-rw-r--r-- | include/users.h | 6 | ||||
-rw-r--r-- | src/configreader.cpp | 8 | ||||
-rw-r--r-- | src/modules/m_cgiirc.cpp | 9 | ||||
-rw-r--r-- | src/modules/m_customtitle.cpp | 8 | ||||
-rw-r--r-- | src/modules/m_vhost.cpp | 10 | ||||
-rw-r--r-- | src/users.cpp | 6 |
6 files changed, 42 insertions, 5 deletions
diff --git a/include/users.h b/include/users.h index ca9c3f557..c08be8c6f 100644 --- a/include/users.h +++ b/include/users.h @@ -149,6 +149,12 @@ struct CoreExport ConnectClass : public refcountbase */ insp::flat_set<int> ports; + /** If non-empty then the password a user must specify in PASS to be assigned to this class. */ + std::string password; + + /** If non-empty then the hash algorithm that the password field is hashed with. */ + std::string passwordhash; + /** Create a new connect class with no settings. */ ConnectClass(ConfigTag* tag, char type, const std::string& mask); diff --git a/src/configreader.cpp b/src/configreader.cpp index 51f846f70..a43a9d78c 100644 --- a/src/configreader.cpp +++ b/src/configreader.cpp @@ -304,6 +304,14 @@ void ServerConfig::CrossCheckConnectBlocks(ServerConfig* current) me->maxconnwarn = tag->getBool("maxconnwarn", me->maxconnwarn); me->limit = tag->getUInt("limit", me->limit); me->resolvehostnames = tag->getBool("resolvehostnames", me->resolvehostnames); + me->password = tag->getString("password", me->password); + + me->passwordhash = tag->getString("hash", me->passwordhash); + if (!me->password.empty() && (me->passwordhash.empty() || stdalgo::string::equalsci(me->passwordhash, "plaintext"))) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEFAULT, "<connect> tag '%s' at %s contains an plain text password, this is insecure!", + name.c_str(), tag->getTagLocation().c_str()); + } std::string ports = tag->getString("port"); if (!ports.empty()) diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 94fc99db1..d4a02859d 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp 
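Review bot: The doc comment on `password` in the include/users.h hunk says it is the password a user must specify in PASS, but once `passwordhash` is set the member holds the stored hash rather than the password itself. I would word it as `/** If non-empty then the password (or its hash, when passwordhash is set) that a user's PASS is checked against for this class. */` so that readers do not assume the member is always a cleartext secret. The ConnectClass struct starts and ends outside the hunk.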
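Review bot: The warning text in the src/configreader.cpp hunk reads "contains an plain text password"; it should be `contains a plain text password`, and the same wording is repeated in the m_cgiirc, m_customtitle and m_vhost hunks. Separately, `tag->getString("password", me->password)` falls back to whatever `me` already holds. If `me` was initialised from a parent class (not visible in this hunk), each inheriting block would log the warning against its own tag location rather than the tag that actually sets the password. Checking `tag->getString("password")` before warning would presumably limit the message to blocks that define the password themselves. CrossCheckConnectBlocks starts and ends outside the hunk.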
@@ -307,12 +307,19 @@ class ModuleCgiIRC // The IP address will be received via the WEBIRC command. const std::string fingerprint = tag->getString("fingerprint"); const std::string password = tag->getString("password"); + const std::string passwordhash = tag->getString("hash", "plaintext", 1); // WebIRC blocks require a password. if (fingerprint.empty() && password.empty()) throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation()); - webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash"))); + if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<cgihost> tag at %s contains an plain text password, this is insecure!", + tag->getTagLocation().c_str()); + } + + webirchosts.push_back(WebIRCHost(mask, fingerprint, password, passwordhash)); } else { diff --git a/src/modules/m_customtitle.cpp b/src/modules/m_customtitle.cpp index faf614e2f..7cdd0bc4f 100644 --- a/src/modules/m_customtitle.cpp +++ b/src/modules/m_customtitle.cpp @@ -136,7 +136,13 @@ class ModuleCustomTitle : public Module, public Whois::LineEventListener if (pass.empty()) throw ModuleException("<title:password> is empty at " + tag->getTagLocation()); - std::string hash = tag->getString("hash"); + const std::string hash = tag->getString("hash", "plaintext", 1); + if (stdalgo::string::equalsci(hash, "plaintext")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<title> tag for %s at %s contains an plain text password, this is insecure!", + name.c_str(), tag->getTagLocation().c_str()); + } + std::string host = tag->getString("host", "*@*"); std::string title = tag->getString("title"); std::string vhost = tag->getString("vhost"); diff --git a/src/modules/m_vhost.cpp b/src/modules/m_vhost.cpp index 573b9b31a..43d732ef9 100644 --- a/src/modules/m_vhost.cpp +++ b/src/modules/m_vhost.cpp 
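Review bot: The third argument in `tag->getString("hash", "plaintext", 1)` in the m_cgiirc.cpp hunk is an unexplained literal. It appears to be a minimum length, so that an empty `hash=""` also falls back to "plaintext"; a short comment such as `// Treat a missing or empty hash as plaintext.` would make that explicit here and in the m_customtitle and m_vhost hunks. Note also that `WebIRCHost` now receives "plaintext" instead of an empty string when no hash is configured, including for fingerprint-only blocks. Any code outside this diff that tests the stored hash with `.empty()` should be checked for a behaviour change. The enclosing function starts and ends outside the hunk.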
@@ -103,13 +103,21 @@ class ModuleVHost : public Module std::string mask = tag->getString("host"); if (mask.empty()) throw ModuleException("<vhost:host> is empty! at " + tag->getTagLocation()); + std::string username = tag->getString("user"); if (username.empty()) throw ModuleException("<vhost:user> is empty! at " + tag->getTagLocation()); + std::string pass = tag->getString("pass"); if (pass.empty()) throw ModuleException("<vhost:pass> is empty! at " + tag->getTagLocation()); - std::string hash = tag->getString("hash"); + + const std::string hash = tag->getString("hash", "plaintext", 1); + if (stdalgo::string::equalsci(hash, "plaintext")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<vhost> tag for %s at %s contains an plain text password, this is insecure!", + username.c_str(), tag->getTagLocation().c_str()); + } CustomVhost vhost(username, pass, hash, mask); newhosts.insert(std::make_pair(username, vhost)); diff --git a/src/users.cpp b/src/users.cpp index 4edfd574c..0c95ecc0b 100644 --- a/src/users.cpp +++ b/src/users.cpp @@ -1155,9 +1155,9 @@ void LocalUser::SetClass(const std::string &explicit_name) } } - if (regdone && !c->config->getString("password").empty()) + if (regdone && !c->password.empty()) { - if (!ServerInstance->PassCompare(this, c->config->getString("password"), password, c->config->getString("hash"))) + if (!ServerInstance->PassCompare(this, c->password, password, c->passwordhash)) { ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Bad password, skipping"); continue; @@ -1290,4 +1290,6 @@ void ConnectClass::Update(const ConnectClass* src) limit = src->limit; resolvehostnames = src->resolvehostnames; ports = src->ports; + password = src->password; + passwordhash = src->passwordhash; } |
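Review bot: The password gate `if (regdone && !c->password.empty())` in the LocalUser::SetClass hunk now depends on the new member having been filled in. An empty `c->password` skips the check entirely, so it fails open for any ConnectClass that never received the value through the `me->password = ...` assignment in CrossCheckConnectBlocks or through `ConnectClass::Update`. The ConnectClass constructors are not part of this diff, so it is worth confirming that the parent-copying path carries `password` and `passwordhash` across. A brief comment above the condition, e.g. `// password/passwordhash are populated from <connect> in CrossCheckConnectBlocks.`, would record that dependency. SetClass starts and ends outside the hunk.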