Posted By: Bleepy Can someone explain $unsafe? - 25/03/16 07:37 PM
Hello,

I've been using mIRC and writing scripts for over a decade now, however the new $unsafe identifier has baffled me.

It may just be me not understanding the help file description, so does anyone happen to have a working example of its use?

Thanks
Posted By: westor Re: Can someone explain $unsafe? - 25/03/16 08:00 PM
It has the same usage as the $safe custom identifier in this topic: http://en.wikichip.org/wiki/mirc/msl_injection
Posted By: Wims Re: Can someone explain $unsafe? - 25/03/16 08:18 PM
In addition, the name '$safe' itself was not kept because it could have misled new users into thinking what they were doing was safe.
Posted By: Bleepy Re: Can someone explain $unsafe? - 26/03/16 01:25 AM
Ok, the example on that website cleared things up.

Essentially, it prevents execution, evaluation and injection of code.

So just in case any others come here for an answer, I've included a simple demo below:

Example WITHOUT $unsafe

Remote:
Code:
on *:TEXT:.test *:#test:{ .timer 1 1 msg #test $nick said: $2- }

Command:
Code:
<bleepy> .test banana | msg #test evaluated $me | part #test

Output / Result:
Code:
<bot> bleepy said: banana
<bot> evaluated bot
* bot (user@host) has left #test


Example WITH $unsafe

Code:
on *:TEXT:.test2 *:#test:{ .timer 1 1 msg #test $nick said: $unsafe($2-) }

Command:
Code:
<bleepy> .test2 banana | msg #test not evaluated $me | part #test

Output / Result:
Code:
<bot> bleepy said: banana | msg #test not evaluated $me | part #test
Posted By: MeStinkBAD Re: Can someone explain $unsafe? - 12/05/16 06:02 AM
The help text needs clarification.

Quote:
$unsafe(text)
This identifier is designed to be used with, for example, external user input in commands that may evaluate text later on, such as /timer commands. It delays evaluation of text for one level of evaluation.


This explanation leads one to believe it's used for delayed evaluation, not preventing a remote mSL injection.

BTW... on my system, using /timer 1 1 echo -a $unsafe(1 $chr(124) /echo 2) from the input line results in the following...

Code:
* Timer 1 activated
$unsafe(MSB8IC9lY2hvIDI=).undo
* Timer 1 halted


I'll look into it; it's probably something local... but certainly odd.
Posted By: Khaled Re: Can someone explain $unsafe? - 12/05/16 07:01 AM
Quote:
This explanation leads one to believe it's used for delayed evaluation, not preventing a remote mSL injection.

This description is intentional as it can be used in both contexts.

Quote:
I'll look into it; it's probably something local... but certainly odd.

That looks fine. This identifier was designed and implemented with the input of scripters who regularly used $safe() but wanted a core internal identifier that behaved in exactly the same way.
Posted By: Wims Re: Can someone explain $unsafe? - 12/05/16 10:38 AM
What the identifier really does is delay one level of evaluation, and that's the only way to prevent injection.
For static/known text, we can delay one level of evaluation using things like $+ and $!ident, but for unknown text abstracted by a local identifier/%variable such as $1-, we can't because we need to get its content during the evaluation of the timer command:
//timer 3 1 echo -a $time - $!time - $ $+ time
Vs
//tokenize 32 dangerous $!me | timer 1 1 echo -a $1- - $ $+ 1- - $unsafe($1-)
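
Added example, not part of the thread and not mIRC's own code: a small Python model of the two evaluation passes discussed above (the on TEXT handler building the /timer line, then the timer evaluating it again), run on the two demo inputs from earlier in the thread. The function names are hypothetical, and the base64 wrapper is an assumption inferred from the timer output quoted above, where `MSB8IC9lY2hvIDI=` decodes to `1 | /echo 2`.

```python
import base64
import re

BOT = "bot"  # constructed nickname, matching the demo earlier in the thread


def unsafe(text):
    """Model of $unsafe: wrap text so the next evaluation yields it literally."""
    encoded = base64.b64encode(text.encode()).decode()
    return "$unsafe(" + encoded + ").undo"


def evaluate(line):
    """One evaluation pass of a toy interpreter.

    Splits the line into commands on ' | ' and expands identifiers.
    Only $me and the $unsafe(...).undo wrapper are modelled.
    """
    commands = []
    for part in line.split(" | "):
        out = []
        for tok in part.split(" "):
            m = re.fullmatch(r"\$unsafe\((.*)\)\.undo", tok)
            if m:
                # Decoded text is inserted as data and never parsed again.
                out.append(base64.b64decode(m.group(1)).decode())
            elif tok == "$me":
                out.append(BOT)
            else:
                out.append(tok)
        commands.append(" ".join(out))
    return commands


def on_text(nick, user_text, protect):
    """Pass 1: the handler substitutes the user's text into the timer line.
    Pass 2: the timer fires and evaluates the stored line again."""
    payload = unsafe(user_text) if protect else user_text
    stored = f"msg #test {nick} said: {payload}"  # what /timer stores
    return evaluate(stored)                        # what runs when it fires


if __name__ == "__main__":
    for protect in (False, True):
        text = "banana | msg #test evaluated $me | part #test"
        print(protect, on_text("bleepy", text, protect))
```

Without the wrapper the stored line is split into three commands on the second pass; with it, the second pass sees one token that contains no separator and returns the user's text as data.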