mirror of https://github.com/weechat/weechat.git synced 2026-07-05 01:03:14 +02:00

61 Commits

Author SHA1 Message Date
Sébastien Helleu 3c302e078d relay: use util functions to parse integers 2026-06-20 17:30:41 +02:00
Sébastien Helleu 3687ce0f0f relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
A relay client could announce a huge websocket frame (or HTTP body via
"Content-Length") and dribble its payload, making WeeChat accumulate it
in a buffer that grew without limit, until all memory was exhausted. The
websocket frame path is reachable before authentication with the
"weechat" and "irc" protocols.

The announced websocket frame length and HTTP "Content-Length" are now
bounded by WEBSOCKET_FRAME_MAX_LENGTH and RELAY_HTTP_BODY_MAX_LENGTH: an
oversized websocket frame closes the connection, and an oversized body is
rejected.
2026-06-01 21:56:34 +02:00
Sébastien Helleu 5dbb96b66a relay: limit size of decompressed websocket frame to prevent memory exhaustion (GHSA-v2v4-45wm-5cr3)
An authenticated relay client using the permessage-deflate websocket
extension could send a small compressed frame that decompresses to an
unbounded amount of data, exhausting all memory and crashing WeeChat.

The output buffer in relay_websocket_inflate is now capped to
WEBSOCKET_INFLATE_MAX_SIZE: frames decompressing beyond this limit are
rejected and the connection is closed.
2026-05-31 09:16:06 +02:00
Sébastien Helleu f53e7fb9ef core, plugins: fix typos in comments on functions, use imperative 2026-03-23 20:45:36 +01:00
Sébastien Helleu 106fe6ca7c core: update copyright dates 2026-03-08 10:37:15 +01:00
Sébastien Helleu 2475f20cb7 all: move description of C files below the copyright and license 2025-03-31 11:47:49 +02:00
Sébastien Helleu 3a6ac9ee76 all: add SPDX license tag 2025-03-31 07:49:26 +02:00
Sébastien Helleu d8987a1678 all: replace Copyright lines by SPDX copyright tag 2025-03-30 14:47:12 +02:00
Aaron Jones f5038bccbc Fix function prototypes for list of arguments
At the moment, building WeeChat triggers several thousand -Wstrict-prototypes
diagnostics.  This is due to its source code using an empty argument list for
functions and function pointers that take no arguments, instead of explicitly
declaring that they take no arguments by using a void list.

This commit replaces all empty argument lists with a void list.

Note that Ruby's headers also suffer the same problem, which WeeChat can't
do anything to fix.  Thus, building WeeChat with the Ruby plugin enabled
will still issue approximately 30 such diagnostics.
2025-03-10 08:16:52 +01:00
Sébastien Helleu 547e2b934e core: update copyright dates 2025-02-01 23:13:18 +01:00
Sébastien Helleu b45d2105a5 relay: replace calls to malloc by weechat_asprintf 2024-12-21 15:31:39 +01:00
Trygve Aaberge bd7c503e7b relay/api: support passing auth in sub protocol header
The API for connecting to WebSockets in browsers unfortunately doesn't
support setting any Authorization header. This means that before this
commit it was impossible to connect to the API relay from a web browser.
The only thing that can be set apart from the URL is the
Sec-WebSocket-Protocol header. Therefore this allows you to send the
auth token in this header.

This is a weird way to send auth, but it seems to be the best one that
makes it possible for browsers to connect. Kubernetes also does it this
way: https://github.com/kubernetes/kubernetes/pull/47740

Here is a post describing the different ways to make it possible for a
browser to authenticate against a websocket connection, and it also
recommends doing it this way:
https://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api/77060459#77060459

Note that when this header is used to pass auth, the client also needs
to specify the `api.weechat` sub protocol. This is because the client
and server have to agree on a sub protocol when this header is
specified, and in order to not send the fake protocol used for auth back
to the client, we require specifying the protocol `api.weechat`, which
the server then returns to the client. This is only necessary when the
Sec-WebSocket-Protocol header is used. If the Authorization header is
used for auth as before, nothing changes.
2024-11-24 16:00:25 +01:00
Sébastien Helleu 26fa0ea1b8 relay: enable websocket extension "permessage-deflate" with "api" relay only 2024-06-02 09:05:40 +02:00
Sébastien Helleu 9264803bc3 relay: fix websocket permessage-deflate extension when the client doesn't send the max window bits parameters 2024-06-01 15:15:01 +02:00
Sébastien Helleu d05df9ee21 relay: fix allocation and reinit of field "client_context_takeover" in websocket deflate structure 2024-06-01 14:42:55 +02:00
Sébastien Helleu e39a309365 relay: add option relay.network.websocket_permessage_deflate 2024-06-01 12:58:17 +02:00
Sébastien Helleu 9a5a1fb300 plugins: remove check of NULL pointers before calling weechat_string_free_split() (issue #865) 2024-04-26 08:53:22 +02:00
Sébastien Helleu 7ee57af8e3 relay: remove check of NULL pointers before calling free() (issue #865) 2024-04-25 20:59:24 +02:00
Sébastien Helleu 90998bd296 relay/api: fix reconnection to remote after disconnection 2024-04-10 21:58:11 +02:00
Sébastien Helleu a3f3c9d09c relay: check that parameter ws_deflate is not NULL in function relay_websocket_deflate_free (issue #2066) 2024-04-07 13:18:13 +02:00
Sébastien Helleu 90b855e1aa relay: add connection to remote (issue #2066)
Connection to remote:

