Merge branch '1.9.x'

hellomouse · Jul 3, 2024 · 0506e95 · 0506e95
2 parents 82e82f0 + 25fa7a5
commit 0506e95
Show file tree

Hide file tree

Showing 8 changed files with 49 additions and 38 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,3 +1,11 @@
+# ZNC 1.9.1 (2024-07-03)
+
+* This is a security release to fix CVE-2024-39844: remote code execution vulnerability in modtcl.
+    * To mitigate this for existing installations, simply unload the modtcl module for every user, if it's loaded. Note that only users with admin rights can load modtcl at all.
+    * Thanks to Johannes Kuhn (DasBrain) for reporting, to glguy for the patch, and to multiple IRC network operators for help with mitigating this on server side before disclosure.
+* Improve tooltips in webadmin.
+
+
 # ZNC 1.9.0 (2024-02-22)
 
 ## New

diff --git a/modules/data/webadmin/tmpl/add_edit_chan.tmpl b/modules/data/webadmin/tmpl/add_edit_chan.tmpl
@@ -27,13 +27,13 @@
 				</div>
 
 				<div class="subsection">
-					<div class="inputlabel"><label for="buffersize"><? FORMAT "Buffer Size:" ?></label></div>
+					<div class="inputlabel"><label for="buffersize"><? FORMAT "Buffer size:" ?></label></div>
 					<input id="buffersize" type="number" name="buffersize" value="<? VAR BufferSize ?>" size="10" min="0"
 						   title="<? FORMAT "The buffer count." ?>"/>
 				</div>
 
 				<div class="subsection">
-					<div class="inputlabel"><label for="defmodes"><? FORMAT "Default Modes:" ?></label></div>
+					<div class="inputlabel"><label for="defmodes"><? FORMAT "Default modes:" ?></label></div>
 					<input id="defmodes" type="text" name="defmodes" value="<? VAR DefModes ?>" size="10"
 						   title="<? FORMAT "The default modes of the channel." ?>"/>
 				</div>

diff --git a/modules/data/webadmin/tmpl/add_edit_network.tmpl b/modules/data/webadmin/tmpl/add_edit_network.tmpl
@@ -66,7 +66,7 @@
 				<? ENDIF ?>
 
 				<div class="subsection">
-					<div class="inputlabel"><label for="quitmsg"><? FORMAT "Quit Message:" ?></label></div>
+					<div class="inputlabel"><label for="quitmsg"><? FORMAT "Quit message:" ?></label></div>
 					<input id="quitmsg" type="text" name="quitmsg" value="<? VAR QuitMsg ?>" class="full" maxlength="256"
 						   title="<? FORMAT "You may define a Message shown, when you quit IRC." ?>"
 						   <? IF !QuitMsgEdit ?>disabled<? ENDIF ?> />

diff --git a/modules/data/webadmin/tmpl/add_edit_user.tmpl b/modules/data/webadmin/tmpl/add_edit_user.tmpl
@@ -45,7 +45,7 @@
 						   title="<? FORMAT "Please re-type the above password." ?>"/>
 				</div>
 				<div class="subsection">
-					<div class="inputlabel"><label for="authonlyviamodule"><? FORMAT "Auth Only Via Module:" ?></label></div>
+					<div class="inputlabel"><label for="authonlyviamodule"><? FORMAT "Auth only via module:" ?></label></div>
 					<input id="authonlyviamodule" type="checkbox" name="authonlyviamodule"
 						    title="<? FORMAT "Allow user authentication by external modules only, disabling built-in password authentication." ?>"
 						    <? IF AuthOnlyViaModule ?>checked="checked" <? ENDIF ?><? IF !ImAdmin ?>disabled="disabled" <? ENDIF ?>/>
@@ -87,7 +87,7 @@
 						   <? IF !IdentEdit ?>disabled<? ENDIF ?> />
 				</div>
 				<div class="subsection">
-					<div class="inputlabel"><label for="statusprefix"><? FORMAT "Status Prefix:" ?></label></div>
+					<div class="inputlabel"><label for="statusprefix"><? FORMAT "Status prefix:" ?></label></div>
 					<input id="statusprefix" type="text" name="statusprefix" value="<? VAR StatusPrefix ?>" class="half" maxlength="5"
 						   title="<? FORMAT "The prefix for the status and module queries." ?>"/>
 				</div>
@@ -114,7 +114,7 @@
 				<? ENDIF ?>
 
