1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-05 00:13:14 +02:00
Commit Graph

3168 Commits

Author SHA1 Message Date
Valerie Liu 54a8fc140b restrict-commands: add option 'channel-create' (channel creation) (#285)
* restrict-commands: add option 'channel-create' for managing who may create new channels.
This has been a commonly requested feature with different requested options, I think it makes sense to do it properly from here
2024-06-14 13:05:34 +00:00
Bram Matthys 58646bafbb Reorder some if's and comment them to make sense.
[skip ci]
2024-06-14 14:36:34 +02:00
Bram Matthys 33c6eb0bcf Destroy channel if 0 users and can_join() rejects the user.
Reported by Valware. E.g. if HOOKTYPE_CAN_JOIN rejects the join
when it is a new channel.

( And yeah... +P channels are not destroyed... handled in
  sub1_from_channel() -> HOOKTYPE_CHANNEL_DESTROY already. )
2024-06-14 14:28:11 +02:00
Bram Matthys c37dc9334b Attempt to fix KICK OperOverride message if you are not +o but have +h/+a/+q.
There was an incorrect OperOverride message if you were had +h, +a or +q
and was kicking someone that you should normally be able to (without override).

This requires quite a bit of further testing, though, it's so easy to get
this wrong. The FIXME still stands to fix this for good some day.

Reported by Valware in https://bugs.unrealircd.org/view.php?id=6423
2024-06-14 10:45:41 +02:00
alice a77ff1f2c8 Fix OPEROVERRIDE_VERIFY option. (#278)
Reported by hnj in https://bugs.unrealircd.org/view.php?id=6418

Appears to have been introduced as part of the 6.x refactor of secret/private channel modes in 8066c13876

Also adjust message for ERR_OPERSPVERIFY to include channel name.
This is to correspond closer to other similar numerics around this area, as well as agreeing with the definition within modern.
2024-06-14 07:22:19 +00:00
Bram Matthys 9d91f61206 Crule: forgot a context && context->client check. Just in case the
crule is used outside security groups / spamfilter, like in
deny link { }.

Also update the match_realname() since via the extban code it would
use match_esc() which is rather confusing if you have double (or
perhaps even triple) escaping when using this in the conf.
2024-05-20 09:31:29 +02:00
Bram Matthys 899955b47d Crule: forgot match_realname('*xyz*'). Now we should be at 100% :) 2024-05-20 09:11:25 +02:00
Bram Matthys 0e9280e731 Crule: add match_account(), match_country(), match_certfp(). 2024-05-20 09:06:11 +02:00
Bram Matthys dbbcba10e3 Let's get rid of this !strlen(arg)
[skip ci]
2024-05-20 08:29:56 +02:00
Bram Matthys 9d166eed26 Some minor tweaks so these can be used in pre-connect-stage.
Otherwise in pre-connect-stage is_identified(), is_webirc()
and is_websocket() will always return false due to the
IsUser() check.

One should always be careful with accessing things in pre-
connect-stage, but in this case the IsLoggedIn() and
moddata_client_get() are safe to use. The former checks
client->user and the latter does not access anything within
client->user at all.
2024-05-20 07:56:07 +02:00
Valerie Liu 14dd3a9038 Crule: add is_identified(), is_websocket() and is_webirc() (#277)
* Update crule.c: add is_identified(), is_websocket() and is_webirc()
* Update RELEASE-NOTES.md
2024-05-20 05:50:07 +00:00
Bram Matthys b07f02fb11 Fix +b ~forward not taking into account +e (ban exemptions).
Reported by rafaelgrether in https://bugs.unrealircd.org/view.php?id=6410
2024-05-19 18:49:33 +02:00
Bram Matthys 229b3a7f1b Fix ~forward checking IsRegNick() instead of IsLoggedIn() 2024-05-19 18:31:38 +02:00
Bram Matthys e12559ad78 Allow modules to provide SASL locally, by hooking into AUTHENTICATE.
Note that this is still a dumb interface and not a real proper
authentication framework.

This adds HOOKTYPE_SASL_AUTHENTICATE and HOOKTYPE_SASL_MECHS and
also provides 3 functions: sasl_succeeded(), sasl_failed() and
a helper function decode_authenticate_plain() for AUTHENTICATE PLAIN.
2024-05-13 13:23:59 +02:00
Bram Matthys 01a441de84 Add crule functions: is_tls(), in_security_group(), match_mask(), match_ip()
* Add more [Crule](https://www.unrealircd.org/docs/Crule) functions:
  * `is_tls()` returns true if the client is using SSL/TLS
  * `in_security_group('known-users')` returns true if the user is in the
    specified [security group](https://www.unrealircd.org/docs/Security-group_block).
  * `match_mask('*@*.example.org')` or `match_mask('*.example.org')`
    returns true if client matches mask.
  * `match_ip('192.168.*')` or with CIDR like `match_ip('192.168.0.0/16')`
    returns true if IP address of client matches.
2024-05-06 10:06:07 +02:00
Bram Matthys a95825687c crule: has_umode->has_user_mode and add has_channel_mode as well.
And update release notes:

