https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916

@-codes in messages posted by non-Sysops are normally *never* expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message received over a message network should never have any @-codes expanded.

This commit seems to introduce a security concern and raises general concerns about how SlyEdit handles @-codes currently.

---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net

On Fri, 2 Dec 2022 10:46:45 -0800
"Rob Swindell" <rob.swindell@VERT> wrote:

> https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916
>
> @-codes in messages posted by non-Sysops are normally *never*
> expanded on Synchronet due to security issues (e.g. a non-sysop posts
> @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
> received over a message network should never have any @-codes
> expanded.
>
> This commit seems to introduce a security concern and raises general
> concerns about how SlyEdit handles @-codes currently.

The reason I requested this is because when I responded to an email on
a BBS that was an autogenerated welcome mesasge, the @BBS@ and @ALIAS@
codes were expanded but when I replied, the quoted message had @BBS@
and @ALIAS@.

I think the intent should be that the @codes are converted into the
actual text at the time the message is sent. If the sysop wants to
change their BBS name or the user changes their alias post-sending of
the original, then tough.

I agree that @-codes shouldn't be expanded when sent from a user but if
coming from the system or sysop, then expand them and put the text in.
Problem solved.
--
End Of The Line BBS - Plano, TX
telnet endofthelinebbs.com 23
---
� Synchronet � End Of The Line BBS - endofthelinebbs.com

Re: Re: DDMsgReader: When replying to a message, @-codes are nowexpanded i
By: Nelgin to Rob Swindell on Fri Dec 09 2022 12:29 am

> On Fri, 2 Dec 2022 10:46:45 -0800
> "Rob Swindell" <rob.swindell@VERT> wrote:
>
> > https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916
>
> > @-codes in messages posted by non-Sysops are normally *never*
> > expanded on Synchronet due to security issues (e.g. a non-sysop posts
> > @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
> > received over a message network should never have any @-codes
> > expanded.
>
> > This commit seems to introduce a security concern and raises general
> > concerns about how SlyEdit handles @-codes currently.
>
> The reason I requested this is because when I responded to an email on
> a BBS that was an autogenerated welcome mesasge, the @BBS@ and @ALIAS@
> codes were expanded but when I replied, the quoted message had @BBS@
> and @ALIAS@.
>
> I think the intent should be that the @codes are converted into the
> actual text at the time the message is sent. If the sysop wants to
> change their BBS name or the user changes their alias post-sending of
> the original, then tough.
>
> I agree that @-codes shouldn't be expanded when sent from a user but if
> coming from the system or sysop, then expand them and put the text in.
> Problem solved.

Yeah, that sounds preferably and a pretty easy change (at elast for those 2 specific @-codes) in exec/newuser.js. Create a new gitlab issue/request for this?
--
digital man (rob)

This Is Spinal Tap quote #36:
Bobbi Flekman: Money talks, and bullshit walks.
Norco, CA WX: 48.5°F, 75.0% humidity, 0 mph E wind, 0.00 inches rain/24hrs
---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net