Fix warning while we're here.

The value of the macro is INT_MIN, not zero to protect agains weird
edge cases.

I considered INT_MAX, but figured you could get there in sane ways.

The file_list[] parameter was expected to contain only files, but the directory() function (used to create that file_list[]) returns a list of all directory entries, including sub-directories. I could (and maybe will) add an option to directory() to only include files or dirs, but this seemed the more direct fix for the problem reported by DesotoFireflite (VALHALLA):

TickIT's nodelist_handler.js appears to be creating and leaving behind a sub-directory of the temp directory, triggering this error:
 1/23  11:36:56a  QNET libarchive error -1 (13 opening c:\SBBS\temp\event\nodelist_handler/) creating c:\SBBS\data\VERT.REP 

Why isn't the temp directory fully cleaned up after/between events? That's another thing to look into.

To address CID 345626

We need to re-parse the default sexpots.ini [TCP] section for every new session (when using the Prompt feature) or else there's no way to connect to the default host.

Also, telnet to be enabled or disabled (e.g. by setting Telnet=false) in any [TCP] or [TCP:x] section to support a mix of Telnet and non-Telnet hosts.

Also log a warning if a control character is received in response to the prompt, or log a notice if there's a timeout waiting for a response to the prompt. Change the non-control character response value to a debug-level log message.

Set CLS=true in the root section of sexpots.ini to enable. Sends a ^L ASCII 12 0x0c FF CS whatever you want to call it to the remote terminal before sending the carriage return and copyright banner. For Nelgin.

Set to number of seconds to timeout, if desired.
Log the received character in response to the prompt.

Wait up to 10 seconds for a single-char reply to the prompt and if a non-control character was received, use the [TCP:x] (x is the character sent by the user) from the sexpots.ini for the Host and Port values to connect to.

An experimental feature for Nelgin.

When printing a PETSCII Sequence (.seq) file, count the lines/rows and columns similar to how we would if we were using outchar() (but we don't, we use the lower-level outcom() to bypass any translations).

This is related to issue #325:
PETSCII seq files seem to display just fine, the problem I saw was with the auto-pausing (e.g. before a screen-clear) after displaying them.

So some cute user (mine@demon.com) created a new user account on Vertrauen with the alias and real name of "Rob Swindell". Funny.

Now, duplicate user aliases are already and always forbidden (even those that just vaguely match an existing alias) - everyone expects those to be unique. And we already forbid new user real names to match an existing user alias (check_name() enforces this and we use that when checking new user real names too), however, nothing prevented a new user account's alias from matching another existing user's real name. And this is a problem:

1. This new/fake user could post a message or send an email/netmail and it would appear to possibly come from the other/original user (we do have options to send mail and post messages using real names)

2. Received email for real names is supported and if enabled, this second account could be used to intercept mail for the original/first account if it was receiving mail for the original/real user's real name.

So disallowing a new user's real name to match an existing alias fixes one problem. 
However, systems *can* be configured to allow duplicate real names (which is convenient for QWKnet accounts, for example) and so we needed another solution for that problem: meet the 'O' restriction. This restriction flag will prevent a user account from posting messages no sub-boards that require real names. New user accounts that have a duplicate real name (the same as another user account's real name), will automatically be assigned the 'O' restriction flag. Systems that don't allow duplicate real names wouldn't have this issue in the first place.

Scripts that allow the creation of new user accounts might need some updating to match this security logic.

Eliminate some redundant code. Use the userdat lib function provided for this purpose.

Posting restrictions are handled one QWK-message at a time (and have been for a long time). No actual change here.

Fixed a couple sprintf() buffer overflow warnings/issues.

for Nelgin

Default the progress time interval to 500 milliseconds (twice a second).

Don't specify a count/call interval in the call-sites, since we really want to use time-based progress updates now only and the default probably will work fine everywhere.

To send less text over slow (e.g. 4800bps) modems. For Nelgin.

