search

sopel-irc / sopel

:robot::speech_balloon: An easy-to-use and highly extensible IRC Bot framework. Formerly Willie.
https://sopel.chat
Other
948 stars 402 forks source link

NUL (`\x00`) is not filtered from IRC args/text #2566

Closed dgw closed 4 weeks ago

dgw commented 12 months ago

Requested Feature

irc.utils.safe() strips CR and LF from its input, but not NUL (\x00) even though all three octets are disallowed in IRC lines.

https://github.com/sopel-irc/sopel/blob/3ff58c160ecc7a9d51f1e06426d456c7db4d985a/sopel/irc/utils.py#L20-L48

Problems Solved

Plugins accidentally sending NUL will most likely cause the server to disconnect the bot with an error ("malformed data" or similar).

Alternatives

Plugin authors must manually ensure that anything their code sends to IRC does not contain the NUL byte.

Notes

No response

dgw commented 2 months ago

Remembered this and finally tested it:

@plugin.command('nullme')
@plugin.require_admin("Sorry, I can't let you do that.", reply=True)
@plugin.output_prefix('[NULL] ')
def null(bot, trigger):
    """Send a message containing null, for testing."""
    bot.say("Null\x00byte!")

At least on Rizon, the bot is not disconnected; the message gets truncated:

<dgw> .nullme
<SopelGitpod> [NULL] Null

Obviously not ideal, but not as bad as it could be.