View Issue Details

ID: 0005948
Project: unrealircd
Category:
View Status: public
Last Update: 2021-07-03 07:23
Reporter: progval
Assigned To: syzop
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0005948: reply-tag should not filter out "invalid" +draft/reply values
Description: The reply-tag module has a replytag_mtag_is_ok function used to decide whether a +draft/reply tag should be relayed or not.

However, https://ircv3.net/specs/extensions/message-tags#client-only-tags requires that "Client-only tags MUST be relayed on PRIVMSG, NOTICE and TAGMSG messages" (with the exception of tags blacklisted with CLIENTTAGDENY).
Steps To Reproduce:
C -> S: @+draft/reply=ct95w3xemz8qj9du2h74wp8pee PRIVMSG bob :hey yourself
S -> C: @msgid=VGJcm5Uub8uVd9Z8nnGfkD;time=2021-07-01T20:42:23.879Z :alice!username@Clk-4D552FD5 PRIVMSG bob :hey yourself
3rd party modules

Activities

syzop

2021-07-03 07:23

administrator   ~0022074

Allowing unfiltered message tags opens up the way to flood massively, e.g. with 2048 byte message tags. At UnrealIRCd we find security very important and will not allow such stupid stuff. In this case, validating the msgid is the easiest way to prevent this.

We have been hearing that "you are violating the spec" for decades now at UnrealIRCd. In the past it applied to RFC1459, I guess this one is new. We can apply moderation, filtering and other techniques to any command, any content, not limited to message tags but also to (for example) PRIVMSG text/content itself, think of spamfilter, user and channel mode +G, textbans, antimixedutf8, and so on and so on. This will never change. We have always done that and will keep doing that in the interest of IRC (e.g. to allow features that are otherwise not possible, ones that violate RFC1459) and/or to enhance security or anti-flood systems.

Also I should point out that in this case the message tags specification explicitly says: "Servers MAY apply moderation to client-only tags using existing or newly specified modes or configuration".
(... or in this case, code)

More practically speaking, the +reply message tag is meant to reply to a msgid. There is really no reason to support replying to an invalid msgid.
If that's a problem in your test framework, then I suggest you first send a message, acquire the msgid, and then use +draft/reply to reply to it.
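
An added example (not UnrealIRCd's code and not part of the original thread) of the kind of msgid-shaped validation discussed above, applied to the tag section of a raw IRC line. The rule of exactly 22 ASCII alphanumeric characters is an assumption taken from the msgid visible in the report, and the names `reply_value_is_ok` and `reply_tag_relay_decision` are hypothetical; the actual check in replytag_mtag_is_ok is not shown on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: msgids are exactly 22 ASCII alphanumerics, like the msgid in
 * the report. The real rule in replytag_mtag_is_ok is not shown on the page. */
#define ASSUMED_MSGID_LEN 22

static int reply_value_is_ok(const char *v, size_t len)
{
    if (len != ASSUMED_MSGID_LEN)   /* rejects empty and oversized values */
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)v[i]))
            return 0;
    return 1;
}

/* Scan the tag section of a raw line ("@k=v;k2=v2 COMMAND ...").
 * Returns 1: relay +draft/reply, 0: drop it, -1: tag not present. */
int reply_tag_relay_decision(const char *line)
{
    static const char key[] = "+draft/reply";
    if (line[0] != '@')
        return -1;
    const char *p = line + 1;
    const char *end = strchr(p, ' ');   /* tags end at the first space */
    if (!end)
        end = p + strlen(p);
    while (p < end) {
        const char *semi = memchr(p, ';', (size_t)(end - p));
        const char *tag_end = semi ? semi : end;
        const char *eq = memchr(p, '=', (size_t)(tag_end - p));
        size_t klen = (size_t)((eq ? eq : tag_end) - p);
        if (klen == sizeof(key) - 1 && memcmp(p, key, klen) == 0)
            return eq ? reply_value_is_ok(eq + 1, (size_t)(tag_end - eq - 1)) : 0;
        p = semi ? semi + 1 : end;
    }
    return -1;
}

int main(void)
{
    /* First line is the one from the report; second is constructed. */
    const char *report = "@+draft/reply=ct95w3xemz8qj9du2h74wp8pee PRIVMSG bob :hey yourself";
    const char *made_up = "@+draft/reply=VGJcm5Uub8uVd9Z8nnGfkD PRIVMSG bob :hey yourself";
    printf("%d %d\n", reply_tag_relay_decision(report), reply_tag_relay_decision(made_up));
    return 0;
}
```

Under this assumed rule the 26-character value from the report is dropped, and a 2048-byte value never reaches other clients because the length test fails before any per-character work is done.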

Issue History

Date Modified Username Field Change
2021-07-01 22:47 progval New Issue
2021-07-03 07:23 syzop Assigned To => syzop
2021-07-03 07:23 syzop Status new => closed
2021-07-03 07:23 syzop Resolution open => no change required
2021-07-03 07:23 syzop Note Added: 0022074