X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_cgiirc.cpp;h=9ad25e6fbaec626573fe9402a8f08a3bf1f81b02;hb=80e81e3b81b779901fd9d67f8ae030ee30c0bcec;hp=d4a02859d77361c84ee1173308856bb00ea9e6d9;hpb=0a67b8861adfca7b09e59d9639e26b6bf71859a5;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp
index d4a02859d..9ad25e6fb 100644
--- a/src/modules/m_cgiirc.cpp
+++ b/src/modules/m_cgiirc.cpp
@@ -4,7 +4,7 @@
  *   Copyright (C) 2019 linuxdaemon <linuxdaemon.irc@gmail.com>
  *   Copyright (C) 2014 md_5 <git@md-5.net>
  *   Copyright (C) 2014 Googolplexed <googol@googolplexed.net>
- *   Copyright (C) 2013, 2017-2018 Sadie Powell <sadie@witchery.services>
+ *   Copyright (C) 2013, 2017-2018, 2020-2021 Sadie Powell <sadie@witchery.services>
  *   Copyright (C) 2013 Adam <Adam@anope.org>
  *   Copyright (C) 2012-2013, 2015 Attila Molnar <attilamolnar@hush.com>
  *   Copyright (C) 2012, 2019 Robby <robby@chatbelgie.be>
@@ -39,16 +39,19 @@ enum
 	RPL_WHOISGATEWAY = 350
 };
 
+// One or more hostmask globs or CIDR ranges.
+typedef std::vector<std::string> MaskList;
+
 // Encapsulates information about an ident host.
 class IdentHost
 {
  private:
-	std::string hostmask;
+	MaskList hostmasks;
 	std::string newident;
 
  public:
-	IdentHost(const std::string& mask, const std::string& ident)
-		: hostmask(mask)
+	IdentHost(const MaskList& masks, const std::string& ident)
+		: hostmasks(masks)
 		, newident(ident)
 	{
 	}
@@ -60,10 +63,19 @@ class IdentHost
 
 	bool Matches(LocalUser* user) const
 	{
-		if (!InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
-			return false;
+		for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter)
+		{
+			// Does the user's hostname match this hostmask?
+			if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map))
+				return true;
 
-		return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
+			// Does the user's IP address match this hostmask?
+			if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map))
+				return true;
+		}
+
+		// The user didn't match any hostmasks.
+		return false;
 	}
 };
 
@@ -71,14 +83,14 @@ class IdentHost
 class WebIRCHost
 {
  private:
-	std::string hostmask;
+	MaskList hostmasks;
 	std::string fingerprint;
 	std::string password;
 	std::string passhash;
 
  public:
-	WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash)
-		: hostmask(mask)
+	WebIRCHost(const MaskList& masks, const std::string& fp, const std::string& pass, const std::string& hash)
+		: hostmasks(masks)
 		, fingerprint(fp)
 		, password(pass)
 		, passhash(hash)
@@ -96,26 +108,100 @@ class WebIRCHost
 		if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint))
 			return false;
 
-		// Does the user's hostname match our hostmask?
-		if (InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
-			return true;
+		for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter)
+		{
+			// Does the user's hostname match this hostmask?
+			if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map))
+				return true;
+
+			// Does the user's IP address match this hostmask?
+			if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map))
+				return true;
+		}
 
-		// Does the user's IP address match our hostmask?
-		return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
+		// The user didn't match any hostmasks.
+		return false;
+	}
+};
+
+class CommandHexIP : public SplitCommand
+{
+ public:
+	CommandHexIP(Module* Creator)
+		: SplitCommand(Creator, "HEXIP", 1)
+	{
+		allow_empty_last_param = false;
+		Penalty = 2;
+		syntax = "<hex-ip|raw-ip>";
+	}
+
+	CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE
+	{
+		irc::sockets::sockaddrs sa;
+		if (irc::sockets::aptosa(parameters[0], 0, sa))
+		{
+			if (sa.family() != AF_INET)
+			{
+				user->WriteNotice("*** HEXIP: You can only hex encode an IPv4 address!");
+				return CMD_FAILURE;
+			}
+
+			uint32_t addr = sa.in4.sin_addr.s_addr;
+			user->WriteNotice(InspIRCd::Format("*** HEXIP: %s encodes to %02x%02x%02x%02x.",
+				sa.addr().c_str(), (addr & 0xFF), ((addr >> 8) & 0xFF), ((addr >> 16) & 0xFF),
+				((addr >> 24) & 0xFF)));
+			return CMD_SUCCESS;
+		}
+
+		if (ParseIP(parameters[0], sa))
+		{
+			user->WriteNotice(InspIRCd::Format("*** HEXIP: %s decodes to %s.",
+				parameters[0].c_str(), sa.addr().c_str()));
+			return CMD_SUCCESS;
+		}
+
+		user->WriteNotice(InspIRCd::Format("*** HEXIP: %s is not a valid raw or hex encoded IPv4 address.",
+			parameters[0].c_str()));
+		return CMD_FAILURE;
+	}
+
+	static bool ParseIP(const std::string& in, irc::sockets::sockaddrs& out)
+	{
+		const char* ident = NULL;
+		if (in.length() == 8)
+		{
+			// The ident is an IPv4 address encoded in hexadecimal with two characters
+			// per address segment.
+			ident = in.c_str();
+		}
+		else if (in.length() == 9 && in[0] == '~')
+		{
+			// The same as above but m_ident got to this user before we did. Strip the
+			// ident prefix and continue as normal.
+			ident = in.c_str() + 1;
+		}
+		else
+		{
+			// The user either does not have an IPv4 in their ident or the gateway server
+			// is also running an identd. In the latter case there isn't really a lot we
+			// can do so we just assume that the client in question is not connecting via
+			// an ident gateway.
+			return false;
+		}
+
+		// Try to convert the IP address to a string. If this fails then the user
+		// does not have an IPv4 address in their ident.
+		errno = 0;
+		unsigned long address = strtoul(ident, NULL, 16);
+		if (errno)
+			return false;
+
+		out.in4.sin_family = AF_INET;
+		out.in4.sin_addr.s_addr = htonl(address);
+		return true;
 	}
 };
 
