relay: add extra forbidden commands in weechat protocol (issue #928)

Commands were already forbidden (option relay.weechat.commands): - /exec - /upgrade - /quit These extra commands are now forbidden by default: - /fset - /set - /unset - /plugin - /script - /python - /perl - /ruby - /lua - /tcl - /guile - /javascript - /php - /secure
weechat · Mar 9, 2019 · dd44c1d · dd44c1d
1 parent 2f5aa3b
commit dd44c1d
Show file tree

Hide file tree

Showing 20 changed files with 76 additions and 73 deletions.
diff --git a/doc/de/autogen/user/relay_options.adoc b/doc/de/autogen/user/relay_options.adoc
@@ -183,7 +183,7 @@
 ** Standardwert: `+""+`
 
 * [[option_relay.weechat.commands]] *relay.weechat.commands*
-** Beschreibung: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default all commands are allowed except /exec, /upgrade and /quit (which could lead to denial of service or remote code execution if the client is not trusted)]
+** Beschreibung: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default some commands are not allowed (they could lead to denial of service or remote code execution if the client is not trusted)]
 ** Typ: Zeichenkette
 ** Werte: beliebige Zeichenkette
-** Standardwert: `+"*,!exec,!upgrade,!quit"+`
+** Standardwert: `+"*,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit"+`
diff --git a/doc/en/autogen/user/relay_options.adoc b/doc/en/autogen/user/relay_options.adoc
@@ -183,7 +183,7 @@
 ** default value: `+""+`
 
 * [[option_relay.weechat.commands]] *relay.weechat.commands*
-** description: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default all commands are allowed except /exec, /upgrade and /quit (which could lead to denial of service or remote code execution if the client is not trusted)]
+** description: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default some commands are not allowed (they could lead to denial of service or remote code execution if the client is not trusted)]
 ** type: string
 ** values: any string
-** default value: `+"*,!exec,!upgrade,!quit"+`
+** default value: `+"*,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit"+`
diff --git a/doc/fr/autogen/user/relay_options.adoc b/doc/fr/autogen/user/relay_options.adoc
@@ -183,7 +183,7 @@
 ** valeur par défaut: `+""+`
 
 * [[option_relay.weechat.commands]] *relay.weechat.commands*
-** description: pass:none[liste des commandes autorisées/interdites lorsque qu'une entrée de données (texte ou commande) est reçue du client (séparées par des virgules) ; "*" signifie toutes les commandes, un nom commençant par "!" est une valeur négative pour empêcher une commande d'être exécutée, le caractère joker "*" est autorisé dans les noms ; par défaut toutes les commandes sont autorisées sauf /exec, /upgrade et /quit (ce qui pourrait conduire à un déni de service ou l'exécution de commandes à distance si le client n'est pas sûr)]
+** description: pass:none[liste des commandes autorisées/interdites lorsque qu'une entrée de données (texte ou commande) est reçue du client (séparées par des virgules) ; "*" signifie toutes les commandes, un nom commençant par "!" est une valeur négative pour empêcher une commande d'être exécutée, le caractère joker "*" est autorisé dans les noms ; par défaut certaines commandes ne sont pas autorisées (elles pourraient conduire à un déni de service ou l'exécution de commandes à distance si le client n'est pas sûr)]
 ** type: chaîne
 ** valeurs: toute chaîne
-** valeur par défaut: `+"*,!exec,!upgrade,!quit"+`
+** valeur par défaut: `+"*,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit"+`
diff --git a/doc/it/autogen/user/relay_options.adoc b/doc/it/autogen/user/relay_options.adoc
@@ -183,7 +183,7 @@
 ** valore predefinito: `+""+`
 
 * [[option_relay.weechat.commands]] *relay.weechat.commands*
-** descrizione: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default all commands are allowed except /exec, /upgrade and /quit (which could lead to denial of service or remote code execution if the client is not trusted)]
+** descrizione: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default some commands are not allowed (they could lead to denial of service or remote code execution if the client is not trusted)]
 ** tipo: stringa
 ** valori: qualsiasi stringa
-** valore predefinito: `+"*,!exec,!upgrade,!quit"+`
+** valore predefinito: `+"*,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit"+`
diff --git a/doc/ja/autogen/user/relay_options.adoc b/doc/ja/autogen/user/relay_options.adoc
@@ -183,7 +183,7 @@
 ** デフォルト値: `+""+`
 
 * [[option_relay.weechat.commands]] *relay.weechat.commands*
-** 説明: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default all commands are allowed except /exec, /upgrade and /quit (which could lead to denial of service or remote code execution if the client is not trusted)]
+** 説明: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default some commands are not allowed (they could lead to denial of service or remote code execution if the client is not trusted)]
 ** タイプ: 文字列
 ** 値: 未制約文字列
-** デフォルト値: `+"*,!exec,!upgrade,!quit"+`
+** デフォルト値: `+"*,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit"+`
diff --git a/doc/pl/autogen/user/relay_options.adoc b/doc/pl/autogen/user/relay_options.adoc
@@ -183,7 +183,7 @@
 ** domyślna wartość: `+""+`
 
