Previously, the initDbSession() function would only be run on the
initial connect. Since the initDbSession() code in PostgreSQL is
used to fix the CVE-2013-4422 SQL Injection bug, this means that
Quassel was still vulnerable to that CVE if the PostgreSQL server
is restarted or the connection is lost at any point while Quassel
is running.
This bug also causes the Qt5 psql timezone fix to stop working
after a reconnect.
The fix is to disable Qt's automatic reconnecting, check the
connection status ourselves, and reconnect if necessary, executing
the initDbSession() function afterward.
With Qt5, the PostgreSQL driver will transparently convert times
to the database's timezone before inserting. Because the default
is 'localtime', this causes the local time to be stored in the DB
instead of the UTC time. This in turn causes the time displayed
in the client to be wrong by the same offset as that timezone's
offset. To fix the issue, just make sure the PostgreSQL is in the
'UTC' timezone, so the passed UTC time will not be converted.
Improve the message-splitting algorithm for PRIVMSG and CTCP
This introduces a new message splitting algorithm based on
QTextBoundaryFinder. It works by first starting with the entire
message to be sent, encoding it, and checking to see if it is over
the maximum message length. If it is, it uses QTBF to find the
word boundary most immediately preceding the maximum length. If no
suitable boundary can be found, it falls back to searching for
grapheme boundaries. It repeats this process until the entire
message has been sent.
Unlike what it replaces, the new splitting code is not recursive
and cannot cause stack overflows. Additionally, if it is unable
to split a string, it will give up gracefully and not crash the
core or cause a thread to run away.
This patch fixes two bugs. The first is garbage characters caused
by accidentally splitting the string in the middle of a multibyte
character. Since the new code splits at a character level instead
of a byte level, this will no longer be an issue. The second is
the core crash caused by sending an overlength CTCP query ("/me")
containing only multibyte characters. This bug was caused by the
old CTCP splitter using the byte index from lastParamOverrun() as
a character index for a QString.
1d69ec1...
by
Marcus Eggenberger <email address hidden>
Shipping Mac OS X packages with SQL plugins
For core and mono builds, required SQL plugins are now automatically
included in the bundle. Since the core uses a flat package, it
requires a special qt.conf. Here, the Prefix is set to ../ as the
default Prefix on Mac OS points to the Contents direcotry of the
bundle, which does not exist in the flat package.
The ECB Blowfish decryption function assumed that encrypted input would
always come in blocks of 12 characters, as specified. However, buggy
clients or annoying people may not adhere to that assumption, causing
the core to crash while trying to process the invalid base64 input.
With this commit we make sure that we're not overstepping the bounds of
the input string while decoding it; instead we bail out early and display
the original input. Fixes #1314.
