
relay/api: return an error 401 when header "x-weechat-totp" has an invalid value

This commit is contained in:
Sébastien Helleu
2025-10-26 09:19:43 +01:00
parent e637e0de1c
commit 0009732f78
3 changed files with 22 additions and 3 deletions
+1
@@ -33,6 +33,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
- irc: fix warning on creation of irc.msgbuffer option when the server name contains upper case letters ([#2281](https://github.com/weechat/weechat/issues/2281))
- relay/api: fix crash when an invalid HTTP request is received from a client
- relay/api: return an error 400 when URL parameters "colors", "nicks", "lines" and "lines_free" have an invalid value
- relay/api: return an error 401 when header "x-weechat-totp" has an invalid value
## Version 4.7.1 (2025-08-16)
+13 -3
@@ -588,9 +588,9 @@ relay_http_get_auth_status (struct t_relay_client *client)
{
const char *auth, *sec_websocket_protocol, *client_totp, *pos;
char *relay_password, *totp_secret, *info_totp_args, *info_totp;
char *user_pass;
char **protocol_array;
char *user_pass, **protocol_array, *error;
int rc, i, length, protocol_count, use_base64url, totp_ok;
long number;
rc = 0;
relay_password = NULL;
@@ -599,6 +599,17 @@ relay_http_get_auth_status (struct t_relay_client *client)
user_pass = NULL;
use_base64url = 0;
client_totp = weechat_hashtable_get (client->http_req->headers, "x-weechat-totp");
if (client_totp && client_totp[0])
{
number = strtol (client_totp, &error, 10);
if (!error || error[0] || (number < 0) || (number > 999999))
{
rc = -4;
goto end;
}
}
relay_password = weechat_string_eval_expression (
weechat_config_string (relay_config_network_password),
NULL, NULL, NULL);
@@ -725,7 +736,6 @@ relay_http_get_auth_status (struct t_relay_client *client)
NULL, NULL, NULL);
if (totp_secret && totp_secret[0])
{
client_totp = weechat_hashtable_get (client->http_req->headers, "x-weechat-totp");
if (!client_totp || !client_totp[0])
{
rc = -3;
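Review bot: The `strtol` guard added right after the `x-weechat-totp` lookup still accepts leading whitespace and an explicit sign, since `strtol` consumes both before the digits, so header values like `" 123456"` or `"+123456"` pass as valid even though they are not a plain decimal code. If the intent is to reject anything other than digits, require the first character to be a digit: `if (!error || error[0] || !isdigit ((unsigned char)client_totp[0]) || (number < 0) || (number > 999999))` (assuming `<ctype.h>` is included in this file — the include block is outside the hunk). The `!error` test is always false because `strtol` writes through a non-NULL `endptr` unconditionally, so it could be dropped; the range check does already cover the `ERANGE` case, since `LONG_MAX`/`LONG_MIN` fall outside 0..999999. relay_http_get_auth_status starts and ends outside this hunk.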
@@ -713,6 +713,13 @@ TEST(RelayHttp, GetAuthStatus)
hashtable_set (client->http_req->headers, "authorization", "Basic \u26c4");
LONGS_EQUAL(-2, relay_http_get_auth_status (client));
/* test invalid TOTP */
hashtable_set (client->http_req->headers, "x-weechat-totp", "abcdef");
LONGS_EQUAL(-4, relay_http_get_auth_status (client));
hashtable_set (client->http_req->headers, "x-weechat-totp", "1234567");
LONGS_EQUAL(-4, relay_http_get_auth_status (client));
hashtable_remove (client->http_req->headers, "x-weechat-totp");
/* test invalid plain-text password ("test") */
hashtable_set (client->http_req->headers, "authorization", "Basic cGxhaW46dGVzdA==");
LONGS_EQUAL(-2, relay_http_get_auth_status (client));
@@ -907,6 +914,7 @@ TEST(RelayHttp, GetAuthStatus)
free (totp2);
config_file_option_reset (relay_config_network_totp_secret, 1);
config_file_option_reset (relay_config_network_totp_window, 1);
hashtable_remove (client->http_req->headers, "x-weechat-totp");
/* test invalid plain-text password ("test") via Sec-WebSocket-Protocol */
hashtable_remove (client->http_req->headers, "authorization");