• DDMsgReader: When replying to a message, @-codes are now expanded in t

    From Rob Swindell@VERT to GitLab note in main/sbbs on Friday, December 02, 2022 10:46:45
    https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916

    @-codes in messages posted by non-Sysops are normally *never* expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message received over a message network should never have any @-codes expanded.

    This commit seems to introduce a security concern and raises general concerns about how SlyEdit handles @-codes currently.

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Eric Oulashin@VERT to GitLab note in main/sbbs on Friday, December 02, 2022 11:28:48
    https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2917

    It sounds like maybe this shouldn't be merged then, and I could roll back the change in my local copy.

    Also, perhaps DDMsgReader shouldn't do anything with @-codes at all if the user is reading a networked message sub-board?

  • From Eric Oulashin@VERT to GitLab note in main/sbbs on Friday, December 02, 2022 12:36:05
    https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2920

    It sounds like it would be best to roll this back.

    Also, as far as DDMsgReader interpreting @-codes, it only expands @-codes when reading personal email (not on networked sub-boards, or any sub-boards), similar to what you've described. I could add an additional check to make sure the message was posted by a sysop.

    It doesn't expand @HANGUP@ or @DELAY@, so those wouldn't be an issue.

  • From Nelgin@VERT/EOTLBBS to Rob Swindell on Friday, December 09, 2022 00:29:56
    On Fri, 2 Dec 2022 10:46:45 -0800
    "Rob Swindell" <rob.swindell@VERT> wrote:

    https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916

    @-codes in messages posted by non-Sysops are normally *never*
    expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
    received over a message network should never have any @-codes
    expanded.

    This commit seems to introduce a security concern and raises general
    concerns about how SlyEdit handles @-codes currently.

    The reason I requested this is because when I responded to an email on
    a BBS that was an autogenerated welcome message, the @BBS@ and @ALIAS@
    codes were expanded but when I replied, the quoted message had @BBS@
    and @ALIAS@.

    I think the intent should be that the @codes are converted into the
    actual text at the time the message is sent. If the sysop wants to
    change their BBS name or the user changes their alias post-sending of
    the original, then tough.

    I agree that @-codes shouldn't be expanded when sent from a user but if
    coming from the system or sysop, then expand them and put the text in.
    Problem solved.
    --
    End Of The Line BBS - Plano, TX
    telnet endofthelinebbs.com 23
    ---
    ■ Synchronet ■ End Of The Line BBS - endofthelinebbs.com
  • From Digital Man@VERT to Nelgin on Friday, December 09, 2022 09:33:45
    Re: Re: DDMsgReader: When replying to a message, @-codes are now expanded i
    By: Nelgin to Rob Swindell on Fri Dec 09 2022 12:29 am

    On Fri, 2 Dec 2022 10:46:45 -0800
    "Rob Swindell" <rob.swindell@VERT> wrote:

    https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916

    @-codes in messages posted by non-Sysops are normally *never*
    expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
    received over a message network should never have any @-codes
    expanded.

    This commit seems to introduce a security concern and raises general concerns about how SlyEdit handles @-codes currently.

    The reason I requested this is because when I responded to an email on
    a BBS that was an autogenerated welcome message, the @BBS@ and @ALIAS@
    codes were expanded but when I replied, the quoted message had @BBS@
    and @ALIAS@.

    I think the intent should be that the @codes are converted into the
    actual text at the time the message is sent. If the sysop wants to
    change their BBS name or the user changes their alias post-sending of
    the original, then tough.

    I agree that @-codes shouldn't be expanded when sent from a user but if coming from the system or sysop, then expand them and put the text in. Problem solved.

    Yeah, that sounds preferable and a pretty easy change (at least for those 2 specific @-codes) in exec/newuser.js. Create a new gitlab issue/request for this?
    --
    digital man (rob)

    This Is Spinal Tap quote #36:
    Bobbi Flekman: Money talks, and bullshit walks.
    Norco, CA WX: 48.5°F, 75.0% humidity, 0 mph E wind, 0.00 inches rain/24hrs
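An added example, not DDMsgReader's or Synchronet's own code, showing the two approaches the thread discusses: a read-time policy that expands only an allowlist of text-only codes, and only for personal email written by the sysop that did not arrive over a message network (Rob's and Eric's points), and the send-time alternative where a system-generated message such as the welcome email substitutes @BBS@ and @ALIAS@ once so that later quotes already contain plain text (Nelgin's and Digital Man's suggestion). The `msg` field names, the `ctx` object and the sample messages are hypothetical, constructed stand-ins.

```javascript
// Added example, not Synchronet/DDMsgReader code. The msg fields
// (isPersonalEmail, isNetworked, fromIsSysop) and the ctx object are
// hypothetical stand-ins for what a reader or poster knows about a message.

// Allowlist of @-codes that expand to plain text. Control codes such as
// @HANGUP@ or @DELAY:n@ are intentionally absent, so even a sysop-authored
// message can never trigger them through this path.
const SAFE_CODES = {
  BBS: (ctx) => ctx.bbsName,
  ALIAS: (ctx) => ctx.userAlias,
};

// Matches @NAME@ and @NAME:arg@ (e.g. @DELAY:99999@).
const AT_CODE = /@([A-Z]+)(?::[^@]*)?@/g;

// Substitute only allowlisted codes; everything else is left verbatim.
function expandSafeCodes(text, ctx) {
  return text.replace(AT_CODE, (whole, name) =>
    Object.prototype.hasOwnProperty.call(SAFE_CODES, name)
      ? SAFE_CODES[name](ctx)
      : whole);
}

// Read-time policy from the thread: personal email only, never a message
// received over a network, and only when the author is the sysop.
function mayExpandOnRead(msg) {
  return msg.isPersonalEmail === true &&
         msg.isNetworked === false &&
         msg.fromIsSysop === true;
}

function expandOnRead(msg, ctx) {
  return mayExpandOnRead(msg) ? expandSafeCodes(msg.body, ctx) : msg.body;
}

// Send-time alternative: a system-generated message (e.g. the new-user
// welcome email) substitutes its codes once when it is created, so replies
// and quotes carry plain text and the reader needs no expansion at all.
function buildSystemMessage(template, ctx) {
  return expandSafeCodes(template, ctx);
}

// Constructed sample data for a stand-alone run.
const ctx = { bbsName: "Example BBS", userAlias: "NewUser" };
const body = "Welcome to @BBS@, @ALIAS@! @HANGUP@ @DELAY:99999@";
const sysopEmail = { body, isPersonalEmail: true, isNetworked: false, fromIsSysop: true };
const netPost = { body, isPersonalEmail: false, isNetworked: true, fromIsSysop: false };

console.log(expandOnRead(sysopEmail, ctx)); // @BBS@/@ALIAS@ replaced, control codes left as-is
console.log(expandOnRead(netPost, ctx));    // returned unchanged
```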