validate normalized masks as IRC params

irc/strings.go

@@ -15,6 +15,8 @@ import (
 	"golang.org/x/text/secure/precis"
 	"golang.org/x/text/unicode/norm"
 	"golang.org/x/text/width"
+
+	"github.com/oragono/oragono/irc/utils"
 )
 
 const (
@@ -270,7 +272,11 @@ func CanonicalizeMaskWildcard(userhost string) (expanded string, err error) {
 	if host != "*" {
 		host = strings.ToLower(host)
 	}
-	return fmt.Sprintf("%s!%s@%s", nick, user, host), nil
+	expanded = fmt.Sprintf("%s!%s@%s", nick, user, host)
+	if utils.SafeErrorParam(expanded) != expanded {
+		err = errInvalidCharacter
+	}
+	return
 }
 
 func foldASCII(str string) (result string, err error) {

irc/strings_test.go

@@ -193,7 +193,7 @@ func TestSkeleton(t *testing.T) {
 func TestCanonicalizeMaskWildcard(t *testing.T) {
 	tester := func(input, expected string, expectedErr error) {
 		out, err := CanonicalizeMaskWildcard(input)
-		if out != expected {
+		if expectedErr == nil && out != expected {
 			t.Errorf("expected %s to canonicalize to %s, instead %s", input, expected, out)
 		}
 		if err != expectedErr {
@@ -216,6 +216,10 @@ func TestCanonicalizeMaskWildcard(t *testing.T) {
 	tester("Shivaram*", "shivaram*!*@*", nil)
 	tester("*SHIVARAM*", "*shivaram*!*@*", nil)
 	tester("*SHIVARAM*   ", "*shivaram*!*@*", nil)
+
+	tester(":shivaram", "", errInvalidCharacter)
+	tester("shivaram!us er@host", "", errInvalidCharacter)
+	tester("shivaram!user@ho st", "", errInvalidCharacter)
 }
 
 func validFoldTester(first, second string, equal bool, folder func(string) (string, error), t *testing.T) {