a2a1448caeaf2b1a6add92e80d5b17581c54bef3...a6efc1beffc68abb0f64e23e2cfddc83563c9074 · Main / Synchronet

Commits (18)

Address Coverity-reported issues · 0c441424
Rob Swindell authored Feb 15, 2021
```
Hopefully not introducing any bugs in the process.
```
0c441424
Fix typo in previous commit (missing semicolon) · 5771d524
Rob Swindell authored Feb 15, 2021

5771d524
Address gcc warning: comparison of integer expressions of different signedness · c0373038
Rob Swindell authored Feb 15, 2021

c0373038
glob() paranoia · 454a05f0
Rob Swindell authored Feb 15, 2021
```
Make Coverity happy.
```
454a05f0

Rob Swindell authored Feb 15, 2021

Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.

9344a7d8

Disable FTP Bounce (FXP) support by default · ebece39d

Rob Swindell authored Feb 15, 2021

The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.

However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).

So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.

This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).

ebece39d

Document new [ftp] ALLOW_BOUNCE option · faac4653
Rob Swindell authored Feb 15, 2021

faac4653

If finger doesn't return a valid JSON object, log the returned string(s) · a8768797

Rob Swindell authored Feb 15, 2021

... instead of the JSON parse exception as reported via IRC:
<matjam> !finger ?bbs:Stupendous BBS@vert.synchro.net result: SyntaxError: JSON.parse

a8768797

3rd party external doors - exitilus, jibben, jns · 0a58ca90
Michael Long authored Feb 15, 2021

0a58ca90
Merge branch 'mlong/xtrnfeb2' into 'master' · 90d98dfa
Rob Swindell authored Feb 15, 2021
```
3rd party external doors - exitilus, jibben, jns

See merge request !110
```
90d98dfa

Parse redirects the easy way. · aeb26cba

Deucе authored Feb 15, 2021

I'm not sure what echicken was trying here, but apparently it doesn't
work for nelgin.

Likely fixes #220.

aeb26cba

Less tired. · 5379321a
Deucе authored Feb 15, 2021

5379321a
Resolve more Coverity issues · 91531c3e
Rob Swindell authored Feb 15, 2021

91531c3e
Merge remote-tracking branch 'origin/master' · 35d07d85
Rob Swindell authored Feb 15, 2021

35d07d85
Oops · 9d05c7f8
Rob Swindell authored Feb 15, 2021

9d05c7f8
Merge remote-tracking branch 'origin/master' · 55a5f22c
Rob Swindell authored Feb 15, 2021

55a5f22c
Remove dead code in js_cryptcon_get() - reported by Coverity · b911ee03
Rob Swindell authored Feb 15, 2021
```
Deuce said to just delete it. <shrug>
```
b911ee03
Merge remote-tracking branch 'origin/master' · a6efc1be
Rob Swindell authored Feb 15, 2021

a6efc1be

Hide whitespace changes

Inline Side-by-side

View file @ a6efc1be

@@ -812,8 +812,6 @@ js_cryptcon_get(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
 	if ((p=(struct js_cryptcon_private_data *)JS_GetPrivate(cx,obj))==NULL) {
 		return JS_TRUE;
 		JS_ReportError(cx, getprivate_failure, WHERE);
 		return JS_FALSE;
+	}
     JS_IdToValue(cx, id, &idval);
-...