mirror of https://github.com/weechat/weechat.git synced 2026-07-05 17:23:15 +02:00
Commit Graph

2118 Commits

Author SHA1 Message Date
Sébastien Helleu afd2728255 core: add weechat.look.theme option and theme_applying guard
Add a new string option "weechat.look.theme" holding the name of the
last theme applied via the upcoming /theme command. It is set
automatically by /theme apply and persisted on disk for /theme info to
display after restart; it is NOT re-applied at startup (the user's
saved color values win to avoid clobbering manual post-apply tweaks).

Amend config_change_color so it skips the gui_color_init_weechat ()
and gui_window_ask_refresh (1) calls when theme_applying is set.
/theme apply will set this flag while iterating overrides so the N
individual option changes do not trigger N redundant screen refreshes;
the apply path then performs a single refresh at the end.
2026-07-05 00:45:58 +02:00
Sébastien Helleu 3e0c5ff556 core: add core-theme skeleton and theme registry
Introduce a new module (core-theme.{c,h}) holding the in-memory registry
of built-in themes used by the upcoming /theme command:

- struct t_theme stores name, description, date and weechat version
  captured at registration time, plus a hashtable of overrides keyed by
  full option name (file.section.option) -> value string.
- theme_register (name, overrides) creates a new theme or merges the
  given overrides into an existing one (later calls override duplicate
  keys); this is the API plugins and scripts will use to contribute
  per-theme color values.
- theme_search and theme_list provide lookup and ordered enumeration.
- theme_init / theme_end are called from weechat_init / weechat_end.

The theme_applying flag is declared here but not yet consumed (it will
gate config_change_color in the next commit to avoid N redundant
window refreshes during /theme apply).

User theme files are not handled by this module: they are read
transiently inside /theme apply (a later commit) and never cached.
2026-07-05 00:45:58 +02:00
Sébastien Helleu 68d5004e12 core: add themable flag to configuration options
Add an "int themable" field on struct t_config_option. The flag is set
automatically for every CONFIG_OPTION_TYPE_COLOR option, and may be set
explicitly on any other type by suffixing the type argument with
"|themable" in the call to config_file_new_option (e.g. "string|themable"
for a string option whose value contains "${color:...}" references).

Opt in the relevant string options in core and in the buflist, fset, irc,
relay plugins.

The flag is exposed via hdata, infolist, and print_log so scripts and
/debug can read it. This is the foundation for an upcoming /theme
command that will only be allowed to modify themable options.
2026-07-05 00:45:58 +02:00
Sébastien Helleu 5a341c69f5 core: set max curl version to 8.22.0 for TLSAUTH symbols 2026-07-05 00:45:03 +02:00
Sébastien Helleu f4564a1cb0 core, api: remove unneeded cast to time_t
The field `tv_sec` of struct timeval is already time_t, the cast is not needed.
2026-06-20 21:50:25 +02:00
Sébastien Helleu c4dfb16df0 core: use function util_parse_longlong to parse date in command /print 2026-06-20 17:30:42 +02:00
Sébastien Helleu 6facd390fe core: use function util_parse_longlong to parse time in function hdata_set 2026-06-20 17:30:41 +02:00
Sébastien Helleu 7e3afaf46d core, api: use "const char *" variables for result of string functions with const parameter 2026-06-15 07:52:10 +02:00
Sébastien Helleu cf702d541f api: change type of parameter "pos_option_name" to "const char **" in function config_search_with_string 2026-06-15 07:29:33 +02:00
aizu-m e60786d059 core: fix buffer overflow in function network_pass_socks5proxy (#2325)
Bound the configured proxy username and password before they are copied into the fixed stack buffer in network_pass_socks5proxy, otherwise a login longer than the buffer (a long password or token) overruns it while building the SOCKS5 auth request.
2026-06-12 13:00:17 +02:00
Sébastien Helleu b802681230 api: fix infinite loop in function string_replace when the search string is empty 2026-06-03 21:15:16 +02:00
aizu-m 07871f123f core: fix possible integer truncation in function eval_string_split (#2320) 2026-06-01 10:25:35 +02:00
Sébastien Helleu 43a118ac47 core: fix timing attack on TOTP validation (GHSA-vhv8-g2r9-cwcc)
weecrypto_totp_validate compared the generated and client-supplied OTPs
with strcmp and broke out of the time-window loop on the first match.
Both choices leaked information via response timing: strcmp leaked the
expected OTP digit-by-digit (shrinking the brute-force search from
~10^digits to a handful of guesses within the 30-second window), and
the early break leaked which window offset matched.

Compare in constant time with string_memcmp_constant_time and always
iterate the full window, OR-ing the result into otp_ok without an
early exit.

This affects both relay protocols (which call totp_validate via the
public info hook) and any other caller of the info hook.
2026-05-31 09:16:46 +02:00
Sébastien Helleu 6948aea626 relay: fix timing attack on password authentication (GHSA-vhv8-g2r9-cwcc)
The relay authentication used non-constant-time comparisons (strcasecmp,
strcmp) to verify password hashes and plaintext passwords, allowing an
attacker to derive the expected hash byte-by-byte from response timing
and then authenticate without knowing the password.

- SHA/PBKDF2 hex hash comparisons: normalize the client-supplied hash to
  uppercase and compare in constant time over the fixed expected length.
- Plaintext password comparison: HMAC-SHA256 both passwords with a fresh
  per-call random key and compare the fixed-size MACs in constant time,
  hiding both per-byte timing and the password length.

