One needs to be admin to change the current skin dir, but it still sounds
like a good idea to be careful...
Plus, this wont deny symlinks anyway!
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1412 726aef4b-f618-498e-8847-2d620e286838
With the current implementation of CString::Base64Decode the following
code would fail (meaning b would be false):
CString t = "some very long string ...";
bool b = (t == t.Base64Encode_n(true).Base64Decode_n());
The same code without wrapping the base64 output would give b = true
as expected.
The new implementation removes all new lines before decoding so
decoding a wrapped base64 text gives the expected result.
Furthermore replaced malloc and free with new and delete and removed
the check for p in CString::Base64Encode since new will throw if it
failed.
The changes don't affect any existing code.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1410 726aef4b-f618-498e-8847-2d620e286838
In some (weird?) cases these flags could make the libperl and libsasl2
checks fail.
Thanks to darix for reporting this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1400 726aef4b-f618-498e-8847-2d620e286838
This patch fixes the same bug as the last commit and also makes sure that
similar bugs can't happen again.
Thanks to cnu for finding and reporting this bug.
Thanks to kroimon for patch review.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1396 726aef4b-f618-498e-8847-2d620e286838
There was a bug in webadmin which allowed any users to write arbitrary strings
to znc.conf by setting e.g. their quit message to:
Some quit message
Admin = true
LoadModule = shell
</User>
ISpoofFile = /home/<user>/.ssh/authorited_keys
ISpoofFormat = <some ssh key>
<User a>
(The newlines must be sent as newlines to webadmin)
This commit fixes this by stripping all newlines from all the data fields
by default. Since some fields (e.g. CTCPReplies and Servers) do need newlines,
there is a new function CHTTPSock::GetRawParam() which doesn't do the stripping.
Thanks to cnu for finding and reporting this bug.
Thanks to kroimon for patch review.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1395 726aef4b-f618-498e-8847-2d620e286838
strftime() returns zero for errors and the state of the buffer we passed to it
is undefined in this case. This lead to a non-null-terminated string being
used.
The impact of this bug should be low, no writing was done and you were only
able to get a partial stack dump. A crash through this is quite unlikely.
Thanks to cnu for finding and reporting this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1394 726aef4b-f618-498e-8847-2d620e286838
He found the recent privilege escalation bug, is very... 'active' in our IRC
channel and keeps testing SVN versions.
Thanks for your work :)
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1393 726aef4b-f618-498e-8847-2d620e286838
This is a slightly modified version of the connect_throttle from znc-extra.
If a login attempt fails, all further login attempts from that source IP are
blocked for some time (by default one minute).
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1390 726aef4b-f618-498e-8847-2d620e286838
This breaks CAuthBase's API for modules that want to auth users.
Instead of overloading AcceptLogin() and RefuseLogin(), they now have to
overload AcceptedLogin() and RefusedLogin().
Modules that auth users (e.g. imapauth) still call AcceptLogin() and
RefuseLogin() which is where OnFailedLogin() gets called.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1389 726aef4b-f618-498e-8847-2d620e286838
- No longer a global module, why was it ever one?
- Fix '/msg *admin set ident a' to error out instead of modifying my own user.
- Document '$me'.
- Other, minor stuff.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1386 726aef4b-f618-498e-8847-2d620e286838
Remove CFile::SetFD() which was unused and made FD leaks way too easy.
Remove CFile::CFile(int fd, const CString& sLongName) since it's unused and
it was the only reason we needed the m_bClose member which is now also gone.
Call ClearBuffer() in Close() in case someone reuses CFile instances.
Thanks to Sebastinas.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1383 726aef4b-f618-498e-8847-2d620e286838
Modules.cpp is capsuled in a huge #ifdef _MODULES block (see r767), but some
code in there still uses #ifndef _MODULES, which is never going to be used.
Thanks to Sebastinas for finding this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1381 726aef4b-f618-498e-8847-2d620e286838
This module basically does the same things webadmin does, but via
an IRC query interface.
Thanks to sebastinas for writing the original version of this module.
Thanks to kroimon for making this suite ZNC's coding style better and porting
it to newer ZNC versions.
Finally, I added a DelUser command and ported it again to laters versions.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1379 726aef4b-f618-498e-8847-2d620e286838
This limits the max file size to 16 MiB and makes the read loop stop after
it has read as many bytes as GetSize() said the file is long. This fixes
an endless loop when trying to transfer endless files like /dev/zero.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1374 726aef4b-f618-498e-8847-2d620e286838
No idea why we provide this definition for __sun (solaris?), but it doesn't
look like anything uses this and we don't compile on those weird boxes anyway.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1365 726aef4b-f618-498e-8847-2d620e286838
