1
0
mirror of https://github.com/weechat/weechat.git synced 2026-07-05 09:13:14 +02:00
Commit Graph

2089 Commits

Author SHA1 Message Date
aizu-m 12c4170fbf core: fix buffer overflow in function network_pass_socks5proxy (#2325)
bound the configured proxy username and password before they are copied into the fixed stack buffer in network_pass_socks5proxy, otherwise a login longer than the buffer (a long password or token) overruns it while building the SOCKS5 auth request.
2026-06-12 13:03:20 +02:00
Sébastien Helleu d15ce789a0 api: fix infinite loop in function string_replace when the search string is empty 2026-06-03 21:17:32 +02:00
Sébastien Helleu 1ca2a00255 core: fix timing attack on TOTP validation (GHSA-vhv8-g2r9-cwcc)
weecrypto_totp_validate compared the generated and client-supplied OTPs
with strcmp and broke out of the time-window loop on the first match.
Both choices leaked information via response timing: strcmp leaked the
expected OTP digit-by-digit (shrinking the brute-force search from
~10^digits to a handful of guesses within the 30-second window), and
the early break leaked which window offset matched.

Compare in constant time with string_memcmp_constant_time and always
iterate the full window, OR-ing the result into otp_ok without an
early exit.

This affects both relay protocols (which call totp_validate via the
public info hook) and any other caller of the info hook.
2026-05-31 09:14:24 +02:00
Sébastien Helleu 30230498b2 relay: fix timing attack on password authentication (GHSA-vhv8-g2r9-cwcc)
The relay authentication used non-constant-time comparisons (strcasecmp,
strcmp) to verify password hashes and plaintext passwords, allowing an
attacker to derive the expected hash byte-by-byte from response timing
and then authenticate without knowing the password.

- SHA/PBKDF2 hex hash comparisons: normalize the client-supplied hash to
  uppercase and compare in constant time over the fixed expected length.
- Plaintext password comparison: HMAC-SHA256 both passwords with a fresh
  per-call random key and compare the fixed-size MACs in constant time,
  hiding both per-byte timing and the password length.

Add string_memcmp_constant_time helper in core, exposed via the plugin
API. Bump WEECHAT_PLUGIN_API_VERSION accordingly.
2026-05-31 09:11:53 +02:00
Sébastien Helleu 564ad2d5cd core: set max curl version to 8.21.0 for symbol CURLAUTH_DIGEST_IE 2026-05-23 13:20:58 +02:00
Luc Schrijvers f0f77e1bd9 Build fix for Haiku 2026-05-23 13:19:08 +02:00
Sébastien Helleu f53e7fb9ef core, plugins: fix typos in comments on functions, use imperative 2026-03-23 20:45:36 +01:00
Sébastien Helleu d34eb40187 core: set max curl version to 8.20.0 for RTMP symbols
rtmp support has been dropped in curl, see:
https://github.com/curl/curl/commit/ceae02db040de3cf7ae4c3f8ec99e8286b568c2e
2026-03-21 17:59:48 +01:00
Sébastien Helleu f7267bc992 core: replace "mypassword" by "my_password" in /help secure 2026-03-21 17:27:02 +01:00
Sébastien Helleu 147d5b3f88 core: replace "mynick" by "andrew" in /help secure 2026-03-21 17:22:20 +01:00
Sébastien Helleu da4881959e core: replace "proxyname" by "proxy_name" in /help proxy 2026-03-21 13:28:38 +01:00
Sébastien Helleu 5e963c7546 core: replace "barname" by "bar_name" in /help bar 2026-03-21 13:23:55 +01:00
Sébastien Helleu 9bf2d51493 core: add option -e to evaluate all commands before executing them in command /eval 2026-03-14 00:03:27 +01:00
Sébastien Helleu 27ae6ca789 core: fix crash with /eval when the current buffer is closed in a command 2026-03-13 23:11:00 +01:00
Sébastien Helleu b82ce33c6c core: fix quotes in upgrade error message 2026-03-12 20:16:49 +01:00
Sébastien Helleu 01d2887b13 core: replace ellipsis by "etc." in /help secure 2026-03-09 23:01:29 +01:00
Sébastien Helleu ec6372f4df core: add missing double quote in /help hotlist 2026-03-09 22:51:20 +01:00
Sébastien Helleu 71329fd595 core: remove double quotes around buffer number in error message 2026-03-09 22:45:30 +01:00
Sébastien Helleu 106fe6ca7c core: update copyright dates 2026-03-08 10:37:15 +01:00
Sébastien Helleu 630f2e2e7c core: translate command line options separately in output of weechat --help 2026-03-08 09:10:29 +01:00
Sébastien Helleu eb0b01f62a core: move functions on command-line arguments to a separate source 2026-03-07 12:47:11 +01:00
Sébastien Helleu d0478bdc04 core: update copyright date 2026-03-07 00:02:34 +01:00
Emil Velikov 6442b938eb cmake: move zstd/cjson include handling
Move the respective include_directories() stansas to the top-level
cmakefile. While this technically adds them to targets where they are
not needed, there is no harm is having them.

