Open anarcat opened 11 years ago
dgoulet
commented
11 years ago Yes so libotr uses a html formatted text in a message for the case the remote user does NOT have otr. Irssi does not behave well with html tags thus why you see that.
This is why irssi-otr does not use the default message of libotr for that but pidgin for instance does use it...
Apart from stripping the html tags from the incoming message in irssi-otr, this will continue to happen...
Thoughts?
anarcat
commented
11 years ago That is not the problem. The problem is that this message shows up in the status window, not the chat window. Even worse, it looks like the text is being parsed as a command which makes me worried about remote execution.
dgoulet
commented
10 years ago I'm still investigating this one because you are right this can be really BAD if irssi tries to interpret this as a command.
Currently, I'm unable to reproduce it though... do you have a reliable way to reproduce it each time ? However, I remember seeing this issue so I'll investigate more this issue and flagging it as a security issue until we can sort this one out.
dgoulet
commented
10 years ago So this is due to the default OTR message containing html tags and telling the other side that basically you don't have OTR support you can go to a website to get it. Irssi does not handle well html tags so there is no risk for remote execution since it is prefixed by "" and your nickname follows.
I'll ask upstream libotr to maybe reconsider using html and \n in that message.
It can be reproduce simply by typing "?OTR?" in the private message window. That tag triggers the default messsage to be sent by libotr.
I see this when an OTR session is negotiated:
chat0.koumbit.netis the IRC server I am on while negotiating a private OTR conversation. This looks an awful lot like parts of the message sent to the other party when initating the conversation ( foo has requested an OTR conversation, see foobar.com for more information...)