From ce121459f7666d194d4ffa9df59df51920e1bb97 Mon Sep 17 00:00:00 2001
From: Daniel Folkinshteyn
Date: Sat, 25 Feb 2012 12:35:55 -0500
Subject: [PATCH] Channelstats: require caller to be in target channel when using commands in this plugin. This fixes information leakage from private channels.
---
 plugins/ChannelStats/plugin.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/plugins/ChannelStats/plugin.py b/plugins/ChannelStats/plugin.py
index d09129bed..dd7943c7a 100644
--- a/plugins/ChannelStats/plugin.py
+++ b/plugins/ChannelStats/plugin.py
@@ -245,6 +245,9 @@ class ChannelStats(callbacks.Plugin):
 necessary if the message isn't sent on the channel itself. If isn't given, it defaults to the user sending the command.
 """
+ if msg.nick not in irc.state.channels[channel].users:
+ irc.error(format('You must be in %s to use this command.', channel))
+ return
 if name and ircutils.strEqual(name, irc.nick):
 id = 0
 elif not name:
@@ -304,6 +307,9 @@ class ChannelStats(callbacks.Plugin):
 'kicks', 'kicked', 'topics', and 'modes'. Any simple mathematical expression involving those variables is permitted.
 """
+ if msg.nick not in irc.state.channels[channel].users:
+ irc.error(format('You must be in %s to use this command.', channel))
+ return
 # XXX I could do this the right way, and abstract out a safe eval,
 # or I could just copy/paste from the Math plugin.
 if expr != expr.translate(utils.str.chars, '_[]'):
@@ -345,6 +351,9 @@ class ChannelStats(callbacks.Plugin):
 Returns the statistics for . is only necessary if the message isn't sent on the channel itself.
 """
+ if msg.nick not in irc.state.channels[channel].users:
+ irc.error(format('You must be in %s to use this command.', channel))
+ return
 try:
 stats = self.db.getChannelStats(channel)
 curUsers = len(irc.state.channels[channel].users)
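Review bot: The guard added in the first hunk indexes `irc.state.channels[channel]` before anything visible establishes that the bot holds state for `channel`, and the docstrings say the caller may name a channel explicitly, so a channel the bot is not tracking would presumably raise KeyError rather than reach the intended error reply. The same three lines are repeated in the second and third hunks. I would make the deny path explicit with `if channel not in irc.state.channels or msg.nick not in irc.state.channels[channel].users:`, keeping one error text for both cases so the reply does not distinguish an untracked channel from one the caller has not joined. Because this is the access check that stops the private-channel leak, moving it into one private helper used by all three commands would keep a later command from being added without it. All three function bodies start and end outside the hunks, so an existing handler further down (the third hunk opens a `try:`) cannot be ruled out.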