Hardening Weechat Relays Against RCE on Bullseye

2021-06-24 - Louis-Philippe Véronneau

I've been using weechat to connect to IRC since late 2016 and one of its killer features is relays. They let you use other frontends like the Weechat Android app or the amazing Glowing Bear (packaged in Debian Bullseye by yours truly).

Sadly, relays also used to be somewhat of a security risk: anyone with access to a relay[1] could run scripts on the machine running weechat by using commands such as /exec or /script. Not great.

Since version 2.5 (Buster had version 2.3), you can mitigate this risk by setting a command allowlist for relays. Later versions implemented a sane default by blocking the following commands:

  • /exec
  • /fset
  • /set
  • /unset
  • /plugin
  • /script
  • /python
  • /perl
  • /ruby
  • /lua
  • /tcl
  • /guile
  • /javascript
  • /php
  • /secure
  • /upgrade
  • /quit

Sadly, this default didn't make it into Bullseye. If you are running weechat and are using the relays feature, after upgrading to Bullseye, I would recommend you run the following commands in the weechat TUI:

/set relay.weechat.commands *,!exec,!fset,!set,!unset,!plugin,!script,!python,!perl,!ruby,!lua,!tcl,!guile,!javascript,!php,!secure,!upgrade,!quit
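
To confirm the setting took effect, the saved configuration can be audited offline. The following is an added example, not code from this post or from the WeeChat project: it assumes the option is stored as `commands` in the `[weechat]` section of relay.conf, that an empty value allows every command, and that masks match the whole command name case-insensitively with "*" as the only wildcard. The sample config strings are constructed.

```python
import re

# Commands the post lists as blocked by default in later WeeChat versions.
RISKY = ("exec fset set unset plugin script python perl ruby lua tcl "
         "guile javascript php secure upgrade quit").split()

def relay_commands(conf_text):
    """Return the 'commands' value from the [weechat] section, or None."""
    section = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "weechat" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "commands":
                return value.strip().strip('"')
    return None

def _match(mask, name):
    # Only "*" is a wildcard; the whole name must match, so "!set" does
    # not cover "fset" or "unset".
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, name, re.IGNORECASE) is not None

def allowed(value, command):
    """Assumed semantics: empty value allows everything; otherwise a command
    needs one positive mask and no matching "!" mask."""
    if not value:
        return True
    masks = [m.strip() for m in value.split(",") if m.strip()]
    if any(m.startswith("!") and _match(m[1:], command) for m in masks):
        return False
    return any(not m.startswith("!") and _match(m, command) for m in masks)

def exposed(conf_text):
    """Risky commands a relay client could still run with this config."""
    return [c for c in RISKY if allowed(relay_commands(conf_text), c)]

# Constructed sample relay.conf contents (not taken from a real system).
UNSET = '[network]\nmax_clients = 5\n\n[weechat]\ncommands = ""\n'
HARDENED = '[weechat]\ncommands = "*,' + ",".join("!" + c for c in RISKY) + '"\n'

if __name__ == "__main__":
    print("unset:   ", exposed(UNSET))
    print("hardened:", exposed(HARDENED))
```

An empty list from `exposed()` means none of the commands listed above is reachable through the relay; a partial denylist such as `*,!set` still leaves /fset and /unset available.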

  1. For example, someone steals your phone and connects to IRC via the Weechat app...