From e740d952add17488e3eef8fc19316d444a67a08d Mon Sep 17 00:00:00 2001
From: Hubert Hirtz <hubert@hirtzfr.eu>
Date: Thu, 20 Aug 2020 10:00:58 +0200
Subject: [PATCH] Reject downstream NICK with illegal characters

This should avoid confusion when mixing up nickname and user name.
Also it avoid breaking downstreams (since '@' and '!' are used for host
masks).
---
 downstream.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/downstream.go b/downstream.go
index 9d33e9e..755beb2 100644
--- a/downstream.go
+++ b/downstream.go
@@ -57,6 +57,8 @@ var errAuthFailed = ircError{&irc.Message{
 	Params:  []string{"*", "Invalid username or password"},
 }}
 
+const illegalNickChars = " :/@!*?"
+
 // permanentDownstreamCaps is the list of always-supported downstream
 // capabilities.
 var permanentDownstreamCaps = map[string]string{
@@ -330,6 +332,12 @@ func (dc *downstreamConn) handleMessageUnregistered(msg *irc.Message) error {
 		if err := parseMessageParams(msg, &nick); err != nil {
 			return err
 		}
+		if strings.ContainsAny(nick, illegalNickChars) {
+			return ircError{&irc.Message{
+				Command: irc.ERR_ERRONEUSNICKNAME,
+				Params:  []string{dc.nick, nick, "contains illegal characters"},
+			}}
+		}
 		if nick == serviceNick {
 			return ircError{&irc.Message{
 				Command: irc.ERR_NICKNAMEINUSE,
@@ -971,6 +979,13 @@ func (dc *downstreamConn) handleMessageRegistered(msg *irc.Message) error {
 			}
 		}
 
+		if strings.ContainsAny(nick, illegalNickChars) {
+			return ircError{&irc.Message{
+				Command: irc.ERR_ERRONEUSNICKNAME,
+				Params:  []string{dc.nick, nick, "contains illegal characters"},
+			}}
+		}
+
 		var err error
 		dc.forEachNetwork(func(n *network) {
 			if err != nil || (upstream != nil && upstream.network != n) {