Louis-Philippe Véronneau: Hardening Weechat Relays Against RCE on Bullseye
I've been using weechat to connect to IRC since late 2016 and one of its killer features is relays. They let you use other frontends like the Weechat Android app or the amazing Glowing Bear (packaged in Debian Bullseye by yours truly).
Sadly, relays also used to be somewhat of a security risk: anyone with access to a relay could run scripts on the machine running weechat by using commands such as /exec or /script. Not great.
Since version 2.5 (Buster had version 2.3), you can mitigate this
risk by setting a command allowlist for relays. Later versions implemented a
sane default by blocking the following commands:
/exec
/fset
/set
/unset
/plugin
/script
/python
/perl
/ruby
/lua
/tcl
/guile
/javascript
/php
/secure
/upgrade
/quit
If you use weechat and are using the relays feature, after upgrading to Bullseye I would recommend you run the following commands in the weechat TUI:
/set relay.weechat.commands *,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit
/save
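If you manage several machines, it is handy to check an existing relay.conf against the list above rather than eyeballing it. The script below is an added example, not code from the post or from the WeeChat project. It assumes that the relay.weechat.commands option is stored as the `commands` key of a `[weechat]` section in relay.conf (with the value double-quoted, as in other WeeChat config files), and it models the option's documented matching rule: a command may run only if it matches a positive pattern and matches no "!"-prefixed negative pattern, with "*" as a wildcard. The two config fragments are constructed for the example, one wide open and one carrying the value recommended above.

```python
import configparser
import fnmatch

# Commands the post lists as risky when reachable through a relay client.
RISKY_COMMANDS = [
    "exec", "fset", "set", "unset", "plugin", "script", "python", "perl",
    "ruby", "lua", "tcl", "guile", "javascript", "php", "secure",
    "upgrade", "quit",
]

# The value the post recommends for relay.weechat.commands.
HARDENED_VALUE = ("*,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,"
                  "!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit")

# Constructed relay.conf fragments (not real files). Assumption: the
# relay.weechat.commands option lives as the `commands` key of the [weechat]
# section, and string values are written double-quoted.
OPEN_RELAY_CONF = '''
[network]
allowed_ips = ""
password = "${sec.data.relay}"

[weechat]
commands = "*"
'''

HARDENED_RELAY_CONF = OPEN_RELAY_CONF.replace(
    'commands = "*"', 'commands = "%s"' % HARDENED_VALUE)


def parse_patterns(value):
    """Split the comma-separated option value into non-empty patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def command_allowed(command, patterns):
    """Apply the documented semantics of relay.weechat.commands: a command
    runs only if it matches at least one positive pattern and matches no
    "!"-prefixed negative pattern. fnmatch supplies the "*" wildcard (it also
    honours "?" and "[...]", which WeeChat does not document)."""
    allowed = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(command, pattern[1:]):
                return False          # any negative match denies the command
        elif fnmatch.fnmatchcase(command, pattern):
            allowed = True
    return allowed


def read_relay_commands(conf_text):
    """Return the relay.weechat.commands patterns found in relay.conf text,
    or None when the option is absent from the file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_option("weechat", "commands"):
        return None
    raw = parser.get("weechat", "commands").strip().strip('"')
    return parse_patterns(raw)


def risky_commands_allowed(conf_text):
    """List the risky commands a relay client could still run under this
    config. An absent option is treated as unrestricted here; that is an
    assumption made so the audit errs on the side of flagging, not a claim
    about WeeChat's own default."""
    patterns = read_relay_commands(conf_text)
    if patterns is None:
        patterns = ["*"]
    return [cmd for cmd in RISKY_COMMANDS if command_allowed(cmd, patterns)]


if __name__ == "__main__":
    for name, conf in (("open", OPEN_RELAY_CONF),
                       ("hardened", HARDENED_RELAY_CONF)):
        print("%s relay.conf -> still reachable: %s"
              % (name, ", ".join(risky_commands_allowed(conf)) or "none"))
```

Point `risky_commands_allowed` at the contents of your own relay.conf (normally under ~/.weechat or ~/.config/weechat) and anything it returns is a command a relay client can still issue; an empty list means the denylist above is in effect.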