Security, an explanation
Snap
Custom command systems are inherently a security risk. Generally, giving people the power to make a custom command means they can do anything. But there are times when you would want to let a friend/clan leader/member write CCX commands.
I want you to be able to let them, without them banning your members or taking your ops.

In its current state, CCX can't be abused - like:
<Joe>!addcc givemepower 0 /add Joe 999 ADSM
In fact, by default*, if Joe had the power to make a CC, he couldn't ban someone:
<Joe>!whoami
<Bot> Joe has access 20.
<Joe>!addcc doban 20 /ban %rest
<Joe>!doban Otherguy

Nothing would happen. Joe needs flags of "O"/"A" or 80 access.
The same is required for the following:
CODE
"/kick", "/ban", "/designate", "/resign", "/squelch", "/ignore", "/clan", "/c", "/options", "/o", "/dnd"

Note that these are all Battle.net commands - no internal commands can be accessed in this way.

*You can override this safety feature with the config hack: security_usesafety=true

- Beware: users with the power to make CCs can fill your bot's queue with messages.

- I'll update this topic with pertinent security warnings and explanations.
Ribose
"/join", "/j", and "/channel" should also be checked.
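
The check described in the first post, with the three commands suggested in the reply above added to the list, can be modelled as follows. This is an added example, not CCX's own code and not written by anyone in this thread; the function names are hypothetical, and checking the line after %rest has been expanded is an assumption of the example, not something the thread states about CCX.

```python
# Added illustration of the access gate described in this thread.
# Not CCX source; expand(), leading_command() and may_run() are hypothetical names.

RESTRICTED = frozenset({
    # Battle.net commands listed in the first post
    "/kick", "/ban", "/designate", "/resign", "/squelch", "/ignore",
    "/clan", "/c", "/options", "/o", "/dnd",
    # additions suggested in the reply
    "/join", "/j", "/channel",
})
REQUIRED_ACCESS = 80               # "80 access" from the first post
REQUIRED_FLAGS = frozenset("OA")   # flags "O"/"A" from the first post


def expand(action, rest):
    """Substitute the caller's arguments for %rest, as in '/ban %rest'."""
    return action.replace("%rest", rest)


def leading_command(line):
    """Return the lower-cased first token if the line is a slash command, else None."""
    parts = line.strip().split(None, 1)
    if not parts or not parts[0].startswith("/"):
        return None
    return parts[0].lower()


def may_run(action, rest, access, flags=""):
    """Decide whether the user invoking a custom command may trigger its action.

    Assumption of this example: the decision is made on the line that would
    actually be sent, i.e. after %rest expansion, and the command name is
    compared case-insensitively with surrounding whitespace ignored.
    """
    cmd = leading_command(expand(action, rest))
    if cmd is None or cmd not in RESTRICTED:
        return True  # plain chat text or an unrestricted command
    return access >= REQUIRED_ACCESS or bool(REQUIRED_FLAGS & set(flags))


if __name__ == "__main__":
    # Constructed sample mirroring the Joe example from the first post.
    for who, access, flags in (("Joe", 20, ""), ("Op", 20, "O"), ("Admin", 80, "")):
        allowed = may_run("/ban %rest", "Otherguy", access, flags)
        print(f"{who} (access {access}, flags '{flags}'): doban allowed = {allowed}")
```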
Snap
Yea, thanks.
Actually, after writing this - I brainstormed a bit.
I'm gonna allow internal commands to be executed - along with other CC's like "& /command".
Rather than the arbitrary "80" access for everything, I'm going to use Command() and ccx_RunCC to execute them.
The only problem with this is that IsCommand() doesn't exist in 2.6...
My reasons for avoiding this originally are no longer relevant.
ViRaL
QUOTE(Snap @ Apr 30 2009, 07:06 PM)
I'm gonna allow internal commands to be executed - along with other CC's like "& /command".
Rather than the arbitrary "80" access for everything, I'm going to use Command() and ccx_RunCC to execute them.

Does this mean we will be able to create command strings that use commands from other plugins, or the greet message, such as !Addcc Startt /setgreet The tournament will begin at 5:00 pm Bnet Time. Or even go as far as to create custom commands that interlock with crs, or SnJ's Trivia?
Snap
That will be difficult to accomplish, because plugins simply 'look' for a command. There's no way to tell if a plugin has a command or not.
With the Plugin System I'll be able to call all the plugins' UserTalk sub - but this won't work with 2.7 'Scripts'.
The internal commands like /setgreet will work. And CCX CCs.
I'll play around with it - and hopefully get some feedback when I release 1.94.
Snap
All types of commands can now be executed with CCX. But the commands are executed as if the user using the CC used the command.
See http://www.stealthbot.net/board/index.php?...st&p=332389 for more details.