mirror of https://github.com/weechat/weechat.git synced 2026-07-03 08:13:14 +02:00
Commit Graph

4528 Commits

Author SHA1 Message Date
Matthew Horan 055642b9df relay/api: only decompress compressed messages
With permessage-deflate, RSV1 of the first fragment indicates whether or
not the message is compressed [1]. If RSV1 is not set then the message
should not be decompressed.

[1] https://datatracker.ietf.org/doc/html/rfc7692#section-6
2026-07-02 14:48:05 +02:00
Sébastien Helleu e9d998a9bf trigger: add unit for timer interval in /help trigger 2026-06-23 12:15:47 +02:00
Sébastien Helleu bfb34faa97 irc: replace "atol" by "atoll" for variables cast to time_t
On modern 32-bit platforms with a 64-bit time_t, long is 32-bit but time_t is
64-bit.
2026-06-21 08:19:42 +02:00
Sébastien Helleu a4b8d7aedd tcl: fix conversion of dates in the API functions
On modern 32-bit platforms with a 64-bit time_t, long is 32-bit but time_t is
64-bit.

Replace calls to Tcl_GetLongFromObj by Tcl_GetWideIntFromObj.
2026-06-21 08:19:42 +02:00
Sébastien Helleu 75b364cd89 ruby: fix conversion of dates in the API functions
On modern 32-bit platforms with a 64-bit time_t, long is 32-bit but time_t is
64-bit.

Replace calls to NUM2ULONG by NUM2ULL.
2026-06-21 08:19:42 +02:00
Sébastien Helleu 914d3df639 python: fix conversion of dates in the API functions
On modern 32-bit platforms with a 64-bit time_t, long is 32-bit but time_t is
64-bit.

Use "long long" for variables cast to time_t.
2026-06-21 08:19:42 +02:00
Sébastien Helleu a5404172c8 perl: fix conversion of dates in the API functions
On modern 32-bit platforms with a 64-bit time_t, the value returned by SvIV can
be 32-bit (its width depends on how Perl was built), whereas time_t is 64-bit.

Read the date with SvNV instead: a double represents all real timestamps
exactly, so the conversion to time_t no longer depends on the size of the Perl
integer type.
2026-06-21 08:19:42 +02:00
Sébastien Helleu 1dd423cb23 lua: fix conversion of dates in the API functions
On modern 32-bit platforms with a 64-bit time_t, long is 32-bit but time_t is
64-bit.

Use "long long" for variables cast to time_t.
2026-06-21 07:43:59 +02:00
Sébastien Helleu 8f33a72c99 guile: fix conversion of dates in the API functions
On modern 32-bit platforms with a 64-bit time_t, long is 32-bit but time_t is
64-bit.

Replace calls to scm_to_long by scm_to_long_long.
2026-06-21 07:42:02 +02:00
Sébastien Helleu f4564a1cb0 core, api: remove unneeded cast to time_t
The field `tv_sec` of struct timeval is already time_t, the cast is not needed.
2026-06-20 21:50:25 +02:00
Sébastien Helleu 2aada3d0ca xfer: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 791c39cc84 trigger: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu ce6a214ce1 script: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 3c302e078d relay: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 90761d6350 api: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 4eba4f9a47 python: use function util_parse_int in API function hook_signal_send 2026-06-20 17:30:41 +02:00
Sébastien Helleu fcbb508cd7 javascript: use function util_parse_int in API function hook_signal_send 2026-06-20 17:30:41 +02:00
Sébastien Helleu b49eac6f2d irc: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 9b418b4dc2 fset: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 08b173f9b7 exec: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 42b91aa91d buflist: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 3200a05c00 relay/api: fix memory leak in resources "handshake", "input" and "completion" 2026-06-17 21:54:15 +02:00
aizu-m c40261aed1 xfer: fix out-of-bounds write in xfer_dcc_resume_hash (#2326) 2026-06-17 21:29:45 +02:00
Sébastien Helleu 4e206ee3ae trigger: use "const char *" variables for result of string functions with const parameter 2026-06-15 07:55:20 +02:00
Sébastien Helleu 7ff71d2b0e spell: use "const char *" variables for result of string functions with const parameter 2026-06-15 07:55:10 +02:00
Sébastien Helleu 203fdca3e8 script: use "const char *" variables for result of string functions with const parameter 2026-06-15 07:54:40 +02:00
Sébastien Helleu e3ba25df19 relay: use "const char *" variables for result of string functions with const parameter 2026-06-15 07:54:10 +02:00
Sébastien Helleu 64566629c5 irc: use "const char *" variables for result of string functions with const parameter 2026-06-15 07:52:12 +02:00
Sébastien Helleu 7e3afaf46d core, api: use "const char *" variables for result of string functions with const parameter 2026-06-15 07:52:10 +02:00
Sébastien Helleu cf702d541f api: change type of parameter "pos_option_name" to "const char **" in function config_search_with_string 2026-06-15 07:29:33 +02:00
Sébastien Helleu de878b2303 relay/api: remove error 400 which is never returned in response to GET /api/scripts 2026-06-08 23:11:27 +02:00
Sébastien Helleu 80a47b6731 relay/api: add missing fields in script object in OpenAPI document 2026-06-08 23:11:06 +02:00
Sébastien Helleu 551c12e049 relay/api: add resource GET /api/scripts 2026-06-08 23:04:40 +02:00
Sébastien Helleu 12016c4c05 script: add info "script_languages" 2026-06-08 18:54:06 +02:00
aizu-m 51a1149852 relay: fix out-of-bounds read in relay_http_print_log_request (#2324) 2026-06-06 11:18:06 +02:00
Sébastien Helleu d74993a42c relay: limit size of partial message received while reading an HTTP request to prevent memory exhaustion
A relay client could send data with no end-of-line (an unterminated method
or header line) and dribble its payload, making WeeChat accumulate it in the
partial message buffer that grew without limit, until all memory was
exhausted. This path is reachable before authentication during websocket
initialization with the "weechat" and "irc" protocols.

The accumulated partial message is now bounded by
RELAY_HTTP_PARTIAL_MESSAGE_MAX_LENGTH: once the limit is reached, the extra
data is ignored.
2026-06-06 09:36:22 +02:00
Sébastien Helleu befbcceb7f relay/api: add field "last_read_line_id" in GET /api/buffers 2026-06-06 07:04:46 +02:00
aizu-m 56f9ad68fb xfer: fix out-of-bounds read in xfer_chat_recv_cb on empty line (#2323) 2026-06-06 07:01:18 +02:00
aizu-m 328f86affc irc: fix out-of-bounds read in DCC command with quoted filename 2026-06-04 23:17:58 +02:00
aizu-m 23291acb7b xfer: replace directory separator in remote nick by underscore in download filename 2026-06-04 22:38:08 +02:00
Sébastien Helleu 3687ce0f0f relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
A relay client could announce a huge websocket frame (or HTTP body via
"Content-Length") and dribble its payload, making WeeChat accumulate it
in a buffer that grew without limit, until all memory was exhausted. The
websocket frame path is reachable before authentication with the
"weechat" and "irc" protocols.

The announced websocket frame length and HTTP "Content-Length" are now
bounded by WEBSOCKET_FRAME_MAX_LENGTH and RELAY_HTTP_BODY_MAX_LENGTH: an
oversized websocket frame closes the connection, and an oversized body is
rejected.
2026-06-01 21:56:34 +02:00
Sébastien Helleu 1211510ded irc: limit size of data received from the server to prevent memory exhaustion
A malicious or compromised IRC server could send data with no end-of-line
(or a flood of "005" messages), making WeeChat accumulate it in a buffer
that grew without limit, until all memory was exhausted.

The unterminated received message and the accumulated "005" (ISUPPORT)
data are now bounded by IRC_SERVER_RECV_MSG_MAX_LENGTH and
IRC_SERVER_ISUPPORT_MAX_LENGTH: extra data is ignored once the limit is
reached.
2026-06-01 21:53:03 +02:00
Sébastien Helleu e540d7a2cf relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)
The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.

Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
2026-05-31 09:16:36 +02:00
Sébastien Helleu 6948aea626 relay: fix timing attack on password authentication (GHSA-vhv8-g2r9-cwcc)
The relay authentication used non-constant-time comparisons (strcasecmp,
strcmp) to verify password hashes and plaintext passwords, allowing an
attacker to derive the expected hash byte-by-byte from response timing
and then authenticate without knowing the password.

- SHA/PBKDF2 hex hash comparisons: normalize the client-supplied hash to
  uppercase and compare in constant time over the fixed expected length.
- Plaintext password comparison: HMAC-SHA256 both passwords with a fresh
  per-call random key and compare the fixed-size MACs in constant time,
  hiding both per-byte timing and the password length.

Add string_memcmp_constant_time helper in core, exposed via the plugin
API. Bump WEECHAT_PLUGIN_API_VERSION accordingly.
2026-05-31 09:16:15 +02:00
Sébastien Helleu 5dbb96b66a relay: limit size of decompressed websocket frame to prevent memory exhaustion (GHSA-v2v4-45wm-5cr3)
An authenticated relay client using the permessage-deflate websocket
extension could send a small compressed frame that decompresses to an
unbounded amount of data, exhausting all memory and crashing WeeChat.

The output buffer in relay_websocket_inflate is now capped to
WEBSOCKET_INFLATE_MAX_SIZE: frames decompressing beyond this limit are
rejected and the connection is closed.
2026-05-31 09:16:06 +02:00
Sébastien Helleu 4fdcbf8f93 irc: fix description of info "irc_nick_from_host"
This fixes the following warning from xgettext:

src/plugins/irc/irc-info.c:1361: warning: Message contains an embedded email address.  Better move it out of the translatable string, see https://www.gnu.org/software/gettext/manual/html_node/No-embedded-URLs.html
2026-05-30 15:36:26 +02:00
Sébastien Helleu 4c38ce050b irc, script: display all input actions and in the same way in /list and /script buffers title 2026-05-22 07:56:31 +02:00
Sébastien Helleu 5520ed1950 fset: remove error displayed in core buffer when clicking with the mouse below the last option displayed 2026-05-21 13:55:15 +02:00
Sébastien Helleu 88f0070674 irc: fix tag in message with list of tags when joining a channel
The message with list of nicks on the channel has now tag irc_353 instead of
irc_366.
2026-05-20 20:24:06 +02:00
Sébastien Helleu 7683287f71 relay: add "api" protocol in help on options relay.network.password_hash_algo and relay.network.password_hash_iterations 2026-05-20 20:19:30 +02:00
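
The hex-hash half of the fix described in commit 6948aea626 (normalize the client-supplied hash to uppercase, then compare in constant time over the fixed expected length), sketched as an added example; this is not WeeChat's code. The names `ct_memcmp`, `ct_upper`, `hash_hex_equals` and `HASH_HEX_MAX` are hypothetical, and the sample hash is constructed.

```c
#include <stddef.h>
#include <string.h>

#define HASH_HEX_MAX 128 /* assumed bound: hex length of a SHA-512 digest */

/* Constant-time compare of two buffers of the same size: 0 if equal. */
static int ct_memcmp (const void *a, const void *b, size_t size)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < size; i++)
        diff |= pa[i] ^ pb[i]; /* no early exit on the first difference */
    return diff != 0;
}

/* Uppercase one ASCII byte without branching on its value. */
static unsigned char ct_upper (unsigned char c)
{
    unsigned char is_lower = ((unsigned int)(c - 'a') < 26u);
    return (unsigned char)(c - (is_lower << 5));
}

/* Return 1 if client_hex matches expected_upper (stored as uppercase hex). */
int hash_hex_equals (const char *expected_upper, const char *client_hex)
{
    unsigned char buf[HASH_HEX_MAX];
    size_t expected_len, client_len, i;
    int mismatch;

    if (!expected_upper || !client_hex)
        return 0;
    expected_len = strlen (expected_upper);
    if ((expected_len == 0) || (expected_len > HASH_HEX_MAX))
        return 0;
    client_len = strlen (client_hex); /* length of attacker input: not secret */
    mismatch = (client_len != expected_len);
    /* Always process expected_len bytes, padding a short input with 0. */
    for (i = 0; i < expected_len; i++)
        buf[i] = ct_upper ((i < client_len) ? (unsigned char)client_hex[i] : 0);
    mismatch |= ct_memcmp (expected_upper, buf, expected_len);
    return !mismatch;
}

int main (void)
{
    /* Constructed sample value, not a real password hash. */
    return hash_hex_equals ("5E884898DA28", "5e884898da28") ? 0 : 1;
}
```

The work done depends only on the expected length, which is fixed by the hash algorithm, so response time does not reveal how many leading characters of a guess were correct. The plaintext-password path in the same commit additionally needs an HMAC-SHA256 primitive and is not shown here.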