1
0
mirror of https://github.com/weechat/weechat.git synced 2026-07-10 03:33:12 +02:00
Commit Graph

294 Commits

Author SHA1 Message Date
Sébastien Helleu d7bc041098 core: add version 4.9.1 2026-05-31 15:09:01 +02:00
Sébastien Helleu 43a118ac47 core: fix timing attack on TOTP validation (GHSA-vhv8-g2r9-cwcc)
weecrypto_totp_validate compared the generated and client-supplied OTPs
with strcmp and broke out of the time-window loop on the first match.
Both choices leaked information via response timing: strcmp leaked the
expected OTP digit-by-digit (shrinking the brute-force search from
~10^digits to a handful of guesses within the 30-second window), and
the early break leaked which window offset matched.

Compare in constant time with string_memcmp_constant_time and always
iterate the full window, OR-ing the result into otp_ok without an
early exit.

This affects both relay protocols (which call totp_validate via the
public info hook) and any other caller of the info hook.
2026-05-31 09:16:46 +02:00
Sébastien Helleu 6948aea626 relay: fix timing attack on password authentication (GHSA-vhv8-g2r9-cwcc)
The relay authentication used non-constant-time comparisons (strcasecmp,
strcmp) to verify password hashes and plaintext passwords, allowing an
attacker to derive the expected hash byte-by-byte from response timing
and then authenticate without knowing the password.

- SHA/PBKDF2 hex hash comparisons: normalize the client-supplied hash to
  uppercase and compare in constant time over the fixed expected length.
- Plaintext password comparison: HMAC-SHA256 both passwords with a fresh
  per-call random key and compare the fixed-size MACs in constant time,
  hiding both per-byte timing and the password length.

Add string_memcmp_constant_time helper in core, exposed via the plugin
API. Bump WEECHAT_PLUGIN_API_VERSION accordingly.
2026-05-31 09:16:15 +02:00
Sébastien Helleu 5dbb96b66a relay: limit size of decompressed websocket frame to prevent memory exhaustion (GHSA-v2v4-45wm-5cr3)
An authenticated relay client using the permessage-deflate websocket
extension could send a small compressed frame that decompresses to an
unbounded amount of data, exhausting all memory and crashing WeeChat.

The output buffer in relay_websocket_inflate is now capped to
WEBSOCKET_INFLATE_MAX_SIZE: frames decompressing beyond this limit are
rejected and the connection is closed.
2026-05-31 09:16:06 +02:00
Sébastien Helleu 1400b6c197 core: add fix of IRC tag in ChangeLog 2026-05-23 13:23:26 +02:00
Sébastien Helleu c71978c0b3 core: fix option weechat.look.color_real_white not applied when color is "white" on 16+ colors terminals (closes #1742) 2026-05-23 12:15:04 +02:00
Sébastien Helleu 5520ed1950 fset: remove error displayed in core buffer when clicking with the mouse below the last option displayed 2026-05-21 13:55:15 +02:00
Sébastien Helleu 815640b840 relay: add option relay.network.unix_socket_permissions (closes #2317) 2026-05-10 19:22:57 +02:00
Sébastien Helleu 3082c2e4e5 core: add condition on connected relay api clients in default value of option weechat.look.hotlist_add_conditions 2026-04-28 21:30:51 +02:00
Sébastien Helleu cead39b52f core: add /mute in default command for key alt+"=" (toggle filters)
Since v4.8.0 and commit d0298b4738, toggling
filters with `/filter toggle` displays a message on core buffer.

