dolysis/conduwuit
3
0
Fork 0
mirror of https://github.com/girlbossceo/conduwuit.git synced 2024-11-30 13:43:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

dont allow "remote admins" to run public escaped cmds on behalf of others

Browse source 
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-06-14 23:46:07 -04:00
parent 08bf074cbb
commit 03c04ce0a1
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/service/admin/mod.rs
View file

@ -18,7 +18,7 @@ use serde_json::value::to_raw_value;
use tokio::{sync::Mutex, task::JoinHandle}; use tokio::{sync::Mutex, task::JoinHandle};
use tracing::error; use tracing::error;
use crate::{pdu::PduBuilder, services, PduEvent}; use crate::{pdu::PduBuilder, services, user_is_local, PduEvent};
pub type HandlerResult = Pin<Box<dyn Future<Output = Result<AdminEvent, Error>> + Send>>; pub type HandlerResult = Pin<Box<dyn Future<Output = Result<AdminEvent, Error>> + Send>>;
pub type Handler = fn(AdminEvent) -> HandlerResult; pub type Handler = fn(AdminEvent) -> HandlerResult;
@ -276,6 +276,11 @@ pub async fn is_admin_command(pdu: &PduEvent, body: &str) -> bool {
return false; return false;
} }
// only allow public escaped commands by local admins
if is_public_escape && !user_is_local(&pdu.sender) {
return false;
}
// Check if server-side command-escape is disabled by configuration // Check if server-side command-escape is disabled by configuration
if is_public_escape && !services().globals.config.admin_escape_commands { if is_public_escape && !services().globals.config.admin_escape_commands {
return false; return false;