View Issue Details

ID: 0005098
Project / Category: unrealircd
View Status: public
Last Update: 2018-06-11 08:55
Reporter: jesopo
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Fixed in Version: 4.0.18
Summary: 0005098: WEBIRC users bypass blacklist checks
Description: It seems that users connecting through a webirc using the WEBIRC protocol are either not checked against blacklists or the blacklist is done before the IP spoofing is done.
3rd party modules:

Activities

jesopo

2018-06-03 17:37

reporter   ~0020135

Just a note for anyone else affected by this - putting the blacklist on Anope (and I assume Atheme) will correctly catch these users.

PeGaSuS

2018-06-10 18:10

reporter   ~0020138

I can confirm the issue. I've tried myself on my mobile phone connecting directly and via browser (web chat, with Orbot).

This is what happened:
https://pastebin.com/VVKCNSnK

syzop

2018-06-11 08:39

administrator   ~0020142

This is the endless debate of where security checks should be done... at the perimeter or not. I'm therefore considering this a feature enhancement, not a bug.

syzop

2018-06-11 08:55

administrator   ~0020143

Thanks for the report. Tested with an IP from dronebl and seems to work.

commit 93957fc7eeb607183459548429f5ee26bc96d3e6
Author: Bram Matthys <[email protected]>
Date: Mon Jun 11 08:53:34 2018 +0200

    blacklist module: also check the ip of WEBIRC users.
    Suggested by jesopo (0005098).
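
The ordering problem described in this report, as an added example that is not part of the original thread and is not UnrealIRCd's code: the DNSBL query has to be built from the address carried in the WEBIRC line, not from the gateway's socket address. The function names, the `dnsbl.example` zone and the sample addresses are constructed for illustration; the `WEBIRC password gateway hostname ip` field order is assumed, and only IPv4 is handled.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Client IP from "WEBIRC <password> <gateway> <hostname> <ip>" (assumed layout).
 * Returns a static buffer, or NULL if the line is not WEBIRC or ip is not IPv4. */
const char *webirc_client_ip(const char *line)
{
    static char ip[INET_ADDRSTRLEN];
    char pass[64], gw[64], host[256], addr[INET_ADDRSTRLEN];
    struct in_addr tmp;

    if (sscanf(line, "WEBIRC %63s %63s %255s %15s", pass, gw, host, addr) != 4)
        return NULL;
    if (inet_pton(AF_INET, addr, &tmp) != 1)   /* never trust an unparsed field */
        return NULL;
    strcpy(ip, addr);
    return ip;
}

/* Address the blacklist must test: the WEBIRC-supplied ip when the socket peer
 * is a configured gateway, otherwise the socket peer itself. */
const char *blacklist_target(const char *peer_ip, int peer_is_gateway,
                             const char *first_line)
{
    const char *spoofed = peer_is_gateway ? webirc_client_ip(first_line) : NULL;
    return spoofed ? spoofed : peer_ip;
}

/* DNSBL query name: octets reversed, then the zone. NULL on bad input. */
const char *dnsbl_qname(const char *ip, const char *zone)
{
    static char q[256];
    struct in_addr a;
    const unsigned char *b = (const unsigned char *)&a; /* network byte order */

    if (inet_pton(AF_INET, ip, &a) != 1)
        return NULL;
    int n = snprintf(q, sizeof q, "%d.%d.%d.%d.%s", b[3], b[2], b[1], b[0], zone);
    return (n > 0 && (size_t)n < sizeof q) ? q : NULL;
}

int main(void)
{
    /* Constructed sample: gateway 192.0.2.10 relays a client at 203.0.113.7 */
    const char *line = "WEBIRC secret webchat client.example 203.0.113.7";
    printf("gateway lookup: %s\n", dnsbl_qname("192.0.2.10", "dnsbl.example"));
    printf("client lookup : %s\n",
           dnsbl_qname(blacklist_target("192.0.2.10", 1, line), "dnsbl.example"));
    return 0;
}
```

Checking only the first name means every web chat user is judged by the gateway's reputation; the second name is the one a listing for the real client would match.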

Issue History

Date Modified Username Field Change
2018-05-29 14:06 jesopo New Issue
2018-06-03 17:37 jesopo Note Added: 0020135
2018-06-10 18:10 PeGaSuS Note Added: 0020138
2018-06-11 08:39 syzop Note Added: 0020142
2018-06-11 08:39 syzop Severity major => feature
2018-06-11 08:39 syzop Status new => acknowledged
2018-06-11 08:55 syzop Assigned To => syzop
2018-06-11 08:55 syzop Status acknowledged => resolved
2018-06-11 08:55 syzop Resolution open => fixed
2018-06-11 08:55 syzop Fixed in Version => 4.0.18
2018-06-11 08:55 syzop Note Added: 0020143