浏览代码

* Fixed security flaw with 'auth-obscure', and improved: auth-obscure now gives a hash regardless of 'dccauth'.

svn: 2279
Bryan Drewery 21 年之前
父节点
当前提交
c9db8feabe
共有 3 个文件被更改,包括 11 次插入6 次删除
  1. 1 0
      doc/UPDATES
  2. 2 2
      misc/help.txt
  3. 8 4
      src/dcc.c

+ 1 - 0
doc/UPDATES

@@ -34,6 +34,7 @@ Lines prefixed with '-' were disabled before release and are not finished, or ar
 * Fixed 'reset*' being blocked with 'botcmd *'
 * Added code to prevent cmd_botcmd from being chained over botnet.
 * Disabled cmd_away/cmd_back over 'botcmd'
+* Fixed security flaw with 'auth-obscure', and improved: auth-obscure now gives a hash regardless of 'dccauth'.
 
 1.2.4
 * Fixed cmd_botset not displaying botnick.

+ 2 - 2
misc/help.txt

@@ -1504,8 +1504,8 @@ See also: reload, backup
 [S]  $bauth-key$b        The authkey used during authing.G ive to users if they need to auth. 
                           (can be bot specific)
 [C]  $bauth-prefix$b     The prefix character used for msg cmds, ie: $u!$uop or $u.$uop
-[B]  $bauth-obscure$b    Will not halt in dcc pass is wrong and authing is enabled. 
-                          Will always fail at auth hash though.
+[B]  $bauth-obscure$b    Will not halt on dcc login if pass is wrong. Will display auth hash..
+                          Will always fail at hash though.
 [N]  $bdcc-autoaway$b    Time in seconds until a user is set auto-away on dcc.
                           (0/- to disable)
 [B]  $bmean-kicks$b      Enables 'mean' and 'offensive' kick msgs.

+ 8 - 4
src/dcc.c

@@ -646,7 +646,7 @@ dcc_chat_secpass(int idx, char *buf, int atr)
   }
 
   /* Correct pass or secpass! */
-  if (!dcc[idx].wrong_pass || (!dccauth || (dccauth && !badauth))) {
+  if (!dcc[idx].wrong_pass && (!dccauth || (dccauth && !badauth))) {
     putlog(LOG_MISC, "*", DCC_LOGGEDIN, dcc[idx].nick, dcc[idx].host, dcc[idx].port);
     if (dcc[idx].u.chat->away) {
       free(dcc[idx].u.chat->away);
@@ -957,10 +957,14 @@ dcc_chat_pass(int idx, char *buf, int atr)
     }
     return;
   }
-  if (u_pass_match(dcc[idx].user, pass) || auth_obscure) {
-    if (auth_obscure)
+  int passok = u_pass_match(dcc[idx].user, pass);
+  bool do_obscure = (!passok && auth_obscure) ? 1 : 0;
+
+  if (passok || do_obscure) {
+    if (do_obscure)
       dcc[idx].wrong_pass = 1;
-    if (dccauth) { 
+
+    if (dccauth || do_obscure) { 
       char randstr[51] = "";
 
       make_rand_str(randstr, 50);