This maskes the find_dependency/use_includes/use_libs more consistent
across the board and helps it stand out where it's forgotten. Fixes for
which will be coming at a later date.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
2026-02-04 22:21:26 +01:00
Emil Velikov 323ab8810e cmake: consolidate non-linux library handling
Move the handling to the top-level, adding it _once_ to EXTRA_LIBS.
Thus avoiding some duplication across the board.

Note that final handling varies a bit, namely:
 - OpenBSD/intl should be handled via the existing cmake/FindGettext.cmake
 - Darwin/resolv should not be needed since commit e98a32373 ("core: check
   if res_init requires linking with libresolv")
 - the backtrace/execinfo handling has been consolidated and moved

In the unlikely case of unwanted over-linking, the platforms can add
`-Wl,--as-needed` to their linker flags. Something which is strongly
encouraged and has been the default across multiple (linux) distros for
years.

Alternatively, if move quirks are needed they should be handled in a
single place.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
2026-02-04 22:21:26 +01:00
Sébastien Helleu f0160bf5ab core: add missing context in English message when a key is added with /key missing 2026-01-21 20:53:25 +01:00
Sébastien Helleu 22b335ce86 core: fix typo in /help help 2026-01-21 20:28:07 +01:00
Sébastien Helleu d5e6c94246 core: fix compiler warning on possible buffer overflow in function util_parse_time (closes #2289) 2025-11-30 11:21:42 +01:00
Sébastien Helleu c2ff484995 core, irc, relay: add tag "tls" in gnutls messages 2025-11-22 14:52:02 +01:00
Sébastien Helleu 4555f9a58a core: fix typo in comment 2025-11-15 20:15:32 +01:00
Sébastien Helleu 3e49b73117 api: fix file descriptor leak in hook_url (closes #2284)
This can happen after a timeout or if the hook is removed during the transfer.
2025-11-15 17:28:44 +01:00
Sébastien Helleu 1c53d3d466 api: add functions to parse integer numbers
New functions:

- util_parse_int
- util_parse_long
- util_parse_longlong
2025-11-12 20:24:00 +01:00
Sébastien Helleu 8032ca1433 core: display an error message in case of invalid size with commands /window splith and /window splitv 2025-11-12 07:26:01 +01:00
Sébastien Helleu ac69288ed7 core: display an error message in case of invalid size with command /window resize 2025-11-12 07:22:12 +01:00
Sébastien Helleu 0930976456 core: display an error if parameters are missing in command /window resize 2025-11-12 07:18:06 +01:00
Sébastien Helleu d5bfe35245 core: display an error if parameters are missing or if the buffer is not with "free content" in command /window scroll_horiz 2025-11-12 07:12:00 +01:00
Sébastien Helleu 90a42ee213 core: display an error if parameters are missing in command /window scroll 2025-11-12 07:08:33 +01:00
Sébastien Helleu 6981f9f204 core: display an error message if the window number is not found with command /window xxx -window N 2025-11-12 07:05:56 +01:00
Sébastien Helleu 237b07575b core: fix typo in comment 2025-11-11 10:57:51 +01:00
Sébastien Helleu cfcadd155d core: display an error message if the date can not be parsed with command /print -date 2025-11-11 10:41:55 +01:00
Sébastien Helleu d0298b4738 core: display a message with command /filter toggle
The command has now the same output as `/filter enable` or `/filter disable`:

