1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-09 03:43:12 +02:00
Commit Graph

6357 Commits

Author SHA1 Message Date
Bram Matthys fb12e1beeb set::allowed-nickchars: added "hebrew-utf8". Supplied by Lion-O. 2017-11-27 10:30:32 +01:00
Bram Matthys e3b91f8b94 Added UTF8 support in set::allowed-nickchars
See https://www.unrealircd.org/docs/Nick_Character_Sets
Example: set { allowed-nickchars { latin-utf8; }; };
Important remarks:
* All your servers must be on UnrealIRCd 4.0.17 (or later)
* Most(?) services do not support this, so users using UTF8 nicknames
  won't be able to register at NickServ.
* In set::allowed-nickchars you must either choose an utf8 language
  or a non-utf8 character set. You cannot combine the two.
* You also cannot combine multiple scripts/alphabets, such as:
  latin, greek, cyrillic and hebrew. You must choose one.
* If you are already using set::allowed-nickchars on your network
  (eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
  * Your clients may still assume non-UTF8
  * If users registered nicks with accents or other special characters
    at NickServ then they may not be able to access their account
    after the migration to UTF8.

[!] Work in progress [!]
2017-11-25 21:12:41 +01:00
Bram Matthys 2a040b40a5 Improve "non-SSL client on SSL port" detection. 2017-11-25 16:01:56 +01:00
Bram Matthys 668e1241b0 Show additional information in SSL errors. Such as:
"SSL_accept(): Internal OpenSSL error or protocol error: tls_process_client_hello: unsupported protocol"
rather than just
"SSL_accept(): Internal OpenSSL error or protocol error"
Perhaps it can be shortened in a later version if this is acceptable.

