From 6a74b2961b7318bcbf81f040cbbb3cb9f123ff41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergiusz=20Baza=C5=84ski?= <q3k@q3k.org>
Date: Fri, 20 Mar 2020 15:59:14 +0100
Subject: [PATCH] security: fix irc:{Say,Notice} target command injection,
 again

---
 core/irc.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/irc.lua b/core/irc.lua
index e8c8930..27af5b0 100644
--- a/core/irc.lua
+++ b/core/irc.lua
@@ -142,7 +142,7 @@ function irc:LoginUser(username, realname)
 end
 
 function irc:Say(target, message)
-    local Target = target:gmatch("[^\r\n]+")() 
+    local Target = target:gmatch("[^\a\r\n: ]+")() 
     for Line in message:gmatch("[^\r\n]+") do
         print(' --> PRIVMSG ' .. Target .. ' :' .. Line)
         self:_Send('PRIVMSG ' .. Target .. ' :' .. Line)
@@ -150,7 +150,7 @@ function irc:Say(target, message)
 end
 
 function irc:Notice(target, message)
-    local Target = target:gmatch("[^\r\n]+")() 
+    local Target = target:gmatch("[^\a\r\n: ]+")() 
     for Line in message:gmatch("[^\r\n]+") do
         print(' --> NOTICE ' .. Target .. ' :' .. Line)
         self:_Send('NOTICE ' .. Target .. ' :' .. Line)