Commit Graph

5987 Commits

Author SHA1 Message Date
MarkLee131 c94df21130 test: cover empty-needle Replace and empty-delim Split (#2009) 2026-04-25 17:26:04 +08:00
MarkLee131 794ae6cd60 User: use constant-time compare for MD5/SHA256/plain password paths
CString::Equals falls through to strcmp, which short-circuits on the first
differing byte. That leaks the length of the common prefix between the
stored hash (or plain password) and the attacker's guess via response
timing. Argon2id already uses argon2id_verify which is constant-time.

Add a small ConstantTimeEquals helper and use it for the legacy MD5,
SHA256 and plain HASH_NONE branches. No new dependency: the helper is
~10 lines and works on builds without OpenSSL.
2026-04-25 10:39:13 +08:00
MarkLee131 04cf89beec HTTPSock: reject CR/LF in AddHeader name/value
AddHeader wrote its arguments straight into the response stream. No
in-tree caller reaches it with attacker-controlled bytes today, but the
public API is exposed to module authors; one bad caller would be a
header-injection bug. Filter at the entry rather than at every caller.
2026-04-25 10:38:31 +08:00
MarkLee131 514b47cad3 ZNCString: guard Replace/Split against empty-width arguments
CString::Replace with an empty sReplace underflowed 'p += uReplaceWidth - 1'
to SIZE_MAX and then the per-iteration 'p++' brought p back to the same
byte, so the function looped forever appending sWith to the output and
eventually OOMed.

CString::Split with empty sDelim and bAllowEmpty=false spun in the
prefix-skip loops because strncasecmp(p, "", 0) is unconditionally 0 and
p += 0 never advances.

No in-tree caller currently passes the bad argument, but the public
library API should not be a bear trap for module authors. Same shape as
#1994.
2026-04-25 10:38:02 +08:00
MarkLee131 b944299167 Utils: reject out-of-range years in ParseServerTime
cctz::parse into a microseconds time_point internally multiplies the
parsed seconds-since-epoch by 1,000,000 in signed int64. Years past ~292k
overflow, which is UB under UBSan or -ftrapv builds. In plain production
builds the overflow silently wraps and buffer playback shows a garbage
timestamp.

Reject anything with a year longer than 5 digits before calling into
cctz. 5 digits covers every realistic IRCv3 @time tag.
2026-04-25 10:36:53 +08:00
MarkLee131 026b88e2fa ZNCString: avoid left shift of negative value in Base64Decode
base64_table uses the sentinel 0xff for bytes outside the base64 alphabet.
The old code read that through (char), producing signed -1, which made the
three (c << N) expressions in Base64Decode undefined behaviour when the
input contained any invalid byte.

Keep c and c1 as unsigned char so the shifts are well-defined. Reachable
pre-auth via CHTTPSock::ReadLine for the Authorization: Basic value.
2026-04-25 10:34:06 +08:00
Alexey Sokolov 94aa541793 ZNC 1.10.2-rc1 znc-1.10.2-rc1 2026-04-23 21:19:26 +01:00
dependabot[bot] 9ff31be416 Bump docker/login-action from 3 to 4
Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:21:14 +00:00
dependabot[bot] 0fe69f3145 Bump codecov/codecov-action from 5 to 6
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5 to 6.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5...v6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:21:09 +00:00
dependabot[bot] 4825289561 Bump docker/metadata-action from 5 to 6
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:21:05 +00:00
dependabot[bot] 05aa47bd91 Bump docker/build-push-action from 6 to 7
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:20:59 +00:00
Alexey Sokolov 8566db72dd Merge pull request #1995 from jabberwock/fix/getparamscolon-bounds-check
Message: add bounds check in GetParamsColon when uIdx >= params.size()
2026-03-17 18:05:39 +00:00
jabberwock 20908fc2d1 test: add GetParamsColon unit tests including out-of-bounds uIdx cases 2026-03-17 09:39:50 -07:00
jabberwock 94aeaa02bf Message: add bounds check in GetParamsColon when uIdx >= params.size()
Without this check, when uIdx >= m_vsParams.size() and the vector is
non-empty, the subtraction in the clamp condition underflows to SIZE_MAX.
GetParamsSplit() already has the equivalent check at the top of the
function; this brings GetParamsColon() in line with it.

Fixes #1994
2026-03-17 09:39:50 -07:00
Alexey Sokolov 55d34645de Merge pull request #1992 from TehPeGaSuS/patch-2
Fix formatting in ZNC connection message
2026-03-10 18:45:27 +00:00
TehPeGaSuS 4c0483adfa Use user configured network
Use user configured network on the IRC client connection message example, so it turns from `/server <znc_server_ip> 1025 Admin:<pass>` to `/server <znc_server_ip> 1025 Admin/libera:<pass>`.

