extensions/extb_channel: Allow matching secret channels.

This change modifies extb_channel to allow matching users in secret
channels, which prevents trivial ban evasion by setting the target
channel +s. Information leak due to this change is unlikely since the
attacker would have to know that the target channel exists, the name of
the channel (or guess it), have a specific user they wanted to know
whether was in the channel (and not know already), and the target user
would need to have something like autojoin-on-invite enabled (or any of
the other various ways hostname cloaking is attacked).
This commit is contained in:
Keith Buck 2016-12-29 05:44:18 +00:00
parent 28f877462d
commit 1175ff837d
2 changed files with 2 additions and 9 deletions

View file

@ -1,5 +1,5 @@
/*
* Channel extban type: matches users who are in a certain public channel
* Channel extban type: matches users who are in a certain channel
* -- jilles
*/
@ -47,8 +47,5 @@ static int eb_channel(const char *data, struct Client *client_p,
/* require consistent target */
if (chptr->chname[0] == '#' && data[0] == '&')
return EXTBAN_INVALID;
/* privacy! don't allow +s/+p channels to influence another channel */
if (!PubChannel(chptr2) && chptr2 != chptr)
return EXTBAN_INVALID;
return IsMember(client_p, chptr2) ? EXTBAN_MATCH : EXTBAN_NOMATCH;
}

View file

@ -18,11 +18,7 @@ Unless noted below, all types can be used with +b, +q, +e and +I.
$a - Matches all logged in users
$a:<mask> - Matches users logged in with a username matching the mask
(* and ? wildcards)
$c:<chan> - Matches users who are on the given channel; this is only
valid if the channel exists and is not +s or +p. (The ops
of the channel the ban is on cannot necessarily see whether
the user is in the target channel, so it should not
influence whether they can join either.)
$c:<chan> - Matches users who are on the given channel
$o - Matches opers (most useful with +I)
$r:<mask> - Matches users with a realname (gecos) matching the mask
(* and ? wildcards); this can only be used with +b and +q