You can upload files to znc via /dcc send *status. The files will be saved in
<datadir>/users/<user>/downloads/. The code for this didn't do any checking on
the file name at all and thus allowed directory traversal attacks by all znc
users (no admin privileges required!).
By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys
file or upload a znc module which lets everyone gain shell access. Anything is
possible.
Again:
ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges.
THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1570 726aef4b-f618-498e-8847-2d620e286838
A common pattern for checking directories in ZNC is the following:
sAbsolutePath = CDir::ChangeDir(sAllowedPath, sFile);
if (sAbsolutePath.Left(sAllowedPath.length()) != sAllowedPath)
Error;
But there is a problem: If sAllowedPath doesn't end with a slash, we are
vulnerable to an attack. If e.g. sAllowedPath = "/foo/bar", then
sFile = "../bartender" would result in sAbsolutePath = "/foo/bartender". Since
this path does begin with sAllowedPath, the code allowed it.
There shouldn't be any places where this can be exploited currently, but it is
still a security bug (path traversal).
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1569 726aef4b-f618-498e-8847-2d620e286838
The issue happened if off_t was a signed, 4 byte integer (x86). In this case
(off_t) 0xffffffff is -1 and a file size is always larger than -1 which
unconditionally caused the "File too large" error to trigger.
Thanks to [Deton8r] for reporting this bug and flakes for debugging it.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1568 726aef4b-f618-498e-8847-2d620e286838
This now states more explicitly that c-ares is not strictly required.
Thanks to flakes for noticing that the error messages needs improvement and to
w00t for improving the improved error message flakes and me came up with.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1565 726aef4b-f618-498e-8847-2d620e286838
Everything which isn't a CClient with a successful login counts as an
unidentified connection in this context. Modules who don't want this kind of
limit on their listening sockets can override CSocket::ConnectionFrom(), but
their sockets will still count towards this limit.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1561 726aef4b-f618-498e-8847-2d620e286838
We need to have an upper limit of the size of HTTP POST data. With the current
code you could just send 4 GiB of data to webadmin and ZNC would try to keep all
of this in memory.
This patch implements an upper limit for HTTP POST data of 1 MiB.
Thanks to cnu for finding this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1559 726aef4b-f618-498e-8847-2d620e286838
If a user is deleted while it is trying to connect to an IRC server, the IRC
socket wasn't deleted together with the user. At some later point in time, the
IRC socket will try to use the user object, which was already freed by now.
Fix this by erasing IRC sockets together with their user object.
Thanks to cnu for reporting this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1557 726aef4b-f618-498e-8847-2d620e286838
After the first attempt to lookup an address, Csocket already created the socket
used for communicating. Since at this point it wasn't yet known whether we will
yield a IPv4 or IPv6 address, Csocket just always used IPv4. This would then
later fail to connect() with 'Address family not supported by protocol'.
This patch fixes this by creating the socket fd only when the DNS lookup
completed successfully.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1556 726aef4b-f618-498e-8847-2d620e286838
Every socket which is based on CZNCSock will now use c-ares for its name
resolving. This is possible thanks to CSocket's Csock::GetAddrInfo() which
lets one override the DNS lookup.
This can be disabled with --disable-c-ares.
If IPv6 is enabled and Csocket didn't specify which kind of lookup (ipv4/ipv6)
it wants, we first do an ipv4 lookup. If that lookup doesn't yield any useful
result, we try again with an ipv6 lookup. If one wants to force ipv6 usage on a
domain which also resolves to an ipv4 address, he has to set an ipv6 vhost.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1551 726aef4b-f618-498e-8847-2d620e286838
Classes derived from Csock* can be casted implicitly to their base class, this
explicit casts are rather pointless.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1548 726aef4b-f618-498e-8847-2d620e286838
The following sequence triggered this bug:
/mode <chan> +ov-o <you> <you> <you>
The deop called CNick::RemPerm('@') which removed the '@' from the list of
perms via std::string::erase(<positiong of '@' in that string>). The bug was
that erase() by default erases till the end of the string, but we only wanted
to remove a single character. The fix is easy, just pass in '1' as a second
parameter. :)
Thanks to sp219 for finding and reporting this bug.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1547 726aef4b-f618-498e-8847-2d620e286838
Changes include...