 				<div class="subsection">
-					<div class="inputlabel"><label for="quitmsg"><? FORMAT "Quit Message:" ?></label></div>
+					<div class="inputlabel"><label for="quitmsg"><? FORMAT "Quit message:" ?></label></div>
 					<input type="text" name="quitmsg" value="<? VAR QuitMsg ?>" class="full" maxlength="256"
 						   title="<? FORMAT "You may define a Message shown, when you quit IRC." ?>"
 						   <? IF !QuitMsgEdit ?>disabled<? ENDIF ?> />
@@ -249,13 +249,13 @@
 		<div class="sectionbg">
 			<div class="sectionbody">
 				<div class="subsection third">
-					<div class="inputlabel"><label for="chanmodes"><? FORMAT "Default Modes:" ?></label></div>
+					<div class="inputlabel"><label for="chanmodes"><? FORMAT "Default modes:" ?></label></div>
 					<input id="chanmodes" type="text" name="chanmodes" value="<? VAR DefaultChanModes ?>" maxlength="32"
 						   title="<? FORMAT "These are the default modes ZNC will set when you join an empty channel." ?>"/>
 					<br /><span class="info"><? FORMAT "Empty = use standard value" ?></span>
 				</div>
 				<div class="subsection third">
-					<div class="inputlabel"><label for="chanbufsize"><? FORMAT "Buffer Size:" ?></label></div>
+					<div class="inputlabel"><label for="chanbufsize"><? FORMAT "Buffer size:" ?></label></div>
 					<input id="chanbufsize" type="number" name="chanbufsize" value="<? VAR ChanBufferSize ?>" min="0"
 						   title="<? FORMAT "This is the amount of lines that the playback buffer will store for channels before dropping off the oldest line. The buffers are stored in the memory by default." ?>"/>
 					<br /><span class="info"><? FORMAT "Empty = use standard value" ?></span>
@@ -269,12 +269,12 @@
 		<div class="sectionbg">
 			<div class="sectionbody">
 				<div class="subsection third">
-					<div class="inputlabel"><label for="maxquerybuffers"><? FORMAT "Max Buffers:" ?></label></div>
+					<div class="inputlabel"><label for="maxquerybuffers"><? FORMAT "Max buffers:" ?></label></div>
 					<input id="maxquerybuffers" type="number" name="maxquerybuffers" value="<? VAR MaxQueryBuffers ?>" class="third" min="0"
 						   title="<? FORMAT "Maximum number of query buffers. 0 is unlimited." ?>"/>
 				</div>
 				<div class="subsection third">
-					<div class="inputlabel"><label for="querybufsize"><? FORMAT "Buffer Size:" ?></label></div>
+					<div class="inputlabel"><label for="querybufsize"><? FORMAT "Buffer size:" ?></label></div>
 					<input id="querybufsize" type="number" name="querybufsize" value="<? VAR QueryBufferSize ?>" min="0"
 						   title="<? FORMAT "This is the amount of lines that the playback buffer will store for queries before dropping off the oldest line. The buffers are stored in the memory by default." ?>"/>
 					<br /><span class="info"><? FORMAT "Empty = use standard value" ?></span>
@@ -304,7 +304,7 @@
 		<div class="sectionbg">
 			<div class="sectionbody">
 				<div class="subsection">
-					<div class="inputlabel"><label for="timestampformat"><? FORMAT "Timestamp Format:" ?></label></div>
+					<div class="inputlabel"><label for="timestampformat"><? FORMAT "Timestamp format:" ?></label></div>
 					<input id="timestampformat" type="text" name="timestampformat" value="<? VAR TimestampFormat ?>" class="full"
 						   title="<? FORMAT "The format for the timestamps used in buffers, for example [%H:%M:%S]. This setting is ignored in new IRC clients, which use server-time. If your client supports server-time, change timestamp format in client settings instead." ?>"/>
 				</div>
@@ -326,7 +326,7 @@
 				</div>
 				<div style="clear:both;"></div>
 				<div class="subsection">
-					<div class="inputlabel"><label for="jointries"><? FORMAT "Join Tries:" ?></label></div>
+					<div class="inputlabel"><label for="jointries"><? FORMAT "Join tries:" ?></label></div>
 					<input id="jointries" type="number" name="jointries" value="<? VAR JoinTries ?>" class="third" min="0"
 						   title="<? FORMAT "This defines how many times ZNC tries to join a channel, if the first join failed, e.g. due to channel mode +i/+k or if you are banned." ?>"/>
 				</div>
@@ -341,22 +341,22 @@
 					       title="<? FORMAT "How much time ZNC waits (in seconds) until it receives something from network or declares the connection timeout. This happens after attempts to ping the peer." ?>"/>
 				</div>
 				<div class="subsection">
-					<div class="inputlabel"><label for="maxnetworks"><? FORMAT "Max IRC Networks Number:" ?></label></div>
+					<div class="inputlabel"><label for="maxnetworks"><? FORMAT "Max IRC networks number:" ?></label></div>
 					<input type="number" name="maxnetworks" value="<? VAR MaxNetworks ?>" class="third" min="0"
 					       title="<? FORMAT "Maximum number of IRC networks allowed for this user." ?>" <? IF !ImAdmin ?>disabled="disabled"<? ENDIF ?> />
 				</div>
 
