* Copyright (C) 2019 linuxdaemon <linuxdaemon.irc@gmail.com>
* Copyright (C) 2014 md_5 <git@md-5.net>
* Copyright (C) 2014 Googolplexed <googol@googolplexed.net>
- * Copyright (C) 2013, 2017-2018 Sadie Powell <sadie@witchery.services>
+ * Copyright (C) 2013, 2017-2018, 2020 Sadie Powell <sadie@witchery.services>
* Copyright (C) 2013 Adam <Adam@anope.org>
* Copyright (C) 2012-2013, 2015 Attila Molnar <attilamolnar@hush.com>
* Copyright (C) 2012, 2019 Robby <robby@chatbelgie.be>
RPL_WHOISGATEWAY = 350
};
+// One or more hostmask globs or CIDR ranges.
+typedef std::vector<std::string> MaskList;
+
// Encapsulates information about an ident host.
class IdentHost
{
private:
- std::string hostmask;
+ MaskList hostmasks;
std::string newident;
public:
- IdentHost(const std::string& mask, const std::string& ident)
- : hostmask(mask)
+ IdentHost(const MaskList& masks, const std::string& ident)
+ : hostmasks(masks)
, newident(ident)
{
}
bool Matches(LocalUser* user) const
{
- if (!InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
- return false;
+ for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter)
+ {
+ // Does the user's hostname match this hostmask?
+ if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map))
+ return true;
- return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
+ // Does the user's IP address match this hostmask?
+ if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map))
+ return true;
+ }
+
+ // The user didn't match any hostmasks.
+ return false;
}
};
class WebIRCHost
{
private:
- std::string hostmask;
+ MaskList hostmasks;
std::string fingerprint;
std::string password;
std::string passhash;
public:
- WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash)
- : hostmask(mask)
+ WebIRCHost(const MaskList& masks, const std::string& fp, const std::string& pass, const std::string& hash)
+ : hostmasks(masks)
, fingerprint(fp)
, password(pass)
, passhash(hash)
if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint))
return false;
- // Does the user's hostname match our hostmask?
- if (InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
- return true;
+ for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter)
+ {
+ // Does the user's hostname match this hostmask?
+ if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map))
+ return true;
- // Does the user's IP address match our hostmask?
- return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
+ // Does the user's IP address match this hostmask?
+ if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map))
+ return true;
+ }
+
+ // The user didn't match any hostmasks.
+ return false;
}
};
-/*
- * WEBIRC
- * This is used for the webirc method of CGIIRC auth, and is (really) the best way to do these things.
- * Syntax: WEBIRC password gateway hostname ip
- * Where password is a shared key, gateway is the name of the WebIRC gateway and version (e.g. cgiirc), hostname
- * is the resolved host of the client issuing the command and IP is the real IP of the client.
- *
- * How it works:
- * To tie in with the rest of cgiirc module, and to avoid race conditions, /webirc is only processed locally
- * and simply sets metadata on the user, which is later decoded on full connect to give something meaningful.
- */
class CommandWebIRC : public SplitCommand
{
public:
realhost.set(user, user->GetRealHost());
realip.set(user, user->GetIPString());
- WriteLog("Connecting user %s is using a WebIRC gateway; changing their IP from %s to %s.",
- user->uuid.c_str(), user->GetIPString().c_str(), parameters[3].c_str());
+ WriteLog("Connecting user %s is using the %s WebIRC gateway; changing their IP from %s to %s.",
+ user->uuid.c_str(), parameters[1].c_str(),
+ user->GetIPString().c_str(), parameters[3].c_str());
// If we have custom flags then deal with them.
WebIRC::FlagMap flags;
{
ConfigTag* tag = i->second;
+ MaskList masks;
+ irc::spacesepstream maskstream(tag->getString("mask"));
+ for (std::string mask; maskstream.GetToken(mask); )
+ masks.push_back(mask);
+
// Ensure that we have the <cgihost:mask> parameter.
- const std::string mask = tag->getString("mask");
- if (mask.empty())
+ if (masks.empty())
throw ModuleException("<cgihost:mask> is a mandatory field, at " + tag->getTagLocation());
// Determine what lookup type this host uses.
{
// The IP address should be looked up from the hex IP address.
const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent);
- identhosts.push_back(IdentHost(mask, newident));
+ identhosts.push_back(IdentHost(masks, newident));
}
else if (stdalgo::string::equalsci(type, "webirc"))
{
// The IP address will be received via the WEBIRC command.
const std::string fingerprint = tag->getString("fingerprint");
const std::string password = tag->getString("password");
+ const std::string passwordhash = tag->getString("hash", "plaintext", 1);
// WebIRC blocks require a password.
if (fingerprint.empty() && password.empty())
throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation());
- webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash")));
+ if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext"))
+ {
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<cgihost> tag at %s contains an plain text password, this is insecure!",
+ tag->getTagLocation().c_str());
+ }
+
+ webirchosts.push_back(WebIRCHost(masks, fingerprint, password, passwordhash));
}
else
{
// cannot match this connect class.
const std::string* gateway = cmd.gateway.get(user);
if (!gateway)
+ {
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway",
+ myclass->GetName().c_str());
return MOD_RES_DENY;
+ }
// If the gateway matches the <connect:webirc> constraint then
// allow the check to continue. Otherwise, reject it.
- return InspIRCd::Match(*gateway, webirc) ? MOD_RES_PASSTHRU : MOD_RES_DENY;
+ if (!InspIRCd::Match(*gateway, webirc))
+ {
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s",
+ myclass->GetName().c_str(), gateway->c_str(), webirc.c_str());
+ return MOD_RES_DENY;
+ }
+
+ return MOD_RES_PASSTHRU;
}
ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE
Version GetVersion() CXX11_OVERRIDE
{
- return Version("Enables forwarding the real IP address of a user from a gateway to the IRC server", VF_VENDOR);
+ return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR);
}
};