-/*
- * WEBIRC
- *  This is used for the webirc method of CGIIRC auth, and is (really) the best way to do these things.
- *  Syntax: WEBIRC password gateway hostname ip
- *  Where password is a shared key, gateway is the name of the WebIRC gateway and version (e.g. cgiirc), hostname
- *  is the resolved host of the client issuing the command and IP is the real IP of the client.
- *
- * How it works:
- *  To tie in with the rest of cgiirc module, and to avoid race conditions, /webirc is only processed locally
- *  and simply sets metadata on the user, which is later decoded on full connect to give something meaningful.
- */
 class CommandWebIRC : public SplitCommand
 {
  public:
@@ -165,8 +251,9 @@ class CommandWebIRC : public SplitCommand
 			realhost.set(user, user->GetRealHost());
 			realip.set(user, user->GetIPString());
 
-			WriteLog("Connecting user %s is using a WebIRC gateway; changing their IP from %s to %s.",
-				user->uuid.c_str(), user->GetIPString().c_str(), parameters[3].c_str());
+			WriteLog("Connecting user %s is using the %s WebIRC gateway; changing their IP from %s to %s.",
+				user->uuid.c_str(), parameters[1].c_str(),
+				user->GetIPString().c_str(), parameters[3].c_str());
 
 			// If we have custom flags then deal with them.
 			WebIRC::FlagMap flags;
@@ -227,50 +314,16 @@ class ModuleCgiIRC
 	, public Whois::EventListener
 {
  private:
-	CommandWebIRC cmd;
+	CommandHexIP cmdhexip;
+	CommandWebIRC cmdwebirc;
 	std::vector<IdentHost> hosts;
 
-	static bool ParseIdent(LocalUser* user, irc::sockets::sockaddrs& out)
-	{
-		const char* ident = NULL;
-		if (user->ident.length() == 8)
-		{
-			// The ident is an IPv4 address encoded in hexadecimal with two characters
-			// per address segment.
-			ident = user->ident.c_str();
-		}
-		else if (user->ident.length() == 9 && user->ident[0] == '~')
-		{
-			// The same as above but m_ident got to this user before we did. Strip the
-			// ident prefix and continue as normal.
-			ident = user->ident.c_str() + 1;
-		}
-		else
-		{
-			// The user either does not have an IPv4 in their ident or the gateway server
-			// is also running an identd. In the latter case there isn't really a lot we
-			// can do so we just assume that the client in question is not connecting via
-			// an ident gateway.
-			return false;
-		}
-
-		// Try to convert the IP address to a string. If this fails then the user
-		// does not have an IPv4 address in their ident.
-		errno = 0;
-		unsigned long address = strtoul(ident, NULL, 16);
-		if (errno)
-			return false;
-
-		out.in4.sin_family = AF_INET;
-		out.in4.sin_addr.s_addr = htonl(address);
-		return true;
-	}
-
  public:
 	ModuleCgiIRC()
 		: WebIRC::EventListener(this)
 		, Whois::EventListener(this)
-		, cmd(this)
+		, cmdhexip(this)
+		, cmdwebirc(this)
 	{
 	}
 
@@ -289,9 +342,13 @@ class ModuleCgiIRC
 		{
 			ConfigTag* tag = i->second;
 
