diff options
Diffstat (limited to 'src/modules')
-rw-r--r-- | src/modules/extra/m_ldapauth.cpp | 47 | ||||
-rw-r--r-- | src/modules/m_cgiirc.cpp | 10 | ||||
-rw-r--r-- | src/modules/m_cloaking.cpp | 7 | ||||
-rw-r--r-- | src/modules/m_dnsbl.cpp | 9 |
4 files changed, 40 insertions, 33 deletions
diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp index 6c765fb2e..405bab082 100644 --- a/src/modules/extra/m_ldapauth.cpp +++ b/src/modules/extra/m_ldapauth.cpp @@ -310,36 +310,25 @@ public: } RAIILDAPMessage msg; - std::string what = (attribute + "=" + (useusername ? user->ident : user->nick)); - if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS) + std::string what; + std::string::size_type pos = user->password.find(':'); + // If a username is provided in PASS, use it, othewrise user their nick or ident + if (pos != std::string::npos) { - // Do a second search, based on password, if it contains a : - // That is, PASS <user>:<password> will work. - size_t pos = user->password.find(":"); - if (pos != std::string::npos) - { - // manpage says we must deallocate regardless of success or failure - // since we're about to do another query (and reset msg), first - // free the old one. - msg.dealloc(); - - std::string cutpassword = user->password.substr(0, pos); - res = ldap_search_ext_s(conn, base.c_str(), searchscope, cutpassword.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg); - - if (res == LDAP_SUCCESS) - { - // Trim the user: prefix, leaving just 'pass' for later password check - user->password = user->password.substr(pos + 1); - } - } + what = (attribute + "=" + user->password.substr(0, pos)); - // It may have found based on user:pass check above. - if (res != LDAP_SUCCESS) - { - if (verbose) - ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP search failed: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); - return false; - } + // Trim the user: prefix, leaving just 'pass' for later password check + user->password = user->password.substr(pos + 1); + } + else + { + what = (attribute + "=" + (useusername ? user->ident : user->nick)); + } + if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS) + { + if (verbose) + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP search failed: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); + return false; } if (ldap_count_entries(conn, msg) > 1) { @@ -404,7 +393,7 @@ public: std::string dnPart; while (stream.GetToken(dnPart)) { - std::string::size_type pos = dnPart.find('='); + pos = dnPart.find('='); if (pos == std::string::npos) // malformed continue; diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index cce2e7855..09f6a4659 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -73,6 +73,7 @@ class CommandWebirc : public Command realhost("cgiirc_realhost", Creator), realip("cgiirc_realip", Creator), webirc_hostname("cgiirc_webirc_hostname", Creator), webirc_ip("cgiirc_webirc_ip", Creator) { + allow_empty_last_param = false; works_before_reg = true; this->syntax = "password client hostname ip"; } @@ -81,6 +82,14 @@ class CommandWebirc : public Command if(user->registered == REG_ALL) return CMD_FAILURE; + irc::sockets::sockaddrs ipaddr; + if (!irc::sockets::aptosa(parameters[3], 0, ipaddr)) + { + IS_LOCAL(user)->CommandFloodPenalty += 5000; + ServerInstance->SNO->WriteGlobalSno('a', "Connecting user %s tried to use WEBIRC but gave an invalid IP address.", user->GetFullRealHost().c_str()); + return CMD_FAILURE; + } + for(CGIHostlist::iterator iter = Hosts.begin(); iter != Hosts.end(); iter++) { if(InspIRCd::Match(user->host, iter->hostmask, ascii_case_insensitive_map) || InspIRCd::MatchCIDR(user->GetIPString(), iter->hostmask, ascii_case_insensitive_map)) @@ -108,6 +117,7 @@ class CommandWebirc : public Command } } + IS_LOCAL(user)->CommandFloodPenalty += 5000; ServerInstance->SNO->WriteGlobalSno('a', "Connecting user %s tried to use WEBIRC, but didn't match any configured webirc blocks.", user->GetFullRealHost().c_str()); return CMD_FAILURE; } diff --git a/src/modules/m_cloaking.cpp b/src/modules/m_cloaking.cpp index 105d68833..1bf99f919 100644 --- a/src/modules/m_cloaking.cpp +++ b/src/modules/m_cloaking.cpp @@ -493,11 +493,14 @@ class ModuleCloaking : public Module { std::string chost; + irc::sockets::sockaddrs hostip; + bool host_is_ip = irc::sockets::aptosa(host, ip.port(), hostip) && hostip == ip; + switch (mode) { case MODE_COMPAT_HOST: { - if (ipstr != host) + if (!host_is_ip) { std::string tail = LastTwoDomainParts(host); @@ -520,7 +523,7 @@ class ModuleCloaking : public Module break; case MODE_HALF_CLOAK: { - if (ipstr != host) + if (!host_is_ip) chost = prefix + SegmentCloak(host, 1, 6) + LastTwoDomainParts(host); if (chost.empty() || chost.length() > 50) chost = SegmentIP(ip, false); diff --git a/src/modules/m_dnsbl.cpp b/src/modules/m_dnsbl.cpp index d4101686a..3dea080ce 100644 --- a/src/modules/m_dnsbl.cpp +++ b/src/modules/m_dnsbl.cpp @@ -70,8 +70,8 @@ class DNSBLResolver : public Resolver int i = countExt.get(them); if (i) countExt.set(them, i - 1); - // Now we calculate the bitmask: 256*(256*(256*a+b)+c)+d - if(result.length()) + // All replies should be in 127.0.0.0/8 + if (result.compare(0, 4, "127.") == 0) { unsigned int bitmask = 0, record = 0; bool match = false; @@ -82,6 +82,7 @@ class DNSBLResolver : public Resolver switch (ConfEntry->type) { case DNSBLConfEntry::A_BITMASK: + // Now we calculate the bitmask: 256*(256*(256*a+b)+c)+d bitmask = resultip.s_addr >> 24; /* Last octet (network byte order) */ bitmask &= ConfEntry->bitmask; match = (bitmask != 0); @@ -196,7 +197,11 @@ class DNSBLResolver : public Resolver ConfEntry->stats_misses++; } else + { + if (!result.empty()) + ServerInstance->SNO->WriteGlobalSno('a', "DNSBL: %s returned address outside of acceptable subnet 127.0.0.0/8: %s", ConfEntry->domain.c_str(), result.c_str()); ConfEntry->stats_misses++; + } } } |