 				<? SETBLOCK Substitutions_Link ?><a href="https://wiki.znc.in/ExpandString" target="_blank" class="external"><? FORMAT "Substitutions" ?></a><? ENDSETBLOCK ?>
 				<div class="subsection half" id="ctcpreplies_plain">
-					<div class="inputlabel"><label for="ctcpreplies_text"><? FORMAT "CTCP Replies:" ?></label></div>
+					<div class="inputlabel"><label for="ctcpreplies_text"><? FORMAT "CTCP replies:" ?></label></div>
 					<div><textarea name="ctcpreplies" cols="70" rows="3" id="ctcpreplies_text" <? IF !CTCPEdit ?>disabled<? ENDIF ?>><? LOOP CTCPLoop ?><? VAR CTCP ?>
 <? ENDLOOP ?>
 </textarea></div>
 					<br /><span class="info"><? FORMAT "One reply per line. Example: <code>TIME Buy a watch!</code>" ?></span>
 					<br /><span class="info"><? FORMAT "{1} are available" "Substitutions_Link ESC=" ?></span>
 				</div>
 				<div class="subsection" id="ctcpreplies_js" style="display:none" data-placeholder="<? FORMAT "Empty value means this CTCP request will be ignored" ?>">
-					<div class="inputlabel"><? FORMAT "CTCP Replies:" ?></div>
+					<div class="inputlabel"><? FORMAT "CTCP replies:" ?></div>
 					<div>
 						<table style="width:100%">
 							<thead>

diff --git a/modules/data/webadmin/tmpl/settings.tmpl b/modules/data/webadmin/tmpl/settings.tmpl
@@ -99,56 +99,56 @@
 
 
 				<div class="subsection third">
-					<div class="inputlabel"><label for="statusprefix"><? FORMAT "Status Prefix:" ?></label></div>
+					<div class="inputlabel"><label for="statusprefix"><? FORMAT "Status prefix:" ?></label></div>
 					<input id="statusprefix" type="text" name="statusprefix" value="<? VAR StatusPrefix ?>"
 						   title="<? FORMAT "The prefix for the status and module queries." ?>"/>
 					<br /><span class="info"><? FORMAT "Default for new users only." ?></span>
 				</div>
 
 
 				<div class="subsection half">
-					<div class="inputlabel"><label for="maxbufsize"><? FORMAT "Maximum Buffer Size:" ?></label></div>
+					<div class="inputlabel"><label for="maxbufsize"><? FORMAT "Maximum buffer size:" ?></label></div>
 					<input id="maxbufsize" type="number" name="maxbufsize" value="<? VAR MaxBufferSize ?>"
 						   title="<? FORMAT "Sets the global Max Buffer Size a user can have." ?>"/>
 				</div>
 
 
 				<div class="subsection half">
-					<div class="inputlabel"><label for="connectdelay"><? FORMAT "Connect Delay:" ?></label></div>
+					<div class="inputlabel"><label for="connectdelay"><? FORMAT "Connect delay:" ?></label></div>
 					<input id="connectdelay" type="number" name="connectdelay" value="<? VAR ConnectDelay ?>"
 						   title="<? FORMAT "The time between connection attempts to IRC servers, in seconds. This affects the connection between ZNC and the IRC server; not the connection between your IRC client and ZNC." ?>"/>
 				</div>
 