Should have done this from the start... 😅
2026-03-10 10:26:35 +01:00
TehPeGaSuS 9cb82dad06 Fix formatting in ZNC connection message
Make IRC client connection example consistent with the line above
2026-03-10 10:02:55 +01:00
dependabot[bot] e76c4df386 Bump actions/upload-artifact from 6 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-01 12:32:22 +00:00
Alexey Sokolov 84be3d0f0b Merge pull request #1990 from danny8376/webadmin-pass-w-space
Fix webadmin serverlist parsing for password containing space
2026-02-27 00:00:45 +00:00
DannyAAM c2a760709c Fix webadmin serverlist parsing for password containing space 2026-02-26 21:57:50 +08:00
Alexey Sokolov ad7bd6d7ee Don't try to join channel which ZNC is already on.
When Goguma connects to ZNC, it joins the joined channels again and
again, triggering flood protection.

Note: even with this fix, the Goguma+ZNC experience is still pretty bad
and requires doing something about repeating chat history
2026-01-26 22:15:23 +00:00
Alexey Sokolov a187ae180e Merge pull request #1987 from znc/dependabot/github_actions/actions/upload-artifact-6
Bump actions/upload-artifact from 5 to 6
2026-01-01 17:01:41 +00:00
Alexey Sokolov e9a1f0d975 Merge pull request #1989 from Un1matr1x/issues/1988
Welcome to 2026
2026-01-01 14:55:26 +00:00
Falk Rund ad6a397ca4 Welcome to 2026
[skip ci]
2026-01-01 13:44:32 +01:00
dependabot[bot] bd99d51122 Bump actions/upload-artifact from 5 to 6
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-01 12:01:34 +00:00
Alexey Sokolov 418628a0d9 Merge pull request #1985 from znc/dependabot/github_actions/actions/checkout-6
Bump actions/checkout from 5 to 6
2025-12-12 01:09:26 +00:00
ZNC-Jenkins fbfd391ec3 Update translations from Crowdin for bg_BG 2025-12-11 00:27:03 +00:00
dependabot[bot] 1ae1b0a520 Bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-10 00:59:37 +00:00
Alexey Sokolov d8b8c16783 Merge branch '1.10.x' 2025-12-10 00:55:07 +00:00
Dominique Leuenberger 49af1c8d53 Fix build with SWIG 4.4
SWIG 4.4 has dropped the usage of SWIG_NULLPTR again, which means we can't
rely on its presence to identify SWIG >= 4.2.0

Generate a swig_version.h by parsing the output of `swig -version` and
writing this in a hex representation

Fixes #1979
2025-12-10 00:34:39 +00:00
ZNC-Jenkins 18416d7df6 Update translations from Crowdin for 2025-12-06 00:26:11 +00:00
ZNC-Jenkins 7c2571ff03 Update translations from Crowdin for 2025-12-06 00:26:10 +00:00
ZNC-Jenkins 0d651d6f67 Update translations from Crowdin for de_DE 2025-11-20 00:26:22 +00:00
ZNC-Jenkins bfa58f6892 Update translations from Crowdin for de_DE 2025-11-20 00:26:21 +00:00
ZNC-Jenkins 4aa81e07f6 Update translations from Crowdin for 2025-11-15 00:29:28 +00:00
ZNC-Jenkins 7747f9bb1d Update translations from Crowdin for 2025-11-15 00:29:23 +00:00
ZNC-Jenkins ea22b297fc Update translations from Crowdin for de_DE nl_NL 2025-11-10 00:26:12 +00:00
ZNC-Jenkins 4115baa9f4 Update translations from Crowdin for de_DE nl_NL 2025-11-10 00:26:11 +00:00
ZNC-Jenkins 74a5da185c Update translations from Crowdin for de_DE 2025-11-09 00:26:22 +00:00
ZNC-Jenkins 3427c58246 Update translations from Crowdin for de_DE 2025-11-09 00:26:17 +00:00
ZNC-Jenkins 7847b4c007 Update translations from Crowdin for 2025-11-08 00:26:26 +00:00
ZNC-Jenkins 530b2ac7b8 Update translations from Crowdin for 2025-11-08 00:26:25 +00:00
ZNC-Jenkins cb1d4aae94 Update translations from Crowdin for de_DE 2025-11-07 00:26:39 +00:00
Alexey Sokolov 81a76a05b0 Merge pull request #1982 from bastelratte/syntax_de
Update autoreply.de_DE.po
2025-11-06 00:57:00 +00:00
bastelratte 97fc8be37a Update autoreply.de_DE.po
Correction DE when = wenn
2025-11-05 21:14:08 +01:00
Alexey Sokolov 2df0206d06 Merge pull request #1980 from znc/dependabot/github_actions/actions/upload-artifact-5
Bump actions/upload-artifact from 4 to 5
2025-11-01 12:38:56 +00:00
Alexey Sokolov cf889c1727 Merge pull request #1981 from znc/dependabot/github_actions/github/codeql-action-4
Bump github/codeql-action from 3 to 4
2025-11-01 12:38:19 +00:00
dependabot[bot] 1586688217 Bump github/codeql-action from 3 to 4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-01 12:01:28 +00:00
dependabot[bot] 19b3cc0e2b Bump actions/upload-artifact from 4 to 5
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-01 12:01:23 +00:00
ZNC-Jenkins 447f503f4c Update translations from Crowdin for pl_PL 2025-10-26 00:26:21 +00:00