https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916
@-codes in messages posted by non-Sysops are normally *never*
expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
received over a message network should never have any @-codes
expanded.
This commit seems to introduce a security concern and raises general
concerns about how SlyEdit handles @-codes currently.
On Fri, 2 Dec 2022 10:46:45 -0800
"Rob Swindell" <rob.swindell@VERT> wrote:
https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916
@-codes in messages posted by non-Sysops are normally *never*
expanded on Synchronet due to security issues (e.g. a non-sysop posts @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
received over a message network should never have any @-codes
expanded.
This commit seems to introduce a security concern and raises general concerns about how SlyEdit handles @-codes currently.
The reason I requested this is because when I responded to an email on
a BBS that was an autogenerated welcome message, the @BBS@ and @ALIAS@
codes were expanded but when I replied, the quoted message had @BBS@
and @ALIAS@.
I think the intent should be that the @codes are converted into the
actual text at the time the message is sent. If the sysop wants to
change their BBS name or the user changes their alias post-sending of
the original, then tough.
I agree that @-codes shouldn't be expanded when sent from a user, but if coming from the system or sysop, then expand them and put the text in. Problem solved.
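
The policy discussed in this thread (expand once at send time, only for locally written system or sysop messages, never for user or network messages) can be sketched as below. This is an added example, not SlyEdit or Synchronet code and not written by either poster; the function names, message fields and sample data are assumptions made for illustration.

```javascript
// Added example. Every name here (SAFE_CODES, isTrustedAuthor, expandAtSend,
// the msg/ctx fields) is hypothetical, not a Synchronet or SlyEdit API.

// Allow-list of informational codes. Action codes such as @HANGUP@ and
// @DELAY:n@ are deliberately absent, so they always remain literal text.
const SAFE_CODES = new Map([
  ["BBS", (ctx) => ctx.bbsName],
  ["ALIAS", (ctx) => ctx.recipientAlias],
]);

// Trusted only when written locally by the system or a sysop.
function isTrustedAuthor(msg) {
  return msg.fromNetwork === false &&
    (msg.authorRole === "system" || msg.authorRole === "sysop");
}

// Run once when the message is sent; the returned plain text is what gets
// stored, displayed and quoted. String.replace does a single pass, so
// substituted values are not scanned again for further codes.
function expandAtSend(msg, ctx) {
  if (!isTrustedAuthor(msg)) return msg.body;
  return msg.body.replace(/@([A-Z][A-Z0-9_]*)@/g, (whole, name) => {
    const resolve = SAFE_CODES.get(name);
    return resolve ? String(resolve(ctx)) : whole;
  });
}

// Constructed sample data.
const ctx = { bbsName: "Example BBS", recipientAlias: "newuser" };
const samples = [
  { authorRole: "system", fromNetwork: false, body: "Welcome to @BBS@, @ALIAS@! @HANGUP@" },
  { authorRole: "user", fromNetwork: false, body: "Hi from @BBS@ @DELAY:99999@" },
  { authorRole: "sysop", fromNetwork: true, body: "Greetings, @ALIAS@ @HANGUP@" },
];
for (const m of samples) console.log(`${m.authorRole}: ${expandAtSend(m, ctx)}`);
```

Because the stored body is already plain text, a later reply quotes "Example BBS" and "newuser" rather than the raw codes, and nothing a user types into that reply is expanded.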