  /filter toggle  =>  "Message filtering disabled"
  /filter toggle  =>  "Message filtering enabled"
2025-11-10 15:06:44 +01:00
Sébastien Helleu c0116febe5 core: display an error message in case of invalid parameters with command /cursor 2025-11-10 09:05:36 +01:00
Sébastien Helleu 8c6e6bb383 core: display full buffer name in output of command /buffer listvar 2025-11-10 09:04:13 +01:00
Sébastien Helleu c9d4dd48a0 core: display an error message if the buffer is not found with command /buffer listvar 2025-11-10 09:04:13 +01:00
Sébastien Helleu af41184889 core: fix return code of command /buffer renumber when the start number is invalid 2025-11-10 09:04:13 +01:00
Sébastien Helleu 6d7dd46015 core: display an error message if the bar is not found with command /bar scroll 2025-11-10 09:04:13 +01:00
Sébastien Helleu f854db17ff core: add hdata for hooks
New hooks:

- hook
- hook_command
- hook_command_run
- hook_completion
- hook_config
- hook_connect
- hook_fd
- hook_focus
- hook_hdata
- hook_hsignal
- hook_info
- hook_info_hashtable
- hook_infolist
- hook_line
- hook_modifier
- hook_print
- hook_process
- hook_signal
- hook_timer
- hook_url

New lists (for hooks of type "hook"):

- weechat_hooks_command, last_weechat_hook_command
- weechat_hooks_command_run, last_weechat_hook_command_run
- weechat_hooks_completion, last_weechat_hook_completion
- weechat_hooks_config, last_weechat_hook_config
- weechat_hooks_connect, last_weechat_hook_connect
- weechat_hooks_fd, last_weechat_hook_fd
- weechat_hooks_focus, last_weechat_hook_focus
- weechat_hooks_hdata, last_weechat_hook_hdata
- weechat_hooks_hsignal, last_weechat_hook_hsignal
- weechat_hooks_info, last_weechat_hook_info
- weechat_hooks_info_hashtable, last_weechat_hook_info_hashtable
- weechat_hooks_infolist, last_weechat_hook_infolist
- weechat_hooks_line, last_weechat_hook_line
- weechat_hooks_modifier, last_weechat_hook_modifier
- weechat_hooks_print, last_weechat_hook_print
- weechat_hooks_process, last_weechat_hook_process
- weechat_hooks_signal, last_weechat_hook_signal
- weechat_hooks_timer, last_weechat_hook_timer
- weechat_hooks_url, last_weechat_hook_url
2025-10-12 17:37:24 +02:00
Sébastien Helleu 222cb4876e core: set max version for Curl symbol CURLOPT_KRBLEVEL 2025-09-23 12:13:33 +02:00
Sébastien Helleu e2ae308e3b core: add option weechat.completion.cycle 2025-09-11 21:10:52 +02:00
Sébastien Helleu 665773b119 doc/api: add supported date/time format in function util_parse_time 2025-08-31 12:15:33 +02:00
Sébastien Helleu 1c09118fe1 api: allow lower characters "t" and "z" in function util_parse_time
The following dates are now parsed with the same result:

  2025-08-30T20:12:55.866643Z
  2025-08-30t20:12:55.866643z
2025-08-31 12:15:33 +02:00