1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-05 09:33:13 +02:00
Commit Graph

10521 Commits

Author SHA1 Message Date
Bram Matthys 5580b294f4 Fix memory leak if using spamfilter::except. 2026-02-21 13:20:17 +01:00
Bram Matthys be479aa890 The buffer in spamfilter_build_user_string() was too small causing cut off.
This affects the spamfilter 'u' target. It didn't overflow but was cut off,
potentially causing a NON-MATCH where it could have been a MATCH instead.
2026-02-21 13:18:30 +01:00
Bram Matthys 2ac09de148 Fix central spamfilter with "stop" action, due to using same &var twice. 2026-02-21 13:13:15 +01:00
Bram Matthys 6130c1b5ae Update Windows build because library package with cURL changed
due to switch to 'cmake'. This is for unrealircd-libraries-6.2.3.zip from
https://www.unrealircd.org/docs/Windows_external_libraries_for_UnrealIRCd
2026-01-31 14:35:55 +01:00
Bram Matthys d8e631bacb ** UnrealIRCd 6.2.3-rc1 **
(not 6.2.2-rc1 :D)
[skip ci]
2026-01-31 10:14:21 +01:00
Bram Matthys bb4d1b528f ** UnrealIRCd 6.2.2-rc1 **
(Actually the Windows build is still building :D)
2026-01-31 09:44:57 +01:00
Bram Matthys 287184649c Update doc/unrealircd_wiki.zim to version of 2026-01-31. 2026-01-31 09:43:35 +01:00
Bram Matthys a93ab146b6 Add rpc/message and rpc/security_group modules for Windows build 2026-01-31 07:54:14 +01:00
Bram Matthys 4218010000 Update curl-ca-bundle to latest version (Dec 2 04:12:02 2025 GMT)
[skip ci]
2026-01-30 13:00:33 +01:00
Bram Matthys 6083c039cd Update shipped libs: PCRE2 (10.47), Jansson (2.15.0), Sodium (1.0.21) 2026-01-30 12:58:12 +01:00
Bram Matthys c24424bb50 JSON-RPC: throttle.set did not do anything
Reported by adator in https://bugs.unrealircd.org/view.php?id=6608
2026-01-30 07:39:37 +01:00
Bram Matthys bd1e25d017 Slightly raise default set::handshake-timeout from 30 to 40 seconds. 2026-01-28 09:44:49 +01:00
Bram Matthys 91d5114a1e Whitespace fix
[skip ci]
2026-01-28 09:38:39 +01:00
Bram Matthys ad1b59b4bd Update release notes a bit (what we have so far)
[skip ci]
2026-01-28 09:37:45 +01:00
Bram Matthys 728807d233 Set SSL_OP_NO_RX_CERTIFICATE_COMPRESSION by default.
Every time compression has been used in TLS it has been a source of
trouble. We don't care about such optimizations anyway since connections
are long-lived in IRC. We are not some kind of webserver where every
millisecond counts.
2026-01-27 19:31:25 +01:00
Bram Matthys e083852e86 Create separate resolver channel resolver_channel_https for HTTPS requests.
This one has DNS caching enabled[*], which makes sense for this case.

[*] If using c-ares 1.31.0 or later. That version was released in June 2024.
The shipped-with-UnrealIRCd library version is 1.34.6, so qualifies.
However, if using system c-ares (which is automatically the case, if detected)
then many systems don't have it. The first Linux distro versions that qualify:
* Fedora 40
* Debian 13
* Ubuntu 25.04 (non-LTS) and future Ubuntu 26.04 (LTS)
* Etc...
2026-01-26 09:57:07 +01:00
Bram Matthys a887de92ce Add extra safety in register_user() against shunned users. 2026-01-25 12:56:52 +01:00
Bram Matthys 8467969878 Don't show confusing CENTRAL_BLOCKLIST_TIMEOUT when user is shunned.
Previously it showed this warning and said "Allowing user .. in unchecked"
when the user got shunend by CBL. Usually harmless but.. had a report
where it possibly was not (though that was an older UnrealIRCd version).
In any case, confusing, solved now!
2026-01-25 12:54:30 +01:00
Bram Matthys ef75962a70 We now use a non-zero exitcode if ./unrealircd module install ... fails
Reported by ikci in https://bugs.unrealircd.org/view.php?id=6578
2026-01-23 13:15:17 +01:00
Bram Matthys af0f1fdd6b ModuleManager: check version of local module, don't overwrite if it is newer.
This was a long standing requests by devs.

