#218639 21/02/10 12:32 AM
Joined: Sep 2005
Posts: 2,881
hixxy Offline OP
Hoopy frood
I think it would be a good feature if we could set a password for locked commands, and then use that password to bypass the lock option if we need to.

/run -p <password> <etc>
/dll -p <password> <etc>
$pdll(password,etc)
$pdllcall(password,etc)
$pcom(password,etc)
$pdecode(password,etc)
$pencode(password,etc)

That way you could lock the commands for all but authorised scripts.

Obviously the password would be SHA-1d or MD5d before being stored in the ini file, so that the password itself cannot be read by a script.

Joined: Oct 2003
Posts: 3,918
This doesn't seem very feasible if you have more than one script on your system that makes use of any of those commands, especially if you didn't write them yourself. How would you tell each script about the passwords? Manually editing them? Seems like an awkward thing to do. It would be an even more awkward thing to explain in your script's instructions, if you were a script author. Plus by manually editing the scripts to add your password you would be storing your password in plaintext, bypassing the entire secure hashing deal. If your script had some kind of options dialog to simplify the process by storing it in a variable-- same issue there.

Basically this would make it so you could only manually type the command from the editbox-- which is the least important use case to protect from.


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
Joined: Sep 2005
Posts: 2,881
hixxy Offline OP
A script could quite easily do something like this:

Code:
on *:load: set %thisscript.password $$?="This script makes use of $!decode(). If you have set a password in the mIRC lock options dialog, please enter that password now."


There is much less of a security issue with scripts storing the password as plain text, as malicious scripts are not going to know that a particular script which may or may not store the lock password is loaded. Different scripts will store the password in different ways, whereas if mIRC stored it as plaintext, there would be a standard way for all scripts to get the password.

Scripters could even give the variable an unrelated name, like /set %house <password>

And if somebody has access to your computer itself, I think somebody seeing a password for the lock commands is the least of your worries.

Joined: Oct 2003
Posts: 3,918
Right,

but do you see the problem with that?

Why would mIRC go through the trouble to md5 hash your password if it's being stored plaintext in your variables section?

Another script can just $read() your script files for $pdll() or /dll -p, grab the first argument, eval it and go. It's a pretty simple attack vector, not to mention you can target popular scripts that way without even a $read (you would already know what the varname was). If the goal is to block other people or scripts from running /dll (or /run) without knowing your password, doing this basically throws the security mechanism out the window with the entire purpose for inputting a password to begin with.


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
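
The weakness described in the post above, as an added example that is not part of the original thread: a small Python audit over script text that reports every call site using the proposed password forms and where the plaintext secret has to live for that call to work, however the stored copy in the ini file is hashed. The `-p` switch and `$p...` identifiers exist only as this thread's suggestion, and the script names and contents below are constructed samples.

```python
import re

# Password-taking forms proposed in the thread (a suggestion, not real mIRC syntax).
IDENT_RE = re.compile(r"\$p(?:dllcall|dll|com|decode|encode)\(\s*([^,)\s]+)", re.I)
CMD_RE = re.compile(r"\b(?:run|dll)\s+-p\s+(\S+)", re.I)


def audit_lock_password_exposure(scripts):
    """Return one finding per call site that hands the lock password to mIRC.

    scripts maps a file name to its text. Each finding records where the
    plaintext secret must be kept for that call to succeed.
    """
    findings = []
    for name, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rx in (IDENT_RE, CMD_RE):
                for m in rx.finditer(line):
                    arg = m.group(1)
                    if arg.startswith("%"):
                        where = "variable " + arg + " (plaintext in the variables section)"
                    elif arg.startswith("$"):
                        where = "expression evaluated at run time"
                    else:
                        where = "literal in the script file"
                    findings.append({"file": name, "line": lineno,
                                     "argument": arg, "stored_as": where})
    return findings


# Constructed sample scripts, written in the style of the thread's examples.
SAMPLE_SCRIPTS = {
    "logger.mrc": (
        "on *:load: set %house $$?=\"Enter your lock password\"\n"
        "alias logdecode return $pdecode(%house,$1-,m)\n"
    ),
    "launcher.mrc": "alias np run -p hunter2 notepad.exe\n",
    "clean.mrc": "alias hi echo -a hello\n",
}

if __name__ == "__main__":
    for finding in audit_lock_password_exposure(SAMPLE_SCRIPTS):
        print(finding)
```

An innocuous variable name such as `%house` does not change the result, because the call site itself names the variable.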
Joined: Sep 2005
Posts: 2,881
hixxy Offline OP
I do now!
Didn't think this through enough :P

