make error recovery configurable

irc/client.go

@@ -185,9 +185,11 @@ func (client *Client) run() {
 	var msg ircmsg.IrcMessage
 
 	defer func() {
-		if r := recover(); r != nil {
-			client.server.logger.Error("internal",
-				fmt.Sprintf("Client caused panic, disconnecting: %v\n%s", r, debug.Stack()))
+		if client.server.RecoverFromErrors() {
+			if r := recover(); r != nil {
+				client.server.logger.Error("internal",
+					fmt.Sprintf("Client caused panic, disconnecting: %v\n%s", r, debug.Stack()))
+			}
 		}
 		// ensure client connection gets closed
 		client.destroy()

irc/config.go

@@ -188,7 +188,8 @@ type Config struct {
 	Logging []logger.LoggingConfig
 
 	Debug struct {
-		StackImpact StackImpactConfig
+		RecoverFromErrors *bool `yaml:"recover-from-errors"`
+		StackImpact       StackImpactConfig
 	}
 
 	Limits struct {

irc/getters.go

@@ -23,6 +23,12 @@ func (server *Server) getPassword() []byte {
 	return server.password
 }
 
+func (server *Server) RecoverFromErrors() bool {
+	server.configurableStateMutex.RLock()
+	defer server.configurableStateMutex.RUnlock()
+	return server.recoverFromErrors
+}
+
 func (server *Server) ProxyAllowedFrom() []string {
 	server.configurableStateMutex.RLock()
 	defer server.configurableStateMutex.RUnlock()

irc/server.go

@@ -109,6 +109,7 @@ type Server struct {
 	operclasses                  map[string]OperClass
 	password                     []byte
 	passwords                    *passwd.SaltedManager
+	recoverFromErrors            bool
 	registeredChannels           map[string]*RegisteredChannel
 	registeredChannelsMutex      sync.RWMutex
 	rehashMutex                  sync.Mutex
@@ -1250,21 +1251,23 @@ func (server *Server) applyConfig(config *Config, initial bool) error {
 		server.name = config.Server.Name
 		server.nameCasefolded = casefoldedName
 	}
-	server.networkName = config.Network.Name
 
 	server.configurableStateMutex.Lock()
+	server.networkName = config.Network.Name
 	if config.Server.Password != "" {
 		server.password = config.Server.PasswordBytes()
 	} else {
 		server.password = nil
 	}
-	server.configurableStateMutex.Unlock()
-
 	// apply new WebIRC command restrictions
 	server.webirc = config.Server.WebIRC
-
 	// apply new PROXY command restrictions
 	server.proxyAllowedFrom = config.Server.ProxyAllowedFrom
+	server.recoverFromErrors = true
+	if config.Debug.RecoverFromErrors != nil {
+		server.recoverFromErrors = *config.Debug.RecoverFromErrors
+	}
+	server.configurableStateMutex.Unlock()
 
 	err = server.connectionLimiter.ApplyConfig(config.Server.ConnectionLimiter)
 	if err != nil {

oragono.yaml

@@ -267,6 +267,14 @@ logging:
 
 # debug options
 debug:
+    # when enabled, oragono will attempt to recover from certain kinds of
+    # client-triggered runtime errors that would normally crash the server.
+    # this makes the server more resilient to DoS, but could result in incorrect
+    # behavior. deployments that would prefer to "start from scratch", e.g., by
+    # letting the process crash and auto-restarting it with systemd, can set
+    # this to false.
+    recover-from-errors: true
+
     # enabling StackImpact profiling
     stackimpact:
         # whether to use StackImpact