From: Michael Marley <michael@michaelmarley.com>
Date: Mon, 2 Apr 2018 23:11:31 +0000 (-0400)
Subject: Reject clients that attempt to login before the core is configured
X-Git-Tag: travis-deploy-test~133
X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=commitdiff_plain;h=e17fca767d60c06ca02bc5898ced04f06d3670bd

Reject clients that attempt to login before the core is configured

Properly-implemented clients should never try to do this, but if it
is done, this patch prevents it from crashing the core.

Thanks to @chaign_c (https://twitter.com/chaign_c/) for finding this
issue.
---

diff --git a/src/core/coreauthhandler.cpp b/src/core/coreauthhandler.cpp
index cf0c82b0..913968bc 100644
--- a/src/core/coreauthhandler.cpp
+++ b/src/core/coreauthhandler.cpp
@@ -221,6 +221,12 @@ void CoreAuthHandler::handle(const Login &msg)
     if (!checkClientRegistered())
         return;
 
+    if (!Core::isConfigured()) {
+        qWarning() << qPrintable(tr("Client")) << qPrintable(socket()->peerAddress().toString()) << qPrintable(tr("attempted to login before the core was configured, rejecting."));
+        _peer->dispatch(ClientDenied(tr("<b>Attempted to login before core was configured!</b><br>The core must be configured before attempting to login.")));
+        return;
+    }
+
     // First attempt local auth using the real username and password.
     // If that fails, move onto the auth provider.
     UserId uid = Core::validateUser(msg.user, msg.password);