Sébastien Helleu
dd9ef2f4d9
tests: add missing include of string.h
2026-06-08 23:17:19 +02:00
Sébastien Helleu
551c12e049
relay/api: add resource GET /api/scripts
2026-06-08 23:04:40 +02:00
Sébastien Helleu
d74993a42c
relay: limit size of partial message received while reading an HTTP request to prevent memory exhaustion
A relay client could send data with no end-of-line (an unterminated method
or header line) and dribble its payload, making WeeChat accumulate it in the
partial message buffer that grew without limit, until all memory was
exhausted. This path is reachable before authentication during websocket
initialization with the "weechat" and "irc" protocols.
The accumulated partial message is now bounded by
RELAY_HTTP_PARTIAL_MESSAGE_MAX_LENGTH: once the limit is reached, the extra
data is ignored.
2026-06-06 09:36:22 +02:00
Sébastien Helleu
befbcceb7f
relay/api: add field "last_read_line_id" in GET /api/buffers
2026-06-06 07:04:46 +02:00
Sébastien Helleu
3687ce0f0f
relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
A relay client could announce a huge websocket frame (or HTTP body via
"Content-Length") and dribble its payload, making WeeChat accumulate it
in a buffer that grew without limit, until all memory was exhausted. The
websocket frame path is reachable before authentication with the
"weechat" and "irc" protocols.
The announced websocket frame length and HTTP "Content-Length" are now
bounded by WEBSOCKET_FRAME_MAX_LENGTH and RELAY_HTTP_BODY_MAX_LENGTH: an
oversized websocket frame closes the connection, and an oversized body is
rejected.
2026-06-01 21:56:34 +02:00
Sébastien Helleu
e540d7a2cf
relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)
The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.
Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
2026-05-31 09:16:36 +02:00
Sébastien Helleu
5dbb96b66a
relay: limit size of decompressed websocket frame to prevent memory exhaustion (GHSA-v2v4-45wm-5cr3)
An authenticated relay client using the permessage-deflate websocket
extension could send a small compressed frame that decompresses to an
unbounded amount of data, exhausting all memory and crashing WeeChat.
The output buffer in relay_websocket_inflate is now capped to
WEBSOCKET_INFLATE_MAX_SIZE: frames decompressing beyond this limit are
rejected and the connection is closed.
2026-05-31 09:16:06 +02:00
Sébastien Helleu
f53e7fb9ef
core, plugins: fix typos in comments on functions, use imperative
2026-03-23 20:45:36 +01:00
Sébastien Helleu
106fe6ca7c
core: update copyright dates
2026-03-08 10:37:15 +01:00
Sébastien Helleu
e6646d1ef1
relay/api: return HTTP error 404 instead of 400 when the buffer is not found in resources completion and input
2025-11-13 07:12:55 +01:00
Sébastien Helleu
93d73d234f
relay/api: consider boolean/long query string parameters as invalid if they are empty
2025-10-26 18:12:02 +01:00
Sébastien Helleu
d05b83d03f
relay/api: return an error 401 when header "x-weechat-totp" is received with empty value
2025-10-26 10:11:10 +01:00
Sébastien Helleu
0009732f78
relay/api: return an error 401 when header "x-weechat-totp" has an invalid value
2025-10-26 09:19:43 +01:00
Sébastien Helleu
e637e0de1c
relay/api: return an error 400 when URL parameters "nicks", "lines" and "lines_free" have an invalid value
2025-10-26 08:07:23 +01:00
Sébastien Helleu
58c873809b
relay/api: return an error 400 when URL parameter "colors" has an invalid value
2025-10-26 07:22:10 +01:00
Sébastien Helleu
1db29cb1ed
relay/api: reject any invalid or unknown password hash algorithm in handshake resource
2025-07-02 20:32:09 +02:00
Sébastien Helleu
4348036e2e
tests: remove duplicated "HTTP/1.1" in some relay API tests
2025-07-02 20:32:09 +02:00
Sébastien Helleu
93ec10b563
relay/api: return HTTP error 405 (Method Not Allowed) when the method received is not allowed
2025-07-02 20:32:09 +02:00
Sébastien Helleu
9783256649
relay/api: use specifier %@ for times formatted by util_strftimeval
2025-05-18 22:15:39 +02:00
Sébastien Helleu
