1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-07 13:23:13 +02:00
Commit Graph

7154 Commits

Author SHA1 Message Date
Bram Matthys 094efeee25 Add spamfilter::show-message-content-on-hit to override on a spamfilter basis.
This works the same as set::spamfilter::show-message-content-on-hit
https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit
but per spamfilter { } in the conf.

Indirectly suggested in https://bugs.unrealircd.org/view.php?id=6437
2025-02-15 12:14:44 +01:00
Bram Matthys ae166bd99e Add spamfilter::input-conversion none; to not use StripControlChars()
for matching. Docs and release notes text will follow later.
2025-02-15 11:05:37 +01:00
Bram Matthys 3cc06cecb9 Show the message type in target flood log messages (PRIVMSG/NOTICE/TAGMSG).
Changed the log/snomask message from, for example:
Flood blocked (target-flood-user) from evil!xyz@localhost [127.0.0.1] to victim
To:
Flood blocked (target-flood-user) from evil!xyz@localhost [127.0.0.1] to victim (TAGMSG)
2025-02-08 08:33:37 +01:00
Bram Matthys 53e2e9473e Code cleanup 'config_error_flag'.
Maybe a great idea but we use a different errors system.
This config_error_flag thing is unused so only confusing.
2025-01-26 18:12:00 +01:00
Bram Matthys 9aa83edd99 Remove useless \n in calls to config_error() and config_status().
Where did this come from? This isn't printf() or anything.
2025-01-26 17:31:12 +01:00
Bram Matthys 04370d72f9 Minor code cleanup 2025-01-26 17:28:47 +01:00
Bram Matthys d157dc2494 Remove some useless code that is flagged by Coverity.
The set_usermode() result is not used, so useless.

The if (themotd) motdline = ... makes no sense since themotd is
already dereferenced in the code above it (eg: themotd->last_modified.tm_year)
and consequently the motdline = NULL becomes useless too.
2025-01-26 17:14:55 +01:00
Bram Matthys ce47440abd Make config_detect_duplicate() externally accessible. Fix some coverity warnings,
mostly with regards to memory leaks if duplicate config directives are used.
Eg using allow::password twice in the same allow block, or using
link::outgoing::tls-options twice in the same link block. Unusual stuff.
2025-01-26 13:23:32 +01:00
Bram Matthys 80ac9eb888 Central Blocklist: include web/websocket handshake data 2025-01-12 12:31:35 +01:00
Bram Matthys f51e8c0005 Fix make_channel() not checking minimal validity of channel names.
Only an issue for (bad) remote server traffic, since we use
valid_channelname() in JOIN and SAJOIN.
2024-12-13 10:18:02 +01:00
Bram Matthys 42caa34b5c Fix small memory leak if running in DEBUGMODE (mostly for me :D). 2024-12-11 18:25:55 +01:00
Bram Matthys 1f57a606a4 Make binarytohex() from src/misc.c available and use it in certfp code. 2024-11-27 12:37:27 +01:00
Bram Matthys 6c98f7224a Always try to maintain chronological order in chat history, and optimize stuff.
Previously if a new history item was added (because someone sent a message)
we would always append at the end of chat history buffer of the channel.
Now we put the message at the position decided by the "time" message tag,
which could be at the end but also slightly before that.
* Upside: should result in a consistent chat history on all servers
* Downside: if your server time is off for several seconds then it
  could look a little weird. Then again, it would already have looked weird
  in real live chat with timestamps and when replaying chat history probably.

Also add some simple optimizations: in the log line object we now have direct
pointers to the msgid and time strings, so the code doesn't need to do a
find_mtag() all the time. This should lower CPU usage during log playback
and also makes things more simple in the source code.

I did some testing with various history injection variants but this needs
more extensive testing.
2024-11-27 10:34:07 +01:00
Bram Matthys 6940272290 Prevent early UID cut-off. This doesn't happen with current unrealircd traffic
because we send 9 character uids. However, IDLEN is defined as 12 so it is
natural for other people (services and other pseudo server writers) to assume
you could send 12, which failed until now, as it only accepted 11 characters.

