/*
* InspIRCd -- Internet Relay Chat Daemon
*
+ * Copyright (C) 2019 linuxdaemon <linuxdaemon.irc@gmail.com>
+ * Copyright (C) 2014 md_5 <git@md-5.net>
+ * Copyright (C) 2014 Googolplexed <googol@googolplexed.net>
+ * Copyright (C) 2013, 2017-2018, 2020 Sadie Powell <sadie@witchery.services>
+ * Copyright (C) 2013 Adam <Adam@anope.org>
+ * Copyright (C) 2012-2013, 2015 Attila Molnar <attilamolnar@hush.com>
+ * Copyright (C) 2012, 2019 Robby <robby@chatbelgie.be>
* Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
- * Copyright (C) 2007-2008 John Brooks <john.brooks@dereferenced.net>
- * Copyright (C) 2008 Pippijn van Steenhoven <pip88nl@gmail.com>
- * Copyright (C) 2006-2008 Craig Edwards <craigedwards@brainbox.cc>
- * Copyright (C) 2007 Robin Burchell <robin+git@viroteck.net>
+ * Copyright (C) 2009 Uli Schlachter <psychon@inspircd.org>
+ * Copyright (C) 2007-2009 Robin Burchell <robin+git@viroteck.net>
* Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
- * Copyright (C) 2006 Oliver Lupton <oliverlupton@gmail.com>
+ * Copyright (C) 2006-2007, 2010 Craig Edwards <brain@inspircd.org>
*
* This file is part of InspIRCd. InspIRCd is free software: you can
* redistribute it and/or modify it under the terms of the GNU General Public
RPL_WHOISGATEWAY = 350
};
-// We need this method up here so that it can be accessed from anywhere
-static void ChangeIP(LocalUser* user, const irc::sockets::sockaddrs& sa)
-{
- // Set the users IP address and make sure they are in the right clone pool.
- ServerInstance->Users->RemoveCloneCounts(user);
- user->SetClientIP(sa);
- ServerInstance->Users->AddClone(user);
- if (user->quitting)
- return;
-
- // Recheck the connect class.
- user->MyClass = NULL;
- user->SetClass();
- user->CheckClass();
- if (user->quitting)
- return;
-
- // Check if this user matches any XLines.
- user->CheckLines(true);
- if (user->quitting)
- return;
-}
-
// Encapsulates information about an ident host.
class IdentHost
{
{
}
- bool Matches(LocalUser* user, const std::string& pass) const
+ bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const
{
// Did the user send a valid password?
if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash))
return false;
// Does the user have a valid fingerprint?
- const std::string fp = SSLClientCert::GetFingerprint(&user->eh);
- if (!fingerprint.empty() && fp != fingerprint)
+ const std::string fp = sslapi ? sslapi->GetFingerprint(user) : "";
+ if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint))
return false;
// Does the user's hostname match our hostmask?
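Review bot: The fallback `sslapi ? sslapi->GetFingerprint(user) : ""` means that when the certificate API is unavailable, every block with a `fingerprint` set fails the comparison without any indication why, assuming TimingSafeCompare treats an empty string as unequal to a non-empty one. That is the safe direction, but it is easy to misread as a default that allows the match. A comment above the line would make the intent explicit: `// No certificate API means an empty fingerprint, so fingerprint-restricted hosts never match.` The body of Matches continues past the end of this hunk.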
StringExtItem gateway;
StringExtItem realhost;
StringExtItem realip;
+ UserCertificateAPI sslapi;
Events::ModuleEventProvider webircevprov;
CommandWebIRC(Module* Creator)
, gateway("cgiirc_gateway", ExtensionItem::EXT_USER, Creator)
, realhost("cgiirc_realhost", ExtensionItem::EXT_USER, Creator)
, realip("cgiirc_realip", ExtensionItem::EXT_USER, Creator)
+ , sslapi(Creator)
, webircevprov(Creator, "event/webirc")
{
allow_empty_last_param = false;
works_before_reg = true;
- this->syntax = "<password> <gateway> <hostname> <ip> [flags]";
+ this->syntax = "<password> <gateway> <hostname> <ip> [<flags>]";
}
CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE
for (std::vector<WebIRCHost>::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter)
{
// If we don't match the host then skip to the next host.
- if (!iter->Matches(user, parameters[0]))
+ if (!iter->Matches(user, parameters[0], sslapi))
continue;
irc::sockets::sockaddrs ipaddr;
// Set the IP address sent via WEBIRC. We ignore the hostname and lookup
// instead do our own DNS lookups because of unreliable gateways.
- ChangeIP(user, ipaddr);
+ user->SetClientIP(ipaddr);
return CMD_SUCCESS;
}
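Review bot: The call `user->SetClientIP(ipaddr)` now has to do everything the removed `ChangeIP()` helper did explicitly: moving the user between clone pools, resetting and rechecking the connect class, and running `CheckLines(true)`. SetClientIP's body is not part of this diff, so it should be confirmed that it performs all three for the gateway-supplied address. If it does not, a client behind a WebIRC gateway could keep the gateway's connect class and never be checked against X-lines for its real IP. A comment at the call site such as `// SetClientIP() also updates clone counts and rechecks the connect class and X-lines.` would record that dependency. The same replacement is made in OnUserRegister for ident hosts, and HandleLocal's body extends beyond the lines shown here.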
// The IP address will be received via the WEBIRC command.
const std::string fingerprint = tag->getString("fingerprint");
const std::string password = tag->getString("password");
+ const std::string passwordhash = tag->getString("hash", "plaintext", 1);
// WebIRC blocks require a password.
if (fingerprint.empty() && password.empty())
throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation());
- webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash")));
+ if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext"))
+ {
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<cgihost> tag at %s contains an plain text password, this is insecure!",
+ tag->getTagLocation().c_str());
+ }
+
+ webirchosts.push_back(WebIRCHost(mask, fingerprint, password, passwordhash));
}
else
{
- throw ModuleException(type + " is an invalid <cgihost:mask> type, at " + tag->getTagLocation());
+ throw ModuleException(type + " is an invalid <cgihost:mask> type, at " + tag->getTagLocation());
}
}
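Review bot: The new warning text reads `contains an plain text password`; it should be `contains a plain text password`. An omitted `hash` now defaults to `plaintext` and the block is still accepted, so this log line is the only signal an operator gets that the gateway password is stored unhashed. It would help if the message also told the operator to set the `hash` field on the tag. The enclosing config-reading function starts outside this hunk.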
// cannot match this connect class.
const std::string* gateway = cmd.gateway.get(user);
if (!gateway)
+ {
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway",
+ myclass->GetName().c_str());
return MOD_RES_DENY;
+ }
// If the gateway matches the <connect:webirc> constraint then
// allow the check to continue. Otherwise, reject it.
- return InspIRCd::Match(*gateway, webirc) ? MOD_RES_PASSTHRU : MOD_RES_DENY;
+ if (!InspIRCd::Match(*gateway, webirc))
+ {
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s",
+ myclass->GetName().c_str(), gateway->c_str(), webirc.c_str());
+ return MOD_RES_DENY;
+ }
+
+ return MOD_RES_PASSTHRU;
}
ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE
user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str());
user->ChangeIdent(newident);
- ChangeIP(user, address);
- break;
+ user->SetClientIP(address);
+ break;
}
return MOD_RES_PASSTHRU;
}
Version GetVersion() CXX11_OVERRIDE
{
- return Version("Enables forwarding the real IP address of a user from a gateway to the IRC server", VF_VENDOR);
+ return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR);
}
};