GNOME Bugzilla – Bug 577026
Sending slash-prefixed messages on IRC is a security risk.
Last modified: 2009-04-13 12:19:57 UTC
In #telepathy a couple of minutes ago, someone sent "/join #foo topsekrit" verbatim by mistake. Empathy *really* ought to, at the very least, refuse to send messages starting with "/" if the protocol is IRC to avoid such information leaks. (This is a subset of the feature requests #533676 and #573407, filed separately because this is a bug rather than a feature request!)
This branch I wrote in December 2008 contains what you want: http://git.collabora.co.uk/?p=user/pierlux/empathy.git;a=blobdiff;f=libempathy-gtk/empathy-chat.c;h=311aea5b1dbc0c59ee8a3206aacb33eef9420f67;hp=5fd61dbdc894d39c415487fb2ddccb59e936ee71;hb=4cdfd3dde157d9ad574db3464f0a2542a5296ba6;hpb=9226a9ef179d8447f3570a0567ca80ba8115f5c2 Basically: if (g_str_has_prefix (trimmed_msg, "/")) { empathy_chat_view_append_event (chat->view, _("Unsupported command")); goto cleanup; // Don't send unsupported commands } /join is an unsupported command AFAIK now.
Fixed in master, but I can't push to 2.26 because it introduces a new string. http://git.collabora.co.uk/?p=empathy.git;a=commitdiff;h=9101916e828982e45b3a58f1e124d92418f02732
That patch is incorrect. I can't say "/me dances" any more; I just get "Unsupported command". + /* Check for all supported commands */ Lies!
Xavier, it is not quite true: 2.26 is string frozen, but there is a procedure to request freeze breaks, see http://live.gnome.org/TranslationProject/HandlingStringFreezes
I fixed the /me