Forums Scripts & Popups text event q, exploit

Ok. I guess I shouldn't assume things work the same from the editbox as they do from a script.

I'm not sure what you mean, how exactly are you getting it to evaluate?

The only way I'd be able to get something to evaluate would be if I typed //say !page $findfile(...), but that's because of the double slashes. The only other way it'd evaluate is if you had an on input event that is evaluating everything an extra time.

Well, I did use // when the Write command (see my example). But I thought scripts did // anyhow.

They do.

But the script would be executing //msg #channel $2-, so the contents of $2- won't be evaluated.

I don't think the // in a (text) event will result in evaluating identifiers. Riamus should test it in an event, not in a command issued to a mirc window.

Obviously it just isn't evaluated in a remote event without intentionally evaluating it with $eval. This must be a security measure that was added at some point.

But PLEASE always use the n parameter in $read and $readini!!! Otherwise a script like !page can be exploited!

This cannot be exploited, because by default, everything will only be evaluated once. This means that $chan is transformed into the channel name, and $2- is transformed into the text after !say. The same thing would happen if you changed msg to /msg or //msg, because that's how remote scripts work. The only way you could make this script exploitable is by adding some code that makes the $2- evaluate an extra time, for example by changing it to:



..because timers evaluate everything once when the timer is started, and then an extra time when the timer fires (ie. after one second in this case). So any $identifiers in the text after !say will be evaluated. /scon, /scid and /flash all behave in this fashion too; they evaluate everything an extra time.

Or:



$eval() is used to control how many times you want something to evaluate. If you decide to evaluate $2- twice, instead of the default (once), then all identifiers within the text will be evaluated.

To explain this with an example, let's say somebody types:



Then $2- will evaluate to:



But if you evaluate it once more, then the $findfile() in that message will also be evaluated. If you evaluated it a third time, then the filename returned by $findfile() would also be evaluated (so if it found a file called "$time", that would evaluate to the time), etc etc.

If you don't already know how evaluation works it can seem complex and daunting, but it's really not that hard to understand.

on *:TEXT:!page*:#:{
if ($istok($2-,|,32) == $true) { msg $chan $+($nick,...) you are using an invalid character }
else {
write page.txt Page By $nick $+ : $remove($2-,/,$)
msg $chan Page added $nick
}
}

Ultimately I would remove the chars | / $ from the picture

That's your preference, but there's no need to do that.