+			MaskList masks;
+			irc::spacesepstream maskstream(tag->getString("mask"));
+			for (std::string mask; maskstream.GetToken(mask); )
+				masks.push_back(mask);
+
 			// Ensure that we have the <cgihost:mask> parameter.
-			const std::string mask = tag->getString("mask");
-			if (mask.empty())
+			if (masks.empty())
 				throw ModuleException("<cgihost:mask> is a mandatory field, at " + tag->getTagLocation());
 
 			// Determine what lookup type this host uses.
@@ -300,7 +357,7 @@ class ModuleCgiIRC
 			{
 				// The IP address should be looked up from the hex IP address.
 				const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent);
-				identhosts.push_back(IdentHost(mask, newident));
+				identhosts.push_back(IdentHost(masks, newident));
 			}
 			else if (stdalgo::string::equalsci(type, "webirc"))
 			{
@@ -319,7 +376,7 @@ class ModuleCgiIRC
 						tag->getTagLocation().c_str());
 				}
 
-				webirchosts.push_back(WebIRCHost(mask, fingerprint, password, passwordhash));
+				webirchosts.push_back(WebIRCHost(masks, fingerprint, password, passwordhash));
 			}
 			else
 			{
@@ -329,10 +386,10 @@ class ModuleCgiIRC
 
 		// The host configuration was valid so we can apply it.
 		hosts.swap(identhosts);
-		cmd.hosts.swap(webirchosts);
+		cmdwebirc.hosts.swap(webirchosts);
 
 		// Do we send an oper notice when a m_cgiirc client has their IP changed?
-		cmd.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true);
+		cmdwebirc.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true);
 	}
 
 	ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE
@@ -344,19 +401,30 @@ class ModuleCgiIRC
 
 		// If the user is not connecting via a WebIRC gateway then they
 		// cannot match this connect class.
-		const std::string* gateway = cmd.gateway.get(user);
+		const std::string* gateway = cmdwebirc.gateway.get(user);
 		if (!gateway)
+		{
+			ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway",
+					myclass->GetName().c_str());
 			return MOD_RES_DENY;
+		}
 
 		// If the gateway matches the <connect:webirc> constraint then
 		// allow the check to continue. Otherwise, reject it.
-		return InspIRCd::Match(*gateway, webirc) ? MOD_RES_PASSTHRU : MOD_RES_DENY;
+		if (!InspIRCd::Match(*gateway, webirc))
+		{
+			ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s",
+					myclass->GetName().c_str(), gateway->c_str(), webirc.c_str());
+			return MOD_RES_DENY;
+		}
+
+		return MOD_RES_PASSTHRU;
 	}
 
 	ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE
 	{
 		// There is no need to check for gateways if one is already being used.
-		if (cmd.realhost.get(user))
+		if (cmdwebirc.realhost.get(user))
 			return MOD_RES_PASSTHRU;
 
 		for (std::vector<IdentHost>::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter)
@@ -368,15 +436,15 @@ class ModuleCgiIRC
 			// We have matched an <cgihost> block! Try to parse the encoded IPv4 address
 			// out of the ident.
 			irc::sockets::sockaddrs address(user->client_sa);
-			if (!ParseIdent(user, address))
+			if (!CommandHexIP::ParseIP(user->ident, address))
 				return MOD_RES_PASSTHRU;
 
 			// Store the hostname and IP of the gateway for later use.
-			cmd.realhost.set(user, user->GetRealHost());
-			cmd.realip.set(user, user->GetIPString());
+			cmdwebirc.realhost.set(user, user->GetRealHost());
+			cmdwebirc.realip.set(user, user->GetIPString());
 
 			const std::string& newident = iter->GetIdent();
-			cmd.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.",
+			cmdwebirc.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.",
 				user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str());
 
 			user->ChangeIdent(newident);
@@ -452,12 +520,12 @@ class ModuleCgiIRC
 			return;
 
 		// If these fields are not set then the client is not using a gateway.
-		const std::string* realhost = cmd.realhost.get(whois.GetTarget());
-		const std::string* realip = cmd.realip.get(whois.GetTarget());
+		const std::string* realhost = cmdwebirc.realhost.get(whois.GetTarget());
+		const std::string* realip = cmdwebirc.realip.get(whois.GetTarget());
 		if (!realhost || !realip)
 			return;
 
-		const std::string* gateway = cmd.gateway.get(whois.GetTarget());
+		const std::string* gateway = cmdwebirc.gateway.get(whois.GetTarget());
 		if (gateway)
 			whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway");
 		else
@@ -466,7 +534,7 @@ class ModuleCgiIRC
 
 	Version GetVersion() CXX11_OVERRIDE
 	{
-		return Version("Enables forwarding the real IP address of a user from a gateway to the IRC server", VF_VENDOR);
+		return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR);
 	}
 };