A malicious or compromised IRC server could send data with no end-of-line
(or a flood of "005" messages), making WeeChat accumulate it in a buffer
that grew without limit, until all memory was exhausted.

The unterminated received message and the accumulated "005" (ISUPPORT)
data are now bounded by IRC_SERVER_RECV_MSG_MAX_LENGTH and
IRC_SERVER_ISUPPORT_MAX_LENGTH: extra data is ignored once the limit is
reached.

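The bounded accumulation described in the message above, as an added sketch that is not WeeChat's code: the struct, the function names `recv_keep` and `recv_feed`, and the 512-byte cap are assumptions made for this illustration. The pending unterminated message never grows past the cap, bytes beyond it are ignored, and the state resets at the next end-of-line.

```c
#include <stdio.h>
#include <string.h>
/* Demo cap standing in for IRC_SERVER_RECV_MSG_MAX_LENGTH (value assumed). */
#define RECV_MSG_MAX_LENGTH 512

struct recv_state {
    char   msg[RECV_MSG_MAX_LENGTH]; /* pending unterminated message */
    size_t len;                      /* bytes kept in msg */
    size_t dropped;                  /* bytes ignored because the cap was hit */
    size_t last_len;                 /* length of the last completed message */
};

/* Keep at most RECV_MSG_MAX_LENGTH bytes of the pending message, ignore the rest. */
static void recv_keep(struct recv_state *s, const char *p, size_t n)
{
    size_t room = RECV_MSG_MAX_LENGTH - s->len;
    size_t take = (n < room) ? n : room;
    memcpy(s->msg + s->len, p, take);
    s->len += take;
    s->dropped += n - take;
}

/* Feed one chunk read from the socket; returns the number of completed messages. */
static int recv_feed(struct recv_state *s, const char *chunk, size_t n)
{
    int completed = 0;
    while (n > 0) {
        const char *nl = memchr(chunk, '\n', n);
        size_t seg = nl ? (size_t)(nl - chunk) : n;
        recv_keep(s, chunk, seg);
        if (!nl) break;              /* still unterminated: wait for more data */
        s->last_len = s->len;        /* a real client would parse msg[0..len) here */
        s->len = 0;
        completed++;
        chunk = nl + 1;
        n -= seg + 1;
    }
    return completed;
}

int main(void)
{
    struct recv_state s = {0};
    char flood[4096];                /* constructed input: no end-of-line anywhere */
    memset(flood, 'A', sizeof(flood));
    for (int i = 0; i < 256; i++) recv_feed(&s, flood, sizeof(flood)); /* 1 MiB */
    printf("kept=%zu dropped=%zu\n", s.len, s.dropped);
    printf("completed=%d\n", recv_feed(&s, "\nPING :x\r\n", 10));
    return 0;
}
```
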
The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.

Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.

An authenticated relay client using the permessage-deflate websocket
extension could send a small compressed frame that decompresses to an
unbounded amount of data, exhausting all memory and crashing WeeChat.

The output buffer in relay_websocket_inflate is now capped to
WEBSOCKET_INFLATE_MAX_SIZE: frames decompressing beyond this limit are
rejected and the connection is closed.

Before parsing IRC messages, they were almost all changed to convert IRC color
codes to WeeChat color codes, which caused some bugs when storing data like
account and real names (stored with WeeChat color codes instead of IRC colors).

Now the messages are parsed as-is, then the colors are converted only when
strings are displayed in a buffer by `weechat_printf()`.

This fixes a test failure when the test changing the option is executed before
this one:
…/tests/unit/plugins/relay/api/test-relay-api-protocol.cpp:799: error: Failure in TEST(RelayApiProtocolWithClient, RecvJson)
expected <HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: Z5uTZwvwYNDm9w4HFGk26ijp/p0=
>
but was <HTTP/1.1 403 Forbidden
Content-Length: 0
>
difference starts at position 9 at: < HTTP/1.1 403 Forbid>

1: error: Failure in TEST(RelayApiMsg, HotlistToJson)
1: expected <2024-05-26T10:29:37.716512Z>
1: but was <2024-05-26T10:29:37.000000Z>
1: difference starts at position 20 at: <T10:29:37.000000Z >