- handshake: offer support for all supported hash algorithms
- network connect with a socket
- upgrade to websocket and authenticate with remote (password/TOTP)
- check websocket response
- get list of buffers (not used yet)

Note: connection to remote with TLS or a proxy is not yet supported.
2024-04-07 13:18:13 +02:00
Sébastien Helleu 965beb37de core: fix print of pointer values 2024-04-01 21:08:52 +02:00
Sébastien Helleu 5c6e6f43d1 relay: disable "permessage-deflate" websocket extension when option relay.network.compression is set to 0 2024-02-04 18:54:56 +01:00
Sébastien Helleu 0414c139b0 relay: fix decoding of websocket frame when a partial frame is received 2024-02-04 18:52:00 +01:00
Sébastien Helleu b7ecf93a22 relay: fix websocket decompression when output buffer is not large enough 2024-02-04 18:23:40 +01:00
Sébastien Helleu f126255d6a core: add support of base64url in encode/decode functions (issue #2066) 2024-02-01 21:39:21 +01:00
Sébastien Helleu 6cfb31c306 relay: add support of websocket extension "permessage-deflate" (closes #1549)
This extension is used to compress and decompress websocket frames (using
the DEFLATE algorithm, with zlib).
2024-02-01 21:38:53 +01:00
Sébastien Helleu 8971fc069a relay: add "api" protocol (HTTP REST API) (issue #2066) 2024-02-01 21:38:49 +01:00
Sébastien Helleu eecb2a997e core: update copyright dates 2024-01-01 22:29:58 +01:00
Sébastien Helleu 33bba784c3 core: update copyright dates 2023-01-01 14:54:35 +01:00
Sébastien Helleu 40339b288a api: return newly allocated string in functions string_tolower and string_toupper 2022-12-18 14:28:58 +01:00
Sébastien Helleu c44b79dce7 core: update copyright dates 2022-01-17 18:41:06 +01:00
Sébastien Helleu d64050bafb relay: remove dead assignment in websocket decoding 2021-11-13 13:32:02 +01:00
Sébastien Helleu 97bdd51112 relay: fix crash when decoding a malformed websocket frame 2021-09-04 15:55:37 +02:00
Sébastien Helleu efc7a588d6 core: update copyright dates 2021-01-02 21:34:16 +01:00
Sébastien Helleu 0271eacbe5 relay: rename variable length_hash to hash_size 2020-03-01 23:14:55 +01:00
Sébastien Helleu 9a6a27ef58 core: move crypto functions to wee-crypto.c, rename API function string_hash to crypto_hash 2020-03-01 21:24:27 +01:00
Sébastien Helleu c4ef3d6c2e core: merge functions string_hash_binary and string_hash into a single function string_hash 2020-03-01 16:41:28 +01:00
Sébastien Helleu bb363ab27f relay: call function string_hash_binary in relay_websocket_build_handshake to compute SHA1 hash
This removes dependency on libgcrypt in relay plugin.
2020-03-01 09:03:49 +01:00
Sébastien Helleu feb6258910 core: update copyright dates 2020-01-04 10:41:26 +01:00
Sébastien Helleu 471f9c61da relay: remove obsolete comment 2019-02-24 16:13:04 +01:00
Sébastien Helleu 2b0057239b core: update copyright dates 2019-01-01 15:40:51 +01:00
Sébastien Helleu 4034d07d5a core: use https for links in comments 2018-12-01 08:21:49 +01:00
Sébastien Helleu 342261d35b core: use https for all links where secured http is supported 2018-11-29 23:18:55 +01:00
Sébastien Helleu 4712d0bb06 core: use https for links to GNU GPL license 2018-11-29 23:16:07 +01:00
Sébastien Helleu de8d640958 relay: add support of close frame in websocket connection (closes #1281) 2018-11-12 20:43:48 +01:00
Sébastien Helleu ed3f281ba9 api: add functions string_base_{encode,decode}, remove functions string_{encode,decode}_base64 2018-11-04 14:49:11 +01:00
Sébastien Helleu 8848b0e22a api: return integer in function string_encode_base64 2018-11-02 14:09:23 +01:00
Sébastien Helleu ecdbaef288 relay: remove useless test on length 2018-10-01 22:59:05 +02:00
Sébastien Helleu ed4837b2f6 core: update copyright dates 2018-01-05 00:54:18 +01:00