1
0
mirror of https://github.com/weechat/weechat.git synced 2026-07-05 17:23:15 +02:00
Commit Graph

694 Commits

Author SHA1 Message Date
Sébastien Helleu 377b6da43d relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
A relay client could announce a huge websocket frame (or HTTP body via
"Content-Length") and dribble its payload, making WeeChat accumulate it
in a buffer that grew without limit, until all memory was exhausted. The
websocket frame path is reachable before authentication with the
"weechat" and "irc" protocols.

The announced websocket frame length and HTTP "Content-Length" are now
bounded by WEBSOCKET_FRAME_MAX_LENGTH and RELAY_HTTP_BODY_MAX_LENGTH: an
oversized websocket frame closes the connection, and an oversized body is
rejected.
2026-06-01 22:09:27 +02:00
Sébastien Helleu c737373d17 relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)
The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.

Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
2026-05-31 09:12:09 +02:00
Sébastien Helleu 30230498b2 relay: fix timing attack on password authentication (GHSA-vhv8-g2r9-cwcc)
The relay authentication used non-constant-time comparisons (strcasecmp,
strcmp) to verify password hashes and plaintext passwords, allowing an
attacker to derive the expected hash byte-by-byte from response timing
and then authenticate without knowing the password.

- SHA/PBKDF2 hex hash comparisons: normalize the client-supplied hash to
  uppercase and compare in constant time over the fixed expected length.
- Plaintext password comparison: HMAC-SHA256 both passwords with a fresh
  per-call random key and compare the fixed-size MACs in constant time,
  hiding both per-byte timing and the password length.

Add string_memcmp_constant_time helper in core, exposed via the plugin
API. Bump WEECHAT_PLUGIN_API_VERSION accordingly.
2026-05-31 09:11:53 +02:00
Sébastien Helleu 35699ea802 relay: limit size of decompressed websocket frame to prevent memory exhaustion (GHSA-v2v4-45wm-5cr3)
An authenticated relay client using the permessage-deflate websocket
extension could send a small compressed frame that decompresses to an
unbounded amount of data, exhausting all memory and crashing WeeChat.

The output buffer in relay_websocket_inflate is now capped to
WEBSOCKET_INFLATE_MAX_SIZE: frames decompressing beyond this limit are
rejected and the connection is closed.
2026-05-31 09:07:23 +02:00
Sébastien Helleu f53e7fb9ef core, plugins: fix typos in comments on functions, use imperative 2026-03-23 20:45:36 +01:00
Sébastien Helleu f5bbe35cfb irc, relay: replace "cancelled" by "canceled" in auto-reconnection message 2026-03-12 20:24:53 +01:00
Sébastien Helleu 106fe6ca7c core: update copyright dates 2026-03-08 10:37:15 +01:00
Sébastien Helleu 306155aa48 relay/api: fix memory leak in receive of message from remote WeeChat 2026-02-16 18:57:14 +01:00
Sébastien Helleu 238f8cbc7e relay/api: fix memory leaks in resources "ping" and "sync" 2026-02-16 18:33:03 +01:00
Emil Velikov 6442b938eb cmake: move zstd/cjson include handling
Move the respective include_directories() stansas to the top-level
cmakefile. While this technically adds them to targets where they are
not needed, there is no harm is having them.

This maskes the find_dependency/use_includes/use_libs more consistent
across the board and helps it stand out where it's forgotten. Fixes for
which will be coming at a later date.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
2026-02-04 22:21:26 +01:00
Sébastien Helleu c2ff484995 core, irc, relay: add tag "tls" in gnutls messages 2025-11-22 14:52:02 +01:00
Sébastien Helleu 898213b4f2 relay/api: return HTTP error 400 in case of invalid body in resource ping 2025-11-13 20:35:58 +01:00
Sébastien Helleu e6646d1ef1 relay/api: return HTTP error 404 instead of 400 when the buffer is not found in resources completion and input 2025-11-13 07:12:55 +01:00
Sébastien Helleu 93d73d234f relay/api: consider boolean/long query string parameters as invalid if they are empty 2025-10-26 18:12:02 +01:00
Sébastien Helleu d05b83d03f relay/api: return an error 401 when header "x-weechat-totp" is received with empty value 2025-10-26 10:11:10 +01:00
Sébastien Helleu 0009732f78 relay/api: return an error 401 when header "x-weechat-totp" has an invalid value 2025-10-26 09:19:43 +01:00
Sébastien Helleu e637e0de1c relay/api: return an error 400 when URL parameters "nicks", "lines" and "lines_free" have an invalid value 2025-10-26 08:07:23 +01:00
Sébastien Helleu 58c873809b relay/api: return an error 400 when URL parameter "colors" has an invalid value 2025-10-26 07:22:10 +01:00
Sébastien Helleu bff910cae3 relay/api: fix crash when an invalid HTTP request is received from a client
When invalid data is received (not an HTTP request), client->http_req->method
is NULL, so we have to check it's not NULL before comparing it to the supported
methods.

