Alexey Sokolov
a80cf49f5e
Merge pull request #2018 from MarkLee131/fix/http-hardening-headers
HTTPSock: emit standard hardening response headers
2026-05-05 00:26:58 +01:00
Alexey Sokolov
6186f611b9
Merge pull request #2017 from MarkLee131/fix/checkpass-constant-time
User: use constant-time compare for MD5/SHA256/plain password paths
2026-04-30 08:23:07 +01:00
MarkLee131
f71e021e3b
HTTPSock: emit standard hardening response headers
Close #2012 .
Add X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff and
Referrer-Policy: same-origin to every response so webadmin and module
pages are framed/sniff-protected by default. Add no-store Cache-Control
and Pragma: no-cache on dynamic responses so shared workstations can't
replay authenticated pages from browser history. Skip the cache headers
for 304 and for static asset MIME types (image, font, text/css,
application/javascript) that the existing ETag/Last-Modified path on
PrintFile already handles.
Per review feedback: the emitter is a private WriteHardeningHeaders that
writes each line via the socket directly from PrintHeader, not a public
helper returning a temporary VCString. Callers can override a default
value with AddHeader, or suppress one outright with the new public
OmitHardeningHeader(name).
Tests: drive PrintHeader on a CHTTPSock subclass that captures Write()
calls, then assert with gmock matchers (Contains(StartsWith(...))).
2026-04-29 20:29:47 +08:00
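The commit above describes the header policy (three fixed hardening headers on every response, no-store/no-cache only on dynamic responses, a per-call override and an omit switch) without showing the logic. The following is an added example, not ZNC's CHTTPSock code: `HeaderPlan`, `BuildResponseHeaders`, `IsStaticAsset` and `HasHeaderStartingWith` are hypothetical names, and the header values and skip rules are taken from the commit message. It returns the header lines instead of writing them to a socket so the policy can be checked directly.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Added example, not ZNC's CHTTPSock code. HeaderPlan, BuildResponseHeaders
// and IsStaticAsset are hypothetical names; the header names/values and the
// skip rules follow the commit message.
struct HeaderPlan {
    std::map<std::string, std::string> overrides;  // AddHeader-style replacement values
    std::set<std::string> omitted;                 // OmitHardeningHeader-style suppression
};

// Static asset types already served with ETag/Last-Modified skip the no-store pair.
bool IsStaticAsset(const std::string& mime) {
    return mime.rfind("image/", 0) == 0 || mime.rfind("font/", 0) == 0 ||
           mime == "text/css" || mime == "application/javascript";
}

// Returns the "Name: value" lines to emit for one response. Header names are
// matched case-sensitively here for brevity; HTTP header names are
// case-insensitive, so a production version should normalise them first.
std::vector<std::string> BuildResponseHeaders(int status,
                                              const std::string& contentType,
                                              const HeaderPlan& plan) {
    std::vector<std::pair<std::string, std::string>> defaults = {
        {"X-Frame-Options", "SAMEORIGIN"},
        {"X-Content-Type-Options", "nosniff"},
        {"Referrer-Policy", "same-origin"},
    };
    // 304 carries no body and static assets rely on conditional requests,
    // so only dynamic responses get the anti-replay cache headers.
    if (status != 304 && !IsStaticAsset(contentType)) {
        defaults.emplace_back("Cache-Control", "no-store");
        defaults.emplace_back("Pragma", "no-cache");
    }
    std::vector<std::string> lines;
    for (const auto& kv : defaults) {
        if (plan.omitted.count(kv.first)) continue;
        auto it = plan.overrides.find(kv.first);
        const std::string& value = (it == plan.overrides.end()) ? kv.second : it->second;
        lines.push_back(kv.first + ": " + value);
    }
    return lines;
}

// Mirrors the gmock Contains(StartsWith(...)) check from the commit's tests.
bool HasHeaderStartingWith(const std::vector<std::string>& lines, const std::string& prefix) {
    for (const auto& line : lines) {
        if (line.rfind(prefix, 0) == 0) return true;
    }
    return false;
}
```

The order of checks matters: an omitted header is dropped before the override lookup, so `OmitHardeningHeader` wins over `AddHeader` for the same name, and the cache headers are decided per response rather than once at construction, which is what keeps a 304 or a CSS file from carrying `Cache-Control: no-store`.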
MarkLee131
20e8f73b03
HTTPSock: extract IsValidHeaderField helper and add tests (#2010)
2026-04-25 17:38:31 +08:00
MarkLee131
f0c3341e35
User,Utils: move ConstantTimeEquals to CUtils and add tests (#2011)
2026-04-25 17:37:33 +08:00
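Two commits on this page (the CUtils move above and the earlier "use constant-time compare for MD5/SHA256/plain password paths") rely on a constant-time comparison without showing why the usual early-exit compare is a problem. The following is an added example, not ZNC's `CUtils::ConstantTimeEquals`: `NaiveEquals` and `ConstantTimeEqualsExample` are hypothetical names, and each reports how many bytes it examined so the leak is visible as a number rather than as a timing measurement.

```cpp
#include <cstddef>
#include <string>

// Added example, not ZNC's CUtils::ConstantTimeEquals. Both functions return
// the comparison result plus the number of bytes they looked at, so the
// timing leak of the naive version shows up as a number.
struct CompareResult {
    bool equal;
    std::size_t bytesExamined;
};

// Naive comparison: returns at the first mismatch, so the bytes examined
// (and the time taken) reveal how long the matching prefix is.
CompareResult NaiveEquals(const std::string& candidate, const std::string& stored) {
    if (candidate.size() != stored.size()) return {false, 0};
    for (std::size_t i = 0; i < stored.size(); ++i) {
        if (candidate[i] != stored[i]) return {false, i + 1};
    }
    return {true, stored.size()};
}

// Constant-time comparison: ORs together every byte difference and only
// inspects the accumulator at the end. The loop always covers the whole
// stored value, so the work depends on the stored length, not on how many
// leading bytes happen to match. A length mismatch is folded into the same
// accumulator instead of branching on it.
CompareResult ConstantTimeEqualsExample(const std::string& candidate, const std::string& stored) {
    const std::size_t n = candidate.size();
    unsigned char diff = static_cast<unsigned char>(n != stored.size());
    for (std::size_t i = 0; i < stored.size(); ++i) {
        // Wrap the candidate index rather than branching on i < n; with n == 0
        // every candidate byte is treated as 0 and the length mismatch above
        // already forces diff != 0.
        unsigned char c = (n != 0) ? static_cast<unsigned char>(candidate[i % n]) : 0;
        diff |= static_cast<unsigned char>(c ^ static_cast<unsigned char>(stored[i]));
    }
    return {diff == 0, stored.size()};
}
```

Two caveats a practitioner would add: the compiler is free to rewrite this loop, so production code should prefer a library primitive such as OpenSSL's `CRYPTO_memcmp` or a `volatile`-guarded implementation, and the technique assumes the values being compared are fixed-length digests (hex MD5 or SHA-256), so the remaining length-dependent timing reveals nothing secret.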
Falk Rund
ad6a397ca4
Welcome to 2026
[skip ci]
2026-01-01 13:44:32 +01:00
RealKindOne
106a9fcbb4
Make account, away-notify, and chghost only send to client if attached into a channel.
2025-06-26 10:15:13 -04:00
Alexey Sokolov
c46bd41037
Unix listener: chmod and change group
Fix #1955
2025-06-24 09:04:29 +01:00
Alexey Sokolov
694f50c9c0
Make CTCP flood timer use monotonic time
Probably should use std::chrono types instead of int, but that'll be a later change
2025-05-11 21:24:08 +01:00
Alexey Sokolov
4f65f86ccd
Warn user if flood protection is delaying the messages for too long
This should help with cases like #1943
2025-05-11 21:06:21 +01:00
Alexey Sokolov
5943bc9ed9
Send several caps in the same CAP REQ
If they got NAKed, then retry them one by one
This should speed up the usual case
Fix #1950
2025-05-09 23:46:11 +01:00
Alexey Sokolov
e80b11b5b5
Move base64 table from header to .cpp
2025-05-09 21:54:36 +01:00
Alexey Sokolov
1c197a5508
Add a way to disable certain capabilities
This is a way for admins to mitigate some issues caused by caps if such issues ever arise.
E.g. add this to global level in znc.conf:
DisableClientCap = sasl
DisableServerCap = chghost
DisableServerCap = message-tags
Then these caps will be NAKed to client / not requested from server.
Note that this mechanism doesn't fully prevent a cap from being activated, e.g. one could use *send_raw module to request it from server even when disabled.
2025-05-08 21:55:40 +01:00
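The commit above (admin-disabled caps) and the "Send several caps in the same CAP REQ" commit earlier on this page both touch the same negotiation, from opposite sides: ZNC NAKs disabled caps to its clients, and as a client of the upstream server it batches its own REQ and retries one by one on NAK. The following is an added example, not ZNC's code, that simulates both sides in one place. `ParseCapConfig`, `AnswerCapReq`, `NegotiateCaps` and `FilterDisabled` are hypothetical names; the config keys are from the commit message, the sample config lines are constructed, and the "one rejected cap NAKs the whole REQ" rule follows the IRCv3 capability negotiation spec. As the commit notes, the filter only covers ZNC's own negotiation; a module sending a raw CAP REQ is not routed through it.

```cpp
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Added example, not ZNC's code. All names below are hypothetical.

static std::string Trim(const std::string& s) {
    const std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    const std::size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

static std::vector<std::string> SplitWords(const std::string& s) {
    std::istringstream in(s);
    std::vector<std::string> out;
    for (std::string w; in >> w;) out.push_back(w);
    return out;
}

static std::string JoinWords(const std::vector<std::string>& words) {
    std::string out;
    for (const auto& w : words) {
        if (!out.empty()) out += ' ';
        out += w;
    }
    return out;
}

// Collect every value of "key = value" lines for one key (e.g. all
// DisableServerCap entries) from znc.conf-style lines.
std::set<std::string> ParseCapConfig(const std::vector<std::string>& cfgLines,
                                     const std::string& key) {
    std::set<std::string> caps;
    for (const auto& line : cfgLines) {
        const std::size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        if (Trim(line.substr(0, eq)) == key) caps.insert(Trim(line.substr(eq + 1)));
    }
    return caps;
}

// Server side of a REQ. A REQ is all-or-nothing, so a single unsupported or
// administratively disabled cap NAKs the whole list.
std::string AnswerCapReq(const std::string& reqList,
                         const std::set<std::string>& supported,
                         const std::set<std::string>& disabled) {
    for (const auto& cap : SplitWords(reqList)) {
        if (!supported.count(cap) || disabled.count(cap)) return "CAP * NAK :" + reqList;
    }
    return "CAP * ACK :" + reqList;
}

struct Negotiation {
    std::set<std::string> acked;
    int requestsSent = 0;
};

// Client side: ask for everything in one REQ; if that is NAKed, fall back to
// one REQ per cap so a single unsupported cap does not cost the rest.
// `server` is any callable mapping a REQ list to the server's reply line.
template <class Server>
Negotiation NegotiateCaps(const std::vector<std::string>& wanted, Server server) {
    Negotiation result;
    if (wanted.empty()) return result;
    ++result.requestsSent;
    if (server(JoinWords(wanted)).rfind("CAP * ACK", 0) == 0) {
        result.acked.insert(wanted.begin(), wanted.end());
        return result;
    }
    for (const auto& cap : wanted) {
        ++result.requestsSent;
        if (server(cap).rfind("CAP * ACK", 0) == 0) result.acked.insert(cap);
    }
    return result;
}

// Drop caps the admin disabled before asking the upstream server for them.
std::vector<std::string> FilterDisabled(const std::vector<std::string>& wanted,
                                        const std::set<std::string>& disabled) {
    std::vector<std::string> out;
    for (const auto& cap : wanted) {
        if (!disabled.count(cap)) out.push_back(cap);
    }
    return out;
}
```

With all caps supported the negotiation costs one round trip; with one unsupported cap in a list of N it costs N+1, which is the trade-off the batching commit accepts for the common case.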
Alexey Sokolov
26d2b8fc86
Add doxygen comment to CMessage::GetType()
2025-05-02 19:32:30 +01:00
Alexey Sokolov
2f02a9ea00
Merge branch 'master' into unix
2025-05-01 22:41:27 +01:00
Alexey Sokolov
63d10ccb17
Add support to connect to server via unix socket
The syntax for AddServer command and config is chosen to be unix:/path or unix:ssl:/path
For security reasons, only admins can add such servers, to prevent users from poking around the file system.
2025-04-20 22:40:20 +01:00
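The commit above fixes the `unix:/path` and `unix:ssl:/path` syntax and restricts it to admins. The following is an added example, not ZNC's parser: `ServerSpec`, `ParseServerSpec` and `MayAddServer` are hypothetical names, the two unix forms come from the commit message, and the rule that the path must be absolute is an added assumption. The authorisation check is kept separate from parsing so the caller cannot forget it by taking a different parse path.

```cpp
#include <string>

// Added example, not ZNC's parser. ServerSpec, ParseServerSpec and
// MayAddServer are hypothetical names.
struct ServerSpec {
    bool valid = false;
    bool unixSocket = false;
    bool ssl = false;
    std::string target;  // socket path, or host for the TCP form
};

ServerSpec ParseServerSpec(const std::string& spec) {
    ServerSpec s;
    if (spec.rfind("unix:", 0) != 0) {
        // Anything else is left to the existing host/port handling.
        s.valid = !spec.empty();
        s.target = spec;
        return s;
    }
    std::string rest = spec.substr(5);
    s.unixSocket = true;
    if (rest.rfind("ssl:", 0) == 0) {
        s.ssl = true;
        rest = rest.substr(4);
    }
    // Require an absolute path so a relative name cannot resolve differently
    // depending on ZNC's working directory (assumption, not from the commit).
    if (rest.empty() || rest[0] != '/') return s;
    s.target = rest;
    s.valid = true;
    return s;
}

// Only admins may point ZNC at a filesystem path; ordinary users stay on TCP.
bool MayAddServer(const ServerSpec& s, bool callerIsAdmin) {
    return s.valid && (!s.unixSocket || callerIsAdmin);
}
```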
Alexey Sokolov
d3a7f125cf
Make unix sockets work from modules
2025-04-20 08:31:36 +01:00
Alexey Sokolov
dab1127090
Add unix listener support to *status addport, delport
2025-04-19 22:17:30 +01:00
Alexey Sokolov
b952502eae
Dedup code between TCP and Unix listener
2025-04-19 20:17:52 +01:00
Alexey Sokolov
b53612edab
Merge branch 'master' into unix
2025-04-18 23:46:16 +01:00
Alexey Sokolov
5befe2f7f8
Implement invite-notify
2025-04-18 22:23:01 +01:00
Alexey Sokolov
6a0f0dce9c
Merge pull request #1941 from DarthGandalf/tagmsg
Implement message-tags spec
2025-04-13 11:46:18 +01:00
Alexey Sokolov
69cb57e51e
Add @since comment to SASL module callbacks
2025-04-11 21:34:59 +01:00
Alexey Sokolov
f93829e3b3
Implement message-tags spec
Message tags were supported already, but not arbitrary tags, and not
TAGMSG
2025-04-11 21:28:10 +01:00
Giovanni
30fbf1172c
Fix host name retrieval during TLS certificate generation (#1935)
Use HOSTNAME if defined, otherwise invoke gethostname(3) if possible,
fallback to uname(2)
2025-03-16 15:43:39 +00:00
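The commit above lists the lookup order for the certificate host name but not the code. The following is an added example, not ZNC's implementation: `ResolveHostName` and `ResolveLocalHostName` are hypothetical names, the order HOSTNAME, then gethostname(3), then uname(2) follows the commit message, and the final "localhost" fallback is an added assumption. The environment value is passed in as a parameter so the chain can be exercised without changing the real environment.

```cpp
#include <cstdlib>
#include <string>
#include <sys/utsname.h>
#include <unistd.h>

// Added example, not ZNC's code. ResolveHostName is a hypothetical name; the
// lookup order follows the commit message, the "localhost" fallback is assumed.
std::string ResolveHostName(const char* envHostname) {
    // 1. HOSTNAME from the environment, if set and non-empty.
    if (envHostname != nullptr && envHostname[0] != '\0') return envHostname;

    // 2. gethostname(3). POSIX does not guarantee NUL termination when the
    //    name is truncated, so terminate explicitly.
    char buf[256];  // HOST_NAME_MAX is 64 on Linux; 256 leaves headroom elsewhere
    if (gethostname(buf, sizeof buf) == 0) {
        buf[sizeof buf - 1] = '\0';
        if (buf[0] != '\0') return buf;
    }

    // 3. uname(2) nodename as the last system source.
    struct utsname uts;
    if (uname(&uts) == 0 && uts.nodename[0] != '\0') return uts.nodename;

    return "localhost";  // assumed last resort so certificate generation still has a CN
}

std::string ResolveLocalHostName() {
    return ResolveHostName(std::getenv("HOSTNAME"));
}
```

Because HOSTNAME comes from whoever started the process, whatever it contains ends up in the generated certificate; that is by design for the wrapper-script case the commit targets, but it is worth remembering when the value is later compared against what clients expect.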
Alexey Sokolov
8778a2bb5d
Parse network and client from authzid. Tests will be in future commit
2025-02-24 09:21:30 +00:00
Alexey Sokolov
4f07558a7d
Remove a footgun by decreasing the SASL API surface for modules
Even without the bad vtable of mutex inside shared_ptr, if a module
creates a subclass of CAuthBase, but then unloads, we have the same
problem.
2025-02-23 09:25:24 +00:00
Alexey Sokolov
6e9980d67f
Various SASL changes
2025-02-22 15:59:52 +00:00
Alexey Sokolov
4ef64eb4d5
rename next sasl module hook
2025-02-13 21:36:07 +00:00
Alexey Sokolov
c8266aafda
Rename new callback, fix build
2025-02-13 21:22:09 +00:00
Alexey Sokolov
41a0030fdb
Merge branch 'master' into sasl
Conflicts:
include/znc/Client.h
src/Client.cpp
src/Modules.cpp
test/integration/tests/modules.cpp
2025-02-13 20:37:32 +00:00
Peter
44e4b95a20
Welcome to 2025 (#1929)
2025-02-07 23:23:45 +00:00
Alexey Sokolov
d49399bbca
Implement chghost capability
Interaction with extended-join doesn't yet work correctly, because ZNC
doesn't keep track of everyone's real names
2024-10-15 13:26:20 +01:00
Alexey Sokolov
6e0591ff98
Remove unused field and getter
When account-tag was introduced, these fields were used, but since cap
3.2 this is no longer useful
2024-02-10 00:18:11 +00:00
Alexey Sokolov
2b3b224bca
Make modperl support AddServerDependentCapability
2024-01-14 12:11:00 +00:00
Alexey Sokolov
efd136c01c
Make modpython work with server-dependent caps
2024-01-14 11:12:32 +00:00
Alexey Sokolov
e2508d9716
Add comments
2024-01-14 00:58:37 +00:00
Alexey Sokolov
b1009bd809
Code cleanup
Since now there are no server-dependent caps defined in the core
2024-01-14 00:27:21 +00:00
Alexey Sokolov
f7ff0ee3f3
Modulefy core server-dependent caps
2024-01-13 23:34:03 +00:00
Alexey Sokolov
99e6869b28
Add CCapability
2024-01-13 21:22:42 +00:00
Alexey Sokolov
b5a6ff528b
The test is now working
2024-01-07 22:55:52 +00:00
Alexey Sokolov
1d3b33354f
Merge branch 'master' into cap302
2024-01-06 20:36:24 +00:00
Alexey Sokolov
66137bd89a
Progress
2024-01-05 00:45:41 +00:00
Falk Rund
17a004aa0b
Welcome to 2024
[skip ci]
2023-12-31 21:09:25 +01:00
Alexey Sokolov
4cbccac707
Merge branch 'master' into cap302
2023-11-19 10:53:47 +00:00
Alexey Sokolov
52a9752ed0
Add comments to header
2023-11-19 10:52:14 +00:00
Alexey Sokolov
0a355636b2
Cleanup ZNC_LVREFQUAL
2023-11-18 15:07:46 +00:00
Alexey Sokolov
9835f76939
Use std::variant to save a bit of RAM
2023-11-18 13:39:18 +00:00
Alexey Sokolov
a1a254bef1
Update password hashes from SHA-256 to Argon2id
These days salted SHA-256 is considered quite weak for passwords.
Transparently upgrade existing hashes upon login.
Bump cmake requirement to be able to use IMPORTED_TARGET; this will allow
further cleanup in next commits.
2023-09-27 01:11:07 +01:00
delthas
1dd995ef77
Rebase and address PR comments
2023-08-31 14:35:49 +02:00