From 05c946579f31982e9bf2ef782ea188f1e50e3d4f Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Mon, 20 May 2024 11:50:24 +0200 Subject: [PATCH] Don't put insecure gatewayed/proxied connections in 'tls-users' security group. For user--proxy--ircserv we don't set +z when user--proxy is not using SSL/TLS and we should behave the same way with ::tls in security groups / match items. See also https://www.unrealircd.org/docs/FAQ#Why_do_users_on_WEBIRC_gateways_not_get_user_mode_+z? But also applies to other types in the proxy block. --- src/securitygroup.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/securitygroup.c b/src/securitygroup.c index 4314bc8e0..7d12f4758 100644 --- a/src/securitygroup.c +++ b/src/securitygroup.c @@ -876,7 +876,22 @@ int user_allowed_by_security_group(Client *client, SecurityGroup *s) if ((s->connect_time < 0) && (connect_time < 0 - s->connect_time)) goto user_allowed; } - if (s->tls && (IsSecureConnect(client) || (MyConnect(client) && IsSecure(client)))) + /* The following check for 'tls' means: + * - If the user has user mode +z + * - Or, if the user is local but NOT a user, e.g. the user is in + * pre-connect-stage, then check if the underlying connection + * is using SSL/TLS. + * The reason for this is that: + * - We want this security group / match to work in both pre-connect + * and post-connect stage. + * - In post-connect stage we should only check for +z. + * This because it may be a situation of: user--proxy--us where + * the proxy--us connection is SSL/TLS so IsSecure() returns true + * but the user--proxy connection is not on SSL/TLS. We deal with + * that situation elsewhere by stripping the +z in such a case + * and we should behave the same way here, seeing it as non-TLS. + */ + if (s->tls && (IsSecureConnect(client) || (MyConnect(client) && !IsUser(client) && IsSecure(client)))) goto user_allowed; if (s->mask && unreal_mask_match(client, s->mask)) goto user_allowed;