logbot: how can we be careful with write access to the server #21

Open
opened 2021-05-16 11:58:49 +02:00 by mb · 1 comment

logbot and whisperbot can be invited by anyone, using their xmpp addresses, enabling write access to the server. Let's be careful with that.

Leaving some snippets from the conversation here:

My first instinct is this is a bad idea to have out in the open like this.

But yeah something with write access to the server should not be able to be invited this way by random people

we can add a flag where you whitelist servers / rooms that the bot will join. Easy way to address it.

nice promiscuous pipeline

Owner

Extending https://git.vvvvvvaria.org/decentral1se/xbotlib#invitations with whitelisting would be a good idea.
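The allowlist idea discussed in this issue, sketched as an added example (not code from xbotlib or from this repository): a default-deny check on the room JID carried by an invitation. The class, function names and sample JIDs are hypothetical, and how the check is wired into the bot's invitation handler is left as an assumption.

```python
# Added example: default-deny allowlist for chat room invitations.
# All names and JIDs are hypothetical; this is not xbotlib's API.
import logging
from dataclasses import dataclass, field

log = logging.getLogger("invite-allowlist")


def bare_jid(jid: str) -> str:
    """Drop the resource part and lowercase: 'Room@Host/nick' -> 'room@host'."""
    return jid.split("/", 1)[0].strip().lower()


def domain_of(jid: str) -> str:
    """Return the domain part of a JID (text after the '@' of the bare JID)."""
    return bare_jid(jid).rsplit("@", 1)[-1]


@dataclass
class InviteAllowlist:
    rooms: set = field(default_factory=set)    # exact room JIDs
    servers: set = field(default_factory=set)  # exact room-server domains

    def __post_init__(self):
        # Normalise once so comparisons below are case-insensitive.
        self.rooms = {bare_jid(r) for r in self.rooms}
        self.servers = {s.strip().lower() for s in self.servers}

    def permits(self, room_jid: str) -> bool:
        """Exact match only: no suffix or substring matching on domains."""
        room = bare_jid(room_jid)
        if "@" not in room or not room.split("@", 1)[0]:
            return False  # malformed or missing room name: reject
        return room in self.rooms or domain_of(room) in self.servers


def handle_invite(allowlist: InviteAllowlist, room_jid: str, inviter: str) -> str:
    """Return 'join' or 'ignore'; rejected invites are logged with the inviter."""
    if allowlist.permits(room_jid):
        return "join"
    log.warning("ignored invite to %s from %s", bare_jid(room_jid), bare_jid(inviter))
    return "ignore"
```

An empty allowlist rejects every invitation, so a bot with write access to the server joins nothing until rooms or servers are listed explicitly.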

Reference: varia/bots#21