 * [[option_relay.weechat.commands]] *relay.weechat.commands*
-** opis: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default all commands are allowed except /exec, /upgrade and /quit (which could lead to denial of service or remote code execution if the client is not trusted)]
+** opis: pass:none[comma-separated list of commands allowed/denied when input data (text or command) is received from a client; "*" means any command, a name beginning with "!" is a negative value to prevent a command from being executed, wildcard "*" is allowed in names; by default some commands are not allowed (they could lead to denial of service or remote code execution if the client is not trusted)]
 ** typ: ciąg
 ** wartości: dowolny ciąg
-** domyślna wartość: `+"*,!exec,!upgrade,!quit"+`
+** domyślna wartość: `+"*,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit"+`
diff --git a/po/cs.po b/po/cs.po
@@ -21,7 +21,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:53+0100\n"
 "Last-Translator: Ondřej Súkup <mimi.vx@gmail.com>\n"
 "Language-Team: weechat-dev <weechat-dev@nongnu.org>\n"
@@ -10868,9 +10868,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 #, fuzzy

diff --git a/po/de.po b/po/de.po
@@ -24,7 +24,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 21:25+0100\n"
 "Last-Translator: Nils Görs <weechatter@arcor.de>\n"
 "Language-Team: German <kde-i18n-de@kde.org>\n"
@@ -12768,13 +12768,14 @@ msgstr ""
 "gesendet wird); keine Zeichenkette = deaktiviert die Zeitanzeige im "
 "Verlaufsspeicher"
 
+#, fuzzy
 msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 "durch Kommata getrennte Liste von Befehlen die erlaubt/verboten sind wenn "
 "Daten (Text oder Befehl) vom Client empfangen werden; \"*\" bedeutet alle "

diff --git a/po/es.po b/po/es.po
@@ -22,7 +22,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:53+0100\n"
 "Last-Translator: Elián Hanisch <lambdae2@gmail.com>\n"
 "Language-Team: weechat-dev <weechat-dev@nongnu.org>\n"
@@ -11221,9 +11221,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 #, fuzzy

diff --git a/po/fr.po b/po/fr.po
@@ -21,8 +21,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
-"PO-Revision-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
+"PO-Revision-Date: 2019-03-09 17:51+0100\n"
 "Last-Translator: Sébastien Helleu <flashcode@flashtux.org>\n"
 "Language-Team: weechat-dev <weechat-dev@nongnu.org>\n"
 "Language: fr\n"
@@ -12495,17 +12495,17 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 "liste des commandes autorisées/interdites lorsque qu'une entrée de données "
 "(texte ou commande) est reçue du client (séparées par des virgules) ; \"*\" "
 "signifie toutes les commandes, un nom commençant par \"!\" est une valeur "
 "négative pour empêcher une commande d'être exécutée, le caractère joker \"*"
-"\" est autorisé dans les noms ; par défaut toutes les commandes sont "
-"autorisées sauf /exec, /upgrade et /quit (ce qui pourrait conduire à un déni "
-"de service ou l'exécution de commandes à distance si le client n'est pas sûr)"
+"\" est autorisé dans les noms ; par défaut certaines commandes ne sont pas "
+"autorisées (elles pourraient conduire à un déni de service ou l'exécution de "
+"commandes à distance si le client n'est pas sûr)"
 
 msgid "number of clients for relay"
 msgstr "nombre de clients pour le relai"

diff --git a/po/hu.po b/po/hu.po
@@ -20,7 +20,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:18+0100\n"
 "Last-Translator: Andras Voroskoi <voroskoi@frugalware.org>\n"
 "Language-Team: weechat-dev <weechat-dev@nongnu.org>\n"
@@ -10227,9 +10227,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 #, fuzzy

diff --git a/po/it.po b/po/it.po
@@ -20,7 +20,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:53+0100\n"
 "Last-Translator: Esteban I. Ruiz Moreno <exio4.com@gmail.com>\n"
 "Language-Team: weechat-dev <weechat-dev@nongnu.org>\n"
@@ -11423,9 +11423,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 #, fuzzy

diff --git a/po/ja.po b/po/ja.po
@@ -20,7 +20,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:53+0100\n"
 "Last-Translator: AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>\n"
 "Language-Team: Japanese <https://github.com/l/weechat/tree/master/"
@@ -12043,9 +12043,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 msgid "number of clients for relay"

diff --git a/po/pl.po b/po/pl.po
@@ -22,7 +22,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:53+0100\n"
 "Last-Translator: Krzysztof Korościk <soltys@soltys.info>\n"
 "Language-Team: Polish <kde-i18n-doc@kde.org>\n"
@@ -12227,9 +12227,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 msgid "number of clients for relay"

diff --git a/po/pt.po b/po/pt.po
@@ -20,7 +20,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:53+0100\n"
 "Last-Translator: Vasco Almeida <vascomalmeida@sapo.pt>\n"
 "Language-Team: Portuguese <>\n"
@@ -11883,9 +11883,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 msgid "number of clients for relay"

diff --git a/po/pt_BR.po b/po/pt_BR.po
@@ -21,7 +21,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: WeeChat\n"
 "Report-Msgid-Bugs-To: flashcode@flashtux.org\n"
-"POT-Creation-Date: 2019-02-28 20:53+0100\n"
+"POT-Creation-Date: 2019-03-09 17:49+0100\n"
 "PO-Revision-Date: 2019-02-28 20:53+0100\n"
 "Last-Translator: Eduardo Elias <camponez@gmail.com>\n"
 "Language-Team: weechat-dev <weechat-dev@nongnu.org>\n"
@@ -10676,9 +10676,9 @@ msgid ""
 "comma-separated list of commands allowed/denied when input data (text or "
 "command) is received from a client; \"*\" means any command, a name "
 "beginning with \"!\" is a negative value to prevent a command from being "
-"executed, wildcard \"*\" is allowed in names; by default all commands are "
-"allowed except /exec, /upgrade and /quit (which could lead to denial of "
-"service or remote code execution if the client is not trusted)"
+"executed, wildcard \"*\" is allowed in names; by default some commands are "
+"not allowed (they could lead to denial of service or remote code execution "
+"if the client is not trusted)"
 msgstr ""
 
 #, fuzzy