diff --git a/doc/RELEASE-NOTES b/doc/RELEASE-NOTES index b6818494a..d5efcdab1 100644 --- a/doc/RELEASE-NOTES +++ b/doc/RELEASE-NOTES @@ -18,6 +18,10 @@ Major issues fixed: Minor issues fixed: * Prevent /OPER for oper blocks with non-existant operclass * Bump MAXCONNECTIONS for Windows, allowing you to hold more clients. +* The 'ban too broad' checking was broken. This permitted glines such + as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower. + To disable this safety measure you can (still) use: + set { options { allow-insane-bans; }; }; Other changes: * The websocket module now no longer sends \r\n in the websocket diff --git a/src/modules/m_tkl.c b/src/modules/m_tkl.c index 6d2e14653..936bc0d33 100644 --- a/src/modules/m_tkl.c +++ b/src/modules/m_tkl.c @@ -379,15 +379,8 @@ int ban_too_broad(char *usermask, char *hostmask) /* Allow things like clone@*, dsfsf@*, etc.. */ if (!strchr(usermask, '*') && !strchr(usermask, '?')) return 0; - - /* STEP 1: Must at least contain 4 non-wildcard/non-dot characters */ - for (p = hostmask; *p; p++) - if (*p != '*' && *p != '.' && *p != '?') - cnt++; - - if (cnt >= 4) - return 0; + /* If it's a CIDR, then check /mask first.. */ p = strchr(hostmask, '/'); if (p) { @@ -395,13 +388,24 @@ int ban_too_broad(char *usermask, char *hostmask) if (strchr(hostmask, ':')) { if (cidrlen < 48) - return 0; /* too broad IPv6 CIDR mask */ + return 1; /* too broad IPv6 CIDR mask */ } else { if (cidrlen < 16) - return 0; /* too broad IPv4 CIDR mask */ + return 1; /* too broad IPv4 CIDR mask */ } } + /* Must at least contain 4 non-wildcard/non-dot characters. + * This will deal with non-CIDR and hosts, but any correct + * CIDR mask will also pass this test (which is fine). + */ + for (p = hostmask; *p; p++) + if (*p != '*' && *p != '.' && *p != '?') + cnt++; + + if (cnt >= 4) + return 0; + return 1; }