This is OK when running the command manually, but not when pressing the key
alt+"=".
2026-03-31 19:12:46 +02:00
Sébastien Helleu 5969f9faf6 Version 4.9.0 2026-03-29 10:20:23 +02:00
Sébastien Helleu b8bef1c3e1 irc: fix display of CTCP query sent multiple times to the same user when capability echo-message is enabled (closes #2309) 2026-03-27 18:32:31 +01:00
Sébastien Helleu 6bc11571b5 xfer: evaluate option xfer.network.own_ip 2026-03-18 18:26:06 +01:00
Sébastien Helleu 1532efea6d core: fix style in ChangeLog 2026-03-14 00:12:17 +01:00
Sébastien Helleu 9bf2d51493 core: add option -e to evaluate all commands before executing them in command /eval 2026-03-14 00:03:27 +01:00
Sébastien Helleu 27ae6ca789 core: fix crash with /eval when the current buffer is closed in a command 2026-03-13 23:11:00 +01:00
Sébastien Helleu 87a683ebdb typing: add option typing.look.item_text (closes #2305) 2026-03-09 23:58:11 +01:00
Sébastien Helleu 5eb3bca47b core: add version 4.8.2 2026-03-07 08:19:52 +01:00
Sébastien Helleu 306155aa48 relay/api: fix memory leak in receive of message from remote WeeChat 2026-02-16 18:57:14 +01:00
Sébastien Helleu 238f8cbc7e relay/api: fix memory leaks in resources "ping" and "sync" 2026-02-16 18:33:03 +01:00
Sébastien Helleu ef5f197a4a irc: fix unit of server option anti_flood from seconds to milliseconds in output of /server listfull 2026-01-30 13:49:23 +01:00
Sébastien Helleu 9b4fd66de7 irc: ignore self join if the channel is already joined (closes #2291)
There is an issue with some IRC servers that may send a JOIN with self nick
once already on the channel, this results in a clear of the nicklist on the
second JOIN received.

This fix silently ignores the second self JOIN if the channel is already
joined (with at least one nick).
2025-12-14 14:29:47 +01:00
Sébastien Helleu 518b9ab381 core: add version 4.8.1 2025-12-01 20:17:07 +01:00
Sébastien Helleu 1ff001994c irc: fix creation of irc.msgbuffer option without a server name
The regression was introduced by commit
1b669cd13c, which allowed a server name with
upper case but rejected a name or alias with upper case.

This commit fixed the creation of the option when the server name is not given,
so this command works again:

  /set irc.msgbuffer.whois current
2025-12-01 07:48:58 +01:00
Sébastien Helleu 6bcc6ef65f core: update ChangeLog (issue #2289) 2025-11-30 13:34:05 +01:00
Sébastien Helleu 63b6dee311 core: fix order of sections in ChangeLog 2025-11-30 09:16:42 +01:00
Sébastien Helleu 2534976281 Version 4.8.0 2025-11-30 09:09:35 +01:00
Sébastien Helleu c3f2252385 core: add missing links to upgrade guidelines in ChangeLog 2025-11-30 09:00:26 +01:00
Sébastien Helleu d8569ffe27 buflist: add variable ${index_displayed} 2025-11-28 18:45:22 +01:00
Sébastien Helleu a3f733d29a core: fix styles in ChangeLog 2025-11-28 17:36:30 +01:00
Sébastien Helleu c18d8ecc1d core: add version 4.7.2 2025-11-23 14:17:25 +01:00
Sébastien Helleu 953ede1200 irc: add tags "irc_cap" and "log3" in client capability request and SASL not supported messages 2025-11-22 16:00:32 +01:00
Sébastien Helleu c2ff484995 core, irc, relay: add tag "tls" in gnutls messages 2025-11-22 14:52:02 +01:00
Sébastien Helleu b8048b1666 irc: fix reset of color when multiple modes are set with command /mode 2025-11-22 12:31:37 +01:00
Sébastien Helleu e33ed57b47 irc: fix colors in MODE message (issue #2286) 2025-11-22 10:32:44 +01:00
Sébastien Helleu d23a7a6105 irc: fix colors in ban mask (message 367) and quiet mask (message 728) (closes #2286) 2025-11-22 10:02:47 +01:00
Sébastien Helleu 3e49b73117 api: fix file descriptor leak in hook_url (closes #2284)
This can happen after a timeout or if the hook is removed during the transfer.
2025-11-15 17:28:44 +01:00
Sébastien Helleu 898213b4f2 relay/api: return HTTP error 400 in case of invalid body in resource ping 2025-11-13 20:35:58 +01:00
Sébastien Helleu e6646d1ef1 relay/api: return HTTP error 404 instead of 400 when the buffer is not found in resources completion and input 2025-11-13 07:12:55 +01:00
Sébastien Helleu 69d47b68f5 core: update ChangeLog 2025-11-13 07:08:23 +01:00
Sébastien Helleu 1c53d3d466 api: add functions to parse integer numbers
New functions:

