Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros, libarchive.org for more info) to build successfully.

  1. 18 Feb, 2021 3 commits
  2. 17 Feb, 2021 4 commits
  3. 16 Feb, 2021 8 commits
  4. 15 Feb, 2021 17 commits
    • Rob Swindell's avatar
      Disable FTP Bounce (FXP) support by default · 635fad77
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
      635fad77
    • Rob Swindell's avatar
      Disable FTP Bounce (FXP) support by default · ebece39d
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
      ebece39d
    • Rob Swindell's avatar
      Address more Coverity issues · 5e7baf93
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
      5e7baf93
    • Rob Swindell's avatar
      Address more Coverity issues · 9344a7d8
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
      9344a7d8
    • Rob Swindell's avatar
    • Rob Swindell's avatar
    • Rob Swindell's avatar
      7299e000
    • Rob Swindell's avatar
      5771d524
    • Rob Swindell's avatar
      Address Coverity-reported issues · 68990cd8
      Rob Swindell authored
      Hopefully not introducing any bugs in the process.
      68990cd8
    • Rob Swindell's avatar
      Address Coverity-reported issues · 0c441424
      Rob Swindell authored
      Hopefully not introducing any bugs in the process.
      0c441424
    • Rob Swindell's avatar
      Fix exception (crash) when sending file attachments · 8c28acab
      Rob Swindell authored
      The new subject line parsing (with quoted-filename support) had a NULL-pointer deref built-in.
      
      Also fixed a few Coverity-reported issues.
      8c28acab
    • Rob Swindell's avatar
      Update comment header block. · ef86978b
      Rob Swindell authored
      ef86978b
    • Rob Swindell's avatar
      Don't use uninitialized variable in errormsg() · b9540c9a
      Rob Swindell authored
      Caught by Coverity.
      b9540c9a
    • Rob Swindell's avatar
      Handle filelength() failure gracefully · 9683b9d2
      Rob Swindell authored
      Addresses Coverity's NEGATIVE_RETURNS bug-checker issue.
      9683b9d2
    • Rob Swindell's avatar
      Fix memory leaks in error paths of js_show_msg_header() · 829b425a
      Rob Swindell authored
      Identified by Coverity.
      829b425a
    • Rob Swindell's avatar
    • Rob Swindell's avatar
      When replying to PING netmails, use the destination addr as the origaddr · 53d31031
      Rob Swindell authored
      As tested and reported in FIDONEWS by Michiel van der Vlist, 2:280/5555, SBBSecho would use the "best match" FidoNet AKA for the originating address when replying to PING netmail messages and not necessarily the original destination address of the ping request. For systems that have multiple addresses (AKAs) that could be considered appropriate originating addresses for the requesting node address (e.g. multiple addresses in the same zone or zone/net), this could cause a confusion for the PING requester.
      
      The create_netmail() function now accepts an optional source (orig) address parameter and the PING response logic passes the netmail's destination address for the reply message's originating (source) address.
      
      I noticed that AreaMgr responses also follow the same logic as PING responses (just use the best-fit AKA, not necessarily the same address as the original request's destination address) - but I did not choose to address that "issue" at this time.
      53d31031
  5. 14 Feb, 2021 4 commits
    • Rob Swindell's avatar
      95281f96
    • Rob Swindell's avatar
    • Rob Swindell's avatar
      Make the node.cnf loading optional in load_cfg() · bd04c690
      Rob Swindell authored
      Don't return an error if the node#/node.cnf file can't be opened for all uses of load_cfg() except from the terminal server. This fixes #214 for Tracker1
      bd04c690
    • Rob Swindell's avatar
      Strip/ignore high (parity) bit in ZPAD, ZDLE, and hex headers · 0f7716c0
      Rob Swindell authored
      The previous committed fix/issue raised some additional concerns about this "parity" bit:
      
      Something I didn't notice before from the ZMODEM spec:
      "The hex header receiving routine ignores parity."
      
      And looking at lrzsz's zm.c, I see it goes even further and ignores the "parity" bit on the ZPAD and ZDLE bytes proceeding the frame encoding byte as well as in the frame encoding byte itself (so ZHEX, 'B' 0x22 and 0xC2 should be treated as equivalent).
      
      I find it strange that some ZMODEM implementations (e.g. chuck's zshhdr()) would send the terminating LF with the even-parity bit set, but not set the even-parity flag for any of the frame content bytes. And then, expect that the parity flag may be set on incoming hex headers. I suppose it makes sense for 7-E-1 connections, but then the transmitted terminating LF would have had its parity flag set automatically (would not need to be set manually in the code). Add to the mysteries of ZMODEM that will likely never be solved.
      0f7716c0
  6. 13 Feb, 2021 1 commit
    • Rob Swindell's avatar
      Accept hex headers terminated with 0x8A · 12ac1fc4
      Rob Swindell authored
      Some ZMODEM implementations set the high bit (even parity?) when sending this '\n' terminator.
      As reported via IRC:
      <Keyop> sexyz: !zmodem_recv_hex_header HEX header not terminated with LF: 138 (8Ah)
      12ac1fc4
  7. 11 Feb, 2021 1 commit
  8. 10 Feb, 2021 1 commit
  9. 07 Feb, 2021 1 commit