From b00cf4ca15d992623720b24a9c2487d41be8d6cb Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Sun, 11 Apr 2021 15:03:06 +0100 Subject: Only show the WebIRC gateway name to unprivileged users. --- src/modules/m_cgiirc.cpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 0759854a2..434043e46 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -532,11 +532,16 @@ class ModuleCgiIRC void OnWhois(Whois::Context& whois) CXX11_OVERRIDE { // If these fields are not set then the client is not using a gateway. - const std::string* realhost = cmdwebirc.realhost.get(whois.GetTarget()); - const std::string* realip = cmdwebirc.realip.get(whois.GetTarget()); + std::string* realhost = cmdwebirc.realhost.get(whois.GetTarget()); + std::string* realip = cmdwebirc.realip.get(whois.GetTarget()); if (!realhost || !realip) return; + // If the source doesn't have the right privs then only show the gateway name. + std::string hidden = "*"; + if (!whois.GetSource()->HasPrivPermission("users/auspex")) + realhost = realip = &hidden; + const std::string* gateway = cmdwebirc.gateway.get(whois.GetTarget()); if (gateway) whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway"); -- cgit v1.3.1-10-gc9f91 From 0960d5e9e37075e44223c627c93a2e1b41ce8f35 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Wed, 14 Apr 2021 18:58:17 +0100 Subject: Update references to config fields which were renamed. --- src/modules/extra/m_ssl_gnutls.cpp | 2 +- src/modules/extra/m_ssl_mbedtls.cpp | 2 +- src/modules/extra/m_ssl_openssl.cpp | 2 +- tools/testssl | 16 ++++++++-------- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 4e6b09564..5dadda184 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -1314,7 +1314,7 @@ class ModuleSSLGnuTLS : public Module } else { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"gnutls\" when configuring TLS (SSL) connections in or "); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"gnutls\" when configuring TLS (SSL) connections in or "); for (ConfigIter i = tags.first; i != tags.second; ++i) { ConfigTag* tag = i->second; diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp index 77c81b7fa..5c768ce3c 100644 --- a/src/modules/extra/m_ssl_mbedtls.cpp +++ b/src/modules/extra/m_ssl_mbedtls.cpp @@ -888,7 +888,7 @@ class ModuleSSLmbedTLS : public Module } else { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"mbedtls\" when configuring TLS (SSL) connections in or "); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"mbedtls\" when configuring TLS (SSL) connections in or "); for (ConfigIter i = tags.first; i != tags.second; ++i) { ConfigTag* tag = i->second; diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index fb965a5ab..0f4e2d713 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -1000,7 +1000,7 @@ class ModuleSSLOpenSSL : public Module } else { - ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"openssl\" when configuring TLS (SSL) connections in or "); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "You have defined an tag; you should use this in place of \"openssl\" when configuring TLS (SSL) connections in or "); for (ConfigIter i = tags.first; i != tags.second; ++i) { ConfigTag* tag = i->second; diff --git a/tools/testssl b/tools/testssl index 52a152144..1c80ec0eb 100755 --- a/tools/testssl +++ b/tools/testssl @@ -105,14 +105,14 @@ It appears that the server endpoint is using plaintext! Make sure that: - ssl_mbedtls * If you have specified one or more tags then the value of - is the same as an field. Otherwise, it should - be set to "gnutls" for the ssl_gnutls module, "openssl" for the ssl_openssl - module, or "mbedtls" for the ssl_mbedtls module. - - * If you have specified the name of an in then the - value of is set to "gnutls" if using the ssl_gnutls - module, "openssl" if using the ssl_openssl module, or "mbedtls" if using - the ssl_mbedtls module. + is the same as an field. Otherwise, it + should be set to "gnutls" for the ssl_gnutls module, "openssl" for the + ssl_openssl module, or "mbedtls" for the ssl_mbedtls module. + + * If you have specified the name of an in then + the value of is set to "gnutls" if using the + ssl_gnutls module, "openssl" if using the ssl_openssl module, or "mbedtls" + if using the ssl_mbedtls module. * If you have your SSL configuration in a file other than inspircd.conf then that file is included by inspircd.conf. -- cgit v1.3.1-10-gc9f91 From ba8a15adcde58a7db5e00790a55803be9d6d2fda Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Fri, 16 Apr 2021 11:50:51 +0100 Subject: Fix using a different field name in ldapauth than is documented. Closes #1864. --- src/modules/m_ldapauth.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/m_ldapauth.cpp b/src/modules/m_ldapauth.cpp index 8fc0ca0b0..4885bc0e5 100644 --- a/src/modules/m_ldapauth.cpp +++ b/src/modules/m_ldapauth.cpp @@ -331,7 +331,7 @@ public: vhost = tag->getString("host"); // Set to true if failed connects should be reported to operators verbose = tag->getBool("verbose"); - useusername = tag->getBool("userfield"); + useusername = tag->getBool("useusername", tag->getBool("userfield")); LDAP.SetProvider("LDAP/" + tag->getString("dbid")); -- cgit v1.3.1-10-gc9f91 From b0f16081ccaef527ed4b5434a7264508cf455f39 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Sat, 17 Apr 2021 14:18:50 +0100 Subject: Fix the 'w' extban not being added to the EXTBAN 005 numeric. --- src/modules/m_cgiirc.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 434043e46..f0963e4c1 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -332,6 +332,11 @@ class ModuleCgiIRC ServerInstance->SNO->EnableSnomask('w', "CGIIRC"); } + void On005Numeric(std::map& tokens) CXX11_OVERRIDE + { + tokens["EXTBAN"].push_back('w'); + } + ModResult OnCheckBan(User* user, Channel*, const std::string& mask) CXX11_OVERRIDE { if (mask.length() <= 2 || mask[0] != 'w' || mask[1] != ':') -- cgit v1.3.1-10-gc9f91 From 23b8d6bbed74a44bef4936b1f92d0376a974bf76 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Sat, 17 Apr 2021 18:04:50 +0100 Subject: Improve the debug logging for httpd_acl auth attempts. --- src/modules/m_httpd_acl.cpp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/modules/m_httpd_acl.cpp b/src/modules/m_httpd_acl.cpp index 533e3c578..197bf589e 100644 --- a/src/modules/m_httpd_acl.cpp +++ b/src/modules/m_httpd_acl.cpp @@ -200,20 +200,30 @@ class ModuleHTTPAccessList : public Module, public HTTPACLEventListener return true; } else + { /* Invalid password */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username do not match"); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); + } } else + { /* Malformed user:pass pair */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username malformed"); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); + } } else + { /* Unsupported authentication type */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: unsupported auth type: %s", authtype.c_str()); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); + } } else { /* No password given at all, access denied */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username not sent"); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); } return false; -- cgit v1.3.1-10-gc9f91