egghelp/eggheads community Discussion of eggdrop bots, shell accounts and tcl scripts. 2007-09-03T02:37:00-04:00 https://forum.eggheads.org/app.php/feed/topic/13928 2007-09-03T02:37:00-04:00 2007-09-03T02:37:00-04:00 https://forum.eggheads.org/viewtopic.php?p=75646#p75646 <![CDATA[need help with script security]]>

Code: 

foreach i $text {if {([string match "*http://*" $i]) || ([string match "*ftp://*" $i])|| ([string match "*www.*" $i]) || ([string match "*ftp.*" $i])} {set fd [open $urllogfile a+]if {[string match "*www.*" $i] && ![string match "*http://*" $i]} {set i "http://$i"}if {[string match "*ftp.*" $i] && ![string match "*ftp://*" $i]} {set i "ftp://$i"}
to match

Code: 

foreach i $text { if {[string match "*http://*" $i] && ![string match "*http://*<*>*" $i] || [string match "*ftp://*" $i] && ![string match "*ftp://*<*>*" $i] || [string match "*www.*" $i] && ![string match "*www.*<*>*" $i] || [string match "*ftp.*" $i] && ![string match "*ftp.*<*>*" $i]} {  set fd [open $urllogfile a+]   if {[string match "*www.*" $i] && ![string match "*http://*" $i]} {    set i "http://$i"   }    if {[string match "*ftp.*" $i] && ![string match "*ftp://*" $i]} {     set i "ftp://$i"    }
should work. (its just a case of checking that the <tags> are in the url address). :idea:

Statistics: Posted by TCL_no_TK — Mon Sep 03, 2007 2:37 am

]]> 2007-08-21T11:32:48-04:00 2007-08-21T11:32:48-04:00 https://forum.eggheads.org/viewtopic.php?p=75431#p75431 <![CDATA[need help with script security]]>
I found this script:
## This script catches urls said on channels and set on topics
## and makes a webfile of them.
## 21.7.1997 by Goblet email: goblet@sci.fi

set urllogfile "urls.log"
set urlwebfile "/wwwhome/goblet/public_html/blerp/urllog.html"

bind pubm - * check_if_url
bind topc - * check_if_url

proc check_if_url {nick uhost hand chan text} {
global urllogfile urlwebfile botnick
foreach i $text {
if {([string match "*http://*" $i]) || ([string match "*ftp://*" $i])
|| ([string match "*www.*" $i]) || ([string match "*ftp.*" $i])} {
set fd [open $urllogfile a+]
if {[string match "*www.*" $i] && ![string match "*http://*" $i]} {
set i "http://$i"
}
if {[string match "*ftp.*" $i] && ![string match "*ftp://*" $i]} {
set i "ftp://$i"
}
puts $fd "<a href=\"$i\">$i</a><br>"
puts $fd "[ctime [unixtime]] $nick ($uhost)<br><hr>"
close $fd
putlog "URL detected ($nick)"
set fd [open $urlwebfile w]
set fd2 [open $urllogfile r]
puts $fd "<html><head><title>Catched URLs</title></head>"
puts $fd "<body bgcolor=#FFFFFF text=#000000>"
puts $fd "<center><font size=6>URLs catched by $botnick</center><hr>"
puts $fd "<font size=3>"
while {![eof $fd2]} {
gets $fd2 foo
puts $fd $foo
}
puts $fd "<center><address>© <a href=\"http://www.sci.fi/~goblet/\">"
puts $fd "Goblet</a> 1997</address></center>"
puts $fd "</body></html>"
close $fd
close $fd2
}
}
}
putlog "URL-catcher by Goblet"
The problem is, ppl can inject html/java code into it, i'd like to avoid that. I don't know tcl, wish I did.

This is an example of how you can mess the generated html page up.

http://www.<textarea>.com
I think it speaks for itself what happens when it catches that url :)

Any help to fix this flaw is appreciated.

Statistics: Posted by iNFERNiS — Tue Aug 21, 2007 11:32 am

]]>