98 Commits

Author SHA1 Message Date
72f4f186da merge: sync upstream profanity-im/profanity
All checks were successful
CI Code / Check spelling (push) Successful in 18s
CI Code / Check coding style (push) Successful in 34s
CI Code / Code Coverage (push) Successful in 2m36s
CI Code / Linux (debian) (push) Successful in 4m41s
CI Code / Linux (ubuntu) (push) Successful in 4m52s
CI Code / Linux (arch) (push) Successful in 5m40s
Sync with upstream profanity-im/profanity.

Major upstream changes incorporated:

Memory management
  - Replace malloc+memset with g_new0 throughout codebase
  - Adopt auto_gchar / auto_gcharv / auto_gerror / auto_jid cleanup macros
  - Replace free() with g_free() for GAlloc'd memory

Editor rewrite
  - Remove pthread-based async editor; use GChildWatch callback API
  - New launch_editor(initial_content, callback, user_data) interface
  - Proper signal handling (SIGINT, SIGTSTP, SIGPIPE reset in child)
  - ui_suspend()/ui_resume() integration for TTY management

OMEMO improvements
  - Dual backend support: libsignal-protocol-c and libomemo-c
  - Proper pre-key removal after use (XEP-0384 compliance)
  - Automatic pre-key regeneration when store drops below threshold
  - New functions: omemo_is_device_active(), omemo_is_jid_trusted()
  - omemo_get_jid_untrusted_fingerprints() for better error messages
  - Fingerprint notifications on new device identity discovery
  - Deterministic pre-key ID generation tracking max_pre_key_id
  - omemo_trust_changed() UI updates on trust state changes

JID validation
  - RFC 6122-compliant validation in jid_is_valid()
  - Character-level checks (RFC 6122 forbidden chars: & ' / : < > @)
  - Length limits: 1023 per component, 3071 total
  - New jid_is_valid_user_jid() for user vs. service JID distinction

Database
  - Schema migration v3: UNIQUE constraint on archive_id for deduplication
  - Triggers for corrected message tracking (replaces_db_id / replaced_by_db_id)
  - db_history_result_t return type, _truncate_datetime_suffix()

UI / console
  - win_warn_needed() / win_warn_sent() warning deduplication hash table
  - PAD_MIN_HEIGHT dynamic pad sizing with PAD_THRESHOLD auto-cleanup
  - Spellcheck integration in input field with Unicode word detection
  - cons_spellcheck_setting() for /settings ui output
  - /[command]? shortcut for command help

Account config
  - Account name sanitization for GKeyFile special chars ([ ] = # \n \r)
  - Replace popen() with g_spawn_sync() for eval_password
  - TLS policy: add "direct" option alongside legacy

Connection
  - Port validation with g_assert (0–65535)
  - SHA-256 certificate fingerprint support (XMPP_CERT_PUBKEY_FINGERPRINT_SHA256)
  - "direct" TLS policy alias for legacy SSL

Common utilities
  - str_xml_sanitize() for XML 1.0 illegal character removal
  - string_matches_one_of() with formatted error messages
  - valid_tls_policy_option() helper
  - prof_date_time_format_iso8601() utility
  - Improved strip_arg_quotes() with backslash unescaping
  - prof_occurrences() uses g_slist_prepend + reverse for performance

PGP / OX
  - Proper GPGME resource cleanup with goto-cleanup pattern
  - g_string_free(xmppuri) leak fix in _ox_key_lookup

CSV export
  - Use GString + g_file_set_contents instead of raw write() syscalls

Tests
  - Restructured into subdirectories: command/, config/, xmpp/, ui/, omemo/, otr/, pgp/
  - New test_cmd_ac.c for autocompleter unit tests
  - Updated stubs for new UI suspend/resume functions

License headers
  - Migrate to SPDX-3.0 identifiers (GPL-3.0-or-later WITH OpenSSL-exception)

────────────────────────────────────────────────────
cproof-specific preservations:

  - XEP-0308 LMC: replace_id ?: id logic in message/stanza/omemo
  - Force encryption: cmd_force_encryption, test_forced_encryption
  - CWE-134: format string protection (cons_show("%s", ...))
  - y_start_pos-based paging in window.c
  - db_history_result_t return type, _truncate_datetime_suffix()

Merge-time fixes:

  - common.c: format-security (-Werror) — cons_show(errmsg) → cons_show("%s", errmsg)
  - database.c: null-deref guard — !msg->timestamp → msg && !msg->timestamp
  - console.c: implicit size_t → int cast — (int)(maxlen + 1)
  - tlscerts.c: %d for size_t — %zu

