Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros; see libarchive.org for more info) to build successfully.

  1. 17 Feb, 2021 8 commits
  2. 16 Feb, 2021 14 commits
  3. 15 Feb, 2021 18 commits
    • Less tired. · 2cbf3030
      Deucе authored
      2cbf3030
    • Less tired. · 5379321a
      Deucе authored
      5379321a
    • Parse redirects the easy way. · dfd7e11c
      Deucе authored
      I'm not sure what echicken was trying here, but apparently it doesn't
      work for nelgin.
      
      Likely fixes #220.
      dfd7e11c
    • Parse redirects the easy way. · aeb26cba
      Deucе authored
      I'm not sure what echicken was trying here, but apparently it doesn't
      work for nelgin.
      
      Likely fixes #220.
      aeb26cba
    • Merge branch 'mlong/xtrnfeb2' into 'master' · c8ae13c3
      Rob Swindell authored
      3rd party external doors - exitilus, jibben, jns
      
      See merge request !110
      c8ae13c3
    • Merge branch 'mlong/xtrnfeb2' into 'master' · 90d98dfa
      Rob Swindell authored
      3rd party external doors - exitilus, jibben, jns
      
      See merge request !110
      90d98dfa
    • Michael Long's avatar
      d2aa024f
    • Michael Long's avatar
      0a58ca90
    • If finger doesn't return a valid JSON object, log the returned string(s) · 171fe43c
      Rob Swindell authored
      ... instead of the JSON parse exception as reported via IRC:
      <matjam> !finger ?bbs:Stupendous BBS@vert.synchro.net result: SyntaxError: JSON.parse
      171fe43c
    • If finger doesn't return a valid JSON object, log the returned string(s) · a8768797
      Rob Swindell authored
      ... instead of the JSON parse exception as reported via IRC:
      <matjam> !finger ?bbs:Stupendous BBS@vert.synchro.net result: SyntaxError: JSON.parse
      a8768797
    • Document new [ftp] ALLOW_BOUNCE option · 779a621a
      Rob Swindell authored
      779a621a
    • Document new [ftp] ALLOW_BOUNCE option · faac4653
      Rob Swindell authored
      faac4653
    • Disable FTP Bounce (FXP) support by default · 635fad77
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
      635fad77
    • Disable FTP Bounce (FXP) support by default · ebece39d
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
      ebece39d
    • Address more Coverity issues · 5e7baf93
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
      5e7baf93
    • Address more Coverity issues · 9344a7d8
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
      9344a7d8
    • glob() paranoia · 081e05c7
      Rob Swindell authored
      Make Coverity happy.
      081e05c7
    • glob() paranoia · 454a05f0
      Rob Swindell authored
      Make Coverity happy.
      454a05f0
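
The address check described in the "Disable FTP Bounce (FXP) support by default" commit message above, as an added example that is not Synchronet's own code: it parses an IPv4 PORT argument and rejects a data target that differs from the control-connection peer unless bounce is enabled and the user is an authenticated non-guest. All names are hypothetical, the sample addresses are constructed, EPRT/LPRT are not covered, and it assumes the reserved-port rejection applies regardless of ALLOW_BOUNCE.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names throughout; this is not Synchronet's FTP server code. */
enum port_verdict { PORT_OK, PORT_MALFORMED, PORT_RESERVED, PORT_BOUNCE };

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Parse the RFC 959 "h1,h2,h3,h4,p1,p2" argument (CRLF already stripped). */
static bool parse_port_arg(const char *arg, uint32_t *ip, uint16_t *port)
{
    unsigned f[6];
    char extra;
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5], &extra) != 6)
        return false;               /* too few fields or trailing junk */
    for (int i = 0; i < 6; i++)
        if (f[i] > 255)
            return false;           /* each field is a single octet */
    *ip = IP4(f[0], f[1], f[2], f[3]);
    *port = (uint16_t)((f[4] << 8) | f[5]);
    return true;
}

/* Decide whether a PORT command may be honoured on this control connection. */
static enum port_verdict check_port_cmd(const char *arg, uint32_t ctrl_peer_ip,
                                        bool allow_bounce, bool authenticated, bool guest)
{
    uint32_t ip;
    uint16_t port;
    if (!parse_port_arg(arg, &ip, &port))
        return PORT_MALFORMED;
    if (port < 1024)                /* assumption: always rejected (RFC 2577) */
        return PORT_RESERVED;
    bool bounce_ok = allow_bounce && authenticated && !guest;
    if (ip != ctrl_peer_ip && !bounce_ok)
        return PORT_BOUNCE;         /* data target differs from control peer */
    return PORT_OK;
}

int main(void)
{
    uint32_t peer = IP4(192, 0, 2, 10);   /* constructed control-connection peer */
    static const char *names[] = { "ok", "malformed", "reserved port", "bounce" };
    printf("%s\n", names[check_port_cmd("192,0,2,10,200,10", peer, false, true, false)]);
    printf("%s\n", names[check_port_cmd("198,51,100,7,200,10", peer, false, true, false)]);
    printf("%s\n", names[check_port_cmd("198,51,100,7,200,10", peer, true, true, false)]);
    return 0;
}
```

A server applying this would answer anything other than PORT_OK with an error reply and log the PORT_RESERVED and PORT_BOUNCE cases as suspected hack attempts, as the commit message describes.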