We were checking the login throttle at the beginning of every SASL
conversation. This had several problems:
1. Pidgin (on Windows?) tries every mechanism in order, regardless of
the CAP advertisement. It would use up the default throttle allowance
trying unsupported mechanisms like CRAM-MD5.
2. The throttle was actually checked twice for AUTHENTICATE PLAIN
(once at the start of the conversation and once in AuthenticateByPassphrase).
The general pattern here is that we should check the throttle every time we
do something "expensive" (bcrypt verification, send a reset email) or
"dangerous" (anything that could lead to a bruteforce attack on passwords).
Therefore, delete the check from the AUTHENTICATE handler, and add one at
the beginning of the SCRAM conversation to replace it.
Handling of reserved nicknames is special-cased due to #1594, but we want to send
ERR_NICKNAMEINUSE if the nickname is actually in use, since that doesn't pose any
client compatibility problems.
We load registered channels unconditionally; reloading them again on rehash
is incorrect. This caused buggy behavior when channel registration was
disabled in the config, but some registered channels were already loaded.
* Gracefully handle NS cert add myself <fp>
A non-operator with the nick "mynick" attempts to register
a fingerprint to their authenticated account.
They /msg NickServ cert add mynick <fingerprint>
NickServ responds with "Insufficient privileges" because
they've accidentally invoked the operator syntax (to action
other accounts).
This patch allows the user to add the fingerprint if the client's
account is identical to the target account.
Signed-off-by: Matt Hamilton <m@tthamilton.com>
* Update nickserv.go
Compare the case-normalized target to Account()
---------
Signed-off-by: Matt Hamilton <m@tthamilton.com>
Co-authored-by: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Send Message-ID even if DKIM is not enabled, for compatibility with Gmail:
* A workaround for Ergo 2.12.0 is to enable DKIM
* You need to enable either DKIM or SPF (preferably both) to send to Gmail anyway
* You also need forward-confirmed reverse DNS, which can be tricky for IPv6...
* Fix#1997 (allow the use of an external file for the email blacklist)
* Change config key names for blacklist (compatibility break)
* Accept globs rather than regexes for blacklist by default
* Blacklist comparison is now case-insensitive
