[DRE-commits] r5013 - in trunk/rbot/debian: . patches source

Marc Dequènes duck at alioth.debian.org
Thu Mar 25 00:48:59 UTC 2010


Author: duck
Date: 2010-03-25 00:48:56 +0000 (Thu, 25 Mar 2010)
New Revision: 5013

Added:
   trunk/rbot/debian/patches/reaction_plugin_security_update
   trunk/rbot/debian/source/
   trunk/rbot/debian/source/format
Modified:
   trunk/rbot/debian/changelog
   trunk/rbot/debian/control
   trunk/rbot/debian/control.in
   trunk/rbot/debian/patches/series
   trunk/rbot/debian/rules
Log:
[evol/security] format 3, policy 3.8.4, reaction plugin security fix

Modified: trunk/rbot/debian/changelog
===================================================================
--- trunk/rbot/debian/changelog	2010-03-24 23:13:33 UTC (rev 5012)
+++ trunk/rbot/debian/changelog	2010-03-25 00:48:56 UTC (rev 5013)
@@ -1,9 +1,16 @@
-rbot (0.9.14-2) UNRELEASED; urgency=low
+rbot (0.9.14-2) unstable; urgency=high
 
+  [ Paul van Tilburg ]
   * Added Debian/Ruby Extras Maintainers to the uploaders.
 
- -- Paul van Tilburg <paulvt at debian.org>  Sun, 14 Feb 2010 20:29:22 +0100
+  [ Marc Dequènes (Duck) ]
+  * Switched to dpkg-source 3.0 (quilt) format.
+  * Added 'reaction_plugin_security_update' patch to update the reaction
+    plugin and fix several security flows (Closes: #575286).
+  * Increased Standards-Version to 3.8.4 (no changes).
 
+ -- Marc Dequènes (Duck) <Duck at DuckCorp.org>  Thu, 25 Mar 2010 00:13:39 +0100
+
 rbot (0.9.14-1) unstable; urgency=low
 
   * New upstream release
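Review bot: typo in the new changelog entry, "fix several security flows" should read "security flaws". While here, the added patch file carries no header saying where the fix comes from; a short DEP-3 style header on reaction_plugin_security_update (Description, Origin or Author, and Bug: pointing at the #575286 reference already given in this entry) would let the next uploader tell a backported upstream change from a Debian-local one.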
@@ -65,7 +72,7 @@
 
  -- Marc Dequènes (Duck) <Duck at DuckCorp.org>  Mon,  7 Aug 2006 00:06:16 +0200
 
-rbot (0.9.9-1) unstable; urgency=high 
+rbot (0.9.9-1) unstable; urgency=high
 
   * New upstream release.
   * Fixed depends, and build-depends (avoiding FTBFS).

Modified: trunk/rbot/debian/control
===================================================================
--- trunk/rbot/debian/control	2010-03-24 23:13:33 UTC (rev 5012)
+++ trunk/rbot/debian/control	2010-03-25 00:48:56 UTC (rev 5013)
@@ -3,11 +3,9 @@
 Priority: optional
 Maintainer: Marc Dequènes (Duck) <Duck at DuckCorp.org>
 Uploaders: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers at lists.alioth.debian.org>
-Build-Depends: debhelper (>= 7.0.1), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), ruby (>= 1.8), ruby-pkg-tools
+Build-Depends: cdbs (>= 0.4.53), debhelper (>= 7.0.1), ruby (>= 1.8), ruby-pkg-tools
 Build-Depends-Indep: xsltproc, docbook-xml, docbook-xsl
-Vcs-Svn: svn://svn.debian.org/svn/pkg-ruby-extras/trunk/rbot/
-Vcs-Browser: http://svn.debian.org/viewsvn/pkg-ruby-extras/trunk/rbot/
-Standards-Version: 3.8.1
+Standards-Version: 3.8.4
 Homepage: http://ruby-rbot.org/
 
 Package: rbot
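Review bot: Vcs-Svn and Vcs-Browser disappear from debian/control in this hunk and are not present in debian/control.in either, so the package loses its VCS pointers once control is regenerated from the template. If dropping them is intended, say so in the changelog; otherwise add both fields to control.in so the regenerated control keeps them. The Build-Depends change (quilt and patchutils gone, cdbs bumped to >= 0.4.53) is consistent with the switch to 3.0 (quilt) and the removal of patchsys-quilt.mk from debian/rules.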

Modified: trunk/rbot/debian/control.in
===================================================================
--- trunk/rbot/debian/control.in	2010-03-24 23:13:33 UTC (rev 5012)
+++ trunk/rbot/debian/control.in	2010-03-25 00:48:56 UTC (rev 5013)
@@ -2,9 +2,10 @@
 Section: net
 Priority: optional
 Maintainer: Marc Dequènes (Duck) <Duck at DuckCorp.org>
+Uploaders: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers at lists.alioth.debian.org>
 Build-Depends: @cdbs@, ruby (>= 1.8), ruby-pkg-tools
 Build-Depends-Indep: xsltproc, docbook-xml, docbook-xsl
-Standards-Version: 3.8.1
+Standards-Version: 3.8.4
 Homepage: http://ruby-rbot.org/
 
 Package: rbot

Added: trunk/rbot/debian/patches/reaction_plugin_security_update
===================================================================
--- trunk/rbot/debian/patches/reaction_plugin_security_update	                        (rev 0)
+++ trunk/rbot/debian/patches/reaction_plugin_security_update	2010-03-25 00:48:56 UTC (rev 5013)
@@ -0,0 +1,185 @@
+Index: rbot-0.9.14/data/rbot/plugins/reaction.rb
+===================================================================
+--- rbot-0.9.14.orig/data/rbot/plugins/reaction.rb	2010-03-24 23:55:56.000000000 +0100
++++ rbot-0.9.14/data/rbot/plugins/reaction.rb	2010-03-25 01:38:21.000000000 +0100
+@@ -69,7 +69,9 @@
+       @trigger << Regexp.new(rex, true)
+     else
+       rex.sub!(/^(["'])(.*)\1$/, '\2')
+-      @trigger << Regexp.new(/\b#{Regexp.escape(rex)}(?:\b|$)/ui)
++      prepend = ( rex =~ /^\w/ ? '(?:\b)' : '')
++      append = ( rex =~ /\w$/ ? '(?:\b|$)' : '')
++      @trigger << Regexp.new(/#{prepend}#{Regexp.escape(rex)}#{append}/ui)
+     end
+   end
+ 
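Review bot: the `(?:\b)` wrapper in `prepend` is a no-op group around `\b`, and the `$` alternative in `append` is redundant because `\b` already matches at end of string after a word character; a plain `\b` on each side would do. More importantly the reason for the change is not recorded anywhere: the old pattern put `\b` unconditionally in front of the escaped trigger, so a trigger beginning or ending with a non-word character could never match. A one-line comment saying that word boundaries are only added when the trigger itself starts or ends with a word character would save the next reader the puzzle.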
+@@ -81,6 +83,8 @@
+       act = :act
+     elsif rex.sub!(/^(?:cmd|command):/,'')
+       act = :cmd
++    elsif rex.sub!(/^ruby:/,'')
++      act = :ruby
+     end
+     @replies << Reply.new(self, act, rex, *args)
+     make_ranges
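Review bot: the new `ruby:` prefix is classified here in `add_reply`, but the authorization for it lives in `handle_add`, so every other path that builds a Reply object, in particular the reactions restored from the registry in the load hunk below, carries a `:ruby` act with no check at all. That is acceptable only if the registry is trusted; a comment here stating that `add_reply` does not authorize and that callers must gate `:ruby` and `:cmd` themselves would make the contract explicit.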
+@@ -170,7 +174,7 @@
+     super
+     if @registry.has_key?(:reactions)
+       @reactions = @registry[:reactions]
+-      raise unless @reactions
++      raise LoadError, "corrupted reaction database" unless @reactions
+     else
+       @reactions = []
+     end
+@@ -202,28 +206,33 @@
+       help(:react)
+     when :remove, :delete, :rm, :del
+       "reaction #{topic} <trigger> [<n>] => removes reactions to expression <trigger>. If <n> (a positive integer) is specified, only remove the n-th reaction, otherwise remove the trigger completely"
++    when :move
++      "reaction move <trigger> to <other> => move all reactions to <trigger> to the new trigger <other>"
+     when :chance, :chances
+       "reaction chances are expressed either in terms of percentage (like 30%) or in terms of floating point numbers (like 0.3), and are clipped to be " +
+       "between 0 and 1 (i.e. 0% and 100%). A reaction can have multiple replies, each with a different chance; if the total of the chances is less than one, " +
+       "there is a chance that the trigger will not actually cause a reply. Otherwise, the chances express the relative frequency of the replies."
+     when :trigger, :triggers
+-      "reaction triggers can have one of the format: single_word 'multiple words' \"multiple words \" /regular_expression/ !regular_expression!. " + 
++      "reaction triggers can have one of the format: single_word 'multiple words' \"multiple words \" /regular_expression/ !regular_expression!. " +
+       "If prefixed by 'act:' (e.g. act:/(order|command)s/) the bot will only respond if a CTCP ACTION matches the trigger"
+     when :reply, :replies
+       "reaction replies are simply messages that the bot will reply when a trigger is matched. " +
+-      "Replies can be prefixed by 'act:' (e.g. act:goes shopping) to signify that the bot should act instead of saying the message. " +
+-      "Replies can be prefixed by 'cmd:' or 'command:' (e.g. cmd:lart %{who}) to issue a command to the bot. " +
+-      "Replies can use the %{key} syntax to access one of the following keys: " +
+-      "who (the user that said the trigger), bot (the bot's own nick), " +
+-      "target (the first word following the trigger), what (whatever follows target), " +
++      "Replies prefixed by 'act:' (e.g. act:goes shopping) signify that the bot should act instead of saying the message. " +
++      "Replies prefixed by 'cmd:' or 'command:' (e.g. cmd:lart %{who}) issue a command to the bot. " +
++      "Replies can use the %{key} syntax to access the following keys: " +
++      "who (user that said the trigger), bot (bot's own nick), " +
++      "target (first word following the trigger), what (whatever follows target), " +
+       "before (everything that precedes the trigger), after, (everything that follows the trigger), " +
+-      "match (the actual matched text), match1, match2, ... (the i-th capture)"
++      "match (matched text), match1, match2, ... (the i-th capture). " +
++      "Replies prefixed by 'ruby:' (e.g. ruby:m.reply 'Hello ' + subs[:who]) are interpreted as ruby code. " +
++      "No %{key} substitution is done in this case, use the subs hash in the code instead. " +
++      "Be warned that creating ruby replies can open unexpected security holes in the bot."
+     when :list
+       "reaction list [n]: lists the n-the page of programmed reactions (30 reactions are listed per page)"
+     when :show
+       "reaction show <trigger>: list the programmed replies to trigger <trigger>"
+     else
+-      "reaction topics: add, remove, delete, rm, del, triggers, replies, chance, list, show"
++      "reaction topics: add, remove, delete, rm, del, move, triggers, replies, chance, list, show"
+     end
+   end
+ 
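Review bot: the help text for `ruby:` and `cmd:` replies does not mention that adding them now requires the `reaction::react::ruby` / `reaction::react::cmd` permissions (both registered with a default of false at the end of the patch), so users only discover the gate from the "not allowed" error; add a sentence to the `:reply` topic. Also a `move` topic is documented here and listed in the topic summary, but no `reaction move` mapping or `handle_move` appears anywhere in this patch; confirm the handler came along from upstream, otherwise the help advertises a command the plugin does not have.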
+@@ -261,18 +270,28 @@
+     reply = wanted.pick_reply
+     debug "picked #{reply}"
+     return unless reply
+-    args = reply.apply(subs)
+-    if args[0] == :cmd
++    act, arg = reply.apply(subs)
++    case act
++    when :ruby
++      begin
++        # no substitutions for ruby code
++        eval(reply.reply)
++      rescue Exception => e
++        error e
++      end
++    when :cmd
+       begin
+         # Pass the new message back to the bot.
+         # FIXME Maybe we should do it the alias way, only calling
+         # @bot.plugins.privmsg() ?
+-        fake_message(@bot.nick+": "+args[1], :from => m)
++        fake_message(@bot.nick+": "+arg, :from => m)
+       rescue RecurseTooDeep => e
+         error e
+       end
++    when :reply
++      m.plainreply arg
+     else
+-      m.__send__(*args)
++      m.__send__(act, arg)
+     end
+   end
+ 
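Review bot: `rescue Exception` around the `eval` is at once too broad and not quite right: a malformed `ruby:` reply makes `eval` raise `SyntaxError`, which is a `ScriptError` rather than a `StandardError`, so `rescue StandardError, ScriptError => e` catches exactly what user-supplied code can throw without also swallowing `SystemExit`, `Interrupt` or `NoMemoryError`. Two further points for this hunk: the `eval` runs in the plugin's own binding (full access to `@bot`, `m` and `subs`, no `$SAFE`), so `react::ruby` is effectively bot-operator level and the inline comment should say so; and the `:reply` arm now calls `m.plainreply arg` where the old code dispatched through `m.__send__(*args)`, a behaviour change for ordinary replies that the changelog does not mention.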
+@@ -282,6 +301,13 @@
+     }
+   end
+ 
++  def can_add?(m, reaction)
++    return true if reaction.act == :reply
++    return true if reaction.act == :ruby and @bot.auth.permit?(m.source, "reaction::react::ruby", m.channel)
++    return true if reaction.act == :cmd and @bot.auth.permit?(m.source, "reaction::react::cmd", m.channel)
++    return false
++  end
++
+   def handle_add(m, params)
+     trigger = params[:trigger].to_s
+     reply = params[:reply].to_s
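Review bot: `can_add?` returns true only for `:reply`, `:ruby` and `:cmd`, so a reply with the `act:` prefix (act `:act`, see the `add_reply` hunk above) falls through to `return false` and `handle_add` will refuse every CTCP ACTION reply with "not allowed to add act replies", although such replies carry no more risk than plain text. Add `return true if reaction.act == :act` (or fold it into the first line) unless the intent really is to block action replies. The permission strings `reaction::react::ruby` and `reaction::react::cmd` do match the `default_auth('react::ruby')` / `default_auth('react::cmd')` registrations at the end of the patch.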
+@@ -293,20 +319,45 @@
+       pct = pct.to_f.clip(0,1)
+     end
+ 
++    new_reaction = false
++
+     reaction = find_reaction(trigger)
+     if not reaction
+       reaction = Reaction.new(trigger)
+       @reactions << reaction
+-      m.reply "Ok, I'll start reacting to #{reaction.raw_trigger}"
++      new_reaction = true
+     end
++
+     found = reaction.find_reply(reply)
+     if found
+-      found.pct = pct
+-      found.author = m.sourcenick
+-      found.date = Time.now
+-      found.channel = m.channel
++      # ruby replies need special permission
++      if can_add?(m, found)
++        found.pct = pct
++        found.author = m.sourcenick
++        found.date = Time.now
++        found.channel = m.channel
++      else
++        m.reply _("Sorry, you're not allowed to change %{act} replies here") % {
++          :act => found.act
++        }
++        return
++      end
+     else
+       found = reaction.add_reply(reply, pct, m.sourcenick, Time.now, m.channel)
++      unless can_add?(m, found)
++        m.reply _("Sorry, you're not allowed to add %{act} replies here") % {
++          :act => found.act
++        }
++        reaction.rm_reply(reaction.replies.length)
++        if new_reaction
++          @reactions.delete(reaction)
++        end
++        return
++      end
++    end
++
++    if new_reaction
++      m.reply "Ok, I'll start reacting to #{reaction.raw_trigger}"
+     end
+     m.reply "I'll react to #{reaction.raw_trigger} with #{reaction.raw_replies.last} (#{(reaction.replies.last.pct * 100).to_i}%)"
+   end
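Review bot: the permission check in the new-reply branch runs after `reaction.add_reply` has already appended the reply and rebuilt the chance ranges via `make_ranges`, and the rollback depends on `rm_reply(reaction.replies.length)` removing exactly what was just appended. Parsing the act prefix out of `reply` first, or calling `can_add?` on a throwaway Reply before touching `reaction`, would let `handle_add` bail out before any mutation and remove both the rollback and the `new_reaction` bookkeeping around `@reactions.delete(reaction)`. Separately, the remove path (`handle_rm`) is not touched by this patch; check whether deleting a `:cmd` or `:ruby` reply should be held to the same gate, or state why it need not be.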
+@@ -396,6 +447,11 @@
+ plugin.map plugin.add_syntax, :action => 'handle_add',
+   :requirements => { :trigger => plugin.trigger_syntax }
+ 
++# ruby reactions are security holes, so give stricter permission
++plugin.default_auth('react::ruby', false)
++# cmd reactions can be security holes too
++plugin.default_auth('react::cmd', false)
++
+ plugin.map 'reaction list [:page]', :action => 'handle_list',
+   :requirements => { :page => /^\d+$/ }
+ 
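Review bot: the two `default_auth(..., false)` registrations close the door for new `cmd:` and `ruby:` replies, but nothing in this patch re-checks reactions already stored in the registry (`@reactions = @registry[:reactions]` in the load hunk), so any `cmd:` reply a channel user added before this update stays active after the upgrade. Either tell admins in the changelog to review `reaction list` / `reaction show` output, or have the plugin log or drop stored `:cmd` and `:ruby` replies on load. Note also that `ruby:` replies did not exist in the packaged version before this patch, so a security update is introducing a new arbitrary-code path (gated off by default); if the goal is purely to fix the `cmd:` exposure, consider leaving the `ruby:` support out of the backport and shrinking the patch accordingly.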

Modified: trunk/rbot/debian/patches/series
===================================================================
--- trunk/rbot/debian/patches/series	2010-03-24 23:13:33 UTC (rev 5012)
+++ trunk/rbot/debian/patches/series	2010-03-25 00:48:56 UTC (rev 5013)
@@ -1 +1,2 @@
 spell_module_use_aspell_not_ispell
+reaction_plugin_security_update

Modified: trunk/rbot/debian/rules
===================================================================
--- trunk/rbot/debian/rules	2010-03-24 23:13:33 UTC (rev 5012)
+++ trunk/rbot/debian/rules	2010-03-25 00:48:56 UTC (rev 5013)
@@ -5,7 +5,6 @@
 # Then check manually if everything's ok
 
 include /usr/share/cdbs/1/rules/debhelper.mk
-include /usr/share/cdbs/1/rules/patchsys-quilt.mk
 include /usr/share/ruby-pkg-tools/1/class/ruby-setup-rb.mk
 
 DEB_RUBY_CONFIG_ARGS += --shebang=never

Added: trunk/rbot/debian/source/format
===================================================================
--- trunk/rbot/debian/source/format	                        (rev 0)
+++ trunk/rbot/debian/source/format	2010-03-25 00:48:56 UTC (rev 5013)
@@ -0,0 +1 @@
+3.0 (quilt)



