BBot

Manipulating strings in mathbot eval

Bug #952479 reported by aj00200 on 2012-03-11

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	BBot	Fix Released	High	Thomas Ward

Bug Description

Using ``s in mathbot commands allows for strings to be quoted and accessed like a list.

The following exploit doesn't quite work, but it does show the danger of this bug:
?math hexec(`cm(1)`[1]+`geo.line(1, 2, 3, 4)`[12]+`geo.line(1, 2, 3, 4)`[9]+`geo.triangle((1,1), (2,1), (3,1))`[4]+`geo.triangle((1,1), (2,1), (3,1))`[2]+`geo.triangle((1,1), (2,1), (3,1))`[4]+`cm(1)`[2]+`[0]`[0]+`[0]`[1]+`[0]`[2])

The team behind this bug has been kept Anonymous. Thank you for reporting :)

Tags:

Revision history for this message

aj00200 (aj00200) wrote on 2012-03-11:

#1

Here is another example just for fun:
?math `geo.triangle((0,0),(0.5,1),(1,0))`[4]+`geo.triangle((0,0),(0.5,1),(1,0))`[70]*2

Revision history for this message

aj00200 (aj00200) wrote on 2012-03-11:

#2

patch Edit (491 bytes, text/plain)

Here is another example just for fun:
?math `geo.triangle((0,0),(0.5,1),(1,0))`[4]+`geo.triangle((0,0),(0.5,1),(1,0))`[70]*2

aj00200 (aj00200) on 2012-03-11

visibility:	private → public
Changed in bbottheircbot:
status:	Confirmed → Fix Committed

Revision history for this message

Thomas Ward (teward) wrote on 2012-03-11:

#3

Patching will take some time, as I am very busy. However, I have assigned this bug to myself so that I can apply the patch to the stable PPA.

Changed in bbottheircbot:
assignee:	aj00200 (aj00200) → Thomas Ward (EvilPhoenix) (trekcaptainusa-tw)
status:	Fix Committed → Triaged
status:	Triaged → In Progress

Revision history for this message

Thomas Ward (teward) wrote on 2012-03-11:

#4

Update: Patch applied upstream, next package release will be based off of upstream code, including any other revisions.

Revision history for this message

Thomas Ward (teward) wrote on 2012-03-13:

#5

Fix committed upstream

Changed in bbottheircbot:
status:	In Progress → Fix Committed

Revision history for this message

Thomas Ward (teward) wrote on 2012-03-14:

#6

https://launchpadlibrarian.net/96787436/bbot_7.0.5-stable-1_7.5.7-1.diff.gz

CHANGELOG:

$RELEASES = lucid, maverick, natty, oneiric, precise

bbot (7.5.7-1) $RELEASES; urgency=medium

  * New upstream release:
    * (git: b37b17f) BBot 7.5.7 - Updated version number
    * (git: 9a27a9c) Fixes bug #952479, "Manipulating
        strings in mathbot eval"
-- Thomas Ward <email address hidden> Wed, 14 Mar 2012 12:17:18 -0400

Revision history for this message

Thomas Ward (teward) wrote on 2012-03-14:

#7

Fixed in PPA: https://launchpad.net/~bbot+core+developers/+archive/ppa/

Changed in bbottheircbot:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

patch Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.