egghelp.org community
Discussion of eggdrop bots, shell accounts and tcl scripts.

need help with script security

 
egghelp.org community Forum Index -> Scripting Help
iNFERNiS

Posted: Tue Aug 21, 2007 11:32 am    Post subject: need help with script security

I needed a script that catches URLs from a channel and outputs them to an HTML file.

I found this script:

Code:

## This script catches urls said on channels and set on topics
## and makes a webfile of them.
## 21.7.1997 by Goblet email: goblet@sci.fi

set urllogfile "urls.log"
set urlwebfile "/wwwhome/goblet/public_html/blerp/urllog.html"

bind pubm - * check_if_url
bind topc - * check_if_url

proc check_if_url {nick uhost hand chan text} {
  global urllogfile urlwebfile botnick
  # Split on whitespace; iterating $text directly as a Tcl list throws an
  # error on any channel line that contains an unbalanced brace or quote.
  foreach i [split $text] {
    if {[string match "*http://*" $i] || [string match "*ftp://*" $i]
        || [string match "*www.*" $i] || [string match "*ftp.*" $i]} {
      set fd [open $urllogfile a+]
      if {[string match "*www.*" $i] && ![string match "*http://*" $i]} {
        set i "http://$i"
      }
      if {[string match "*ftp.*" $i] && ![string match "*ftp://*" $i]} {
        set i "ftp://$i"
      }
      # $i, $nick and $uhost come straight from IRC and are written into
      # the HTML unescaped; this is the injection point described below.
      puts $fd "<a href=\"$i\">$i</a><br>"
      puts $fd "[ctime [unixtime]] $nick ($uhost)<br><hr>"
      close $fd
      putlog "URL detected ($nick)"
      # Regenerate the whole web page from the accumulated log file.
      set fd [open $urlwebfile w]
      set fd2 [open $urllogfile r]
      puts $fd "<html><head><title>Catched URLs</title></head>"
      puts $fd "<body bgcolor=#FFFFFF text=#000000>"
      puts $fd "<center><font size=6>URLs catched by $botnick</center><hr>"
      puts $fd "<font size=3>"
      # gets returns -1 at end of file; the eof-based loop also emitted a
      # spurious empty line after the last entry.
      while {[gets $fd2 foo] >= 0} {
        puts $fd $foo
      }
      puts $fd "<center><address>&copy; <a href=\"http://www.sci.fi/~goblet/\">"
      puts $fd "Goblet</a> 1997</address></center>"
      puts $fd "</body></html>"
      close $fd
      close $fd2
    }
  }
}
putlog "URL-catcher by Goblet"


The problem is, people can inject HTML/Java code into it; I'd like to avoid that. I don't know Tcl, wish I did.

This is an example of how you can mess the generated HTML page up:

http://www.<textarea>.com

I think it speaks for itself what happens when it catches that URL.

Any help to fix this flaw is appreciated.
TCL_no_TK

Posted: Mon Sep 03, 2007 2:37 am

Replace the following lines
Code:
foreach i [split $text] {
  if {[string match "*http://*" $i] || [string match "*ftp://*" $i]
      || [string match "*www.*" $i] || [string match "*ftp.*" $i]} {
    set fd [open $urllogfile a+]
    if {[string match "*www.*" $i] && ![string match "*http://*" $i]} {
      set i "http://$i"
    }
    if {[string match "*ftp.*" $i] && ![string match "*ftp://*" $i]} {
      set i "ftp://$i"
    }
with
Code:
foreach i [split $text] {
  # Each scheme test now also rejects the word when a <...> tag follows it.
  if {([string match "*http://*" $i] && ![string match "*http://*<*>*" $i])
      || ([string match "*ftp://*" $i] && ![string match "*ftp://*<*>*" $i])
      || ([string match "*www.*" $i] && ![string match "*www.*<*>*" $i])
      || ([string match "*ftp.*" $i] && ![string match "*ftp.*<*>*" $i])} {
    set fd [open $urllogfile a+]
    if {[string match "*www.*" $i] && ![string match "*http://*" $i]} {
      set i "http://$i"
    }
    if {[string match "*ftp.*" $i] && ![string match "*ftp://*" $i]} {
      set i "ftp://$i"
    }
It should work (it's just a case of checking whether the <tags> are in the URL address).
_________________
TCL the misunderstood
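A hardened version of the logging step, added here as an example for both posts above; it is not code from either post or from Goblet's script. The glob patterns in the reply only reject a word in which a `<` is followed by a `>`, so a lone `<`, a `>` or a `"` (which ends the href attribute) still reaches the file unchanged. The example therefore fixes the problem at the sink instead: every value is HTML-escaped at write time, and a word only counts as a URL if it has an http/https/ftp scheme and contains nothing but URL characters. It assumes eggdrop's usual builtins (bind, putlog, ctime, unixtime) and stubs them under plain tclsh so it can be run offline; the helper names html_escape, normalize_url and format_entry, the sample channel line and the nick/host used in the demo are all made up for the example.

```tcl
# Added example, not part of the thread or of Goblet's script.
# Fix the injection at the sink: escape everything untrusted before it is
# written into the HTML, and only treat a word as a URL when it consists
# of URL characters with an http/https/ftp scheme.

# Escape the characters that are significant in HTML text and attribute
# values. string map scans the input once, so "&" is never re-escaped.
proc html_escape {s} {
    return [string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} $s]
}

# Return the normalised URL for a word, or "" if it does not look like one.
# The scheme whitelist keeps javascript:/data: out, and the character class
# excludes <, >, ", ' and whitespace, so nothing that could break out of
# <a href="..."> is accepted in the first place. Trailing sentence
# punctuation is stripped before matching.
proc normalize_url {word} {
    set word [string trimright $word {.,;:!?)}]
    set re {^(?:(?:https?|ftp)://|www\.|ftp\.)[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+$}
    if {![regexp -nocase -- $re $word]} {
        return ""
    }
    if {[string match -nocase "www.*" $word]} {
        set word "http://$word"
    } elseif {[string match -nocase "ftp.*" $word]} {
        set word "ftp://$word"
    }
    return $word
}

# One log entry built entirely from escaped values. nick and uhost are
# attacker-influenced too (ident and hostname), so they are escaped as well.
proc format_entry {nick uhost url} {
    set safe [html_escape $url]
    set who  [html_escape "[ctime [unixtime]] $nick ($uhost)"]
    return "<a href=\"$safe\">$safe</a><br>\n$who<br><hr>"
}

proc check_if_url {nick uhost hand chan text} {
    global urllogfile
    foreach word [split $text] {
        set url [normalize_url $word]
        if {$url eq ""} continue
        set fd [open $urllogfile a]
        puts $fd [format_entry $nick $uhost $url]
        close $fd
        putlog "URL detected ($nick)"
    }
}

if {[llength [info commands putlog]]} {
    # Running inside eggdrop: hook the channel and topic events as before.
    bind pubm - * check_if_url
    bind topc - * check_if_url
} else {
    # Plain tclsh: stub the eggdrop builtins so the procs can be exercised.
    proc putlog {msg} { puts stderr $msg }
    proc unixtime {} { return [clock seconds] }
    proc ctime {t} { return [clock format $t] }

    # Constructed sample line (not a real channel log), including the
    # payload from the first post and a non-http scheme.
    set line {see http://www.<textarea>.com and www.example.org/a?b=1&c=2, ftp.kernel.org, javascript:alert(1)}
    foreach word [split $line] {
        set url [normalize_url $word]
        if {$url ne ""} { puts [format_entry bob bob@example.net $url] }
    }
    # What the payload would become if it ever reached the file:
    # http://www.&lt;textarea&gt;.com
    puts [html_escape {http://www.<textarea>.com}]
}
```

Run it with `tclsh` to see the demo: only `www.example.org/a?b=1&c=2` and `ftp.kernel.org` are logged (with their schemes added), the `<textarea>` payload and the `javascript:` word are dropped by normalize_url, and the last line shows that even if the payload did get through, html_escape turns it into inert text. The web page regeneration from the original script can stay as it is, because every line in the log file is now already safe to copy into the HTML.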