MarkLee131
c94df21130
test: cover empty-needle Replace and empty-delim Split ( #2009 )
2026-04-25 17:26:04 +08:00
MarkLee131
794ae6cd60
User: use constant-time compare for MD5/SHA256/plain password paths
...
CString::Equals falls through to strcmp, which short-circuits on the first
differing byte. That leaks the length of the common prefix between the
stored hash (or plain password) and the attacker's guess via response
timing. Argon2id already uses argon2id_verify which is constant-time.
Add a small ConstantTimeEquals helper and use it for the legacy MD5,
SHA256 and plain HASH_NONE branches. No new dependency: the helper is
~10 lines and works on builds without OpenSSL.
2026-04-25 10:39:13 +08:00
MarkLee131
04cf89beec
HTTPSock: reject CR/LF in AddHeader name/value
...
AddHeader wrote its arguments straight into the response stream. No
in-tree caller reaches it with attacker-controlled bytes today, but the
public API is exposed to module authors; one bad caller would be a
header-injection bug. Filter at the entry rather than at every caller.
2026-04-25 10:38:31 +08:00
MarkLee131
514b47cad3
ZNCString: guard Replace/Split against empty-width arguments
...
CString::Replace with an empty sReplace underflowed 'p += uReplaceWidth - 1'
to SIZE_MAX and then the per-iteration 'p++' brought p back to the same
byte, so the function looped forever appending sWith to the output and
eventually OOMed.
CString::Split with empty sDelim and bAllowEmpty=false spun in the
prefix-skip loops because strncasecmp(p, "", 0) is unconditionally 0 and
p += 0 never advances.
No in-tree caller currently passes the bad argument, but the public
library API should not be a bear trap for module authors. Same shape as
#1994 .
2026-04-25 10:38:02 +08:00
MarkLee131
b944299167
Utils: reject out-of-range years in ParseServerTime
...
cctz::parse into a microseconds time_point internally multiplies the
parsed seconds-since-epoch by 1,000,000 in signed int64. Years past ~292k
overflow, which is UB under UBSan or -ftrapv builds. In plain production
builds the overflow silently wraps and buffer playback shows a garbage
timestamp.
Reject anything with a year longer than 5 digits before calling into
cctz. 5 digits covers every realistic IRCv3 @time tag.
2026-04-25 10:36:53 +08:00
MarkLee131
026b88e2fa
ZNCString: avoid left shift of negative value in Base64Decode
...
base64_table uses the sentinel 0xff for bytes outside the base64 alphabet.
The old code read that through (char), producing signed -1, which made the
three (c << N) expressions in Base64Decode undefined behaviour when the
input contained any invalid byte.
Keep c and c1 as unsigned char so the shifts are well-defined. Reachable
pre-auth via CHTTPSock::ReadLine for the Authorization: Basic value.
2026-04-25 10:34:06 +08:00
Alexey Sokolov
94aa541793
ZNC 1.10.2-rc1
znc-1.10.2-rc1
2026-04-23 21:19:26 +01:00
dependabot[bot]
9ff31be416
Bump docker/login-action from 3 to 4
...
Bumps [docker/login-action](https://github.com/docker/login-action ) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](https://github.com/docker/login-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-01 15:21:14 +00:00
dependabot[bot]
0fe69f3145
Bump codecov/codecov-action from 5 to 6
...
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action ) from 5 to 6.
- [Release notes](https://github.com/codecov/codecov-action/releases )
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/codecov/codecov-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-01 15:21:09 +00:00
dependabot[bot]
4825289561
Bump docker/metadata-action from 5 to 6
...
Bumps [docker/metadata-action](https://github.com/docker/metadata-action ) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases )
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/metadata-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-01 15:21:05 +00:00
dependabot[bot]
05aa47bd91
Bump docker/build-push-action from 6 to 7
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-01 15:20:59 +00:00
Alexey Sokolov
8566db72dd
Merge pull request #1995 from jabberwock/fix/getparamscolon-bounds-check
...
Message: add bounds check in GetParamsColon when uIdx >= params.size()
2026-03-17 18:05:39 +00:00
jabberwock
20908fc2d1
test: add GetParamsColon unit tests including out-of-bounds uIdx cases
2026-03-17 09:39:50 -07:00
jabberwock
94aeaa02bf
Message: add bounds check in GetParamsColon when uIdx >= params.size()
...
Without this check, when uIdx >= m_vsParams.size() and the vector is
non-empty, the subtraction in the clamp condition underflows to SIZE_MAX.
GetParamsSplit() already has the equivalent check at the top of the
function; this brings GetParamsColon() in line with it.
Fixes #1994
2026-03-17 09:39:50 -07:00
Alexey Sokolov
55d34645de
Merge pull request #1992 from TehPeGaSuS/patch-2
...
Fix formatting in ZNC connection message
2026-03-10 18:45:27 +00:00
TehPeGaSuS
4c0483adfa
Use user configured network
...
Use user configured network on the IRC client connection message example, so it turns from `/server <znc_server_ip> 1025 Admin:<pass>` to `/server <znc_server_ip> 1025 Admin/libera:<pass>`.
Should have done this from the start... 😅
2026-03-10 10:26:35 +01:00
TehPeGaSuS
9cb82dad06
Fix formatting in ZNC connection message
...
