Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros, libarchive.org for more info) to build successfully.

  1. 19 Feb, 2021 5 commits
    • Correct the parse_mail_address() argument order · e9329f6c
      Rob Swindell authored
      Issue introduced in previous commit to this file. The name arg(s) comes before the address arg(s).
    • 2d90939b
      Deuce authored
    • Fix CIDs 174500 and 174471 · 59b8829a
      Deuce authored
    • Automatically route in-transit mail to points to boss nodes · 45ced2a3
      Rob Swindell authored
      If the destination point node is not a linked node (does not exist in sbbsecho.ini), but the boss node is linked, automatically route to the boss node. The log entries look like this when this happens:
      "Routing packet (%s) to boss-node %s"
      "Routing NetMail (%s) to boss-node %s"
      
      For poindexter FORTRAN (REALITY) - test results appreciated.
      
      Incremented SBBSecho version to 3.13.
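The boss-node routing rule from the commit above, as an added example in C; this is not SBBSecho's own code. It assumes a small in-memory table of linked FidoNet addresses standing in for the nodes configured in sbbsecho.ini, and the hypothetical names `faddr_t`, `parse_faddr()` and `route_to_linked()`. The log wording is taken from the commit message; everything else is constructed for illustration.

```c
/* Added example, not SBBSecho's own code: mail addressed to a point
 * (zone:net/node.point) that is not itself a linked node is routed to its
 * boss node (zone:net/node) when the boss is linked.  The linked-node table
 * stands in for sbbsecho.ini; the log line format comes from the commit. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned zone, net, node, point;    /* point == 0 means a full node (a boss) */
} faddr_t;

/* Parse "zone:net/node" or "zone:net/node.point"; false on anything else. */
bool parse_faddr(const char *s, faddr_t *a)
{
    char tail;
    faddr_t t = { 0, 0, 0, 0 };
    int n = sscanf(s, "%u:%u/%u.%u%c", &t.zone, &t.net, &t.node, &t.point, &tail);
    if (n == 4) {                       /* point form, nothing trailing */
        *a = t;
        return true;
    }
    t.point = 0;
    if (sscanf(s, "%u:%u/%u%c", &t.zone, &t.net, &t.node, &tail) == 3) {
        *a = t;                         /* plain node form, nothing trailing */
        return true;
    }
    return false;
}

static bool faddr_eq(faddr_t a, faddr_t b)
{
    return a.zone == b.zone && a.net == b.net && a.node == b.node && a.point == b.point;
}

/* Linear lookup in the constructed linked-node table. */
static bool is_linked(const faddr_t *linked, size_t n, faddr_t a)
{
    for (size_t i = 0; i < n; i++)
        if (faddr_eq(linked[i], a))
            return true;
    return false;
}

/* Format as "zone:net/node[.point]" into buf and return buf. */
const char *faddr_str(faddr_t a, char *buf, size_t len)
{
    if (a.point)
        snprintf(buf, len, "%u:%u/%u.%u", a.zone, a.net, a.node, a.point);
    else
        snprintf(buf, len, "%u:%u/%u", a.zone, a.net, a.node);
    return buf;
}

/* Decide where mail for dest goes.  Returns true and sets *route when dest
 * itself, or (for a point) its boss, is a linked node.  log receives the
 * "Routing <what> (...) to boss-node ..." line when rerouting happened and
 * an empty string otherwise.  Returns false when there is no linked route. */
bool route_to_linked(const faddr_t *linked, size_t n, const char *what,
                     faddr_t dest, faddr_t *route, char *log, size_t loglen)
{
    char d[32], b[32];
    log[0] = '\0';
    if (is_linked(linked, n, dest)) {   /* direct link: no rerouting */
        *route = dest;
        return true;
    }
    if (dest.point != 0) {
        faddr_t boss = dest;
        boss.point = 0;                 /* the point's boss node */
        if (is_linked(linked, n, boss)) {
            *route = boss;
            snprintf(log, loglen, "Routing %s (%s) to boss-node %s", what,
                     faddr_str(dest, d, sizeof d), faddr_str(boss, b, sizeof b));
            return true;
        }
    }
    return false;
}

int main(void)
{
    /* constructed linked-node table standing in for sbbsecho.ini */
    faddr_t linked[2];
    parse_faddr("1:103/705", &linked[0]);
    parse_faddr("2:280/5555", &linked[1]);

    const char *dests[] = { "1:103/705.3", "1:103/705", "3:633/280.1" };
    for (size_t i = 0; i < 3; i++) {
        faddr_t dest, route;
        char log[128], buf[32];
        if (!parse_faddr(dests[i], &dest))
            continue;
        if (route_to_linked(linked, 2, "NetMail", dest, &route, log, sizeof log))
            printf("%s -> %s%s%s\n", dests[i], faddr_str(route, buf, sizeof buf),
                   log[0] ? "  " : "", log);
        else
            printf("%s -> no linked route\n", dests[i]);
    }
    return 0;
}
```

The first destination is a point whose boss is linked, so it is rerouted and the log line is produced; the second is a linked node and passes through unchanged; the third has neither itself nor its boss linked and gets no route, which is where the real tool would fall back to its other routing rules.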
    • Recognize DNS blacklist exempted email addresses in From fields · 27079b33
      Rob Swindell authored
      Previously, any DNS blacklist-exempt email addresses (in ctrl/dnsbl_exempt.cfg) had to be used in the mail-envelope (the "MAIL FROM:" address) - that doesn't work for all senders that use re-mailers or whatever where you end-up with some *bounce* address as the envelope-sender.
      
      So now, clear the DNSBL results when the From header field is parsed and the sender was in fact an exempt sender. Note: the Subject line will still contain the SPAM tag if the subject was parsed first (came earlier in the message header). May need to address this limitation in the future if it turns out to be a problem (!).
      
      Lowercase the [smtp|smtps]spy.txt log file.
  2. 18 Feb, 2021 6 commits
  3. 17 Feb, 2021 4 commits
  4. 16 Feb, 2021 8 commits
  5. 15 Feb, 2021 17 commits
    • Disable FTP Bounce (FXP) support by default · 635fad77
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
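The active-mode address check described in the commit above, as an added example in C; this is not Synchronet's own FTP server code. It models the `[ftp]` ALLOW_BOUNCE option as a bit flag in a hypothetical `ftp_session` struct, handles PORT and IPv4 EPRT only (LPRT and IPv6 are left out), and records the "SUSPECTED FTP BOUNCE HACK ATTEMPT" text from the commit in a buffer instead of writing data/hack.log. Function and field names are assumptions for illustration.

```c
/* Added example, not Synchronet's own code: a PORT or EPRT data address is
 * accepted only if it equals the peer address of the control connection,
 * unless the (assumed) ALLOW_BOUNCE option flag is set AND the user is an
 * authenticated non-guest.  Ports below 1024 are rejected as before. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ALLOW_BOUNCE 0x01u          /* assumed [ftp] option flag bit */

struct ftp_session {
    const char *ctrl_addr;          /* dotted-quad peer address of the control connection */
    unsigned    options;            /* option flags (ALLOW_BOUNCE may be set) */
    bool        authenticated;
    bool        guest;              /* anonymous/guest login */
    char        hacklog[160];       /* last hack.log-style entry, empty if none */
};

/* PORT h1,h2,h3,h4,p1,p2 -> dotted quad and 16-bit port; false if malformed */
static bool parse_port_arg(const char *arg, char *addr, size_t addrlen, unsigned *port)
{
    unsigned v[6];
    char tail;
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != 6)
        return false;                           /* wrong field count or trailing junk */
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return false;
    snprintf(addr, addrlen, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = v[4] * 256 + v[5];
    return true;
}

/* EPRT |1|a.b.c.d|port| (IPv4 only here) -> address and port; false if malformed */
static bool parse_eprt_arg(const char *arg, char *addr, size_t addrlen, unsigned *port)
{
    unsigned proto;
    char a[64], tail;
    if (sscanf(arg, "|%u|%63[^|]|%u|%c", &proto, a, port, &tail) != 3)
        return false;                           /* wrong shape or trailing junk */
    if (proto != 1 || *port > 65535)
        return false;
    snprintf(addr, addrlen, "%s", a);
    return true;
}

/* Returns true if the data connection may be opened to the requested
 * address; on rejection returns false and records the reason in hacklog. */
bool ftp_allow_data_addr(struct ftp_session *sess, const char *cmd, const char *arg)
{
    char addr[64];
    unsigned port = 0;
    bool parsed = false;

    if (strcmp(cmd, "PORT") == 0)
        parsed = parse_port_arg(arg, addr, sizeof addr, &port);
    else if (strcmp(cmd, "EPRT") == 0)
        parsed = parse_eprt_arg(arg, addr, sizeof addr, &port);
    if (!parsed) {
        snprintf(sess->hacklog, sizeof sess->hacklog, "malformed %s argument: %s", cmd, arg);
        return false;
    }
    if (port < 1024) {                          /* reserved port, per RFC 2577 */
        snprintf(sess->hacklog, sizeof sess->hacklog,
                 "SUSPECTED FTP BOUNCE HACK ATTEMPT: %s to reserved port %u", cmd, port);
        return false;
    }
    if (strcmp(addr, sess->ctrl_addr) != 0) {   /* third-party address requested */
        bool bounce_ok = (sess->options & ALLOW_BOUNCE) && sess->authenticated && !sess->guest;
        if (!bounce_ok) {
            snprintf(sess->hacklog, sizeof sess->hacklog,
                     "SUSPECTED FTP BOUNCE HACK ATTEMPT: %s to %s:%u from %s",
                     cmd, addr, port, sess->ctrl_addr);
            return false;
        }
    }
    sess->hacklog[0] = '\0';
    return true;
}

int main(void)
{
    struct ftp_session sess = { "192.0.2.10", 0, true, false, "" };   /* constructed session */
    const char *tests[][2] = {
        { "PORT", "192,0,2,10,200,100" },       /* same host, high port: allowed */
        { "PORT", "198,51,100,5,200,100" },     /* third-party host: rejected */
        { "EPRT", "|1|192.0.2.10|80|" },        /* reserved port: rejected */
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        bool ok = ftp_allow_data_addr(&sess, tests[i][0], tests[i][1]);
        printf("%s %s -> %s%s%s\n", tests[i][0], tests[i][1], ok ? "allowed" : "rejected",
               ok ? "" : ": ", sess.hacklog);
    }
    return 0;
}
```

The address comparison is done on the parsed, normalized dotted quad rather than on the raw argument text, so variations in how a client spells the same address cannot slip past the check, and the reserved-port test runs before the address test so the older protection is kept even when bounce is deliberately enabled.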
    • Disable FTP Bounce (FXP) support by default · ebece39d
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
    • Address more Coverity issues · 5e7baf93
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
    • Address more Coverity issues · 9344a7d8
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
    • 7299e000
    • 5771d524
    • Address Coverity-reported issues · 68990cd8
      Rob Swindell authored
      Hopefully not introducing any bugs in the process.
    • Address Coverity-reported issues · 0c441424
      Rob Swindell authored
      Hopefully not introducing any bugs in the process.
    • Fix exception (crash) when sending file attachments · 8c28acab
      Rob Swindell authored
      The new subject line parsing (with quoted-filename support) had a NULL-pointer deref built-in.
      
      Also fixed a few Coverity-reported issues.
    • Update comment header block. · ef86978b
      Rob Swindell authored
    • Don't use uninitialized variable in errormsg() · b9540c9a
      Rob Swindell authored
      Caught by Coverity.
    • Handle filelength() failure gracefully · 9683b9d2
      Rob Swindell authored
      Addresses Coverity's NEGATIVE_RETURNS bug-checker issue.
    • Fix memory leaks in error paths of js_show_msg_header() · 829b425a
      Rob Swindell authored
      Identified by Coverity.
    • When replying to PING netmails, use the destination addr as the origaddr · 53d31031
      Rob Swindell authored
      As tested and reported in FIDONEWS by Michiel van der Vlist, 2:280/5555, SBBSecho would use the "best match" FidoNet AKA for the originating address when replying to PING netmail messages and not necessarily the original destination address of the ping request. For systems that have multiple addresses (AKAs) that could be considered appropriate originating addresses for the requesting node address (e.g. multiple addresses in the same zone or zone/net), this could cause confusion for the PING requester.
      
      The create_netmail() function now accepts an optional source (orig) address parameter and the PING response logic passes the netmail's destination address for the reply message's originating (source) address.
      
      I noticed that AreaMgr responses also follow the same logic as PING responses (just use the best-fit AKA, not necessarily the same address as the original request's destination address) - but I did not choose to address that "issue" at this time.