
Merge branch 'protect-telnet-user-match' into maint

* protect-telnet-user-match:
  Only validate hosts for the linking bot, not all
  Fix passing no user into user_has_host() not properly looking up user
  Enable host-user matching for bot links

Conflicts:
	doc/UPDATES
Bryan Drewery 13 жил өмнө
parent
commit
426ec73724
4 өөрчлөгдсөн 51 нэмэгдсэн , 11 устгасан
  1. 2 0
      doc/UPDATES
  2. 10 10
      src/dcc.c
  3. 38 1
      src/userrec.c
  4. 1 0
      src/users.h

+ 2 - 0
doc/UPDATES

@@ -1,6 +1,8 @@
 maint
   * Default 'set promisc' to ignore since it's usually a false positive
     and doesn't matter much.
+  * Bots linking in must now have a matching host on their user to succeed linking.
+    This was always requiring a valid host, but was not restricted to that bot.
 
 1.4.2 - http://wraith.botpack.net/milestone/1.4.2
   * Prevent crashing on startup if openssl can not be loaded

+ 10 - 10
src/dcc.c

@@ -1812,20 +1812,20 @@ dcc_telnet_id(int idx, char *buf, int atr)
     char *p = strchr(dcc[idx].host, '@');
     strlcpy(user, dcc[idx].host, p - dcc[idx].host + 1);
     simple_snprintf(sip, sizeof(sip), "-telnet!%s@%s", user, iptostr(htonl(dcc[idx].addr)));
+    struct userrec *u = get_user_by_handle(userlist, nick);
 
-    struct userrec *u = NULL;
     ok = 1;
 
-    if (!u)
-      u = get_user_by_host(sip);			/* Check for -telnet!ident@ip */
-    if (!u)
-      u = get_user_by_host(shost);		/* Check for -telnet!ident@host */
-    if (!u)
-      ok = 0;
+    // Require that the linking bot has a matching host
 
-//    // Restrict connect to matching the user who they claim to be
-//    if (u && strcasecmp(nick, u->handle))
-//      ok = 0;
+    if (u) {
+      /* Check for -telnet!ident@ip or -telnet!ident@host */
+      if (!user_has_matching_host(nick, u, sip) && !user_has_matching_host(nick, u, shost)) {
+	ok = 0;
+      }
+    } else {
+      ok = 0;
+    }
 
     if (!ok) {
       putlog(LOG_BOTS, "*", "Denied link to '%s': Host not recognized: %s", nick, dcc[idx].host);
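Review bot: The `if (!ok)` branch logs the same "Host not recognized" text whether `get_user_by_handle(userlist, nick)` returned NULL or a known handle connected from a host that matched neither `sip` nor `shost`. The second case is a peer presenting an existing bot's handle from an unlisted address, which someone reading LOG_BOTS would want to tell apart from an unknown handle. I would choose the reason before the existing `putlog`, e.g. `const char *why = u ? "Host not recognized" : "Unknown handle";`, and log it with `putlog(LOG_BOTS, "*", "Denied link to '%s': %s: %s", nick, why, dcc[idx].host);`. Logging `sip` as well would record one of the strings that was actually compared. dcc_telnet_id starts and ends outside this hunk, so whatever else happens on the `!ok` path is not visible here.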

+ 38 - 1
src/userrec.c

@@ -278,7 +278,7 @@ bool user_has_host(const char *handle, struct userrec *u, char *host)
     return 0;
 
   if (!u && handle)
-    get_user_by_handle(userlist, (char *) handle);
+    u = get_user_by_handle(userlist, (char *) handle);
 
   if (!u)
     return 0;
@@ -292,6 +292,43 @@ bool user_has_host(const char *handle, struct userrec *u, char *host)
   return 0;
 }
 
+bool user_has_matching_host(const char *handle, struct userrec *u, char *host)
+{
+  if (host == NULL) {
+    return false;
+  }
+  rmspace(host);
+  if (!host[0]) {
+    return false;
+  }
+
+  if (!u && handle) {
+    u = get_user_by_handle(userlist, (char *) handle);
+  }
+
+  if (!u) {
+    return false;
+  }
+
+  /* do CIDR matching if given host is an ip */
+  char *p = NULL;
+  bool do_cidr = 0;
+  struct list_type *q = NULL;
+
+  do_cidr = ((p = strchr(host, '@')) && is_dotted_ip(++p));
+
+  for (q = (struct list_type *) get_user(&USERENTRY_HOSTS, u); q; q = q->next) {
+      if (do_cidr && match_cidr(q->extra, host)) {
+	  return true;
+      }
+      if (wild_match(q->extra, host)) {
+	return true;
+      }
+  }
+
+  return false;
+}
+
 void convert_password(struct userrec *u)
 {
   char *oldpass = (char *) get_user(&USERENTRY_PASS1, u);
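Review bot: `user_has_matching_host()` is added without a header comment, and two of its properties are not obvious from the call site in src/dcc.c. First, `rmspace(host)` edits the caller's buffer in place. Second, every stored entry is used as a pattern in `wild_match(q->extra, host)`, so the link check is presumably only as strict as the masks kept on that bot's record. I would put a comment above the function along the lines of `/* Return true if 'host' matches one of u's stored hostmasks: wildcard match, plus CIDR when the part after '@' is a dotted IP. Trims 'host' in place; a very broad stored mask will match any peer. */`. As a smaller point, `bool do_cidr = 0;` would read more consistently as `false` next to the `return false;` lines, and the NULL/empty/lookup prelude repeats what the earlier hunk shows in `user_has_host()`, so a shared static helper would keep the two from drifting apart.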

+ 1 - 0
src/users.h

@@ -96,6 +96,7 @@ struct user_entry_type *find_entry_type(char *);
 struct user_entry *find_user_entry(struct user_entry_type *, struct userrec *);
 void *get_user(struct user_entry_type *, struct userrec *);
 bool user_has_host(const char *, struct userrec *, char *);
+bool user_has_matching_host(const char *handle, struct userrec *u, char *host);
 bool set_user(struct user_entry_type *, struct userrec *, void *);
 
 #define is_bot(u)	((u) && (u)->bot)