e540d7a2cf
relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)
...
The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.
Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
2026-05-31 09:16:36 +02:00
5dbb96b66a
relay: limit size of decompressed websocket frame to prevent memory exhaustion (GHSA-v2v4-45wm-5cr3)
...
An authenticated relay client using the permessage-deflate websocket
extension could send a small compressed frame that decompresses to an
unbounded amount of data, exhausting all memory and crashing WeeChat.
The output buffer in relay_websocket_inflate is now capped to
WEBSOCKET_INFLATE_MAX_SIZE: frames decompressing beyond this limit are
rejected and the connection is closed.
2026-05-31 09:16:06 +02:00
f53e7fb9ef
core, plugins: fix typos in comments on functions, use imperative
2026-03-23 20:45:36 +01:00
106fe6ca7c
core: update copyright dates
2026-03-08 10:37:15 +01:00
e6646d1ef1
relay/api: return HTTP error 404 instead of 400 when the buffer is not found in resources completion and input
2025-11-13 07:12:55 +01:00
93d73d234f
relay/api: consider boolean/long query string parameters as invalid if they are empty
2025-10-26 18:12:02 +01:00
d05b83d03f
relay/api: return an error 401 when header "x-weechat-totp" is received with empty value
2025-10-26 10:11:10 +01:00
0009732f78
relay/api: return an error 401 when header "x-weechat-totp" has an invalid value
2025-10-26 09:19:43 +01:00
e637e0de1c
relay/api: return an error 400 when URL parameters "nicks", "lines" and "lines_free" have an invalid value
2025-10-26 08:07:23 +01:00
58c873809b
relay/api: return an error 400 when URL parameter "colors" has an invalid value
2025-10-26 07:22:10 +01:00
1db29cb1ed
relay/api: reject any invalid or unknown password hash algorithm in handshake resource
2025-07-02 20:32:09 +02:00
4348036e2e
tests: remove duplicated "HTTP/1.1" in some relay API tests
2025-07-02 20:32:09 +02:00
93ec10b563
relay/api: return HTTP error 405 (Method Not Allowed) when the method received is not allowed
2025-07-02 20:32:09 +02:00
9783256649
relay/api: use specifier %@ for times formatted by util_strftimeval
2025-05-18 22:15:39 +02:00
a1cbe63a42
tests: move CMake file, main C++/headers for tests and scripts to unit directory
2025-05-05 13:18:34 +02:00
2475f20cb7
all: move description of C files below the copyright and license
2025-03-31 11:47:49 +02:00
3a6ac9ee76
all: add SPDX license tag
2025-03-31 07:49:26 +02:00
d8987a1678
all: replace Copyright lines by SPDX copyright tag
2025-03-30 14:47:12 +02:00
547e2b934e
core: update copyright dates
2025-02-01 23:13:18 +01:00
d302294723
relay/api: always return a body with field "error" in error responses
2025-01-07 07:52:09 +01:00
60422ca6b1
relay: remove extra space in JSON authentication error
2025-01-07 07:28:45 +01:00
9d3388b09e
relay/api: use cjson lib to return errors
2025-01-07 07:23:55 +01:00
d10af1037b
relay/api: use cjson lib to build JSON body of handshake request
2025-01-07 07:18:01 +01:00
c6c420c698
relay: add completion resource
2025-01-05 14:54:07 +01:00
11faf85402
tests: add test for combining request headers
2024-11-24 16:15:35 +01:00
a414fb9da5
tests: add tests for auth via Sec-WebSocket-Protocol
2024-11-24 16:00:25 +01:00
9f67ae369c
spelling: negotiation
...
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com >
2024-09-28 21:22:56 +02:00
6fdf39165a
spelling: client
...
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com >
2024-09-28 18:22:41 +02:00
02847246b2
core, plugins, tests: fix octal notation in strings
2024-09-19 08:34:18 +02:00
6908eec160
tests: replace POINTERS_EQUAL by STRCMP_EQUAL in string comparisons with NULL
2024-09-14 10:26:42 +02:00
434c1ee3c4
relay/api: send the sync request at the same time as buffer data retrieval
...
This fixes events missed by the client when synchronizing after fetching data.
2024-08-25 21:13:38 +02:00
6bb4d64512
relay/api: allow array with multiple requests in websocket frame received from client
2024-08-25 20:48:52 +02:00
d4ca32832e
relay: redefine bar item "input_prompt" to display the connection status on remote buffers, if different from "connected"
2024-08-21 20:37:00 +02:00
a317c785fb
relay/api: add automatic reconnection to remote ( closes #2166 )
...
New options:
- remote option "autoreconnect_delay"
- relay.api.remote_autoreconnect_delay_growing
- relay.api.remote_autoreconnect_delay_max
2024-08-11 12:18:28 +02:00
24734c4fe0
relay/api: add field "tmie_displayed" in GET /api/buffers
2024-08-10 13:58:58 +02:00
41ab22554c
tests/relay/api: add missing fields in test of buffer to json function
2024-08-10 13:42:38 +02:00
b00f94dc70
relay/api: add field "hidden" in GET /api/buffers (issue #2159 )
2024-08-10 12:42:55 +02:00
07ef722c06
relay/api: disconnect cleanly when the remote is quitting ( closes #2168 )
2024-08-09 23:37:33 +02:00
6e775e4768
relay/api: close obsolete buffers when reconnecting to the remote
...
This closes all buffers that exist locally but not on the remote any more,
after reconnecting to the remote.
2024-08-09 18:08:31 +02:00
eb5399518e
relay/api: clear lines and nicklist on all remote buffers upon successful connection to the remote ( closes #2161 )
2024-08-09 18:01:59 +02:00
87a5620623
tests: fix typo in header
2024-08-09 07:24:11 +02:00
8c48b2f310
relay/api: fix connection to remote using an IPv6 address with square brackets ( closes #2156 )
2024-07-22 17:24:50 +02:00
3828a9f987
tests: add field "request_id" in tests of relay api protocol
2024-06-30 00:22:46 +02:00
f8f6e100d0
relay/api: always set "body_type" and "body" (null if there is no body) in websocket frame
2024-06-29 23:59:59 +02:00
555632b615
relay/remote: update buffer line on event "buffer_line_data_changed"
2024-06-27 21:39:21 +02:00
44238650bc
tests: relay: fix relay_http_parse_header function prototype
2024-06-07 12:39:40 +02:00
6b7137aa25
tests: reset option relay.network.websocket_allowed_origins after changing it in tests ( closes #2127 )
...
This fixes a test failure when the test changing the option is executed before
this one:
…/tests/unit/plugins/relay/api/test-relay-api-protocol.cpp:799: error: Failure in TEST(RelayApiProtocolWithClient, RecvJson)
expected <HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: Z5uTZwvwYNDm9w4HFGk26ijp/p0=
>
but was <HTTP/1.1 403 Forbidden
Content-Length: 0
>
difference starts at position 9 at: < HTTP/1.1 403 Forbid>
2024-06-07 12:33:17 +02:00
26fa0ea1b8
relay: enable websocket extension "permessage-deflate" with "api" relay only
2024-06-02 09:05:40 +02:00
9264803bc3
relay: fix websocket permessage-deflate extension when the client doesn't send the max window bits parameters
2024-06-01 15:15:01 +02:00
d05df9ee21
relay: fix allocation and reinit of field "client_context_takeover" in websocket deflate structure
2024-06-01 14:42:55 +02:00
Sébastien Helleu