* detect repeated DBCS commands from evil clients

git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@4877 63ad8ddf-47c3-0310-b6dd-a9e9d9715204

4 files changed, 73 insertions, 4 deletions

diff --git a/mbbsd/mbbsd.c b/mbbsd/mbbsd.c
index 5aba270f..af4ade36 100644
--- a/mbbsd/mbbsd.c
+++ b/mbbsd/mbbsd.c
@@ -1279,11 +1279,8 @@ user_login(void)
     } else if (strcmp(cuser.userid, STR_GUEST) == 0) { /* guest */
 
 	init_guest_info();
-#if 0 // def DBCSAWARE
-	u_detectDBCSAwareEvilClient();
-#else
 	pressanykey();
-#endif
+
     } else {
 	// XXX no userlevel, no guest - what is this?
 	// clear();
diff --git a/mbbsd/passwd.c b/mbbsd/passwd.c
index 9987aceb..46734d8b 100644
--- a/mbbsd/passwd.c
+++ b/mbbsd/passwd.c
@@ -602,9 +602,12 @@ void pwcuInitGuestPerm	()
     cuser.userlevel = 0;
     cuser.uflag = UF_BRDSORT;
     cuser.pager = PAGER_OFF;
+#ifdef DBCSAWARE
+    _ENABLE_BIT(cuser.uflag, UF_DBCSAWARE);
 # ifdef GUEST_DEFAULT_DBCS_NOINTRESC
     _ENABLE_BIT(cuser.uflag, UF_DBCS_NOINTRESC);
 # endif
+#endif
 }
 
 #undef  DIM
diff --git a/mbbsd/register.c b/mbbsd/register.c
index b5a22faf..3db22103 100644
--- a/mbbsd/register.c
+++ b/mbbsd/register.c
@@ -717,10 +717,15 @@ new_register(void)
 #endif
 
 #ifdef DBCSAWARE
+# ifdef DBCSAWARE_SKIP_EVIL_REPEATS_CHECK
     if(u_detectDBCSAwareEvilClient())
 	newuser.uflag &= ~UF_DBCSAWARE;
     else
 	newuser.uflag |= UF_DBCSAWARE;
+# else
+    // since we check for repeats, safe to set DBCS aware to user
+    newuser.uflag |= UF_DBCSAWARE;
+# endif
 #endif
 
     more("etc/register", NA);
diff --git a/mbbsd/telnet.c b/mbbsd/telnet.c
index 7cf1fee5..933f9f3c 100644
--- a/mbbsd/telnet.c
+++ b/mbbsd/telnet.c
@@ -43,6 +43,65 @@ telnet_init(int do_init_cmd)
 	telnet_ctx_send_init_cmds(ctx);
 }
 
+#if defined(DBCSAWARE) && !defined(DBCSAWARE_SKIP_EVIL_REPEATS_CHECK)
+ssize_t 
+dbcs_detect_evil_repeats(unsigned char *buf, ssize_t l)
+{
+    // determine DBCS repeats by evil clients (ref: io.c)
+    if (l == 2)
+    {
+	// XXX l=2 is dangerous. hope we are not in telnet IAC state...
+	// BS:	\b
+	// BS2:	\x7f
+	if (buf[0] != buf[1])
+	    return l;
+
+	if (buf[0] == '\b' ||
+	    buf[0] == '\x1f')
+	    return l-1;
+    } 
+    else if (l == 6)
+    {
+	// RIGHT:   ESC_CHR "OC" or ESC_CHR "[C"
+	// LEFT:    ESC_CHR "OD" or ESC_CHR "[D"
+	if (buf[2] != 'C' && buf[2] != 'D')
+	    return l;
+
+	if ( buf[0] == ESC_CHR &&
+	    (buf[1] == '[' || buf[1] == 'O') &&
+	     buf[0] == buf[3] &&
+	     buf[1] == buf[4] &&
+	     buf[2] == buf[5])
+	    return l-3;
+    } 
+    else if (l == 8)
+    {
+	// RIGHT:   ESC_CHR "[OC"
+	// LEFT:    ESC_CHR "[OD"
+	// DEL:	    ESC_STR "[3~" // vt220
+	if (buf[2] != '3' && buf[2] != 'O')
+	    return l;
+
+	if (buf[0] != ESC_CHR ||
+	    buf[1] != '[' ||
+	    buf[4] != buf[0] ||
+	    buf[5] != buf[1] ||
+	    buf[6] != buf[2] ||
+	    buf[7] != buf[3])
+	    return l;
+
+	if (buf[2] == '3' &&
+	    buf[3] == '~')
+	    return l-4;
+
+	if ( buf[2] == 'O' &&
+	    (buf[3] == 'C' || buf[3] == 'D') )
+	    return l-4;
+    }
+    return l;
+}
+#endif
+
 /* tty_read
  * read from tty, process telnet commands if raw connection.
  * return: >0 = length, <=0 means read more, abort/eof is automatically processed.
@@ -56,6 +115,11 @@ tty_read(unsigned char *buf, size_t max)
     if(l == 0 || (l < 0 && !(errno == EINTR || errno == EAGAIN)))
 	abort_bbs(0);
 
+#if defined(DBCSAWARE) && !defined(DBCSAWARE_SKIP_EVIL_REPEATS_CHECK)
+    if (ISDBCSAWARE())
+	l = dbcs_detect_evil_repeats(buf, l);
+#endif
+
     if(!raw_connection || l <= 0)
 	return l;