This can help with tracing server linking errors, and/or
if using the junk snomask (MODE nick +s +j).
2017-11-25 15:48:28 +01:00
Bram Matthys f7df81fd24 Add AppArmor profile in extras/security/apparmor/unrealircd
See: https://www.unrealircd.org/docs/Using_AppArmor_with_UnrealIRCd
2017-11-25 09:54:47 +01:00
Bram Matthys 0d99670391 Update changelog 2017-11-23 07:56:11 +01:00
Bram Matthys 12df5a96ff Fix crash if using anope with old unreal32 mod w/SSL on non-localhost.
Sounds rare and you should really use a more recent version of anope
with the unreal4 protocol module. But, of course, we shouldn't crash.
2017-11-21 11:40:07 +01:00
Bram Matthys e68f31ba34 Update relnotes 2017-11-20 18:57:40 +01:00
Bram Matthys b7bdb1dc40 Move 4.0.16 release notes to doc/RELEASE-NOTES.old 2017-11-20 18:55:38 +01:00
Bram Matthys 87a42edd4b extbans/timedban automatic -e/-I fix (duh)
Should add a testcase for it, but the test would take 1 minute. Hmmm.
2017-11-20 18:50:02 +01:00
Bram Matthys 0cc5eddce2 extbans/timedban (~t): fix unset not working for +e/+I and reduce load
by spreading the unset event over multiple events (process roughly a
quarter each time). Not important for small networks but for big ones..
2017-11-20 16:48:48 +01:00
Bram Matthys e67d49112e Re-indent src/modules/m_mode.c (yuck...) 2017-11-20 13:48:18 +01:00
Bram Matthys e16dfdc6a6 Add release notes entry for timed bans support in +f. 2017-11-20 09:48:25 +01:00
Bram Matthys aa093f3e2b Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
Naturally this is only available if the extbans/timedban module is
loaded and you should do so on all your servers on the same network
if you want to avoid confusion/desynchs.
2017-11-20 09:44:25 +01:00
Bram Matthys d63bc7e187 Module API: New function is_module_loaded("name"): return 1 / 0 2017-11-20 09:43:43 +01:00
Bram Matthys 92afdb56b5 Timed bans: ~t:duration:mask
These are bans that are automatically removed by the server.
The duration is in minutes and the mask can be any ban mask.
=> Note that you need to load the extbans/timedban module!
Some examples:
* A 5 minute ban on a host:
  +b ~t:5:*!*@host
* A 5 minute quiet ban on a host (unable to speak):
  +b ~t:5:~q:*!*@host
* An invite exception for 1440m/24hrs
  +I ~t:1440:*!*@host
* A temporary exempt ban for a services account
  +e ~t:1440:~a:Account
* Allows someone to speak through +m for the next 24hrs:
  +e ~t:1440:~m:moderated:*!*@host
* And any other crazy ideas you can come up with...
2017-11-20 09:16:03 +01:00
Bram Matthys 8b0fd74c37 Bug: set::restrict-extendedbans did not have effect in stacked bans.
For example if you had:
set { restrict-extendedbans "a"; };
Then this would be rejected:
MODE #chan +b ~a:Account
However, you could still set:
MODE #chan +b ~q:~a:Account
Now this is properly rejected as well.
2017-11-19 20:43:15 +01:00
Bram Matthys 2e1e9a0b91 Load extbans/msgbypass from modules.optional.conf 2017-11-19 17:19:35 +01:00
Bram Matthys eb205e04cc Make types future-proof. Fix ~m case for +M.
BypassMessageRestrictionType -> BypassChannelMessageRestrictionType
BYPASS_MSG_* -> BYPASS_CHANMSG_*
2017-11-19 17:12:28 +01:00
Bram Matthys 1b2b28e6c6 New ban exception ~m:type:mask - allows bypassing of message restrictions.
Valid types are: 'external' (bypass +n), moderated (bypass +m/+M),
'filter' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T).
Some examples:
* Let LAN users bypass +m: +e ~m:moderated:*!*@192.168.*
* Make GitHub commit bot bypass +n: +e ~m:external:*!*@ipmask
* Allow a services account to use color: +e ~m:color:~a:ColorBot
2017-11-19 16:40:39 +01:00
Bram Matthys dd6f67a266 Send errors regarding invalid bans (if available).
Fix case where conv_param() returns NULL (ban rejected)
causing is_ok() function not to be called so the user
never sees the error. We now try to call the is_ok after
conv_param returns NULL.
So not really an API change, more like a fix.
2017-11-18 19:15:44 +01:00
Bram Matthys b046b86a6e Way to customize the reject connection messages. 2017-11-17 11:13:11 +01:00
Bram Matthys e1af5ae6c5 Move AllowClient/check_client/check_init to m_nick module
(apparently one of the previous commits was partial)
2017-11-17 10:45:54 +01:00
Bram Matthys d13c7b20d0 Code cleanups in AllowClient and register_user 2017-11-17 10:37:45 +01:00
Bram Matthys 7b7f492b71 Move AllowClient/check_client/check_init to m_nick module 2017-11-17 10:10:28 +01:00
Bram Matthys cb6a118c4d antirandom sample conf: remove confusing phrase that doesn't apply 2017-11-15 11:49:46 +01:00
Bram Matthys 3c0db9c72f Move HOOKTYPE_SECURE_CONNECT hook and mode setting up a bit. 2017-11-13 17:02:05 +01:00
Bram Matthys cd7d3f0cc6 Rephrase. Still too long, though. 2017-11-13 17:00:36 +01:00
Bram Matthys 527fa9818c UnrealIRCd will no longer give +z to users on WEBIRC gateways, unless
the WEBIRC gateway gives us some assurance that the
client<->webirc gateway connection is also secure (eg: https).

This is the regular WEBIRC format:
WEBIRC password gateway hostname ip

This indicates a secure client connection (NEW):
WEBIRC password gateway hostname ip :secure

Naturally, WEBIRC gateways MUST NOT send the "secure" option if
the client is using http or some other insecure protocol.