Build system:
  - Kept autotools (Makefile.am, configure.ac); upstream uses Meson
  - Restored deleted files: bootstrap.sh, autogen.sh, ax_valgrind_check.m4, configure-debug
  - Updated Makefile.am test paths for subdirectory structure
  - Added test_cmd_ac, test_forced_encryption to test sources

Functional tests:
  - Use cproof version; upstream requires stbbr_for_xmlns from updated stabber
  - Not yet available in devs/stabber fork

Closes #64

Merge author: jabber.developer2
Commits authors:
 Michael Vetter <jubalh@iodoru.org>
& Steffen Jaeckel <s@jaeckel.eu>
2026-05-26 17:48:14 +00:00
3f36c303c2 feat(history): flat-file backend with bidirectional SQLite migration
All checks were successful
CI Code / Check spelling (push) Successful in 21s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 2m21s
CI Code / Linux (ubuntu) (push) Successful in 4m30s
CI Code / Linux (debian) (push) Successful in 6m43s
CI Code / Linux (arch) (push) Successful in 10m8s
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.

Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
  under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
  (FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
  marker, writer and checker stay in sync via preprocessor
  stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
  `to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
  literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
  O(log n) time-range lookups; rebuilt on inode / size / mtime
  change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
  stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
  validation)

Hardening
- Path-traversal protection: JID directory name normalisation
  (`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
  per-contact path is anchored under the account's flatlog/
  directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
  ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
  directories with mode 0700; both enforced at creation, verified
  on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
  0600, random suffix, no name collisions between concurrent
  exports), fsync, then rename \u2014 partial state never replaces the
  live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
  every write, including append from live messages and full rewrite
  from export, so two profanity processes can't interleave bytes
  on the same log
- DoS / abuse guards:
    * FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
      at read with a warning; the parser will not allocate
      unbounded memory for a single record
    * FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
      depth and emits a warning, preventing a malicious correction
      cycle from spinning the apply pass
    * FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
      past 16 leading comment lines, even on garbage input
    * Empty / inverted byte-range early-return in page-up read path
      so a malformed time filter cannot cause an unbounded scan
    * Zero-entry index guard so a file whose every line failed to
      parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
  not match the original message's sender is rejected at write
  time and surfaced via cons_show_error; a cycle in the apply pass
  is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
  the literal "(null)" as no resource and returns a bare jid;
  similar normalisation for barejid eliminates the legacy
  "user@host/(null)" artefact that leaked into stored fulljids
  whenever g_strdup_printf("%s", NULL) ran inside create_fulljid

Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
  the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
  existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
  timestamp, from_jid, body \u2014 robust against id reuse by older
  clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
  semantics, runs inside a single SQLite transaction with rollback
  on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
  list of issues (ERROR / WARNING / INFO) per file:
    * file-level: missing log, wrong permissions (\u2260 0600), UTF-8
      BOM present, CRLF line endings, empty file
    * line-level: invalid UTF-8 (with byte offset), embedded
      control characters, unparsable lines, timestamps out of
      order, duplicate `id:` and `aid:` (tracked separately so a
      stanza/archive id collision isn't double-reported)
    * cross-line: broken `corrects:` references whose target id is
      not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
  bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
  flatfile backend is currently active, so migration works
  regardless of which backend is live

Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
  key stability, JID normalisation), database_stress (14 cases
  exercising rapid writes, large messages, deep LMC chains, MAM
  dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
  import round-trip with content equality, MUC migration,
  timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
  read, page-up scroll, MAM ingest, mixed workload) and failure
  modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
  oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
  missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
  emit CSV rows for baseline comparison

Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
2026-05-05 19:26:07 +00:00
Michael Vetter
07dfeec816 Release 0.15.0 2025-03-27 20:06:38 +01:00
John Hernandez
3c8b4acac4 Fix typos, correct grammar 2023-10-14 18:07:52 +02:00
Michael Vetter
2cf1269b68 Typo fixes 2023-08-03 08:26:23 +02:00
Michael Vetter
acc2ec8fd7 Add 0.14.0 changelog 2023-08-03 07:56:33 +02:00
Michael Vetter
3e7457f42a Release 0.13.1 2022-10-12 16:56:20 +02:00
Michael Vetter
496eb6ceb8 changelog: change header 2022-09-13 12:32:15 +02:00
Michael Vetter
a0376f7583 Add forgotten date to changelog 2022-09-13 12:23:34 +02:00
Michael Vetter
59c5b4e7a6 Add 0.13.0 changelog 2022-09-06 17:10:41 +02:00
Michael Vetter
e87d09aabf Release 0.12.1 2022-04-04 18:13:32 +02:00
Michael Vetter
9214b0a10a Release 0.12.0 2022-03-30 14:08:49 +02:00
Michael Vetter
3ee3d78af5 changelog: add build requirements info 2022-03-29 12:20:10 +02:00
Michael Vetter
b04a68462c Update Changelog for 0.12.0 2022-03-29 12:13:24 +02:00
Michael Vetter
e6f96cd7d7 Release 0.11.1 2021-09-28 19:48:42 +02:00
Michael Vetter
8e43ab05da Fix typos 2021-09-22 13:01:55 +02:00
a1346054
a1dc3d1237 Trim excess whitespace 2021-08-26 01:18:10 +00:00
Michael Vetter
563f08164e Release 0.11.0 2021-07-14 16:23:05 +02:00
Michael Vetter
d382023961 Release 0.10.0 2021-01-09 08:08:10 +01:00
Michael Vetter
c39dc62e36 Add 0.10.0 changelog 2021-01-07 11:46:32 +01:00
Michael Vetter
d4eeb9a3eb Update 0.9.5 changelog 2020-07-01 18:41:46 +02:00
Michael Vetter
1332a4a6c2 Release 0.9.4 2020-06-24 13:56:34 +02:00
Michael Vetter
177c953991 Release 0.9.3 2020-06-19 20:29:31 +02:00
Michael Vetter
c58726d67f Release 0.9.2 2020-06-13 18:37:51 +02:00
Michael Vetter
8551d3dcb1 Release 0.9.1 2020-06-11 10:06:56 +02:00
Michael Vetter
c4339b4ff9 Release 0.9.0 2020-06-09 16:52:09 +02:00
Michael Vetter
08e035dea0 Improve CHANGELOG 2020-06-09 16:42:24 +02:00
Michael Vetter
2d49d68d84 Add 0.9.0 CHANGELOG 2020-06-09 16:25:02 +02:00
Michael Vetter
d05018857b Update changelog for 0.8.1 2020-02-07 21:46:16 +01:00
Michael Vetter
561e842002 Fix years in CHANGELOG 2020-02-03 13:51:48 +01:00
Michael Vetter
94a9de8773 Release 0.8.0 2020-02-03 11:12:17 +01:00
Michael Vetter
6c42aad0ef Update CHANGELOG 2020-01-31 11:28:23 +01:00
Michael Vetter
649d3e0381 Add gruvbox to CHANGELOG 2020-01-28 14:11:24 +01:00
Michael Vetter
4c3cd01088 Fix two typos in CHANGELOG 2020-01-28 13:58:03 +01:00
Michael Vetter
ca9dc5f799 Add Changes header to CHANGELOG 2020-01-28 13:22:08 +01:00
Michael Vetter
825bc58f04 Add changelog draft for 0.8.0 2020-01-28 13:11:01 +01:00
Martin
29f044bb1e Fix typo
`Fix crash when jid has no not part` should probably mean `Fix crash when jid has no node part`.
2019-09-24 12:37:00 +02:00
Michael Vetter
8e76283f97 Add 0.7.1 changelog 2019-09-24 09:07:10 +02:00
Michael Vetter
4dba1c1f70 Add 0.7.0 release date to Changelog 2019-07-31 11:06:21 +02:00
Michael Vetter
3f9047ff77 Add 1154 to CHANGELOG 2019-07-22 15:39:22 +02:00
Michael Vetter
684fdf68ac Add 0.7.0 changelog entry 2019-06-24 07:42:46 +02:00
Michael Vetter
7b434954b2 Add release dates to changelog 2019-06-05 09:10:59 +02:00
Michael Vetter
d4892b29c4 Update profanity repo URL
Move from github.com/boothj5/* to github.com/profanity-im/*
2019-05-03 10:51:28 +02:00
Michael Vetter
bef8878639 Mention prof_win_close feature in CHANGELOG 2019-01-10 12:48:05 +01:00
Dmitry Podgorny
7f65aaa9a2 Add option to trust server's certificate
New tls policy "trust" added to /connect and /account. With the policy
TLS connection is established even with invalid certificate. Note, that
trust policy forces TLS connection and it fails when server doesn't
support TLS.

Examples:
 /connect <jid> tls trust
 /account <name> set tls trust
2018-11-06 14:09:02 +02:00
Michael Vetter
a339899140 Update CHANGELOG
To prepare for next release.
2018-10-04 13:04:55 +02:00
Michael Vetter
d8027e609d Merge pull request #975 from strugee/patch-2
Note CVE-2017-5592 in the CHANGELOG
2018-07-28 11:48:40 +02:00
AJ Jordan
c06643001e Note CVE-2017-5592 in the CHANGELOG 2017-12-19 02:10:16 -05:00
AJ Jordan
85dacdaed6 Fix typo 2017-12-19 01:56:16 -05:00
James Booth
f8b855b09f Update CHANGELOG 2017-07-13 22:29:22 +01:00