gruik

Fork of GCU-Squad's RSS-to-IRC bridge
git clone https://git.instinctive.eu/gruik.git
Log | Files | Refs | README | LICENSE
commit d3506035ac77a3623928bcee8568d47cb02d6ddf
parent 4b649632a89b38851dcb256c3537bcb593fa339a
Author: Sébastien Marie <semarie@online.fr>
Date:   Tue, 18 Jul 2023 09:09:47 +0000

do not pass untrusted input to girc.Fmt()

Diffstat:

Mmain.go | 26++++++++++++++------------


1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/main.go b/main.go
@@ -68,15 +68,17 @@ func getNewsByOrigin(origin string) []News {
 }
 
 func fmtNews(news News) string {
-	return fmt.Sprintf("[{%s}%s{r}] {%s}%s{r} {%s}%s{r} {%s}#%s{r}",
-		viper.GetString("irc.colors.origin"),
-		news.Origin,
-		viper.GetString("irc.colors.title"),
-		news.Title,
-		viper.GetString("irc.colors.link"),
-		news.Link,
-		viper.GetString("irc.colors.hash"),
-		news.Hash)
+	colorReset  := girc.Fmt("{c}")
+	colorOrigin := girc.Fmt(fmt.Sprintf("{%s}", viper.GetString("irc.colors.origin")))
+	colorTitle  := girc.Fmt(fmt.Sprintf("{%s}", viper.GetString("irc.colors.title")))
+	colorLink   := girc.Fmt(fmt.Sprintf("{%s}", viper.GetString("irc.colors.link")))
+	colorHash   := girc.Fmt(fmt.Sprintf("{%s}", viper.GetString("irc.colors.hash")))
+
+	return fmt.Sprintf("[%s%s%s] %s%s%s %s%s%s %s#%s%s",
+		colorOrigin, news.Origin, colorReset,
+		colorTitle, news.Title, colorReset,
+		colorLink, news.Link, colorReset,
+		colorHash, news.Hash, colorReset)
 }
 
 // Fetch and post news from RSS feeds
@@ -140,7 +142,7 @@ func newsFetch(client *girc.Client, channel string) {
 					break
 				}
 
-				client.Cmd.Message(channel, girc.Fmt(fmtNews(news)))
+				client.Cmd.Message(channel, fmtNews(news))
 				time.Sleep(viper.GetDuration("irc.delay"))
 
 				// Mark item as posted
@@ -283,7 +285,7 @@ func main() {
 			for _, xchan := range viper.GetStringSlice("irc.xchannels") {
 				if news := getNewsByHash(s); news.Hash != "" {
 					post := fmt.Sprintf(" {r}(from %s on %s)", e.Source.Name, channel)
-					c.Cmd.Message(xchan, girc.Fmt(fmtNews(news)+post))
+					c.Cmd.Message(xchan, fmtNews(news) + girc.Fmt(post))
 					time.Sleep(viper.GetDuration("irc.delay"))
 				}
 			}
@@ -321,7 +323,7 @@ func main() {
 			numNews--
 			for i := 0; i < n; i++ {
 				fmt.Println(i)
-				c.Cmd.Message(dest, girc.Fmt(fmtNews(showNews[numNews-i])))
+				c.Cmd.Message(dest, fmtNews(showNews[numNews-i]))
 				time.Sleep(viper.GetDuration("irc.delay"))
 			}
 		}