Just to be clear:
* We generate and send 9 character uids in UnrealIRCd ourselves, this
  works perfectly fine
* In 114d54ac61 in 2021 (UnrealIRCd 5.2.1) i
  enlarged the buffers to allow INCOMING ids of up to 12 characters.
  The reason for that is that I want the option to allow slightly larger
  uids and could start doing that several years later without causing
  desynchs and other problems.
* That didn't work properly, it only allowed up to 11 chars at this point.
* From now on it allows 12 chars. I do NOT recommend sending that though, if
  you want to send bigger ids from your services/pseudo server then use
  11, or... actually just use 9 like in normal unrealircd traffic at the
  moment.

Reported on IRC by craftxbox
2024-11-24 09:56:06 +01:00
Bram Matthys 47e81fe7d3 Set version to 6.1.10-git 2024-11-24 09:46:21 +01:00
Bram Matthys e782748b40 ** UnrealIRCd 6.1.9.1 ** 2024-11-21 19:30:01 +01:00
Bram Matthys 7b0228a2c8 ** UnrealIRCd 6.1.9 ** 2024-11-20 11:17:58 +01:00
Bram Matthys 3317be3069 When using cURL for remote includes we now explicitly disable TLSv1.2
and set our default ciphers and ciphersuites. Note that by default in
UnrealIRCd 6 the built-in (non-cURL) implementation is used for remote
includes, which already uses the same defaults since 6.0.0. Also note
that most distros, like Ubuntu and Debian, already disabled TLSv1.2
in the default openssl conf and thus it was already disabled in cURL.
2024-11-17 12:32:35 +01:00
Bram Matthys cda2bcd930 Fix ecdh-curve X25519 missing when using the defaults.
In config.h we had a:
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 #define UNREALIRCD_DEFAULT_ECDH_CURVES "X25519:secp521r1:secp384r1:prime256v1"
 #else
 #define UNREALIRCD_DEFAULT_ECDH_CURVES "secp521r1:secp384r1:prime256v1"
 #endif
...which is fine in theory, but openssl headers are not included at that point,
so OPENSSL_VERSION_NUMBER was not defined.

From now on, we have:
 #define UNREALIRCD_DEFAULT_ECDH_CURVES_PRIMARY "X25519:secp521r1:secp384r1:prime256v1"
 #define UNREALIRCD_DEFAULT_ECDH_CURVES_SECONDARY "secp521r1:secp384r1:prime256v1"
...and we try them in that order. If both fail, we exit with an error (like before).
This because X25519 is not available in OpenSSL before 1.1.0 (so really old)
and may also not be available when running in FIPS mode.
2024-11-17 12:08:23 +01:00
Bram Matthys 08435a5674 Bump version to 6.1.9-git 2024-11-17 09:55:05 +01:00
Bram Matthys b49cb1e720 An additional dbuf_delete() in free_client() that should be unneeded.
In all my tests on real servers this was never a reported leak,
because the dbuf_delete() already happens at other places where the
client is marked dead.

However, with my (private) fuzzing patches I need this freeing because
of a slightly different code path.

I'm putting the patch in mainline just in case I'm wrong and it does
trigger in some kind of niche situation.
2024-11-17 08:11:55 +01:00
Bram Matthys 2c6cea2461 Fix problem with unsubscribing I/O, leading to 100% CPU in some cases.
The IRCd is still responsive (as the bad I/O is not prioritzed) but this
isn't good either. Only happens with some rare triggers.

This was previously reported over e-mail in an older UnrealIRCd version
but after 6-8 hours of debugging I was never able to trigger it.
Later it finally happened on one of my servers and I could debug it.
2024-11-17 08:09:50 +01:00
Bram Matthys 08fb2b46ac Fix crash with "STATS S" if having vhosts with autologin (no login).
This crash is only triggerable by IRCOps.

Also, it shouldn't lists vhosts with "STATS S", it should be "STATS V".
2024-11-17 08:03:32 +01:00
Bram Matthys 4e11d81d67 Fix IPv6 hosts not resolving in UnrealIRCd 6.1.8 / 6.1.8.1.
Reported by bss on IRC.