Make IRC client connection example consistent with the line above
2026-03-10 10:02:55 +01:00
dependabot[bot]
e76c4df386
Bump actions/upload-artifact from 6 to 7
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-01 12:32:22 +00:00
Alexey Sokolov
84be3d0f0b
Merge pull request #1990 from danny8376/webadmin-pass-w-space
...
Fix webadmin serverlist parsing for password containing space
2026-02-27 00:00:45 +00:00
DannyAAM
c2a760709c
Fix webadmin serverlist parsing for password containing space
2026-02-26 21:57:50 +08:00
Alexey Sokolov
ad7bd6d7ee
Don't try to join channel which ZNC is already on.
...
When Goguma connects to ZNC, it joins the joined channels again and
again, triggering flood protection.
Note: even with this fix, the Goguma+ZNC experience is still pretty bad
and requires doing something about repeating chat history
2026-01-26 22:15:23 +00:00
Alexey Sokolov
a187ae180e
Merge pull request #1987 from znc/dependabot/github_actions/actions/upload-artifact-6
...
Bump actions/upload-artifact from 5 to 6
2026-01-01 17:01:41 +00:00
Alexey Sokolov
e9a1f0d975
Merge pull request #1989 from Un1matr1x/issues/1988
...
Welcome to 2026
2026-01-01 14:55:26 +00:00
Falk Rund
ad6a397ca4
Welcome to 2026
...
[skip ci]
2026-01-01 13:44:32 +01:00
dependabot[bot]
bd99d51122
Bump actions/upload-artifact from 5 to 6
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-01-01 12:01:34 +00:00
Alexey Sokolov
418628a0d9
Merge pull request #1985 from znc/dependabot/github_actions/actions/checkout-6
...
Bump actions/checkout from 5 to 6
2025-12-12 01:09:26 +00:00
ZNC-Jenkins
fbfd391ec3
Update translations from Crowdin for bg_BG
2025-12-11 00:27:03 +00:00
dependabot[bot]
1ae1b0a520
Bump actions/checkout from 5 to 6
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-12-10 00:59:37 +00:00
Alexey Sokolov
d8b8c16783
Merge branch '1.10.x'
2025-12-10 00:55:07 +00:00
Dominique Leuenberger
49af1c8d53
Fix build with SWIG 4.4
...
SWIG 4.4 has dropped the usage of SWIG_NULLPTR again, which means we can't
rely on its presence to identify SWIG >= 4.2.0
Generate a swig_version.h by parsing the output of `swig -version` and
writing this in a hex representation
Fixes #1979
2025-12-10 00:34:39 +00:00
ZNC-Jenkins
18416d7df6
Update translations from Crowdin for
2025-12-06 00:26:11 +00:00
ZNC-Jenkins
7c2571ff03
Update translations from Crowdin for
2025-12-06 00:26:10 +00:00
ZNC-Jenkins
0d651d6f67
Update translations from Crowdin for de_DE
2025-11-20 00:26:22 +00:00
ZNC-Jenkins
bfa58f6892
Update translations from Crowdin for de_DE
2025-11-20 00:26:21 +00:00
ZNC-Jenkins
4aa81e07f6
Update translations from Crowdin for
2025-11-15 00:29:28 +00:00
ZNC-Jenkins
7747f9bb1d
Update translations from Crowdin for
2025-11-15 00:29:23 +00:00
ZNC-Jenkins
ea22b297fc
Update translations from Crowdin for de_DE nl_NL
2025-11-10 00:26:12 +00:00
ZNC-Jenkins
4115baa9f4
Update translations from Crowdin for de_DE nl_NL
2025-11-10 00:26:11 +00:00
ZNC-Jenkins
74a5da185c
Update translations from Crowdin for de_DE
2025-11-09 00:26:22 +00:00
ZNC-Jenkins
3427c58246
Update translations from Crowdin for de_DE
2025-11-09 00:26:17 +00:00
ZNC-Jenkins
7847b4c007
Update translations from Crowdin for
2025-11-08 00:26:26 +00:00
ZNC-Jenkins
530b2ac7b8
Update translations from Crowdin for
2025-11-08 00:26:25 +00:00
ZNC-Jenkins
cb1d4aae94
Update translations from Crowdin for de_DE
2025-11-07 00:26:39 +00:00
Alexey Sokolov
81a76a05b0
Merge pull request #1982 from bastelratte/syntax_de
...
Update autoreply.de_DE.po
2025-11-06 00:57:00 +00:00
bastelratte
97fc8be37a
Update autoreply.de_DE.po
...
Correction DE when = wenn
2025-11-05 21:14:08 +01:00
Alexey Sokolov
2df0206d06
Merge pull request #1980 from znc/dependabot/github_actions/actions/upload-artifact-5
...
Bump actions/upload-artifact from 4 to 5
2025-11-01 12:38:56 +00:00
Alexey Sokolov
cf889c1727
Merge pull request #1981 from znc/dependabot/github_actions/github/codeql-action-4
...
Bump github/codeql-action from 3 to 4
2025-11-01 12:38:19 +00:00
dependabot[bot]
1586688217
Bump github/codeql-action from 3 to 4
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-01 12:01:28 +00:00
dependabot[bot]
19b3cc0e2b
Bump actions/upload-artifact from 4 to 5
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '5'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-01 12:01:23 +00:00
ZNC-Jenkins
447f503f4c
Update translations from Crowdin for pl_PL
2025-10-26 00:26:21 +00:00