicht niedriger sein als GiveVoice (%d)."; "CSMSG_BAD_GIVEVOICE" "GiveVoice kann nicht höher sein als GiveOps (%d)."; +"CSMSG_BAD_INFOLINE" "Du darfst das Zeichen \\%03o nicht in deiner Infozeile haben."; "CSMSG_BAD_MAX_LENGTH" "$b%s$b ist keine gültige maximale Länge (Sie muss zwischen 20 und 450 Zeichen liegen)."; "CSMSG_BAD_NOTE_ACCESS" "$b%s$b ist kein gültiger Note Zugriffstyp."; "CSMSG_BAD_NOTE_TYPE" "Note Typ $b%s$b existiert nicht."; 
@@ -94,6 +95,7 @@ "CSMSG_ILLEGAL_CHANNEL" "$b%s$b ist ein illegaler Channel und kann daher nicht registriert werden."; "CSMSG_INCORRECT_ACCESS" "%s hat Access Level $b%d$b, nicht %s."; "CSMSG_INFOLINE_LIST" "Der Account $b%s$b hat in folgenden Channeln Access:"; +"CSMSG_INFOLINE_TOO_LONG" "Deine Infoline darf nicht mehr als %u Zeichen haben."; "CSMSG_INVALID_ACCESS" "$b%s$b ist ein ungültiger Access Level."; "CSMSG_INVALID_MODE_LOCK" "$b%s$b ist ein ungültiger Mode Lock."; "CSMSG_INVALID_NUMERIC" "$b%d$b ist nicht gültig. Wähle:"; diff --git a/src/chanserv.c b/src/chanserv.c index 1e743c2..51bcb9f 100644 --- a/src/chanserv.c +++ b/src/chanserv.c @@ -54,6 +54,7 @@ #define KEY_NETWORK_HELPER_EPITHET "network_helper_epithet" #define KEY_SUPPORT_HELPER_EPITHET "support_helper_epithet" #define KEY_NODELETE_LEVEL "nodelete_level" +#define KEY_MAX_USERINFO_LENGTH "max_userinfo_length" /* ChanServ database */ #define KEY_CHANNELS "channels" @@ -301,6 +302,8 @@ static const struct message_entry msgtab[] = { { "CSMSG_ALREADY_PRESENT", "%s is already in $b%s$b." }, { "CSMSG_YOU_ALREADY_PRESENT", "You are already in $b%s$b." }, { "CSMSG_LOW_CHANNEL_ACCESS", "You lack sufficient access in %s to use this command." }, + { "CSMSG_INFOLINE_TOO_LONG", "Your infoline may not exceed %u characters." }, + { "CSMSG_BAD_INFOLINE", "You may not use the character \\%03o in your infoline." }, { "CSMSG_KICK_DONE", "Kicked $b%s$b from %s." }, { "CSMSG_NO_BANS", "No channel bans found on $b%s$b." }, @@ -493,6 +496,7 @@ static struct unsigned int max_owned; unsigned int max_chan_users; unsigned int max_chan_bans; + unsigned int max_userinfo_length; struct string_list *set_shows; struct string_list *eightball; 
@@ -5245,7 +5249,19 @@ static MODCMD_FUNC(user_opt_info) if(argc > 1) { + size_t bp; infoline = unsplit_string(argv + 1, argc - 1, NULL); + if(strlen(infoline) > chanserv_conf.max_userinfo_length) + { + reply("CSMSG_INFOLINE_TOO_LONG", chanserv_conf.max_userinfo_length); + return 0; + } + bp = strcspn(infoline, "\001"); + if(infoline[bp]) + { + reply("CSMSG_BAD_INFOLINE", infoline[bp]); + return 0; + } if(uData->info) free(uData->info); if(infoline[0] == '*' && infoline[1] == 0) @@ -6255,6 +6271,8 @@ chanserv_conf_read(void) chanserv_conf.max_chan_users = str ? atoi(str) : 512; str = database_get_data(conf_node, KEY_MAX_CHAN_BANS, RECDB_QSTRING); chanserv_conf.max_chan_bans = str ? atoi(str) : 512; + str = database_get_data(conf_node, KEY_MAX_USERINFO_LENGTH, RECDB_QSTRING); + chanserv_conf.max_userinfo_length = str ? atoi(str) : 400; str = database_get_data(conf_node, KEY_NICK, RECDB_QSTRING); if(chanserv && str) NickChange(chanserv, str, 0); diff --git a/srvx.conf.example b/srvx.conf.example index d859f46..3243d38 100644 --- a/srvx.conf.example +++ b/srvx.conf.example @@ -186,6 +186,8 @@ "max_chan_users" "512"; // maximum bans on a channel banlist "max_chan_bans" "512"; + // maximum length of a user's infoline + "max_userinfo_length" "400"; // If DynLimit is on and there are N users in the channel, ChanServ will // try to keep the limit at N+. "adjust_threshold" "15"; -- 2.20.1
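Review bot: In user_opt_info, `reply("CSMSG_BAD_INFOLINE", infoline[bp]);` passes a plain `char` to the `\\%03o` format, so where `char` is signed a byte at or above 0x80 would be sign-extended and printed as a long octal number once the reject set grows beyond `"\001"` (the commit message says "currently just ^A"). `reply("CSMSG_BAD_INFOLINE", (unsigned char)infoline[bp]);` avoids that. The reject set would also be easier to audit as a named constant with a comment saying why ^A is refused, for example `/* ^A delimits CTCP; never store it in text the service may relay */`, with the wording confirmed against how infolines are actually displayed. Both checks run only when an infoline is set, so entries stored before this change are presumably not re-validated; the hunk does not show the load path. The body of user_opt_info starts and ends outside the hunk.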
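Review bot: In chanserv_conf_read, `chanserv_conf.max_userinfo_length = str ? atoi(str) : 400;` stores the result of `atoi` in an `unsigned int` with no range check, so a negative setting wraps to a very large value and silently disables the new length cap. A zero or non-numeric setting makes the `strlen(infoline) > chanserv_conf.max_userinfo_length` test in user_opt_info reject every infoline, including the `*` form tested just after it. Because this value limits user-supplied text, parse it with `strtoul` and fall back to the default when it is out of range, for example `unsigned long v = str ? strtoul(str, NULL, 0) : 400;` followed by `chanserv_conf.max_userinfo_length = (v >= 1 && v <= MAX_INFOLINE_CAP) ? v : 400;`, where `MAX_INFOLINE_CAP` is a placeholder for an upper bound that fits the project's message length. The neighbouring `max_chan_users` and `max_chan_bans` lines use the same `atoi` pattern, and the function continues outside the hunk.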