This fixes a regression introduced in commit
93ec10b563.
2025-08-16 21:19:43 +02:00
Sébastien Helleu be78d185ea relay/api: bump API version to 0.4.1 2025-07-02 20:52:42 +02:00
Sébastien Helleu 58067431de relay/api: process HTTP request received as soon as a NULL char is received
This fixes the API probe made by schemathesis, so it detects immediately that
such NULL byte is not allowed by WeeChat, instead of timing out after 10
seconds:

   API capabilities:

     Supports NULL byte in headers:    ✘
2025-07-02 20:32:09 +02:00
Sébastien Helleu 902332c3e6 relay/api: move resource bodies into their paths in OpenAPI document 2025-07-02 20:32:09 +02:00
Sébastien Helleu 0b82429b39 relay/api: add example of value for the parameter buffer_id in OpenAPI document 2025-07-02 20:32:09 +02:00
Sébastien Helleu 8b2165d441 relay/api: fix example of ping data in OpenAPI document 2025-07-02 20:32:09 +02:00
Sébastien Helleu fca2412424 relay/api: fix example of completion list in OpenAPI document 2025-07-02 20:32:09 +02:00
Sébastien Helleu d279a80733 relay/api: remove extra double quote in example of line date (OpenAPI document) 2025-07-02 20:32:09 +02:00
Sébastien Helleu 4444addf4d relay/api: fix operationId of completion resource in OpenAPI document 2025-07-02 20:32:09 +02:00
Sébastien Helleu 4ce74403dc relay/api: fix typo in OpenAPI document 2025-07-02 20:32:09 +02:00
Sébastien Helleu 1db29cb1ed relay/api: reject any invalid or unknown password hash algorithm in handshake resource 2025-07-02 20:32:09 +02:00
Sébastien Helleu d8baabd250 relay/api: use "buffer_name" first if received, then "buffer_id" in completion and input resources
This fixes some tests done by shemathesis, which sends "buffer_id" to
0 (unknown buffer) and "buffer_name" to a valid buffer name.
2025-07-02 20:32:09 +02:00
Sébastien Helleu 93ec10b563 relay/api: return HTTP error 405 (Method Not Allowed) when the method received is not allowed 2025-07-02 20:32:09 +02:00
Sébastien Helleu 927a50e366 core, plugins: replace "%p" by "%lx" in calls to sscanf 2025-05-18 22:17:29 +02:00
Sébastien Helleu d0c00f7db2 Revert "core, plugins: replace "%lx" by "%p" in calls to sscanf"
This reverts commit e64ab3c675.

This was causing incorrect conversion of strings "0x..." to pointers on systems
like Solaris/illumos.

And as a side effect, buffers were sometimes empty in weechat relay clients
like glowing-bear.
2025-05-18 22:17:16 +02:00
Sébastien Helleu 9783256649 relay/api: use specifier %@ for times formatted by util_strftimeval 2025-05-18 22:15:39 +02:00
Sébastien Helleu 2475f20cb7 all: move description of C files below the copyright and license 2025-03-31 11:47:49 +02:00
Sébastien Helleu 3a6ac9ee76 all: add SPDX license tag 2025-03-31 07:49:26 +02:00
Sébastien Helleu 55d936d63a relay: add SPDX copyright tag in relay OpenAPI document 2025-03-30 14:47:12 +02:00
Sébastien Helleu d8987a1678 all: replace Copyright lines by SPDX copyright tag 2025-03-30 14:47:12 +02:00
Sébastien Helleu 764b309e92 core, irc, relay: fix formatting of seconds and microseconds 2025-03-16 14:04:28 +01:00
Aaron Jones f5038bccbc Fix function prototypes for list of arguments
At the moment, building WeeChat triggers several thousand -Wstrict-prototypes
diagnostics.  This is due to its source code using an empty argument list for
functions and function pointers that take no arguments, instead of explicitly
declaring that they take no arguments by using a void list.

This commit replaces all empty argument lists with a void list.

Note that Ruby's headers also suffer the same problem, which WeeChat can't
do anything to fix.  Thus, building WeeChat with the Ruby plugin enabled
will still issue approximately 30 such diagnostics.
2025-03-10 08:16:52 +01:00
Sébastien Helleu ca6e483cdc relay/api: add a way to toggle between remote and local command execution on remote buffers (issue #2148)
New default key:

- Alt+Ctrl+l (L): toggle execution of commands: remote/local

New options:

- relay.api.remote_input_cmd_local: text displayed for command executed locally
- relay.api.remote_input_cmd_remote: text displayed for command executed on the
  remote WeeChat
2025-02-09 18:31:37 +01:00
Sébastien Helleu 547e2b934e core: update copyright dates 2025-02-01 23:13:18 +01:00
Sébastien Helleu d302294723 relay/api: always return a body with field "error" in error responses 2025-01-07 07:52:09 +01:00
Sébastien Helleu 60422ca6b1 relay: remove extra space in JSON authentication error 2025-01-07 07:28:45 +01:00
Sébastien Helleu 9d3388b09e relay/api: use cjson lib to return errors 2025-01-07 07:23:55 +01:00
Sébastien Helleu d10af1037b relay/api: use cjson lib to build JSON body of handshake request 2025-01-07 07:18:01 +01:00
Sébastien Helleu 10b4fffaca relay/api: fix return code when buffer is not found in completion resource callback 2025-01-07 07:12:37 +01:00
Sébastien Helleu c48dee3211 relay/api: add schema for errors returned in OpenAPI document 2025-01-06 07:45:02 +01:00
Nils c6c420c698 relay: add completion resource 2025-01-05 14:54:07 +01:00
Sébastien Helleu cfe34388fb relay/api: bump version in OpenAPI document 2025-01-05 13:05:58 +01:00