When one now finishes a web request with PAGE_DONE, the code actively calls
Close(CLT_AFTERWRITE) which one previously had to call explicitly. This means
there is finally a difference between PAGE_DONE and PAGE_DEFERRED. ;)
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1981 726aef4b-f618-498e-8847-2d620e286838
Until now, the code checked for <moddir>/www/<mod name> and just used
./modules/www/<mod name> if the other dir didn't exist.
Now we calculate the correct path from the module's shared object's path, which
is the correct thing to do.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1967 726aef4b-f618-498e-8847-2d620e286838
to existing action="post" forms. Right now, we don't have much of a
real protection against CSRF yet, but psychon is working on making
that happen :)
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1933 726aef4b-f618-498e-8847-2d620e286838
PrintStaticFile() called ExpandFile() twice if debug output was enabled which
caused it's DEBUG() error messages to be printed twice.
It then called CHTTPSock::PrintFile() to print the actual file. PrintFile()
always sends a result page, no matter if this is an error page or a proper
result page. Thus we should always return PAGE_DONE here, since PAGE_NOTFOUND
was already handled.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1882 726aef4b-f618-498e-8847-2d620e286838
webskins dir, made default the _default_ skin, moved dark-clouds to dark-clouds,
added /skinfiles/ feature to base skins on each other (and not only on default).
Next up: re-adding help texts that got lost during webadmin->webmods transition,
making skins look nice again.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1868 726aef4b-f618-498e-8847-2d620e286838
This function caches its result for not-logged-in users since r1857. With this
commit, it also now works properly for logged-in ones.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1862 726aef4b-f618-498e-8847-2d620e286838
When a module page is requested, m_sModName is set. When then GetSession() tries
to look up its session cookie, it doesn't find it since GetRequestCookie()
actually looks up Mod::<modname>::<cookie name>.
The fix is to look up the global cookie name if the mod one doesnt exist.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1861 726aef4b-f618-498e-8847-2d620e286838
When one sent a basic-auth header, OnLogin() was called with the request's data
which caused a GetSession() call which generated a new session. Sadly, this
session wasn't saved anywhere, so a new one session was generated later when
OnPageRequest() triggered. This could lead to a NULL pointer dereference.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1857 726aef4b-f618-498e-8847-2d620e286838
To achieve that, split internal cookie jar into a jar for received cookies
and one for cookies that are to be sent with the response.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1840 726aef4b-f618-498e-8847-2d620e286838
When e.g. imapauth started handling a login from WebMods it opened a new TCP
connection etc. This took time, but WebMods didn't actually wait for the login
to finish which caused the login to fail later on since the HTTP socket was
already destroyed.
This fixes it by letting the HTTP sock just hang. Once the login finishes,
CHTTPSock::Redirect() is called to let it come back to life again.
Thanks to DarthGandalf for finding this issue.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1834 726aef4b-f618-498e-8847-2d620e286838
Instead of return a bool, this now returns an enum. This explains the meaning of
the returned value better and will be used in the next commit to fix a bug.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1833 726aef4b-f618-498e-8847-2d620e286838
This changes CHTTPSock so that one can handle HTTP requests asynchronously.
This is done by not forcing a page to be sent out in the caller of
OnPageRequest() but instead requiring a call to the new function
CHTTPSock::PrintPage().
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1830 726aef4b-f618-498e-8847-2d620e286838
If a user who is currently logged in to WebMods is deleted, his CWebSession
still kept a stale CUser pointer around. The next time he loaded a web page,
Bad Things(tm) happened.
This is fixed by deleting all of a user's sessions when that user is deleted.
Thanks to DarthGandalf for spotting the bug and writing the patch.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1827 726aef4b-f618-498e-8847-2d620e286838
When a CWebSock was destroyed before its CWebAuth, the CWebAuth dereferenced a
stale pointer once it was used again. Fix this by calling
CAuthBase::Invalidate() appropriately.
Thanks to DarthGandalf for finding this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1826 726aef4b-f618-498e-8847-2d620e286838
The traffic generated by it was just discarded. Now it's accounted towards a
user if one is logged in, else towards the global traffic usage.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1825 726aef4b-f618-498e-8847-2d620e286838
WebModules use CHTTPSock for the HTTP server. That class requires a CModule
instance for working since it's based on CSocket. This was solved by creating a
fake module instance which is destroyed when the socket is destroyed.
The problem here was that CSocket's destructor tried to access that module
instance which was already destroyed resulting in a use-after-free.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1824 726aef4b-f618-498e-8847-2d620e286838
We now use a lot more data for generating the session id which is fed to a hash
to make it impossible to attack specific parts of the input.
Also we now retry generating a new session id in the (improbable) case of
collision with an existing session id.
Thanks a lot to cnu for pointing out the weakness in the old code by stealing my
session cookie, you evil hacker!
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1819 726aef4b-f618-498e-8847-2d620e286838
psychon