 
 				<div class="subsection half">
-					<div class="inputlabel"><label for="serverthrottle"><? FORMAT "Server Throttle:" ?></label></div>
+					<div class="inputlabel"><label for="serverthrottle"><? FORMAT "Server throttle:" ?></label></div>
 					<input id="serverthrottle" type="number" name="serverthrottle" value="<? VAR ServerThrottle ?>"
 						   title="<? FORMAT "The minimal time between two connect attempts to the same hostname, in seconds. Some servers refuse your connection if you reconnect too fast." ?>"/>
 				</div>
 
 
 				<div class="subsection half">
-					<div class="inputlabel"><label for="anoniplimit"><? FORMAT "Anonymous Connection Limit per IP:" ?></label></div>
+					<div class="inputlabel"><label for="anoniplimit"><? FORMAT "Anonymous connection limit per IP:" ?></label></div>
 					<input id="anoniplimit" type="number" name="anoniplimit" value="<? VAR AnonIPLimit ?>"
 						   title="<? FORMAT "Limits the number of unidentified connections per IP." ?>"/>
 				</div>
 
 
 				<div class="subsection">
-					<div class="inputlabel"><? FORMAT "Protect Web Sessions:" ?></div>
+					<div class="inputlabel"><? FORMAT "Protect web sessions:" ?></div>
 					<div class="checkbox"><input type="checkbox" name="protectwebsessions" id="protectwebsessions_checkbox"<? IF ProtectWebSessions ?> checked="checked"<? ENDIF ?> />
 						<label for="protectwebsessions_checkbox"><? FORMAT "Disallow IP changing during each web session" ?></label></div>
 				</div>
 
 
 				<div class="subsection">
-					<div class="inputlabel"><? FORMAT "Hide ZNC Version:" ?></div>
+					<div class="inputlabel"><? FORMAT "Hide ZNC version:" ?></div>
 					<div class="checkbox"><input type="checkbox" name="hideversion" id="hideversion_checkbox"<? IF HideVersion ?> checked="checked"<? ENDIF ?> />
 						<label for="hideversion_checkbox"><? FORMAT "Hide version number from non-ZNC users" ?></label></div>
 				</div>
 
 				<div class="subsection">
-					<div class="inputlabel"><? FORMAT "Auth Only Via Module:" ?></div>
+					<div class="inputlabel"><? FORMAT "Auth only via module:" ?></div>
 					<div class="checkbox"><input type="checkbox" name="authonlyviamodule" id="authonlyviamodule_checkbox"<? IF AuthOnlyViaModule ?> checked="checked"<? ENDIF ?> />
 						<label for="authonlyviamodule_checkbox"><? FORMAT "Allow user authentication by external modules only" ?></label></div>
 				</div>

diff --git a/modules/data/webadmin/tmpl/traffic.tmpl b/modules/data/webadmin/tmpl/traffic.tmpl
@@ -15,23 +15,23 @@
 					</tr>
 				<? IF IsAdmin ?>
 					<tr class="evenrow">
-						<th><? FORMAT "Total Users" ?></th>
+						<th><? FORMAT "Total users" ?></th>
 						<td><? VAR TotalUsers ?></td>
 					</tr>
                     <tr class="oddrow">
-						<th><? FORMAT "Total Networks" ?></th>
+						<th><? FORMAT "Total networks" ?></th>
 						<td><? VAR TotalNetworks ?></td>
 					</tr>
 					<tr class="evenrow">
-						<th><? FORMAT "Attached Networks" ?></th>
+						<th><? FORMAT "Attached networks" ?></th>
 						<td><? VAR AttachedNetworks ?></td>
 					</tr>
 					<tr class="oddrow">
-						<th><? FORMAT "Total Client Connections" ?></th>
+						<th><? FORMAT "Total client connections" ?></th>
 						<td><? VAR TotalCConnections ?></td>
 					</tr>
 					<tr class="evenrow">
-						<th><? FORMAT "Total IRC Connections" ?></th>
+						<th><? FORMAT "Total IRC connections" ?></th>
 						<td><? VAR TotalIRCConnections ?></td>
 					</tr>
 				<? ELSE ?>
@@ -40,7 +40,7 @@
 						<td><? VAR TotalNetworks ?></td>
 					</tr>
 					<tr class="oddrow">
-						<th><? FORMAT "Attached Networks" ?></th>
+						<th><? FORMAT "Attached networks" ?></th>
 						<td><? VAR AttachedNetworks ?></td>
 					</tr>
 					<tr class="evenrow">

diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp
@@ -248,8 +248,9 @@ class CModTcl : public CModule {
         // chan specific
         unsigned int nLength = vChans.size();
         for (unsigned int n = 0; n < nLength; n++) {
+            CString sChannel = TclEscape(CString(vChans[n]->GetName()));
             sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost +
-                       "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp +
+                       "} - {" + sChannel + "} {" + sNewNickTmp +
                        "}";
             int i = Tcl_Eval(interp, sCommand.c_str());
             if (i != TCL_OK) {
@@ -260,14 +261,16 @@ class CModTcl : public CModule {
 
     void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel,
                 const CString& sMessage) override {
+        CString sMes = TclEscape(sMessage);
         CString sOpNick = TclEscape(CString(OpNick.GetNick()));
         CString sNick = TclEscape(sKickedNick);
         CString sOpHost =
             TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost()));
+        CString sChannel = TclEscape(Channel.GetName());
 
         CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost +
-                           "} - {" + Channel.GetName() + "} {" + sNick + "} {" +
-                           sMessage + "}";
+                           "} - {" + sChannel + "} {" + sNick + "} {" +
+                           sMes + "}";
         int i = Tcl_Eval(interp, sCommand.c_str());
         if (i != TCL_OK) {
             PutModule(Tcl_GetStringResult(interp));

diff --git a/modules/webadmin.cpp b/modules/webadmin.cpp
@@ -792,9 +792,9 @@ class CWebAdminMod : public CModule {
 
             CTemplate& o2 = Tmpl.AddRow("OptionLoop");
             o2["Name"] = "autoclearchanbuffer";
-            o2["DisplayName"] = t_s("Auto Clear Chan Buffer");
+            o2["DisplayName"] = t_s("Auto clear chan buffer");
             o2["Tooltip"] =
-                t_s("Automatically Clear Channel Buffer After Playback");
+                t_s("Automatically clear channel buffer after playback");
             if ((pChan && pChan->AutoClearChanBuffer()) ||
                 (!pChan && pUser->AutoClearChanBuffer())) {
                 o2["Checked"] = "true";
@@ -1621,7 +1621,7 @@ class CWebAdminMod : public CModule {
 
             CTemplate& o1 = Tmpl.AddRow("OptionLoop");
             o1["Name"] = "autoclearchanbuffer";
-            o1["DisplayName"] = t_s("Auto Clear Chan Buffer");
+            o1["DisplayName"] = t_s("Auto clear chan buffer");
             o1["Tooltip"] =
                 t_s("Automatically clear channel buffer after playback (the "
                     "default value for new channels)");
@@ -1686,7 +1686,7 @@ class CWebAdminMod : public CModule {
 
                 CTemplate& o13 = Tmpl.AddRow("OptionLoop");
                 o13["Name"] = "denysetnetwork";
-                o13["DisplayName"] = t_s("Deny Editing Networks/Servers");
+                o13["DisplayName"] = t_s("Deny editing networks/servers");
                 o13["Tooltip"] =
                     t_s("Deny adding/deleting networks, setting network name and editing the server list");
                 if (pUser->DenySetNetwork()) {
@@ -1709,7 +1709,7 @@ class CWebAdminMod : public CModule {
 
                 CTemplate& o16 = Tmpl.AddRow("OptionLoop");
                 o16["Name"] = "denysetctcpreplies";
-                o16["DisplayName"] = t_s("Deny Setting CTCP Replies");
+                o16["DisplayName"] = t_s("Deny setting CTCP replies");
                 o16["Tooltip"] =
                     t_s("Block customizing CTCP replies for non-admin users");
                 if (pUser->DenySetCTCPReplies()) {
@@ -1719,7 +1719,7 @@ class CWebAdminMod : public CModule {
 
             CTemplate& o17 = Tmpl.AddRow("OptionLoop");
             o17["Name"] = "autoclearquerybuffer";
-            o17["DisplayName"] = t_s("Auto Clear Query Buffer");
+            o17["DisplayName"] = t_s("Auto clear query buffer");
             o17["Tooltip"] =
                 t_s("Automatically clear query buffer after playback");
             if (pUser->AutoClearQueryBuffer()) {