Joined: May 2003
Posts: 31
B
Bleepy Offline OP
Ameglian cow
Hello,

I've been using mIRC and writing scripts for over a decade now; however, the new $unsafe identifier has baffled me.

It may just be me not understanding the help file description, so does anyone happen to have a working example of its use?

Thanks


@#HelpDesk - DALnet
Joined: Dec 2008
Posts: 1,515
Hoopy frood
It has the same usage as the $safe custom identifier in this topic: http://en.wikichip.org/wiki/mirc/msl_injection


Need Online mIRC help or an mIRC Scripting Freelancer? -> https://irc.chathub.org <-
Joined: Jul 2006
Posts: 4,145
W
Hoopy frood
In addition, the name '$safe' itself was not kept because it could have misled new users into thinking what they were doing was safe.


#mircscripting @ irc.swiftirc.net == the best mIRC help channel
Joined: May 2003
Posts: 31
B
Bleepy Offline OP
Ameglian cow
Ok, the example on that website cleared things up.

Essentially, it prevents execution, evaluation and injection of code.

So just in case any others come here for an answer, I've included a simple demo below:

Example WITHOUT $unsafe

Remote:
Code:
on *:TEXT:.test *:#test:{ .timer 1 1 msg #test $nick said: $2- }

Command:
Code:
<bleepy> .test banana | msg #test evaluated $me | part #test

Output / Result:
Code:
<bot> bleepy said: banana
<bot> evaluated bot
* bot (user@host) has left #test


Example WITH $unsafe

Code:
on *:TEXT:.test2 *:#test:{ .timer 1 1 msg #test $nick said: $unsafe($2-) }

Command:
Code:
<bleepy> .test2 banana | msg #test not evaluated $me | part #test

Output / Result:
Code:
<bot> bleepy said: banana | msg #test not evaluated $me | part #test


@#HelpDesk - DALnet
Joined: Apr 2003
Posts: 342
M
Fjord artisan
The help text needs clarification.

Quote:
$unsafe(text)
This identifier is designed to be used with, for example, external user input in commands that may evaluate text later on, such as /timer commands. It delays evaluation of text for one level of evaluation.


This explanation leads one to believe it's used for delayed evaluation, not preventing a remote mSL injection.

BTW... on my system, using /timer 1 1 echo -a $unsafe(1 $chr(124) /echo 2) from the input line results in the following...

Code:
* Timer 1 activated
$unsafe(MSB8IC9lY2hvIDI=).undo
* Timer 1 halted


I'll look into it; it's probably something local... but certainly odd.

Last edited by MeStinkBAD; 12/05/16 06:10 AM.

Beware of MeStinkBAD! He knows more than he actually does!
Joined: Dec 2002
Posts: 5,411
Hoopy frood
Quote:
This explanation leads one to believe it's used for delayed evaluation, not preventing a remote mSL injection.

This description is intentional as it can be used in both contexts.

Quote:
I'll look into it; it's probably something local... but certainly odd.

That looks fine. This identifier was designed and implemented with the input of scripters who regularly used $safe() but wanted a core internal identifier that behaved in exactly the same way.

Joined: Jul 2006
Posts: 4,145
W
Hoopy frood
What the identifier does is really delaying one level of evaluation, and that's the only way to prevent injection.
For static/known text, we can delay one level of evaluation using things like $+ and $!ident, but for unknown text abstracted by a local identifier/%variable such as $1-, we can't because we need to get its content during the evaluation of the timer command:
//timer 3 1 echo -a $time - $!time - $ $+ time
Vs
//tokenize 32 dangerous $!me | timer 1 1 echo -a $1- - $ $+ 1- - $unsafe($1-)


#mircscripting @ irc.swiftirc.net == the best mIRC help channel
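
Added example, not part of any post in this thread and not mIRC's own code: a toy Python model of the two evaluation passes discussed above, showing why the timer line without $unsafe runs the injected commands and the wrapped one does not. The names `unsafe`, `set_timer`, `run_line` and `ENV` are assumptions made for this sketch, and the evaluator is heavily simplified; the `$unsafe(<base64>).undo` form is taken from the timer output quoted earlier in the thread.

```python
import base64
import re

# Constructed identifier values for the toy model.
ENV = {"$me": "bot"}

# Matches the stored form shown in the thread's timer output.
_UNDO = re.compile(r"\$unsafe\(([A-Za-z0-9+/=]*)\)\.undo")


def unsafe(text):
    """Pass 1: replace raw text with an opaque token that contains
    no '|', '$' or spaces, so the next pass cannot parse it as code."""
    b64 = base64.b64encode(text.encode()).decode()
    return "$unsafe(" + b64 + ").undo"


def set_timer(nick, user_text, protect):
    """Pass 1 (the on TEXT event): $nick and $2- are substituted and the
    resulting string is what the timer stores for later."""
    arg = unsafe(user_text) if protect else user_text
    return "msg #test " + nick + " said: " + arg


def run_line(line):
    """Pass 2 (the timer fires): the stored string is treated as a script
    line, split on ' | ' into commands, and each word is evaluated once."""
    executed = []
    for cmd in line.split(" | "):
        words = []
        for word in cmd.split(" "):
            m = _UNDO.fullmatch(word)
            if m:
                # Decoded text is inserted literally, not evaluated again.
                words.append(base64.b64decode(m.group(1)).decode())
            else:
                words.append(ENV.get(word, word))
        executed.append(" ".join(words))
    return executed


# Constructed input, same shape as the demo posted in the thread.
SAMPLE = "banana | msg #test evaluated $me | part #test"

if __name__ == "__main__":
    print(run_line(set_timer("bleepy", SAMPLE, protect=False)))
    print(run_line(set_timer("bleepy", SAMPLE, protect=True)))
```

The unprotected run yields three separate commands; the protected run yields a single msg command whose text still contains the literal `|` and `$me`.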
