From 95898abbb17277b9b7d6287b2105b46c6541ed99 Mon Sep 17 00:00:00 2001
From: Aaron Jones
Date: Sat, 14 Aug 2021 23:14:39 +0000
Subject: [PATCH] ircd/newconf: ignore invalid connect block passwords (#261)

Also, ignore a connect block that requests certfp authentication without setting the ssl flag, as it will then go on to fail anyway. Finally, correct an erroneous error message about class blocks.
---
 ircd/newconf.c | 76 +++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 57 insertions(+), 19 deletions(-)

diff --git a/ircd/newconf.c b/ircd/newconf.c
index 62faf427..101942f9 100644
--- a/ircd/newconf.c
+++ b/ircd/newconf.c
@@ -768,7 +768,7 @@ conf_end_class(struct TopConf *tc)
 
 if(EmptyString(yy_class->class_name))
 {
- conf_report_error("Ignoring connect block -- missing name.");
+ conf_report_error("Ignoring class block -- missing name.");
 return 0;
 }
 
@@ -1231,40 +1231,51 @@ conf_begin_connect(struct TopConf *tc)
 static int
 conf_end_connect(struct TopConf *tc)
 {
- if(EmptyString(yy_server->name))
+ if (EmptyString(yy_server->name))
 {
 conf_report_error("Ignoring connect block -- missing name.");
 return 0;
 }
 
- if(ServerInfo.name != NULL && !irccmp(ServerInfo.name, yy_server->name))
+ if (ServerInfo.name != NULL && !irccmp(ServerInfo.name, yy_server->name))
 {
- conf_report_error("Ignoring connect block for %s -- name is equal to my own name.",
- yy_server->name);
+ conf_report_error("Ignoring connect block for %s -- name is "
+ "equal to my own name.", yy_server->name);
 return 0;
 }
 
- if((EmptyString(yy_server->passwd) || EmptyString(yy_server->spasswd)) && EmptyString(yy_server->certfp))
+ if ((EmptyString(yy_server->passwd) || EmptyString(yy_server->spasswd))
+ && EmptyString(yy_server->certfp))
 {
- conf_report_error("Ignoring connect block for %s -- no fingerprint or password credentials provided.",
- yy_server->name);
+ conf_report_error("Ignoring connect block for %s -- no "
+ "fingerprint or password credentials "
+ "provided.", yy_server->name);
 return 0;
 }
 
- if((yy_server->flags & SERVER_SSL) && EmptyString(yy_server->certfp))
+ if ((yy_server->flags & SERVER_SSL) && EmptyString(yy_server->certfp))
 {
- conf_report_error("Ignoring connect block for %s -- no fingerprint provided for SSL connection.",
- yy_server->name);
+ conf_report_error("Ignoring connect block for %s -- no "
+ "fingerprint provided for SSL "
+ "connection.", yy_server->name);
 return 0;
 }
 
- if(EmptyString(yy_server->connect_host)
- && GET_SS_FAMILY(&yy_server->connect4) != AF_INET
- && GET_SS_FAMILY(&yy_server->connect6) != AF_INET6
- )
+ if (! (yy_server->flags & SERVER_SSL) && ! EmptyString(yy_server->certfp))
 {
- conf_report_error("Ignoring connect block for %s -- missing host.",
- yy_server->name);
+ conf_report_error("Ignoring connect block for %s -- "
+ "fingerprint authentication has "
+ "been requested; but the ssl flag "
+ "is not set.", yy_server->name);
+ return 0;
+ }
+
+ if (EmptyString(yy_server->connect_host)
+ && GET_SS_FAMILY(&yy_server->connect4) != AF_INET
+ && GET_SS_FAMILY(&yy_server->connect6) != AF_INET6)
+ {
+ conf_report_error("Ignoring connect block for %s -- missing "
+ "host.", yy_server->name);
 return 0;
 }
 
@@ -1336,7 +1347,20 @@ conf_set_connect_send_password(void *data)
 rb_free(yy_server->spasswd);
 }
 
- yy_server->spasswd = rb_strdup(data);
+ if (EmptyString((const char *) data))
+ {
+ yy_server->spasswd = NULL;
+ conf_report_warning("Invalid send_password for connect "
+ "block; must not be empty if provided");
+ }
+ else if (strpbrk(data, " :"))
+ {
+ yy_server->spasswd = NULL;
+ conf_report_error("Invalid send_password for connect "
+ "block; cannot contain spaces or colons");
+ }
+ else
+ yy_server->spasswd = rb_strdup(data);
 }
 
 static void
@@ -1347,7 +1371,21 @@ conf_set_connect_accept_password(void *data)
 memset(yy_server->passwd, 0, strlen(yy_server->passwd));
 rb_free(yy_server->passwd);
 }
- yy_server->passwd = rb_strdup(data);
+
+ if (EmptyString((const char *) data))
+ {
+ yy_server->passwd = NULL;
+ conf_report_warning("Invalid accept_password for connect "
+ "block; must not be empty if provided");
+ }
+ else if (strpbrk(data, " :"))
+ {
+ yy_server->passwd = NULL;
+ conf_report_error("Invalid accept_password for connect "
+ "block; cannot contain spaces or colons");
+ }
+ else
+ yy_server->passwd = rb_strdup(data);
 }
 
 static void
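Review bot: In conf_end_connect the credentials test `(EmptyString(yy_server->passwd) || EmptyString(yy_server->spasswd)) && EmptyString(yy_server->certfp)` only rejects a block that has no fingerprint, so a send_password or accept_password that the setters in this commit discard as invalid still leaves a block with certfp and the ssl flag accepted, with nothing but a log line to show for it. That looks like it turns a link the operator wrote as password plus fingerprint into fingerprint only; how a NULL password is handled when the link is made is not visible in this diff, so this needs confirming. If rejecting the whole block is not wanted, the behaviour should at least be stated above the test, for example `/* a rejected password is left NULL; a block with certfp set is still accepted */`. The function body continues past the end of the hunk.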
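Review bot: The empty and space/colon checks added to conf_set_connect_send_password are repeated line for line in conf_set_connect_accept_password (the next hunk), and the two failure branches report at different levels, conf_report_warning for an empty value and conf_report_error for a bad character, although both end the same way with the field set to NULL. A single static helper that takes the item name would keep the two setters from drifting apart and is the natural place to settle on one severity. The sketch below uses a suggested helper name and assumes conf_report_warning accepts printf-style arguments the way conf_report_error does in conf_end_connect. Both setters start before their hunks.

```c
/* Returns 1 if pw may be used as a link password; otherwise reports why and returns 0. */
static int
conf_connect_password_ok(const char *pw, const char *item)
{
	if (EmptyString(pw))
	{
		conf_report_warning("Invalid %s for connect block; must not be empty if provided", item);
		return 0;
	}

	if (strpbrk(pw, " :"))
	{
		conf_report_error("Invalid %s for connect block; cannot contain spaces or colons", item);
		return 0;
	}

	return 1;
}

static void
conf_set_connect_send_password(void *data)
{
	/* … unchanged: wipe and free of the previous spasswd … */
	yy_server->spasswd = conf_connect_password_ok(data, "send_password") ? rb_strdup(data) : NULL;
}
```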
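Review bot: The wipe kept as context in conf_set_connect_accept_password, `memset(yy_server->passwd, 0, strlen(yy_server->passwd));` directly followed by `rb_free(yy_server->passwd);`, is a store to memory that is never read again, which an optimising compiler is allowed to drop, so the old password may stay in freed heap memory. Since this commit reworks the lines right after it, this would be a good moment to switch to a wipe the compiler must keep, for example `explicit_bzero(yy_server->passwd, strlen(yy_server->passwd));` where the platform provides it, or a project-wide helper that writes through a volatile pointer. The send_password setter in the previous hunk presumably has the same pattern above its visible context. The function starts before this hunk.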