- util_parse_int
- util_parse_long
- util_parse_longlong
2025-11-12 20:24:00 +01:00
Sébastien Helleu 0dab9b9257 irc: display a warning for each unknown or invalid server option in commands /connect and /server 2025-11-01 16:02:53 +01:00
Sébastien Helleu 07ef353b1b irc: remove temporary servers and option irc.look.temporary_servers 2025-11-01 09:15:54 +01:00
Sébastien Helleu df3232fc80 core: move entries in ChangeLog 2025-10-26 18:11:39 +01:00
Sébastien Helleu 0009732f78 relay/api: return an error 401 when header "x-weechat-totp" has an invalid value 2025-10-26 09:19:43 +01:00
Sébastien Helleu e637e0de1c relay/api: return an error 400 when URL parameters "nicks", "lines" and "lines_free" have an invalid value 2025-10-26 08:07:23 +01:00
Sébastien Helleu 58c873809b relay/api: return an error 400 when URL parameter "colors" has an invalid value 2025-10-26 07:22:10 +01:00
Sébastien Helleu 1b669cd13c irc: fix warning on creation of irc.msgbuffer option when the server name contains upper case letters (closes #2281)
Now the following command is OK without warning:

  /set irc.msgbuffer.TEST.notice current

And the following command returns an error instead of a warning (that means the
option is NOT created):

  /set irc.msgbuffer.TEST.NOTICE current
2025-10-14 22:56:41 +02:00
Sébastien Helleu f854db17ff core: add hdata for hooks
New hooks:

- hook
- hook_command
- hook_command_run
- hook_completion
- hook_config
- hook_connect
- hook_fd
- hook_focus
- hook_hdata
- hook_hsignal
- hook_info
- hook_info_hashtable
- hook_infolist
- hook_line
- hook_modifier
- hook_print
- hook_process
- hook_signal
- hook_timer
- hook_url

New lists (for hooks of type "hook"):

- weechat_hooks_command, last_weechat_hook_command
- weechat_hooks_command_run, last_weechat_hook_command_run
- weechat_hooks_completion, last_weechat_hook_completion
- weechat_hooks_config, last_weechat_hook_config
- weechat_hooks_connect, last_weechat_hook_connect
- weechat_hooks_fd, last_weechat_hook_fd
- weechat_hooks_focus, last_weechat_hook_focus
- weechat_hooks_hdata, last_weechat_hook_hdata
- weechat_hooks_hsignal, last_weechat_hook_hsignal
- weechat_hooks_info, last_weechat_hook_info
- weechat_hooks_info_hashtable, last_weechat_hook_info_hashtable
- weechat_hooks_infolist, last_weechat_hook_infolist
- weechat_hooks_line, last_weechat_hook_line
- weechat_hooks_modifier, last_weechat_hook_modifier
- weechat_hooks_print, last_weechat_hook_print
- weechat_hooks_process, last_weechat_hook_process
- weechat_hooks_signal, last_weechat_hook_signal
- weechat_hooks_timer, last_weechat_hook_timer
- weechat_hooks_url, last_weechat_hook_url
2025-10-12 17:37:24 +02:00
Sébastien Helleu 72b2242135 irc: send SASL username with mechanism EXTERNAL (closes #2270)
The SASL username is sent if set, otherwise "+" is still sent.
2025-10-12 16:11:33 +02:00