This makes the interval argument unnecessary I think.

system.illegal_filename() - check if contains illegal chars/sequences
system.safest_filename() - check if contains only safest chars
system.allowed_filename() - check if meets criteria from SCFG->File Options
system.check_filename() - check if legal and meets configured criteria and is not in file.can
bbs.check_filename() - ditto, except will display badfile.msg as appropriate

Now scripts can utilize the sysop-controlled filename criteria and security of the BBS.

Only in debug builds.
If this check fails, then we may be producing/using potentially un-terminated strings and need to do something about that. By default, xpdev/genwrap.h redefines snprintf() as safe_snprintf(), so this check *should* always succeed.

The default is 'size' parameter value is 12 characters, not 13.

If an extended description contains nothing but Ctrl-A codes and white-space, don't display it in a file listing (in place of the normal short description).

Apparent copy/paste error in sbbs_set_sound_settings() - I was wondering why the HangupSound key wasn't saving to the sbbs.ini file from SBBSCTRL.

This is an experimental feature that's been in the code for quite a while without any supporting help/docs (there was the original commit message, I'm sure). I'm not sure how much value this feature is without providing automatic access to the *files* within the sub-directories, but there you have it.

"Request for x is outside of the web root" was already logged (with a "NOTICE" log level), but would not sound the hack attempt alarm (on Windows) or log to the hack.log. Now it does.

file_area.web_vpath_prefix
file-metadata-object (return value of FileBase.get()).vpath

These methods also (optionally) accept a file-meta-object as an argument.

Similar to the ctrl/ftpalias.cfg file, the new ctrl/web_alias.ini file (optional) can be used to map a portion (the first portion, only) of a web request path to a different physical or virtual path. For example, I'm using it to map:
/Synchronet/ = /files/main/sbbs/
for filebase access to my main->sbbs directory of Vertrauen's filebase using a /Synchronet/* web request (i.e. for slightly prettier or shorter custom URLs, if desired).

By setting SCFG->File Options->Web File Virtual Path Prefix to something (e.g. "/files/"), all HTTP or HTTPS requests to the Synchronet Web Server with request paths beginning with this prefix will be interpreted as filebase access requests (with full access control enforcement). This is configured here (in SCFG) rather than, say, the [web] section of sbbs.ini, because I have plans for the terminal server to use this prefix to generate Web-URLs for files to display or email to users.

Currently, only requests to *files* (for download) are supported (no index generation, file information, etc. and definitely no upload support). Full access control (using HTTP auth, not cookies) is used for libraries and directories with controlled access. Credits are deducted and awarded and uploaders are notified of downloads, as one would expect. Requests to any dynamic-web-content files (e.g. .SSJS, .XJS, etc.) will be treated as static file download requests (no script will be executed).

I'm reusing the same virtual path parsing logic from the FTP server (moved to the userdat lib), so the virtual path to a file for download would be, for example, http://yourdomain/files/lib/dir-code/filename.ext

The main motivation for this feature is: FTP-links in email and web pages are just not useful to many users these days and I don't think that sysops should have to rely on a SSJS web UI (e.g. ecWebv4, cool as it is), to provide web-access to the filebases. Using this feature, you can share simpler/shorter web links to your files that will be more enduring.

CID 345291
It's actually a false positive because if an extension (".suffix") exists in filespec, it must also exist in newfilespec since it's a copy, but whatever. It's better form to check.

libarchive apparently cannot be used for in-place modification of (e.g. adding files to) existing archives, so if a bundle already exists, this code would over-write it with a new archive containing just the latest packet. Issue reported by acn (IMZADI) via DOVE-Net.

I could and might create an update_archive() function which extracts and re-creates an archive with additional files, but since I don't have that yet, just disable this for now and always use an external archive utility to create or update bundles (so again, an "Archive" configuration is required in your sbbsecho.ini file, which you most likely already have).

Not sure why, as this utility has been deprecated. :-/

warning: ‘%s’ directive writing up to 4096 bytes into a region of size between 4034 and 4097

When searching descriptions for text, include these new metadata fields in the content to search.