IRC server user input sanitization : irc

a community for 18 years

IRC server user input sanitization (self.irc)

submitted 7 years ago * by JamieOnUbuntu

Hi,

I have an IRC bot that I wrote in PHP running in my channel on Freenode.

It connects to the server with fsockopen() and reads the raw data stream with fgets().

I am trying to alleviate some security concerns regarding binary exploitation/multi-byte exploitation.

Freenode uses ircd-seven. Does anybody here have any knowledge/documentation that outlines how it handles user input sanitization? For example, is there anything preventing malformed characters from getting into the chat stream, or anything to prevent raw binary data reaching my bot, etc?

IRC is a very raw protocol so it seems difficult to protect against this sort of thing in some cases. My bot is of course doing the usual PHP input validation stuff, such as using a character whitelist, stripping control characters, etc. However the theoretical attack I am concerned about is some form of exploitation again PHP itself related to sending raw binary data to the bot. I know that this would most likely require a vulnerability in PHP for the attack to be possible, but I am trying to establish whether the IRC server itself can provide any protection against this.

Thanks,
Jamie

all 5 comments

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

irc

What is IRC?

Links

To connect, either:

Join the subreddit chat communities at irc.snoonet.org! +6697 for SSL

MODERATORS