a1cbe63a42
tests: move CMake file, main C++/headers for tests and scripts to unit directory
2025-05-05 13:18:34 +02:00
Sébastien Helleu
2475f20cb7
all: move description of C files below the copyright and license
2025-03-31 11:47:49 +02:00
Sébastien Helleu
3a6ac9ee76
all: add SPDX license tag
2025-03-31 07:49:26 +02:00
Sébastien Helleu
d8987a1678
all: replace Copyright lines by SPDX copyright tag
2025-03-30 14:47:12 +02:00
Sébastien Helleu
547e2b934e
core: update copyright dates
2025-02-01 23:13:18 +01:00
Sébastien Helleu
d302294723
relay/api: always return a body with field "error" in error responses
2025-01-07 07:52:09 +01:00
Sébastien Helleu
60422ca6b1
relay: remove extra space in JSON authentication error
2025-01-07 07:28:45 +01:00
Sébastien Helleu
9d3388b09e
relay/api: use cjson lib to return errors
2025-01-07 07:23:55 +01:00
Sébastien Helleu
d10af1037b
relay/api: use cjson lib to build JSON body of handshake request
2025-01-07 07:18:01 +01:00
Nils
c6c420c698
relay: add completion resource
2025-01-05 14:54:07 +01:00
Trygve Aaberge
11faf85402
tests: add test for combining request headers
2024-11-24 16:15:35 +01:00
Trygve Aaberge
a414fb9da5
tests: add tests for auth via Sec-WebSocket-Protocol
2024-11-24 16:00:25 +01:00
Josh Soref
9f67ae369c
spelling: negotiation
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2024-09-28 21:22:56 +02:00
Josh Soref
6fdf39165a
spelling: client
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2024-09-28 18:22:41 +02:00
Sébastien Helleu
02847246b2
core, plugins, tests: fix octal notation in strings
2024-09-19 08:34:18 +02:00
Sébastien Helleu
6908eec160
tests: replace POINTERS_EQUAL by STRCMP_EQUAL in string comparisons with NULL
2024-09-14 10:26:42 +02:00
Sébastien Helleu
434c1ee3c4
relay/api: send the sync request at the same time as buffer data retrieval
This fixes events missed by the client when synchronizing after fetching data.
2024-08-25 21:13:38 +02:00
Sébastien Helleu
6bb4d64512
relay/api: allow array with multiple requests in websocket frame received from client
2024-08-25 20:48:52 +02:00
Sébastien Helleu
d4ca32832e
relay: redefine bar item "input_prompt" to display the connection status on remote buffers, if different from "connected"
2024-08-21 20:37:00 +02:00
Sébastien Helleu
a317c785fb
relay/api: add automatic reconnection to remote (closes #2166)
New options:
- remote option "autoreconnect_delay"
- relay.api.remote_autoreconnect_delay_growing
- relay.api.remote_autoreconnect_delay_max
2024-08-11 12:18:28 +02:00
Sébastien Helleu
24734c4fe0
relay/api: add field "tmie_displayed" in GET /api/buffers
2024-08-10 13:58:58 +02:00
Sébastien Helleu
41ab22554c
tests/relay/api: add missing fields in test of buffer to json function
2024-08-10 13:42:38 +02:00
Sébastien Helleu
b00f94dc70
relay/api: add field "hidden" in GET /api/buffers (issue #2159)
2024-08-10 12:42:55 +02:00
Sébastien Helleu
07ef722c06
relay/api: disconnect cleanly when the remote is quitting (closes #2168)
2024-08-09 23:37:33 +02:00
Sébastien Helleu
6e775e4768
relay/api: close obsolete buffers when reconnecting to the remote
This closes all buffers that exist locally but not on the remote any more,
after reconnecting to the remote.
2024-08-09 18:08:31 +02:00
Sébastien Helleu
eb5399518e
relay/api: clear lines and nicklist on all remote buffers upon successful connection to the remote (closes #2161)
2024-08-09 18:01:59 +02:00
Sébastien Helleu
87a5620623
tests: fix typo in header
2024-08-09 07:24:11 +02:00
Sébastien Helleu
8c48b2f310
relay/api: fix connection to remote using an IPv6 address with square brackets (closes #2156)
2024-07-22 17:24:50 +02:00
Sébastien Helleu
3828a9f987
tests: add field "request_id" in tests of relay api protocol
2024-06-30 00:22:46 +02:00
Sébastien Helleu
f8f6e100d0
relay/api: always set "body_type" and "body" (null if there is no body) in websocket frame
2024-06-29 23:59:59 +02:00
Sébastien Helleu
555632b615
relay/remote: update buffer line on event "buffer_line_data_changed"
2024-06-27 21:39:21 +02:00