So if third/something is version 1.2.3 in the repository, and you have
src/modules/third/something.c which is version 1.2.4 then neither
'./unrealircd module upgrade' nor './unrealircd module upgrade third/something'
will overwrite the module. It will stay the local 1.2.4 version.
A new status inst/LOCAL was added "module installed, local version is newer
than available online"

The command './unrealircd install third/something' would still (re)install
the online version, though, i think that makes sense.

When working on this I noticed that './unrealircd module upgrade' previously
always recompiled the module, even if it was not updated. This is no longer so.
2026-01-23 11:56:48 +01:00
Bram Matthys 91930e3631 Bleh, just use "*" in ERR_INVALIDMODEPARAM for the param.
Otherwise you get into trouble if client does things like:
MODE #test +l ::a
MODE #test +l :a b c
And I am too lazy to handle these cases :D
2026-01-23 08:48:34 +01:00
Bram Matthys d413959e57 Chanmode +l: when coming from an IRC client, reject <=0 instead of transforming.
Reject it with an ERR_INVALIDMODEPARAM, just like we do for +k.

I think the higher number transforming is fine, but this <=0 transformation
is odd as it almost never is what the user actually intended.

In S2S traffic we still transform, as rejecting there is more problematic,
(causing a desync) and transforming it there is not a major issue, anyway.

Reported by ProgVal in https://bugs.unrealircd.org/view.php?id=6602
2026-01-23 08:45:34 +01:00
Bram Matthys 2dd23d13b7 Silently drop TAGMSG to users who refuse PRIVMSG/NOTICE also (umode +D, +R),
since the message/notice would not make it through either.
This also means someone can no longer iterate through users to see who
is +D/+R by sending a "silent" TAGMSG. (Silent in the sense that the
end-user usually would not have noticed)

Suggested in https://bugs.unrealircd.org/view.php?id=6579 by zw32h (I think)

This also means HOOKTYPE_CAN_SEND_TO_USER now allows you to NOT to
set errmsg, to silently drop a message. Previously we would crash
deliberately on such a situation to enforce that all modules would
set a proper errmsg.
2026-01-23 08:23:22 +01:00
Bram Matthys 3925cea089 Update release notes a bit
[skip ci]
2026-01-23 08:11:01 +01:00
Bram Matthys c2db2715c0 Fix post-registration SASL not working due to change from a few days ago.
(commit 0cf0c0faa2)

This was caused by register_user() being called twice, while it should
only have been called if !IsUser().

Reported by ProgVal in https://bugs.unrealircd.org/view.php?id=6606
My BuildBot screen was also all red :D.
2026-01-23 07:48:01 +01:00
Bram Matthys a5f1aa7f34 Print a [BUG] line if register_user() is called twice. Deliberately crash
when running in DEBUGMODE.
2026-01-23 07:42:57 +01:00
Bram Matthys eea4cfa762 Modulemanager: support compile-flags and always look at modulemanager block
1) We now always look at the module { } block even for unmanaged modules
   (so .c files that you put manually in src/modules/third)
2) New module::compile-flags to allow specifying compile flags / libraries / etc.

See https://www.unrealircd.org/docs/Special_module_manager_block_in_source_file

So the new stuff is:

module {
        .....
        // Simple library dependency:
        compile-flags "-lsomelib";
        // Can even use:
        compile-flags "$(mysql_config --cflags) $(mysql_config --libs)";
        .....
}

This was requested long ago by various people.

And yes, this allows shell commands to be executed if the 3rd party indicates so.
The added risk should be small, since the module could do similarly evil stuff at
runtime, unless you compile with a totally different user compared to runtime.
The most common case where compile time vs runtime is completely different would
be for packaging (deb/rpm/whatever), which presumably ship with zero 3rd party
modules, so then there shouldn't be a concern either.

Obviously, for 3rd party modules in the unrealircd-contrib repository we screen
modules to make sure they don't do anything evil: "No malicious code or intent"
in https://www.unrealircd.org/docs/Rules_for_3rd_party_modules_in_unrealircd-contrib
2026-01-19 09:48:37 +01:00
Bram Matthys 34e3469f91 Merge branch 'unreal60_dev' of github.com:unrealircd/unrealircd into unreal60_dev 2026-01-19 09:04:51 +01:00
Bram Matthys 96f4954e2b Compile ALL 3rd party modules through modulemanager, including unmanaged.
This gets rid of src/buildmod and unifies the process a little, which
i need later.

