#250595 23/01/15 04:54 AM
Joined: Sep 2014
Posts: 259
S
Sakana Offline OP
Fjord artisan
I'm using this JSON parser http://hawkee.com/snippet/10194/ to get the 1st word definition from urban dictionary's API.

It's working fine, but when there's a line break in the word definition, it seems that mIRC tries to run the first word after the line break as a command.

For example http://api.urbandictionary.com/v0/define?term=dota+2

Gives "AND Unknown command" in the status window.

Is there any way to fix this?

Sakana #250596 23/01/15 05:07 AM
Joined: Jan 2004
Posts: 1,358
L
Hoopy frood
The page you've linked is clearly the best place to ask questions about the script. How are you calling it? But if this bug is as you've described, it's an extremely major vulnerability.

Edit, this command gives no such error: //jsonopen -du j http://api.urbandictionary.com/v0/define?term=dota+2 | echo -ag $json(j,list,3,definition)

Joined: Sep 2014
Posts: 259
S
Sakana Offline OP
Fjord artisan
Code:
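alias ud {
  ; Query the Urban Dictionary API; spaces in the term become "+"
  JSONOpen -du lookup http://api.urbandictionary.com/v0/define?term= $+ $replace($1-,$chr(32),$chr(43))
  ; Stop here when there is no first definition
  if ($json(lookup,list,0,definition) == $null) { echo -a No definition found. | return }
  ; Line breaks inside the definition are still present in this output
  echo -a $remove($json(lookup,list,0,definition),],[)
}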


The problem arises when I try and message it to a #. I think it adds a $crlf so that the next word is a command .. but I can't figure out how to remove it

Sakana #250598 23/01/15 06:51 AM
Joined: Jul 2006
Posts: 4,145
W
Hoopy frood
Add $cr and $lf to your $remove.


#mircscripting @ irc.swiftirc.net == the best mIRC help channel
Sakana #250599 23/01/15 11:49 AM
Joined: Apr 2010
Posts: 969
F
Hoopy frood
@Loki: This is not a vulnerability within my JSON parser, but rather a vulnerability in how it is used. It would be no different than retrieving something like <span>sometext\r\n</span> (where \r\n is carriage-return linebreak) from a socket and not sanitizing it before sending it to the channel.

As far as the whole "ask the script author" comment. I understand we are here to help with mIRC and not scripts others have written, but a quick look at the result, and the behavior described by the OP indicates not a problem with the linked 'tool' script, but rather something unexpected within mIRC happening.


--

Anyways, my JSON parser does not sanitize messages. When items are queried they are returned as-is, with line breaks and such included. You will need to handle those before passing the data on to, say, a channel.


I am SReject
My Stuff
Joined: Jan 2004
Posts: 1,358
L
Hoopy frood
Originally Posted By: FroggieDaFrog
As far as the whole "ask the script author" comment. I understand we are here to help with mIRC and not scripts others have written, but a quick look at the result, and the behavior described by the OP indicates not a problem with the linked 'tool' script, but rather something unexpected within mIRC happening.

The OP did not include how they were using the script, so without prior knowledge that mIRC throws an error like this with /msg (and not with /echo or /write) there is no indication where the problem lies. That's why I asked what he was doing, and allowed for the possibility the problem was from either source.

It also turns out actual commands are not run anyway and the rest of the line is not evaluated, so there is no vulnerability.

Joined: Sep 2014
Posts: 259
S
Sakana Offline OP
Fjord artisan
Sorry, should've been more clear ^_^. Didn't mean to say there was something wrong with the parser. Was just confused because using $crlf in the $remove didn't do anything.

@Wims Ty

Joined: Jul 2006
Posts: 4,145
W
Hoopy frood
mIRC doesn't throw an error. /echo, /write or any non-IRC command will deal with the data passed to it; an IRC command won't: data is sent to the server as-is, and if you have a command separator ($lf in this case), it is expected that it will be interpreted by the server (mIRC just displays the raw 421 to you).


#mircscripting @ irc.swiftirc.net == the best mIRC help channel
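
The behaviour described in the posts above, modelled as an added example in Python (it is not code from the thread or from the JSON parser): an unfiltered definition splits into two messages on the wire and the second one earns a 421, while collapsing CR, LF and NUL first keeps it to one PRIVMSG. The function names, the two-entry command table, the simplified server framing and the sample definition are assumptions constructed for the demonstration.

```python
import re

# Model assumption: the server ends a message at CR-LF, a bare CR or a bare LF.
LINE_END = re.compile(r"\r\n|\r|\n")
KNOWN = {"PRIVMSG", "NOTICE"}  # tiny constructed command table for the demo


def privmsg(target: str, text: str) -> str:
    """Build the raw line a client sends for /msg, with no filtering."""
    return f"PRIVMSG {target} :{text}\r\n"


def server_replies(wire: str) -> list[str]:
    """Frame the buffer into messages as a server would and return the
    421 (ERR_UNKNOWNCOMMAND) reply for each message it cannot dispatch."""
    replies = []
    for line in LINE_END.split(wire):
        if not line.strip():
            continue  # nothing between two line endings
        command = line.split(None, 1)[0]
        if command.upper() not in KNOWN:
            replies.append(f"421 {command} :Unknown command")
    return replies


def single_line(text: str) -> str:
    """Collapse every run of CR, LF or NUL into one space so the value can
    only ever occupy the trailing parameter of one message."""
    return re.sub(r"[\r\n\x00]+", " ", text).strip()


# Constructed sample shaped like the thread's case: a definition whose second
# line starts with the word "AND".
DEFINITION = "First paragraph of the definition.\r\nAND a second paragraph"

if __name__ == "__main__":
    # Unfiltered: the text after the line break is framed as its own message.
    print(server_replies(privmsg("#chan", DEFINITION)))
    # Filtered: one PRIVMSG, nothing left for the server to reject.
    print(server_replies(privmsg("#chan", single_line(DEFINITION))))
```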
