CopyBot/Red-DiscordBot
1
0
Fork 0
mirror of https://github.com/Cog-Creators/Red-DiscordBot.git synced 2025-11-06 03:08:55 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-mp9m-g7qj-6vqr

Browse Source 
* Query members for unchunked guilds in massban

* that thing that is a thing ;)
This commit is contained in:
jack1142 2020-10-27 20:46:49 +01:00 committed by GitHub
parent 21f9a6f0b6
commit 726bfd38ad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/changelog_3_4_0.rst
View File

@ -9,9 +9,10 @@ Redbot 3.4.1 (2020-10-27)
Read before updating Read before updating
-------------------- --------------------
1. This Red update bumps discord.py to version 1.5.1, which explicitly requests Discord intents. Red requires all Prvileged Intents to be enabled. More information can be found at :ref:`enabling-privileged-intents`. 1. This release fixes a security issue in Mod cog. See `Security changelog below <important-341-2>` for more information.
2. Mutes functionality has been moved from the Mod cog to a new separate cog (Mutes) featuring timed and role-based mutes. If you were using it (or want to start now), you can load the new cog with ``[p]load mutes``. You can see the full `Mutes changelog below <important-341-1>`. 2. This Red update bumps discord.py to version 1.5.1, which explicitly requests Discord intents. Red requires all Prvileged Intents to be enabled. More information can be found at :ref:`enabling-privileged-intents`.
3. Information for Audio users that are using an external Lavalink instance (if you don't know what that is, you should skip this point): 3. Mutes functionality has been moved from the Mod cog to a new separate cog (Mutes) featuring timed and role-based mutes. If you were using it (or want to start now), you can load the new cog with ``[p]load mutes``. You can see the full `Mutes changelog below <important-341-1>`.
4. Information for Audio users that are using an external Lavalink instance (if you don't know what that is, you should skip this point):
We've updated our `application.yml file <https://github.com/Cog-Creators/Red-DiscordBot/blob/3.4.1/redbot/cogs/audio/data/application.yml>`_ and you should update your instance's ``application.yml`` appropriately. We've updated our `application.yml file <https://github.com/Cog-Creators/Red-DiscordBot/blob/3.4.1/redbot/cogs/audio/data/application.yml>`_ and you should update your instance's ``application.yml`` appropriately.
Please ensure that the WS port in Audio's settings (``[p]llset wsport``) is set to the port from the ``application.yml``. Please ensure that the WS port in Audio's settings (``[p]llset wsport``) is set to the port from the ``application.yml``.
@ -19,6 +20,15 @@ Read before updating
End-user changelog End-user changelog
------------------ ------------------
.. _important-341-2:
Security
********
**NOTE:** If you can't update immediately, we recommend globally disabling the affected command until you can.
- **Mod** - Fixed unauthorized privilege escalation exploit in ``[p]massban`` (also called ``[p]hackban``) command. Full security advisory `can be found on our GitHub <https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-mp9m-g7qj-6vqr>`_.
Core Bot Core Bot
******** ********

31
redbot/cogs/mod/kickban.py
View File

@ -2,7 +2,7 @@ import asyncio
import contextlib import contextlib
import logging import logging
from datetime import datetime, timedelta, timezone from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple, Union from typing import Dict, List, Optional, Tuple, Union
import discord import discord
from redbot.core import commands, i18n, checks, modlog from redbot.core import commands, i18n, checks, modlog
@ -440,17 +440,30 @@ class KickBanMixin(MixinMeta):
await show_results() await show_results()
return return
# We need to check here, if any of the users isn't a member and if they are,
# we need to use our `ban_user()` method to do hierarchy checks.
members: Dict[int, discord.Member] = {}
to_query: List[int] = []
for user_id in user_ids: for user_id in user_ids:
user = guild.get_member(user_id) member = guild.get_member(user_id)
if user is not None: if member is not None:
if user_id in tempbans: members[user_id] = member
# We need to check if a user is tempbanned here because otherwise they won't be processed later on. elif not guild.chunked:
continue to_query.append(user_id)
else:
# Instead of replicating all that handling... gets attr from decorator # If guild isn't chunked, we might possibly be missing the member from cache,
# so we need to make sure that isn't the case by querying the user IDs for such guilds.
while to_query:
queried_members = await guild.query_members(user_ids=to_query[:100], limit=100)
members.update((member.id, member) for member in queried_members)
to_query = to_query[100:]
# Call `ban_user()` method for all users that turned out to be guild members.
for member in members:
try: try:
success, reason = await self.ban_user( success, reason = await self.ban_user(
user=user, ctx=ctx, days=days, reason=reason, create_modlog_case=True user=member, ctx=ctx, days=days, reason=reason, create_modlog_case=True
) )
if success: if success:
banned.append(user_id) banned.append(user_id)