Closed Bug 956694 Opened 10 years ago Closed 2 years ago

Thunderbird's IRC client automatically joins any channel it's invited to

Categories

(Chat Core :: IRC, defect)

defect
Not set
normal

Tracking

(thunderbird_esr91 wontfix, thunderbird99 fixed)

RESOLVED FIXED
99 Branch
Tracking Status
thunderbird_esr91 --- wontfix
thunderbird99 --- fixed

People

(Reporter: u450280, Assigned: freaktechnik)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140104063516

Steps to reproduce:

Simply /invite any Thunderbird user to any IRC channel.


Actual results:

Thunderbird is forced to join the channel; even if the user decides to leave, inviting the user again forces the user into the channel again.


Expected results:

Invitations should *never* (and I bet that's even part of the RFC) lead to automatic joining which isn't preventable by the joining user.

One possible example of abusing this is creating #newtest, setting its mode to "+ikf unknownpassword #otherchannel", then inviting Thunderbird to #newtest (that's possible because we're +o there).
Thunderbird will then try to join, but that won't work (key "unknownpassword"), so Thunderbird is forwarded to #otherchannel.

(okay, this kind of abuse would also require operator status in #otherchannel to be able to create the forward, or a channel mode which allows anybody to forward to that channel, but I guess there are other ways to abuse the behavior of Thunderbird)


I could also think of creating a new channel, enabling ChanServ's "restricted" feature and annoying any Thunderbird user by inviting them over and over again
or forcing it to join as many channels as the network settings allow, thus blocking the user from joining any new channel.

Also, all those annoying channel operators who want to advertise their oh-so-great channels in the network help channels of big networks (messages like "plz join my #channel its great" can frequently be seen in #freenode, for example) could instead /invite any Thunderbird user to their channel, and if that user decides to leave, simply invite them again.

(In reply to Tobias "ToBeFree" Frei from comment #0)
> Thunderbird is forced to join the channel; even if the user decides to
> leave, inviting the user again forces the user into the channel again.
Yes, this was done on purpose. You can disable this with "messenger.conversations.autoAcceptChatInvitations" pref, see [1] for more information. I don't remember if this pref is in the UI or not, but it's certainly tweakable from about:config.

> Invitations should *never* (and I bet that's even part of the RFC) lead to
> automatic joining which isn't preventable by the joining user.
The relevant section is RFC 2812 3.2.7 [2]: there's nothing about client behavior in it. As I pointed out above, this behavior is already preventable.

> One possible example of abusing this is creating #newtest, setting its mode
> to "+ikf unknownpassword #otherchannel", then inviting Thunderbird to
> #newtest (that's possible because we're +o there).
> Thunderbird will then try to join, but that won't work (key
> "unknownpassword"), so Thunderbird is forwarded to #otherchannel.
This seems a pretty contrived example of abuse. An easier one would be the user is invited to a channel they do not want to be in or is invited to a large number of channels all at once or invited back to a channel they've parted. Really anything where the user does not want to be in a channel.

> (okay, this kind of abuse would also require operator status in
> #otherchannel to be able to create the forward, or a channel mode which
> allows anybody to forward to that channel, but I guess there are other ways
> to abuse the behavior of Thunderbird)
On most networks if you create a new channel you're automatically operator.

[1] http://mxr.mozilla.org/comm-central/source/chat/chat-prefs.js#30
[2] http://tools.ietf.org/html/rfc2812#section-3.2.7
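As an added illustration (not Thunderbird's own code) of the two behaviours discussed above: a small INVITE handler that parses the RFC 2812 3.2.7 message form, auto-joins only when the pref is 1, and otherwise queues a prompt; it also refuses to re-join a channel the user has parted and suppresses duplicate prompts for repeated invites. The pref name is from this thread; the meaning of any value other than 1 is an assumption made here.

```javascript
// Added example, not Thunderbird's code. Models the pref
// messenger.conversations.autoAcceptChatInvitations from the thread:
// 1 = auto-join (the default described on the page); any other value
// is assumed here to mean "ask the user first".
const AUTO_ACCEPT = 1;
const PROMPT = 0; // assumption for illustration only

// Parse ":nick!user@host INVITE target :#channel" (prefix optional).
function parseInvite(line) {
  const m = /^:([^!\s]+)(?:!\S+)?\s+INVITE\s+(\S+)\s+:?(\S+)$/.exec(line);
  if (!m) return null;
  return { from: m[1], target: m[2], channel: m[3] };
}

class InviteHandler {
  constructor(pref) {
    this.pref = pref;
    this.parted = new Set();  // channels the user left this session
    this.pending = new Map(); // channel -> inviter awaiting the user's answer
  }
  markParted(channel) { this.parted.add(channel.toLowerCase()); }

  // Returns the action the client should take for one raw server line.
  handleLine(line) {
    const inv = parseInvite(line);
    if (!inv) return { action: "ignore", reason: "not an INVITE" };
    const chan = inv.channel.toLowerCase();
    if (!/^[#&+!]/.test(chan)) return { action: "ignore", reason: "bad channel name" };
    if (this.pending.has(chan)) return { action: "ignore", reason: "prompt pending" };
    // Auto-join only if allowed AND the user has not already left this channel;
    // a re-invite after /part must not silently drag them back in.
    if (this.pref === AUTO_ACCEPT && !this.parted.has(chan)) {
      return { action: "join", channel: inv.channel };
    }
    this.pending.set(chan, inv.from);
    return { action: "prompt", channel: inv.channel, from: inv.from };
  }

  // The user's answer to a pending prompt; declining joins nothing.
  answer(channel, accept) {
    const chan = channel.toLowerCase();
    this.pending.delete(chan);
    if (!accept) return { action: "decline", channel };
    this.parted.delete(chan);
    return { action: "join", channel };
  }
}
```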

Thank you for the information about the about:config setting, I just searched for "IRC" there. However, I really wonder why "1" is the default for this setting. Setting "1" as default really seems to be a security issue for me, and I think that the default settings should be safe instead.

According to the RFC (your [2]), "When the channel has invite-only flag set, only channel operators may issue INVITE command." - that even makes the issue worse because any user, not just an operator, can abuse this invitation behavior unless mode +i is set, then. However, it does not seem to be like that on Charybdis, fortunately.

Also, "There is no requirement that the channel the target user is being invited to must exist or be a valid channel." ...what about auto-K-Lining channels on some networks? Would I be able to /invite Thunderbird #klinechannel to force it to be k-lined? At least it seems to be possible with the current default settings and according to the RFC.

(In reply to Tobias "ToBeFree" Frei from comment #2)
> Thank you for the information about the about:config setting, I just
> searched for "IRC" there.
It isn't an IRC only setting, it exists for all protocols that support this behavior.

> However, I really wonder why "1" is the default
> for this setting. Setting "1" as default really seems to be a security issue
> for me, and I think that the default settings should be safe instead.
That's why it's possible to change it. We set it to 1 as the general behavior users would want (as judged by us) is to join the channel they were invited to.

> According to the RFC (your [2]), "When the channel has invite-only flag set,
> only channel operators may issue INVITE command." - that even makes the
> issue worse because any user, not just an operator, can abuse this
> invitation behavior unless mode +i is set, then. However, it does not seem
> to be like that on Charybdis, fortunately.
This doesn't really add more evidence to the above. I think you've already made your argument clear enough. (Most networks don't have +i set on channels, by the way.)

> Also, "There is no requirement that the channel the target user is being
> invited to must exist or be a valid channel." ...what about auto-K-Lining
> channels on some networks? Would I be able to /invite Thunderbird
> #klinechannel to force it to be k-lined? At least it seems to be possible
> with the current default settings and according to the RFC.
I don't really know what an auto-K-lining channel is, I assume it's a channel that will cause you to get banned if you don't have access to it or something? Yes, it seems like this would happen if you invited the user to it.

(In reply to Patrick Cloke [:clokep] from comment #3)
> I don't really know what an auto-K-lining channel is, I assume it's a
> channel that will cause you to get banned if you don't have access to it or
> something? Yes, it seems like this would happen if you invited the user to
> it.

It's a channel that has been "forbidden" by network staff because it was abused by bots/drones. Anyone joining such a channel will be banned (k-lined) from the whole IRC network including all channels. I know of such channels on StaticBox and Freenode, and I guess many other networks have similar channels.

http://freenode.net/faq.shtml#drones

Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
This bug was resolved as invalid because, based on comments, there is no bug here and the feature is working as designed.

(In reply to Al Billings [:abillings] from comment #5)

> there is no bug here and the feature is working as designed.

While I agree that there's no sensitive security issue here (I'm removing the security flag), I think the behavior here is suboptimal and limiting the ability to abuse /invite would be desirable.
Group: core-security
Status: RESOLVED → REOPENED
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All
Resolution: INVALID → ---
Depends on: 1733568
Component: Instant Messaging → IRC
Product: Thunderbird → Chat Core
Version: 24 Branch → trunk
Assignee: nobody → martin
Target Milestone: --- → 99 Branch

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/181525199395
Prompt for MUC invites. r=clokep

Status: REOPENED → RESOLVED
Closed: 10 years ago → 2 years ago
Resolution: --- → FIXED

For the record -- the applied fix is also for XMPP.

See Also: → 1747260