The following patch does two things to address the issue here.

* Replaces user commands (i.e., if the command 'test' is sent twice, the latter overwrites the previous command value)
* Restricts to a maximum of 100 (external) user commands. (Completely arbitrary number.)

While I did settings, I did not make them available in the UI. I wasn't sure whether the users should really be able to change them...

Additionally, the patch makes sure that all external user commands are sorted after all internal (created by the user) user commands. This makes sure that it is easy to spot user/hub user commands.

** Patch added: "dcpp_ucsec.diff"
   https://bugs.launchpad.net/dcplusplus/+bug/1030613/+attachment/3899166/+files/dcpp_ucsec.diff

https://bugs.launchpad.net/bugs/1030613

Title:
  Normal users can issue CMDs

Status in ADCH++:
  Fix Released
Status in DC++:
  Confirmed

Bug description:
  Any client may send a CMD (only B-type tested) to the hub, distributing it to any user. If done in a bot, you can effectively send tens or hundreds of these, and a receiving client will be forced to manage them, thus potentially causing a DoS scenario.

  Generate the following user command in DC++ to test yourself;

  Command type: Raw
  Context: Hub menu
  Name: RogueCommand
  Command: BCMD %[mySID] Security\stest,\sbe\safraid TTHINF\sNIfoobar\n CT2
  Hub address: adc://

  (Above command should obviously be followed by a new line.)

  The hub should ignore any CMD originating from a user. Potentially allow CMDs from trusted users.
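
The client-side behaviour described in the comment at the top of this message (overwrite on a repeated name, a cap of 100 external user commands, external commands sorted after internal ones), as an added sketch that is not the contents of dcpp_ucsec.diff and not DC++ code. The `UserCommand` struct, `UserCommandStore` class and their members are hypothetical names, and the rule that a hub-sent command never overwrites a locally created one is an assumption.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical type for illustration; not DC++'s own UserCommand class.
struct UserCommand {
    std::string name;
    std::string command;
    bool external;  // true: received from a hub via CMD, false: created by the local user
};

class UserCommandStore {
public:
    static constexpr std::size_t kMaxExternal = 100;  // cap named in the comment above

    // Adds or replaces a command. Returns false when an external command is
    // dropped because the cap has been reached.
    bool add(const UserCommand& uc) {
        // Assumption: only commands of the same origin replace each other, so a
        // hub-sent command cannot overwrite one the user created locally.
        auto it = std::find_if(cmds_.begin(), cmds_.end(), [&](const UserCommand& c) {
            return c.external == uc.external && c.name == uc.name;
        });
        if (it != cmds_.end()) {  // same name sent again: overwrite, list does not grow
            it->command = uc.command;
            return true;
        }
        if (uc.external && externalCount() >= kMaxExternal)
            return false;         // flood of distinct names: drop instead of storing
        // Internal commands are inserted before the first external one;
        // external commands are appended, so they always sort last.
        auto pos = uc.external ? cmds_.end()
                               : std::find_if(cmds_.begin(), cmds_.end(),
                                     [](const UserCommand& c) { return c.external; });
        cmds_.insert(pos, uc);
        return true;
    }

    std::size_t externalCount() const {
        return static_cast<std::size_t>(std::count_if(cmds_.begin(), cmds_.end(),
            [](const UserCommand& c) { return c.external; }));
    }
    const std::vector<UserCommand>& all() const { return cmds_; }

private:
    std::vector<UserCommand> cmds_;
};
```
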