We still compile the 3rd party modules unconditionally and twice (during
both make and make install). Which is a quirk that is in there since U6
and maybe U5 already :D. That's because we don't check if header files
have changed. There was previously a "is the .c file newer than the .so"
in there, though, that is gone now. Anyway, that's something for later.

Another quirk is that we do not halt compile if a 3rd party module fails
to compile. Which was sortof intentional at one point but.. is not ideal,
so will probably changed as well.

Anyway, that's not why i am doing all this stuff right now...
2026-01-19 09:02:53 +01:00
Valerie Liu 1dd6e9b07b Fix indentation in sasl.c return statement (PR #333) 2026-01-18 19:32:11 +01:00
Bram Matthys 0cf0c0faa2 Wait for SASL to complete during handshake (success/fail/timeout).
This is to guard against clients that do like CAP LS 302, NICK, USER,
AUTHENTICATE, CAP END, without waiting for the SASL result.

Previously "CAP END" would abort SASL if the response was not in yet.

Now "CAP END" will cause us to wait for SASL success/fail/timeout
and when that happens we will end the handshake and the user will
come online (or not, if e.g. banned).

In other words, SASL is no longer canceled upon premature CAP END.

And yeah, clients should wait, as is mentioned in
https://ircv3.net/specs/extensions/sasl-3.1
"it is RECOMMENDED to only send CAP END when the SASL exchange is
 completed or needs to be aborted"
But since it is a recommendation and not a hard requirement, we'll
be nice and handle this situation server-side.

Of course, clients could still misbehave then by sending stuff
blindly after CAP END, like JOIN events, without even checking
if they got numeric 001 and so on... so in that sense it shifts
the problem a bit.. but.. at least that type of waiting is
hopefully more common :D
2026-01-18 19:06:59 +01:00
Silent 275f04c76c Fix Y2038 bug on Windows in unreal_setfilemodtime (PR #332)
Int32x32To64 macro internally truncates the arguments to int32,
while time_t is 64-bit on most/all modern platforms.
Therefore, usage of this macro creates a Year 2038 bug.
2026-01-11 07:33:49 +01:00
Bram Matthys 1c461db46d Call update_known_user_cache() right before HOOKTYPE_REMOTE_CONNECT.
Set known_users=NULL during a very limited period, just to be safe.
(Note that it can also be NULL during initial boot, which is a
 longer period, which is why we always NULL-check in the code that
 accesses it, but this aside)
2026-01-10 10:36:40 +01:00
Bram Matthys 0cf9fb1cb0 Also update_known_user_cache() from AllowClient(), just before
calling HOOKTYPE_ALLOW_CLIENT and (potentially) allowing the client in.
2026-01-10 10:32:07 +01:00
Bram Matthys 4235a183e3 Call update_known_user_cache() when reputation score reaches known-users
threshold.

* Possible transition to known-users:
* - logged in is already handled by HOOKTYPE_ACCOUNT_LOGIN so we don't care about those
* - score reached (or just over) the minimum reputation score
* Caveat: if having multiple connections from the same IP then
* the first one may theoretically not have crossed in some cases.
* Ah well, it is a cache, not some precise thingy.
2026-01-10 10:15:09 +01:00
Bram Matthys 76aa3a12a6 Add SecurityGroup *known_users, to more quickly fetch those settings.
And use this in a couple of core routines.

This is to speed things up a liiittle.
2026-01-10 10:14:47 +01:00
Bram Matthys 7374fcc83f Add client->known_user_cached as a quick way to determine if the
user is in known-users or in unknown-users. Not used anywhere yet.

Every 2 minutes we rescore all users. Or more specifically: every
5 seconds we rescore 1/24th of all users. That's the slow update path.

On certain events that cause a likely/possible transition, we update
the cache immediately. At the moment that is on IP change and account
login/logout. More will be added later.
2026-01-10 09:57:18 +01:00
Bram Matthys 34ab517d9e Fix possible problem with channel in config-file, such as security group
or elsewhere. I don't think this is an actual problem, but at least the
fix from 1abf73309a was inconsistent,
if we check for b->client further down, then we should not be reading
from it a few lines up. As said, don't think this code is reached in
practice, but hey...
2026-01-04 10:31:38 +01:00
Bram Matthys de05bb9654 Bump version to 6.2.3-git and write some early release notes 2026-01-04 10:20:46 +01:00
Bram Matthys 21d58a7ebd Do the same as previous commit for the help.*.conf translations
This transplants commits 2868c3fedb
to doc/conf/help/help.*.conf
2026-01-04 09:47:37 +01:00
Bram Matthys 2868c3fedb help.conf: try to be consistent by documenting only end-user commands,
thus removing commands that are only supposed to be used by IRC clients.
We don't intend to document things like CAP, PONG, etc here.