Changed:
r->ipv6 = IsIPV6(client);
To:
r->ipv6 = IsIPV6(client) ? 1 : 0;

The problem is that:
 #define IsIPV6(x)                      ((x)->flags & CLIENT_FLAG_IPV6)
(..so without ?1:0..)
made this effectively:
 r->ipv6 = CLIENT_FLAG_IPV6;

..which is..
 #define CLIENT_FLAG_IPV6                       0x800000000     /**< client is using IPv6 */
.. and 0x800000000 doesn't fit in r->ipv6, which is of size 'char' (so max is 0xff)
2024-11-16 13:17:06 +01:00
Bram Matthys 30b9f66f71 ** UnrealIRCd 6.1.8.1 ** 2024-10-17 18:30:07 +02:00
Bram Matthys 6d60899007 Good idea to bump the vhost module version to 6.1.8.1
[skip ci]
2024-10-17 18:22:16 +02:00
Bram Matthys 019c327821 Fix crash with new auto-vhost code. 2024-10-17 17:44:50 +02:00
Bram Matthys 985a591df2 Previous commit broke "GLINE *@1.2.3.4 0 test" and had a memory leak.
The former was fixed by merging the 'if'. The latter by getting rid
of dynamic memory allocation, long live the stack!
2024-10-16 10:21:16 +02:00
Valerie Liu 8e47aff2cf Make *LINE behave smarter if missing reason or time value (#304)
Now this works like:
if the time param exists, even without a reason, it will be checked if it's a time param. if it's not a time param, it'll be considered to be the reason (or the first part of it anyway)

Reported by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6105
2024-10-16 08:01:12 +00:00
Bram Matthys cf6718fdb2 Fix vhosts and blacklist reasons being lowercased
This was unintentional strtolower() in unreal_expand_string()
2024-10-14 18:56:21 +02:00
Bram Matthys 33276fb2ee ** UnrealIRCd 6.1.8 ** 2024-10-11 07:22:51 +02:00
Bram Matthys 665dd8584a ** UnrealIRCd 6.1.8-rc1 ** 2024-09-27 10:19:18 +02:00
Bram Matthys c86b474ed8 Fix crash on crule "||"; in config file.
Reported by Valware in https://bugs.unrealircd.org/view.php?id=6438
2024-09-25 13:04:30 +02:00
Bram Matthys eae680c773 Update release notes a bit
... and make set::max-inherit-extended-bans::ban-exception default to 0
because that functionality is not implemented
The +e's are already checked when using +b ~inherit though..
2024-09-25 10:14:46 +02:00
Bram Matthys 2c77bc3723 Ok now make it 100% the same as pure IRC. There was still 1 char missing :D 2024-09-25 09:54:29 +02:00
Bram Matthys efbcf1f3b6 Actually test and fix the websocket cutoff bug from
7a43448674
2024-09-25 09:45:55 +02:00
Bram Matthys 918347af9e Fix config test for security-group
(in case of missing parameter for public or priority)
2024-09-25 09:21:44 +02:00
Valerie Liu fff76c4b29 Make authprompt work with recently new "sasl-from-a-module" hooks (#302) 2024-09-25 07:15:31 +00:00
Bram Matthys 7a43448674 Add unrl_utf8_make_valid() special option 2 to fix previous commit.
Without this, the IRC message could be far beyond >510 characters
(excluding message tags).

This code is untested!
2024-09-24 18:32:14 +02:00
Valerie Liu 713414e716 Websockets with type 'text': don't truncate lines to 510 chars when there are message tags (#301)
Allow full mtag messages to be sent over websockets
2024-09-24 16:30:02 +00:00
Bram Matthys 5860172780 Free previous GeoIP result upon IP change. Otherwise if the new geoip
lookup fails the old result stays there which is confusing.

