egghelp/eggheads community

tcl syntax question

2003-09-17T20:28:55-04:00

well, i put a putlog in there and it is returning the args, so im now quite how to go about this...

Statistics: Posted by Guest — Wed Sep 17, 2003 8:28 pm

tcl syntax question

2003-09-17T20:04:51-04:00

Why not instead figure out what chars are bad, like | and &, and simply check for those?

Statistics: Posted by stdragon — Wed Sep 17, 2003 8:04 pm

tcl syntax question

2003-09-17T17:56:35-04:00

i rewrote it to this:

proc pub_fm {nick uhost hand chan text} {
if {[regexp {[^a-zA-Z0-9\-\_\ ]} $text] == 1} {
putserv "PRIVMSG $chan :Invalid request."
} else {
foreach cmd [split [exec /script.php $text] "\r\n"] { putserv "PRIVMSG $chan :$cmd" }
}
}

and now it works... if i do this ".fm query", it returns data. if i try to add more than one query like ".fm query1 query2" i get an invalid request. would i need to add something else to the regex to get it to count spaces too?

Statistics: Posted by Guest — Wed Sep 17, 2003 5:56 pm

tcl syntax question

2003-09-17T16:33:36-04:00

hmm, its still not working. heres what im dealing with:

bind pub - .fm pub_fm
bind pubm n "#* .exec *" pub_exec

proc pub_fm {nick uhost hand chan text} {
if {[regexp {[^a-zA-Z0-9]} $text] == 1}
{
putserv "PRIVMSG $chan :Invalid request."
} else
{
pub_exec $nick $uhost $hand $chan ".exec script.php $text"
}
}

Before when I just had the pub_exec ... "script.php $text" it worked, but the problem was that if someone execute the command ".fm query | echo oops". but bot would execute the command "echo oops", which can be a real serious vulnerabiliry. So what im trying to do is catch anything that is not a letter or number so that I can not even have the script execute unless if is so.

Here's what i got when i tried to execute it:

.rehash
Rehashed.
.fm #$%
.fm query

The bot didnt respond to the search or the invalid request. Any suggestions?

Statistics: Posted by Guest — Wed Sep 17, 2003 4:33 pm

tcl syntax question

2003-09-17T15:27:31-04:00

Almost. Assuming that you want the if statement to catch requests that don't start with a letter or digit, you just have to change is to add { } around the regular expression. In tcl, [ ] is interpreted specially.

[^a-zA-Z0-9] --> {[^a-zA-Z0-9]}

Also, the command is regexp, not regex.

Statistics: Posted by stdragon — Wed Sep 17, 2003 3:27 pm

tcl syntax question

2003-09-17T14:26:25-04:00

I am trying to work around a vulnerability in php's argv's by doing this:

proc pub_fm {nick uhost hand chan text} {
if {[regex [^a-zA-Z0-9] $text] == 1}
{
putserv "PRIVMSG $chan :Invalid request."
} else
{
pub_exec $nick $uhost $hand $chan ".exec script.php $text"
}
}

I cannot seem to get this to work. Am i doing this the right way? (I am new to TCL)

Statistics: Posted by Guest — Wed Sep 17, 2003 2:26 pm