CEF/ergo
1
0
Fork 0
forked from External/ergo
Code Pull requests Activity

fix #1634:

Browse source 
1. Fix auth bypass in the default configuration with the addition of
   server.password (the REGISTER command was allowed before connection
   registration, allowing unauthenticated users to REGISTER and then
   take advantage of skip-server-password)
2. Caution operators against the use of require-sasl without disabling
   user-initiated account registration. (Such a configuration is still valid
   in the case of a public server that requires everyone to register.)
This commit is contained in:
Shivaram Lingamneni 2021-04-25 19:22:08 -04:00
parent 7481bf0385
commit 97ba1c3d63
5 changed files with 38 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

23
irc/config.go
View file

@ -1299,6 +1299,19 @@ func LoadConfig(filename string) (config *Config, err error) {
config.Accounts.defaultUserModes = ParseDefaultUserModes(config.Accounts.DefaultUserModes)
if config.Server.Password != "" {
config.Server.passwordBytes, err = decodeLegacyPasswordHash(config.Server.Password)
if err != nil {
return nil, err
}
if config.Accounts.LoginViaPassCommand && !config.Accounts.SkipServerPassword {
return nil, errors.New("Using a server password and login-via-pass-command requires skip-server-password as well")
}
// #1634: accounts.registration.allow-before-connect is an auth bypass
// for configurations that start from default and then enable server.password
config.Accounts.Registration.AllowBeforeConnect = false
}
config.Accounts.RequireSasl.exemptedNets, err = utils.ParseNetList(config.Accounts.RequireSasl.Exempted)
if err != nil {
return nil, fmt.Errorf("Could not parse require-sasl exempted nets: %v", err.Error())
@ -1389,16 +1402,6 @@ func LoadConfig(filename string) (config *Config, err error) {
// parse default channel modes
config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.DefaultModes)
if config.Server.Password != "" {
config.Server.passwordBytes, err = decodeLegacyPasswordHash(config.Server.Password)
if err != nil {
return nil, err
}
if config.Accounts.LoginViaPassCommand && !config.Accounts.SkipServerPassword {
return nil, errors.New("Using a server password and login-via-pass-command requires skip-server-password as well")
}
}
if config.Accounts.Registration.BcryptCost == 0 {
config.Accounts.Registration.BcryptCost = passwd.DefaultCost
}