Opened 7 years ago

#15082 new defect

IRC PRPL does not filter \r on its own.

Reported by: Josh @… Owned by: elb
Milestone: Component: IRC
Version: 2.10.0 Keywords: returncarriage newline


The IRC PRPL filters messages sent through purple_conv_chat_send to escape \n and \r\n. These are sent as multiple messages. If a message passed to purple_conv_chat_send contains an \r unpaired with an \n, however, it is not removed or treated as a message break, and the \r is sent raw, leaving the server to interpret the next line as a new command.

For plugins which have the ability to echo input from other users, this is a vulnerability, as it enables third parties to run commands as the plugin's host.

For example, calling purple_conv_chat_send(irc_conv, "Goodbye!\rquit"); will say "Goodbye!", then terminate the connection.

Change History (0)

Note: See TracTickets for help on using tickets.
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!