* Add more [Crule](https://www.unrealircd.org/docs/Crule) functions:
 * `is_away()` returns true if the client is currently away
 * `has_user_mode('x')` returns true if all the user modes are set on the
   client.
 * `has_channel_mode('x')` can be used for spamfilters with a destination
   channel, such as messages: it returns true if all specified channel modes
   are set on the channel.
2024-04-05 09:25:25 +02:00
Valerie Liu 4bbe55718a add two new crule functions: has_umode and is_away (#275)
This adds two new functions to Crule:
- `has_umode()` which expects a parameter of one or more mode chars, returns true (1) if all of them match, otherwise returns false (0)
- `is_away()` which expects no parameter which simply matches whether the user is set as away as a boolean
2024-04-05 06:55:41 +00:00
Bram Matthys 2b328374a5 Fix whowasdb module causing WHOWAS entries to vanish (way too soon) 2024-03-29 09:41:48 +01:00
Bram Matthys e098be6d28 Some more moving for previous commit aa9fdd352a 2024-02-11 10:34:14 +01:00
Valerie Liu aa9fdd352a Move giving of set::modes-on-connect to after SASL (#270)
This so account-based security groups work correctly with security-group based set xxxxx { modes-on-connect ....; } settings.
[skip ci]
2024-02-11 09:32:20 +00:00
Bram Matthys 037889d7ac Add safety rollback of spamfilter if it doesn't compile. Should not be needed
but we (I) tend to screw up in other areas :D
[skip ci]
2024-01-17 09:48:47 +01:00
Bram Matthys b8a8863c19 Get rid of [BUG] message due to no-implicit-names patch if using DEBUGMODE.
main.BUG_CLIENTCAPABILITYBIT_UNKNOWN_TOKEN [warn] [BUG] ClientCapabilityBit() check for unknown token: no-implicit-names
2024-01-10 18:03:43 +01:00
Bram Matthys ae0206a92a Add oper::auto-join. This setting overrides set::oper-auto-join.
Suggested by Chris_dc in https://bugs.unrealircd.org/view.php?id=6255
2024-01-10 17:06:35 +01:00
Bram Matthys 9f3f9522cf Make operclass available in security-group & mask/match.
security-group netadmin { operclass { netadmin; netadmin-with-override; } }

Untested.
2024-01-10 14:14:14 +01:00
Bram Matthys 079e7babef Fix "Central blocklist too slow to respond" message when using softban
or require authentication { } block.

And the connecting user would get a message every second, which was
a bit floody ;D.

Repoerted by GHF in https://bugs.unrealircd.org/view.php?id=6375
2023-12-28 13:30:49 +01:00
Bram Matthys 64ea1d09d6 Move 'reserved clients' stuff to runtime, since 'ulimit -n' could be lower.
This fixes a bug where if you run ./Config with 'auto' file descriptors,
and then have an unusually low 'ulimit -n' of like 150, you would end up
with a negative amount of file descriptors available for use.

This fix moves it from compile-time setting of reserved fd's to runtime
setting.

All this is wrong, by the way, but that is for another major overhaul,
at least this bug is fixed now :D
2023-12-28 09:00:09 +01:00
Bram Matthys 88c2083df9 Fix no-implicit-names to set official flag. As all buildbots failed. 2023-12-26 15:41:06 +01:00
Bram Matthys 600185deba Add support for CAP draft/no-implicit-names
https://github.com/unrealircd/unrealircd/pull/265 by Valware
"This is an IRCv3 extension which lets clients opt-out of receiving /names on join.
 This is useful for bots on large channels who do not need to know who is in the channel.
 Specification: https://ircv3.net/specs/extensions/no-implicit-names"

+ module rename from 'no-implicit-names-cap' to 'no-implicit-names'
  (simply because no other modules has that -cap suffix)
+ update to Makefile.windows
2023-12-26 14:46:54 +01:00
Bram Matthys 48d3673a02 Only do slow spamfilter detection for regexes, not for 'simple' */?
Since it is pointless and this saves some CPU :)
2023-12-22 15:43:11 +01:00
Bram Matthys c5ed4ef9bb Don't call spamfilter for TAGMSG. If you are filtering that, look at 'T'.
Calling spamfilter for TAGMSG makes no sense as the text is "" (empty) :D

If you want to filter message tags, have a look at spamfilter type 'T',
which filters individual message-tags (not just the ones in TAGMSG but
also for PRIVMSG and NOTICE).

