Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros, for more info) to build successfully.

  1. 15 Feb, 2021 1 commit
    • Rob Swindell's avatar
      Disable FTP Bounce (FXP) support by default · 635fad77
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
  2. 14 Feb, 2021 1 commit
  3. 24 Jan, 2021 1 commit
    • Rob Swindell's avatar
      Better charset handling of outbound mail · 9c8d7588
      Rob Swindell authored
      The default character set for outbound mail is now auto-determined (when not explicitly specified for a message) between UTF-8, ASCII, and CP437. The [mail] DefaultCharset setting (which fell-back to iso-8859-1 if blank) is no longer "a thing".
      Also: specify 8-bit content-transfer-encoding for the (potentially UTF-8 or CP-437) plain text portion of a MIME-encoded message with file attachment (7-bit was wrong) and pass down the text sub-type (e.g. could be "html") for inclusion in the mime-part header (don't assume text/plain, but still use that as default).
      Also: log an error when failing to delete an attached file (e.g. from data/file/*.out).
  4. 18 Jan, 2021 2 commits
  5. 30 Dec, 2020 1 commit
  6. 22 Dec, 2020 1 commit
    • Rob Swindell's avatar
      Remove dynamic HTML index support from FTP server · 0d01544d
      Rob Swindell authored
      The days of browsers rendering HTML served-up via FTP are over, so remove this feature. This also removes all JavaScript support from the FTP server and that is a bit odd as it was one of the first Synchronet components for which I added JS support.
      Removing this feature was pretty painless; much easier than adding it was. The main motivation was less cruft to port to the file base in the works. There should be no more references to 00index.html anywhere at this point. Bye bye cool feature, we'll miss you.
  7. 24 Nov, 2020 1 commit
    • Rob Swindell's avatar
      Stop pretending to configure the JavaScript Context stack · c0cd8686
      Rob Swindell authored
      The argument to JS_NewContext that we were allowing to be configured was not the contest stack size, but rather:
      "The size, in bytes, of each "stack chunk". This is a memory management tuning parameter which most users should not adjust. 8192 is a good default value." - per Mozilla.
      So we're just going to use the suggested default, hard-coded.
  8. 21 Oct, 2020 1 commit
  9. 15 Sep, 2020 2 commits
  10. 14 Sep, 2020 1 commit
  11. 13 Sep, 2020 3 commits
  12. 12 Sep, 2020 1 commit
    • Rob Swindell's avatar
      Improve startup w/Config Wizard reliability · 351cf95a
      Rob Swindell authored
      I noticed on one particular system that Canceling or Completing
      the configuration wizard on a fresh install, sbbsctrl.exe would
      just shut down (no error dialog or anything, likely a crash of
      some kind). Instrumenting StartupTimerTick() didn't reveal anything
      useful (it ran to completion).
      By changing the method of launching the Configuration Wizard,
      I was able to eliminate this observed problem. Now, the StartupTimer
      runs twice on a fresh install (just once for a normal startup),
      and the second run of the StartupTimerTick starts the configuration
      I also reverted to the previous behavior of dynamically creating
      and destroying the wizard for each use. There's just too much state
      information to restore if the config wizard is run a second time.
      Also, removed a bunch of old Registry settings readings (v3.10/11
      upgrade support) and commented out code.
  13. 11 Sep, 2020 1 commit
  14. 08 Sep, 2020 3 commits
  15. 07 Sep, 2020 1 commit
  16. 16 Aug, 2020 1 commit
  17. 30 Apr, 2020 1 commit
    • rswindell's avatar
      Divorce these files from sbbs.h. · 2847c7ef
      rswindell authored
      Eventually, would love to get this entire project divorced from sbbs.h, but
      that's a rabbit hole I don't want to go down right now.
  18. 17 Apr, 2020 2 commits
  19. 15 Apr, 2020 2 commits
  20. 13 Apr, 2020 1 commit
  21. 08 Apr, 2020 1 commit
  22. 17 Mar, 2020 2 commits
  23. 15 Mar, 2020 6 commits
  24. 26 Sep, 2019 1 commit
  25. 31 Aug, 2019 1 commit
    • rswindell's avatar
      Update the C getnodedat/putnodedat API to not require that the node file · c2e891d2
      rswindell authored
      (ctrl/node.dab) is constantly closed and re-opened for every non-locking read.
      This is really slow across network file systems and unnecessary, so use a
      similar optimization as the C++ sbbs_t class where the file can (and normally
      is) left open across multiple consecutive reads.
  26. 19 Jul, 2019 1 commit