Remove ISON, PONG, WATCH. Also remove DALINFO which no longer exists.

Re-index the USERCMDS and OPERCMDS table. This removes no longer existing
commands and may also have added some that were not in the index.

Moved STATS from USERCMDS to OPERCMDS since by default it is Oper-only
(and very likely is so effectively in practice).

Maybe PRIVMSG is a bit inconsistent in all this, since users don't type
that but usually it is like MSG. But yeah.. okay.. i can live with that.

As an aside, I don't like services commands being documented in HELPOP,
but that is another matter. These should be 100% documented in the wiki
first before they are scratched in the HELPOP. Right now some are still
missing.
2026-01-04 09:36:01 +01:00
Bram Matthys 2ca1dd0000 Warn about something like ban user { mask { asn { 12 34; } } reason "go away"; }
Where 12 34; is wrong and should have been 12; 34;
Reported by roger.
2026-01-03 20:17:18 +01:00
Bram Matthys 4e3989f304 Add ban user { ....; soft yes; } as an easy way to add a soft-ban from
the config file, without having to resort to things like mask %~asn:XXX;
Now you can just use:
ban user {
	asn { 11111; 22222; 33333; 44444; }
	soft yes;
	reason "This ASN is not allowed. If you have an account you can still bypass";
}

Requested by nobody but sounds like a good idea :)
2026-01-03 19:59:52 +01:00
Pedro Catalão d0a553790d Fix typo in Windows installation instructions link (PR #331) 2026-01-03 10:34:44 +01:00
Bram Matthys 1abf73309a Fix crash when using Extended Server Ban with invalid syntax in config file.
Reported for 'country', but also applied to 'asn', 'certfp' and 'channel'.
2025-12-26 12:25:05 +01:00
Bram Matthys c85c16f78c JSON-RPC: server_ban and server_ban_exception: expand mask/match items
Previously these showed up as "name":"<match item>", now they show
up properly like this:
        "match": {
          "account": "Syzop"
        },

(... and have no "name" item)

Also expand spamfilter::except while we are at it.
2025-12-14 10:37:50 +01:00
Bram Matthys ded89d1935 JSON-RPC: Make connthrottle.status use config::except and change "state".
* I changed "state":"active" to "state":"monitoring" to make clear it is
  not throttling at that moment but actively monitoring the situation.
* The config::except stuff was previously shown directly under config
  and only 3 particular items (that are most popular). Now we expand to
  sub-item "except" and use json_expand_security_group() to expand all
  the mask items, in a consistent way, just like for security groups.

{
  "jsonrpc": "2.0",
  "method": "connthrottle.status",
  "id": 123,
  "result": {
    "enabled": true,
    "throttling_this_minute": false,
    "throttling_previous_minute": false,
    "state": "monitoring",
    "start_delay_remaining": 0,
    "reputation_gathering": false,
    "counters": {
      "local_count": 0,
      "global_count": 0
    },
    "stats_last_minute": {
      "rejected_clients": 0,
      "allowed_except": 0,
      "allowed_unknown_users": 0
    },
    "config": {
      "local_throttle_count": 20,
      "local_throttle_period": 60,
      "global_throttle_count": 30,
      "global_throttle_period": 60,
      "start_delay": 180,
      "except": {
        "identified": true,
        "reputation_score": 24
      }
    }
  }
}
2025-12-14 10:26:28 +01:00
Bram Matthys c990848d2f Make json_expand_security_groups() really expand all and reorder some.
* Add some missing fields, such as destination, but mostly in the
  exclude- area where a bunch were missing (some of those are a bit
  far fetched, but hey, they exist, so should be shown if in use).
* Re-order fields to more closely match the struct (still not 100%)
* Extended fields, such as "account" and "country", now show up
  directly under the security group, just like the other fields,
  such as "reputation_score". This is also how they show up in the
  config file, so hide the the fact that internally in the struct it
  is stored differently.
* Add a comment in SecurityGroup struct in include/struct.h to make
  it clear you have to add/update stuff at 7 places if you are adding
  something new.
2025-12-14 10:11:09 +01:00
Bram Matthys 426040d870 Move json_expand_security_group() from rpc/security_group to core
and don't include name/priority if it is called for a match item
(which don't have a name or priority).
2025-12-14 09:43:52 +01:00
Bram Matthys 806fa83dd7 ** UnrealIRCd 6.2.2 ** 2025-12-12 12:16:31 +01:00