From 0009732f783828d78d690eaf660b1a25f149ca05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Helleu?=
Date: Sun, 26 Oct 2025 09:19:43 +0100
Subject: [PATCH] relay/api: return an error 401 when header "x-weechat-totp" has an invalid value

---
 CHANGELOG.md                                 |  1 +
 src/plugins/relay/relay-http.c               | 16 +++++++++++++---
 tests/unit/plugins/relay/test-relay-http.cpp |  8 ++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 993e8e277..280987159 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 - irc: fix warning on creation of irc.msgbuffer option when the server name contains upper case letters ([#2281](https://github.com/weechat/weechat/issues/2281))
 - relay/api: fix crash when an invalid HTTP request is received from a client
 - relay/api: return an error 400 when URL parameters "colors", "nicks", "lines" and "lines_free" have an invalid value
+- relay/api: return an error 401 when header "x-weechat-totp" has an invalid value
 
 ## Version 4.7.1 (2025-08-16)
 
diff --git a/src/plugins/relay/relay-http.c b/src/plugins/relay/relay-http.c
index 711a81087..9c24e032b 100644
--- a/src/plugins/relay/relay-http.c
+++ b/src/plugins/relay/relay-http.c
@@ -588,9 +588,9 @@ relay_http_get_auth_status (struct t_relay_client *client)
 {
     const char *auth, *sec_websocket_protocol, *client_totp, *pos;
     char *relay_password, *totp_secret, *info_totp_args, *info_totp;
-    char *user_pass;
-    char **protocol_array;
+    char *user_pass, **protocol_array, *error;
     int rc, i, length, protocol_count, use_base64url, totp_ok;
+    long number;
 
     rc = 0;
     relay_password = NULL;
@@ -599,6 +599,17 @@ relay_http_get_auth_status (struct t_relay_client *client)
     user_pass = NULL;
     use_base64url = 0;
 
+    client_totp = weechat_hashtable_get (client->http_req->headers, "x-weechat-totp");
+    if (client_totp && client_totp[0])
+    {
+        number = strtol (client_totp, &error, 10);
+        if (!error || error[0] || (number < 0) || (number > 999999))
+        {
+            rc = -4;
+            goto end;
+        }
+    }
+
     relay_password = weechat_string_eval_expression (
         weechat_config_string (relay_config_network_password),
         NULL, NULL, NULL);
@@ -725,7 +736,6 @@ relay_http_get_auth_status (struct t_relay_client *client)
         NULL, NULL, NULL);
     if (totp_secret && totp_secret[0])
     {
-        client_totp = weechat_hashtable_get (client->http_req->headers, "x-weechat-totp");
         if (!client_totp || !client_totp[0])
         {
             rc = -3;
diff --git a/tests/unit/plugins/relay/test-relay-http.cpp b/tests/unit/plugins/relay/test-relay-http.cpp
index e901cc3ea..843255e00 100644
--- a/tests/unit/plugins/relay/test-relay-http.cpp
+++ b/tests/unit/plugins/relay/test-relay-http.cpp
@@ -713,6 +713,13 @@ TEST(RelayHttp, GetAuthStatus)
     hashtable_set (client->http_req->headers, "authorization", "Basic \u26c4");
     LONGS_EQUAL(-2, relay_http_get_auth_status (client));
 
+    /* test invalid TOTP */
+    hashtable_set (client->http_req->headers, "x-weechat-totp", "abcdef");
+    LONGS_EQUAL(-4, relay_http_get_auth_status (client));
+    hashtable_set (client->http_req->headers, "x-weechat-totp", "1234567");
+    LONGS_EQUAL(-4, relay_http_get_auth_status (client));
+    hashtable_remove (client->http_req->headers, "x-weechat-totp");
+
     /* test invalid plain-text password ("test") */
     hashtable_set (client->http_req->headers, "authorization", "Basic cGxhaW46dGVzdA==");
     LONGS_EQUAL(-2, relay_http_get_auth_status (client));
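Review bot: strtol() in the added check skips leading whitespace and accepts a leading `+` (a leading `-` is caught by `number < 0`), so header values such as `" 123456"` or `+123456` pass the new validation although they are not a six-digit code; inside `if (client_totp && client_totp[0])` I would first require digits only, `if (strspn (client_totp, "0123456789") != strlen (client_totp)) { rc = -4; goto end; }`, and keep the existing range test after it. The `!error` test is dead because strtol() always stores through a non-NULL endptr, and the `> 999999` bound already covers the ERANGE overflow case, so no errno check is needed. `number` is only used for this range test; the later TOTP validation (outside the hunk) presumably still receives the original header string, so whether a sign or extra leading zeros are acceptable there should be confirmed. relay_http_get_auth_status starts before and continues after this hunk.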
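Review bot: the new cases cover a non-numeric and a seven-digit value but none of the inputs strtol() silently accepts — leading whitespace, a `+` sign, or extra leading zeros such as `0123456` — so the test does not pin whether those are meant to be rejected; if they are, adding `hashtable_set (client->http_req->headers, "x-weechat-totp", "+123456"); LONGS_EQUAL(-4, relay_http_get_auth_status (client));` would document that strictness. A case with a well-formed value while no TOTP secret is configured would also confirm the header is ignored on that path. The TEST body starts before and continues after this hunk.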
@@ -907,6 +914,7 @@ TEST(RelayHttp, GetAuthStatus)
     free (totp2);
     config_file_option_reset (relay_config_network_totp_secret, 1);
     config_file_option_reset (relay_config_network_totp_window, 1);
+    hashtable_remove (client->http_req->headers, "x-weechat-totp");
 
     /* test invalid plain-text password ("test") via Sec-WebSocket-Protocol */
     hashtable_remove (client->http_req->headers, "authorization");