-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Donald Bruce Stewart wrote:
I've listed the mechanisms we use, and exploits that have been thought of, or discovered, over the years, on the page:
http://haskell.org/haskellwiki/Safely_running_untrusted_Haskell_code
Lambdabot uses is the technique of using a space at the beginning of the line to make sure it doesn't do anything special. However, it seems currently for multiple lines (long string or error string) it only puts a space if the first character is '@' ('?', '>', '/', '\001', '\000' are all sent literally). This behavior seems odd (why do it for '@'? and why not always a space?). In XChat the '\000' prevented the rest of the message from appearing, in the unescaped version produced by 'error'. Try (with any string in place of "?botsnack") @run (\str -> replicate 198 'a' ++ str ++ replicate (199 - length str) ' ') "?botsnack" or @run (\str -> error (replicate 188 'a' ++ str)) "?botsnack" (at least lambdabot doesn't respond to itself:) Isaac -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGWXCmHgcxvIWYTTURAkrlAKCcxS/kjtqtJCwZl3SrV7q7QyOL0QCgpeKS 9crkBNfI4QYzCn9P+2f7gCk= =8Tsr -----END PGP SIGNATURE-----