- CString -
Addition of LCString typedef to list<CString>
Added four more args to CString::Token()...
bool bAllowEmpty = false <-- This default of false is NOT backward compatible but seems way more intuitive
const CString& sLeft = ""
const CString& sRight = ""
bool bTrimQuotes = true
Added CString::OptionSplit()
Added CString::QuoteSplit()
Added two new args to CString::Split()...
bool bTrimQuotes = true,
bool bTrimWhiteSpace = false
- CTemplate -
Added new class CTemplateTagHandler to provide capability to add custom tags and vars
Added var name pointer dereferencing in the form of <? VAR Name=*other_var ?> (use ** to start with a literal star)
Added a list of paths that can be used to look for a given filename in multiple locations
Added CTemplate::PrependPath()
Added CTemplate::AppendPath()
Added CTemplate::RemovePath()
Added CTemplate::ClearPath()
Added CTemplate::PrintString() for filling a CString& instead of a stream
Added <? LT ?> which outputs a literal "<?"
Added <? GT ?> which outputs a literal "?>"
Added <? SETBLOCK ?> and <? ENDSETBLOCK ?> for setting a variable's value to the contents between the tags
Added <? EXPAND ?> for expanding a filename to a path using the settable list of paths
Added <? BREAK ?> and <? CONTINUE ?> inner loop tags
Added <? EXIT ?> tag to stop processing
Added <? DEBUG ?> tag for printing to DEBUG()
Added REVERSE keyword to the <? LOOP ?> tag
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1537 726aef4b-f618-498e-8847-2d620e286838
If you now load stickychan with "#chan1,#chan2 bla" as its argument, both
channels are stuck where "bla" is the channel key for #chan2.
Thanks to FB-eYe for the suggestion.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1534 726aef4b-f618-498e-8847-2d620e286838
deque got constant time removal of elements at the beginning of the sequence,
vector doesn't. The plan is that this saves some CPU time in CBuffer::AddLine()
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1532 726aef4b-f618-498e-8847-2d620e286838
When ZNC is restarted we have to pass on most of ZNC's arguments. Until now we
only handled --datadir. Now we also handle --debug, --foreground, --no-color
and --allow-root.
Thanks to kopn3ft0r for finding this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1531 726aef4b-f618-498e-8847-2d620e286838
The code checked if every line received from the IRC server started with a
colon and contained at least two spaces using a wildcard comparison. Since not
doing this would violate the IRC specs, we can safely assume this.
This command removes this if and reindents a shitload of code. The only change
in there is a removed comment, everything else should be the same.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1528 726aef4b-f618-498e-8847-2d620e286838
I doubt this makes much of a difference, but some callgrind run with one hour
of #ubuntu pointed to this stuff. Let's hope it's at least a little little
little bit faster now
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1527 726aef4b-f618-498e-8847-2d620e286838
Because the precision defaults to 2, e.g. the traffic stats are now way more
readable.
Thanks to KiNgMaR for the idea and the patch.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1525 726aef4b-f618-498e-8847-2d620e286838
r1481 moved the /img/ subdir into /data/, but forgot to fix the path which
is used for the favicon, which meant we generated a 404 for the favicon.
Fix this by using the correct path and everyone is happy again.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1524 726aef4b-f618-498e-8847-2d620e286838
The last commit broke the order in which the traffic stats used to be displayed
and it turns out that KiNgMaR cannot live with that, so now we are back to the
old order.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1523 726aef4b-f618-498e-8847-2d620e286838
Removed CSmartPtr's GetCount and renamed GetClientCount to GetCount.
The version returning a pointer is not used anyway. Furthermore removed
a check for a null pointer which is already checked some lines above
and replaced m_pType = &(*CopyFrom) with m_tType = CopyFrom.m_pType,
since an overloaded operator & could break this code (it doesn't matter
if we check the m_pType afterwards. It could be nonezero and invalid
anyway).
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1522 726aef4b-f618-498e-8847-2d620e286838