Add string_memcmp_constant_time helper in core, exposed via the plugin
API. Bump WEECHAT_PLUGIN_API_VERSION accordingly.
2026-05-31 09:16:15 +02:00
Sébastien Helleu d7fd2b7b0b core: define author name/email as constants
This fixes the following compiler warning:

src/core/core-args.c:180: warning: Message contains an embedded email address.  Better move it out of the translatable string, see https://www.gnu.org/software/gettext/manual/html_node/No-embedded-URLs.html
2026-05-30 13:39:45 +02:00
Sébastien Helleu 3e994996c6 core: set max curl version to 8.21.0 for symbol CURLAUTH_DIGEST_IE 2026-05-12 13:12:12 +02:00
Sébastien Helleu 17b593325a core: complete /help away by mentioning the option irc.look.display_away 2026-05-04 18:47:04 +02:00
Sébastien Helleu 3082c2e4e5 core: add condition on connected relay api clients in default value of option weechat.look.hotlist_add_conditions 2026-04-28 21:30:51 +02:00
Sébastien Helleu 0c29e5a630 core: fix possible integer truncation in functions eval_string_cut and eval_string_repeat 2026-04-10 21:48:56 +02:00
Sébastien Helleu 77a0dbfd44 core: remove dead code 2026-04-10 21:48:37 +02:00
Sébastien Helleu 54eff44d74 core: check error ERANGE after call to strtoul in function util_version_number 2026-04-05 15:33:33 +02:00
Sébastien Helleu 83d760deae core: check error ERANGE after call to strtoull in function util_parse_delay 2026-04-05 15:33:33 +02:00
Sébastien Helleu 5147b19e51 core: use function util_parse_longlong in function util_parse_time 2026-04-05 15:33:33 +02:00
Sébastien Helleu 50959eeb01 core: use function util_parse_longlong in upgrade functions 2026-04-05 15:33:33 +02:00
Sébastien Helleu ac2ed69c0b core: use function util_parse_longlong in function sys_setrlimit 2026-04-05 15:33:33 +02:00
Sébastien Helleu 2f7f707df0 core: use function util_parse_longlong in function string_parse_size 2026-04-05 15:33:33 +02:00
Sébastien Helleu 94e5de4836 core: use function util_parse_int in function string_get_priority_and_name 2026-04-05 15:33:33 +02:00
Sébastien Helleu 38f9a5587f core: use util functions to parse integers in function network_connect_child_read_cb 2026-04-05 15:33:33 +02:00
Sébastien Helleu 6432711798 core: use util functions to parse integers in hook functions 2026-04-05 15:33:33 +02:00
Sébastien Helleu 81c23a5134 core: use util functions to parse integers in hdata functions 2026-04-05 15:33:33 +02:00
Sébastien Helleu 6336c22293 core: use util functions to parse integers in eval functions 2026-04-05 15:33:33 +02:00
Sébastien Helleu 6658122b03 core: use util functions to parse integers in config functions 2026-04-05 15:33:33 +02:00
Sébastien Helleu 7e8f8b5178 core: use util functions to parse integers in core commands 2026-04-05 15:33:33 +02:00
Emil Velikov 7d88e53182 Bump required zstd to v1.4.0
Bump the requirement to v1.4.0, which means we can remove all the ifdef
guards.

It was released over 6 years ago, with the latest release being 1.5.7.

The oldest distributions we target, Ubuntu 20.04 and Debian Bullseye,
have 1.4.4 and 1.4.8 respectively.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
2026-03-29 18:39:02 +02:00
Luc Schrijvers 8fe741e057 Build fix for Haiku 2026-03-29 18:31:27 +02:00
Sébastien Helleu f53e7fb9ef core, plugins: fix typos in comments on functions, use imperative 2026-03-23 20:45:36 +01:00
Sébastien Helleu d34eb40187 core: set max curl version to 8.20.0 for RTMP symbols
rtmp support has been dropped in curl, see:
https://github.com/curl/curl/commit/ceae02db040de3cf7ae4c3f8ec99e8286b568c2e
2026-03-21 17:59:48 +01:00
Sébastien Helleu f7267bc992 core: replace "mypassword" by "my_password" in /help secure 2026-03-21 17:27:02 +01:00
Sébastien Helleu 147d5b3f88 core: replace "mynick" by "andrew" in /help secure 2026-03-21 17:22:20 +01:00
Sébastien Helleu da4881959e core: replace "proxyname" by "proxy_name" in /help proxy 2026-03-21 13:28:38 +01:00
Sébastien Helleu 5e963c7546 core: replace "barname" by "bar_name" in /help bar 2026-03-21 13:23:55 +01:00
Sébastien Helleu 9bf2d51493 core: add option -e to evaluate all commands before executing them in command /eval 2026-03-14 00:03:27 +01:00
Sébastien Helleu 27ae6ca789 core: fix crash with /eval when the current buffer is closed in a command 2026-03-13 23:11:00 +01:00
Sébastien Helleu b82ce33c6c core: fix quotes in upgrade error message 2026-03-12 20:16:49 +01:00
Sébastien Helleu 01d2887b13 core: replace ellipsis by "etc." in /help secure 2026-03-09 23:01:29 +01:00
Sébastien Helleu ec6372f4df core: add missing double quote in /help hotlist 2026-03-09 22:51:20 +01:00
Sébastien Helleu 71329fd595 core: remove double quotes around buffer number in error message 2026-03-09 22:45:30 +01:00
Sébastien Helleu 106fe6ca7c core: update copyright dates 2026-03-08 10:37:15 +01:00
Sébastien Helleu 630f2e2e7c core: translate command line options separately in output of weechat --help 2026-03-08 09:10:29 +01:00
Sébastien Helleu eb0b01f62a core: move functions on command-line arguments to a separate source 2026-03-07 12:47:11 +01:00