[skip ci]
2023-12-22 15:38:14 +01:00
Bram Matthys 70a59b8b1e central-api: add format check for api-key so people don't use a request-key there.
Reported by DeviL.
2023-12-18 09:37:18 +01:00
Bram Matthys 49e84436b4 Fix +I ~operclass requiring an operclass block name of >3 characters.
Reported by BlackBishop in https://bugs.unrealircd.org/view.php?id=6372

Was an old leftover check from old style extban API
2023-12-17 09:53:36 +01:00
Bram Matthys b0e87dcafa Fix crash issue in websocket server (CVE-2023-50784) 2023-12-15 12:34:06 +01:00
Bram Matthys fa84174d22 Fix the fix for frame assembly in webserver. 2023-12-12 18:05:23 +01:00
Bram Matthys 7b8c9e8d72 Fix memory leak due to change from yesterday (duh..)
Caused by 4178cb3f81
[skip ci]
2023-12-08 07:44:45 +01:00
Bram Matthys 4178cb3f81 Fix frame reassembly in webserver_handle_request_header()
Previously the same code caused no problem, but then
2fcb5b4669 changed the read buffer
size to 16384.
Since then (6.1.2.x) the webserver_handle_request_header() function
was sometimes cutting 1 byte off the packet due to sizeof(netbuf)-1
which was 16383 bytes. We now no longer use a fixed value and
allocate memory dynamically on the heap.

This fixes the bug that I was seeing but this change still needs
serious extra testing as it may affect websockets and RPC!
2023-12-06 18:19:17 +01:00
Bram Matthys 49614fc891 Thanks to Koragg for reporting previous issue :D
54ad2d1586
[skip ci]
2023-12-05 18:31:56 +01:00
Bram Matthys 54ad2d1586 Fix crash with 'crule', because it was being checked against Services bots 2023-12-05 18:22:25 +01:00
Bram Matthys 99fcf9adf6 Add unrealircd_version in CBL request, mostly for the future.
[skip ci]
2023-12-01 08:03:43 +01:00
Bram Matthys 96b18946ca Include oper name on /SPAMREPORT (for central spamreport) 2023-12-01 07:58:01 +01:00
Bram Matthys 53f0f0cb94 Fix unitialized variable access caused by earlier commit of today
(only if you use a proxy block)
2023-11-27 17:59:37 +01:00
Bram Matthys 5f767a8fe8 Proxy block: rework and add support for X-Forwarded-For, Cloudflare, etc. 2023-11-27 12:10:17 +01:00
Bram Matthys 026d5522a8 Remove WSU() items forwarded & secure, since these are in webserver nowadays. 2023-11-27 10:07:34 +01:00
Bram Matthys 02ac1fc0b3 Add an option to check websocket Origin header via
listen {
	websocket {
		allow-origin { *.example.net; }
	}
}

This allows you to limit websockets to a particular domain, IF the
user is using a normal browser.

Note that any non-browser (eg a websocket command line program) could
just spoof the Origin header, so for that case it doesn't really add
any security or real restriction.
2023-11-26 20:08:17 +01:00
Bram Matthys 98c264aabf Fix some more warnings, rather minor.
[skip ci]
2023-11-26 18:48:09 +01:00
Bram Matthys 0a7f1adc8b Add value check for blacklist config, well, fix it i mean.
And fix some compiler warning (remove a useless check).
[skip ci]
2023-11-26 16:36:11 +01:00
Bram Matthys 07cc8eaeaf central-*.c: remove old module manager stuff and bump version.
[skip ci]
2023-11-25 17:29:06 +01:00
Bram Matthys 4da58dde41 Update central spamreport, https://www.unrealircd.org/docs/Central_spamreport
set::central-blocklist::spamreport and ::spamreport-enabled are now GONE.
We now require a normal spamreport block, just like for other spamreport
functionality. So, if you want to enable this feature, use:
spamreport unrealircd { type central-spamreport; }

See https://www.unrealircd.org/docs/Central_spamreport for all info.

You can use CBL with central spamreport or central spamreport without CBL.
All explained at that URL.
2023-11-25 11:50:25 +01:00
Bram Matthys d08160baca Add option set::central-blocklist::blocklist-enabled yes/no (default yes).
This is mainly for the (less usual) case when someone wants to
use SPAMREPORT but does NOT want to use CBL:

set {
	central-blocklist {
		blocklist-enabled no;
		spamreport-enabled yes;
	}
}

Also documented at https://www.unrealircd.org/docs/Central_spamreport
under 'Configuration'
2023-11-25 10:26:56 +01:00
Bram Matthys bdfc3c97dd Add RegisterApiCallbackResolverHost() and make blacklist module non-PERM.
Hopefully this works OK... still need to test w/REHASH to see.
2023-11-25 09:39:50 +01:00