Reported on IRC where 10.x.x.x was shown as "Poland" which was a
leftover from the "real IP" before WEBIRC spoofing was used to set
the IP to 10.x.x.x. Reported by Jellis.
2024-09-23 19:10:33 +02:00
Bram Matthys 7765f226be Detect operclass::parent loops.
Reported by craftxbox in https://bugs.unrealircd.org/view.php?id=6471
2024-09-23 17:25:17 +02:00
Bram Matthys 7d37795353 Don't list security groups by default, add 'public <yes|no>'
* [Security group blocks](https://www.unrealircd.org/docs/Security-group_block)
  are now hidden in lists by default. If you want the security group to be shown
  in things like `MODE #channel +b ~security-group:x` (which shows a list)
  then you need to use `public yes;`. The default security groups
  like known-users, webirc-users, etc. are public by default.
2024-09-23 13:11:24 +02:00
Bram Matthys afbb0c283b Accept multiple masks in ban ip { } and ban nick { } such as:
ban ip {
	mask { 1.1.1.1; 2.2.2.2; 3.3.3.3; }
	reason "Go away";
}

Or the alternate form:

ban ip {
	mask 1.1.1.1;
	mask 2.2.2.2;
	mask 3.3.3.3;
	reason "Go away";
}

Suggested by magic000 in https://bugs.unrealircd.org/view.php?id=4599

Note that this is not a Mask item, these are special, hence the
special code.
2024-09-23 12:29:35 +02:00
Bram Matthys 403b055756 Fix duplicate_security_group() not inheriting 'ip' entries.
There was a typo where it was inheriting exclude-ip entries as
ip entries. This could have been very dangerous but fortunately
exclude-ip was broken so it was impossible to add exclude-ip
entries and that list was always empty / NULL.

This only affected proxy { } blocks with type forwarded/x-forwarded/
cloudflare. The proxy block worked fine, but we also tried to exempt
these IPs from blacklist checking and connect-flood and this was
NOT effective due to this bug... even though the entries were shown
in "STATS except" with these IPs (because 'printable_list' was
correctly duplicated).

Other than that very particular use-case, this function is not used
at the moment.
2024-09-20 19:28:15 +02:00
Bram Matthys 7dc3c230a7 Now that we support $variables, add set::oper-vhost so you can set a default
vhost for opers, such as: set { oper-vhost $operclass.admin.example.net; }

If the oper has an oper::vhost then that one will override.

https://www.unrealircd.org/docs/Set_block#set::oper-vhost
2024-09-20 17:54:39 +02:00
Bram Matthys 9a2d54cd01 Support $variables in oper::vhost (for variables see previous commit)
Eg: vhost "$operlogin@$operclass.example.net";

Also add potentially_valid_vhost() function which can be used in
config code to ignore invalid $vars. Then at runtime you use the
real valid_vhost() function after variable expansion by
unreal_expand_string().
2024-09-20 17:26:16 +02:00
Bram Matthys 4557036cd6 Move unreal_expand_string() to an efunc so all code can access it
and use it not only from vhost { } block code but also for like
blacklist::reason.

This so the same variables with the same names are available at
those places.

Supported are:
$nick, $username, $realname, $ip, $hostname, $server, $account,
$operlogin, $operclass, $country_code (xx for unknown),
$asn (0 for unknown).
2024-09-20 17:13:23 +02:00
Bram Matthys 60c0ab8da2 Make vhost::vhost support $variables. Currently supported are:
$nick, $username, $realname, $ip, $account, $operlogin, $operclass,
$country_code (xx for unknown), $asn (0 for unknown).

Note that if a $variable fails to expand, eg $operlogin but the
user is not oper, then the vhost will not be applied. A warning
is sent to the vhost snomask (+s +v) in such a case.

Examples:

/* Set authenticated users to $account.example.org */
vhost { auto-login yes; vhost $account.example.org; mask { identified yes; } }

/* Obviously not really a good idea, but.. to illustrate: */
vhost { auto-login yes; vhost $country_code.example.org; mask *; }

Also, when vhost { } blocks are read and need to be matched, they
are read top-down now, which is the most logical way. First match wins.

All this needs testing :)
2024-09-20 16:48:22 +02:00
Bram Matthys e9ffe5b5e7 Add vhost::auto-login: checks on-connect if user meets ::mask criteria
and if so, it sets the vhost on the user. Except when the user already
has a vhost (eg from anope during SASL).
If vhost::auto-login is 'yes' then you don't need ::login and ::password.

Suggested by PeGaSuS.

Support for variables like $account in vhost::vhost, more examples and
a release notes entry will follow in later commit(s).
2024-09-20 15:43:55 +02:00