https://github.com/ircv3/ircv3-ideas/issues/12
2017-11-13 16:47:22 +01:00
Bram Matthys 512c8fb000 Move the place where we set umode +z (secure). Needed for next. 2017-11-13 16:23:49 +01:00
Bram Matthys 31688fbae8 Update version to 4.0.17-devel to reflect development status. 2017-11-13 08:25:00 +01:00
Bram Matthys 07f056c1a4 Add reference to https://www.unrealircd.org/docs/IRCOp_guide 2017-11-13 08:17:28 +01:00
Bram Matthys d8470bb902 AppVeyor: needs both unrar and unzip 2017-11-12 08:08:41 +01:00
Bram Matthys f86cf68548 UnrealIRCd 4.0.16 2017-11-12 07:59:11 +01:00
Bram Matthys 1425583bed Zip file now. Does this work? 2017-11-11 11:06:48 +01:00
Bram Matthys 1070e43141 Windows: update dependencies (libs). 2017-11-11 11:04:51 +01:00
Bram Matthys 7d6d33a5bc Update c-ares to 1.13.0 (20-jun-2017) 2017-11-11 09:57:35 +01:00
Bram Matthys 67396c808d Update release notes 2017-11-10 19:48:32 +01:00
Bram Matthys 69264175e7 Update conf/ssl/curl-ca-bundle.crt (Wed Sep 20 03:12:05 2017 GMT) 2017-11-10 19:12:39 +01:00
Bram Matthys 1e059ca0e4 Update to PCRE2 10.30 (14-August-2017) 2017-11-10 19:05:36 +01:00
Bram Matthys 6b35aa35a8 Delete UnrealIRCd 3.2.x changelogs (they are in git anyway) 2017-11-10 18:58:21 +01:00
Bram Matthys c5e38b9272 UnrealIRCd 4.0.16-rc1 2017-10-29 12:16:43 +01:00
Bram Matthys 704487e124 Fix numerous crash bugs in server to server code.
In 3.2.x we didn't fix these bugs since servers are trusted and
should send correct commands. In 4.0.x we changed this so we would
fix them when we come across such issues at normal priority (not
consider them security issues). I now took it a step further and
actively checked/looked for these issues and a bunch of them were
found. Almost all are NULL pointer dereferences, with some exceptions.
* S2S: MODE: check conv_param return value (NULL ptr crash)
* S2S: MODE: floodprot: More checks (NULL ptr crash)
* S2S: MODE: OOB write of NULL (write NULL past last element in an array)
* S2S: NICK: old compat fixes (NULL ptr crash)
* S2S: PROTOCTL: Check for double SID=
* S2S: SERVER: require at least 3 parameters (NULL ptr crash)
* S2S: SJOIN: require at least 3 parameters (NULL ptr crash)
* S2S: SJOIN: Fix OOB read (read 1 byte past buffer)
* S2S: TKL: validate set_at and expire_at (NULL ptr crash)
* S2S: TKL: require at least 9 parameters for spamf, not 8 (NULL ptr crash)
* S2S: TKL: ignore invalid spamfilter matching type (remove abort() call)
* S2S: TOPIC: querying for topic is not permitted (NULL ptr crash)
* S2S: UID: require 12 parameters (NULL ptr crash)
* S2S: WATCH: this is not a server command (NULL ptr crash)
* Fix OOB read (1 byte beyond string) for timevals. This was reachable
  from config code, TKL (S2S) and /*LINE (Oper). In practice no crash.
* MODE: make code less confusing (effectively no change)
* TRACE: remove strange output in case of 0 lines of output
* Fix unimportant memory leak on boot (#4713, reported by dg)
* Fix small memory leak upon 'DNS i' (oper only command)
* Always work on a copy in clean_ban_mask(). This fixes a bug that could
  result in a strlcpy(buf, buf, sizeof(buf)). So, overlapping strings,
  which is undefined behavior.
2017-10-29 11:20:52 +01:00
Bram Matthys d574183825 Travis-CI: Use CPPFLAGS instead of CFLAGS 2017-10-23 16:52:28 +02:00
Bram Matthys 0dadba5482 Travis-CI: Use -DFAKELAG_CONFIGURABLE for tests. From 300 to 30s. 2017-10-23 16:37:22 +02:00
Bram Matthys 52a7478bd0 Comment it out like this so we can use -D 2017-10-23 16:37:00 +02:00
Bram Matthys 1dfcac9794 Travis-CI: Blah. 2017-10-23 14:14:58 +02:00
Bram Matthys 0318edbad0 Reinstall git during run-tests (may have been removed earlier in 'local-curl' test) 2017-10-23 13:42:16 +02:00
Bram Matthys cec74b0208 Use MAKE="make -j3" to make ./Config run faster as well. 2017-10-23 12:38:57 +02:00
Bram Matthys 13740a7d13 Travis-CI: Generate TLS certificate during test build (needed for testing further on) 2017-10-23 12:34:41 +02:00