323 Commits

Author SHA1 Message Date
830479cf20 fix: OTR/presence/OMEMO correctness, stanza-id disco gate, build hardening
All checks were successful
CI Code / Check spelling (push) Successful in 17s
CI Code / Check coding style (push) Successful in 32s
CI Code / Code Coverage (push) Successful in 3m45s
CI Code / Linux (debian) (push) Successful in 4m42s
CI Code / Linux (ubuntu) (push) Successful in 4m49s
CI Code / Linux (arch) (push) Successful in 6m25s
- OTR: strip the whitespace tag by shifting the full message tail incl. the NUL, not tag_length bytes, so the body is no longer duplicated for messages longer than the tag.
- presence: snapshot the resource fields before connection_add_available_resource() takes ownership, removing a use-after-free in the own-presence path.
- OMEMO: propagate _omemo_finalize_identity_load() failure on connect (log + cons_show_error + stop) instead of leaving OMEMO silently unavailable.
- OMEMO: guard NULL fingerprint decode in _omemo_fingerprint_decode / omemo_is_trusted_identity / omemo_trust and log every decode failure instead of failing silently.
- stanza-id: gate XEP-0359 dedup on disco urn:xmpp:sid:0 (the `by` JID or its domain), falling back to no-dedup when caps are unknown; add functional tests for trusted vs untrusted server.
- accounts: narrow the group-name sanitizer to the characters GKeyFile forbids in headers ([ ] \n \r), keeping `=` and `#`, so read/write stays symmetric.
- build: re-introduce compiler/sanitizer flags in a Pikaur-safe form (opt-in sanitizers, -Wsign-compare) and fix the resulting -Wsign-compare warnings (incl. proftest _mkdir_recursive).fix: OTR/presence/OMEMO correctness, stanza-id disco gate, build hardening

Author: jabber.developer2 <jabber.developer2@jabber.space>
2026-06-20 10:30:23 +00:00
3f36c303c2 feat(history): flat-file backend with bidirectional SQLite migration
All checks were successful
CI Code / Check spelling (push) Successful in 21s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 2m21s
CI Code / Linux (ubuntu) (push) Successful in 4m30s
CI Code / Linux (debian) (push) Successful in 6m43s
CI Code / Linux (arch) (push) Successful in 10m8s
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.

Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
  under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
  (FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
  marker, writer and checker stay in sync via preprocessor
  stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
  `to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
  literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
  O(log n) time-range lookups; rebuilt on inode / size / mtime
  change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
  stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
  validation)

Hardening
- Path-traversal protection: JID directory name normalisation
  (`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
  per-contact path is anchored under the account's flatlog/
  directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
  ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
  directories with mode 0700; both enforced at creation, verified
  on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
  0600, random suffix, no name collisions between concurrent
  exports), fsync, then rename \u2014 partial state never replaces the
  live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
  every write, including append from live messages and full rewrite
  from export, so two profanity processes can't interleave bytes
  on the same log
- DoS / abuse guards:
    * FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
      at read with a warning; the parser will not allocate
      unbounded memory for a single record
    * FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
      depth and emits a warning, preventing a malicious correction
      cycle from spinning the apply pass
    * FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
      past 16 leading comment lines, even on garbage input
    * Empty / inverted byte-range early-return in page-up read path
      so a malformed time filter cannot cause an unbounded scan
    * Zero-entry index guard so a file whose every line failed to
      parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
  not match the original message's sender is rejected at write
  time and surfaced via cons_show_error; a cycle in the apply pass
  is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
  the literal "(null)" as no resource and returns a bare jid;
  similar normalisation for barejid eliminates the legacy
  "user@host/(null)" artefact that leaked into stored fulljids
  whenever g_strdup_printf("%s", NULL) ran inside create_fulljid

Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
  the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
  existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
  timestamp, from_jid, body \u2014 robust against id reuse by older
  clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
  semantics, runs inside a single SQLite transaction with rollback
  on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
  list of issues (ERROR / WARNING / INFO) per file:
    * file-level: missing log, wrong permissions (\u2260 0600), UTF-8
      BOM present, CRLF line endings, empty file
    * line-level: invalid UTF-8 (with byte offset), embedded
      control characters, unparsable lines, timestamps out of
      order, duplicate `id:` and `aid:` (tracked separately so a
      stanza/archive id collision isn't double-reported)
    * cross-line: broken `corrects:` references whose target id is
      not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
  bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
  flatfile backend is currently active, so migration works
  regardless of which backend is live

Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
  key stability, JID normalisation), database_stress (14 cases
  exercising rapid writes, large messages, deep LMC chains, MAM
  dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
  import round-trip with content equality, MUC migration,
  timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
  read, page-up scroll, MAM ingest, mixed workload) and failure
  modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
  oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
  missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
  emit CSV rows for baseline comparison

Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
2026-05-05 19:26:07 +00:00
0722dc9e36 build(pikaur): Fix failure due to duplicated flag and warnings
All checks were successful
CI Code / Check spelling (pull_request) Successful in 20s
CI Code / Check coding style (pull_request) Successful in 35s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m42s
CI Code / Linux (debian) (pull_request) Successful in 6m47s
CI Code / Code Coverage (pull_request) Successful in 7m3s
CI Code / Linux (arch) (pull_request) Successful in 9m33s
CI Code / Check spelling (push) Successful in 20s
CI Code / Check coding style (push) Successful in 39s
CI Code / Code Coverage (push) Successful in 2m53s
CI Code / Linux (debian) (push) Successful in 4m8s
CI Code / Linux (ubuntu) (push) Successful in 4m35s
CI Code / Linux (arch) (push) Successful in 10m28s
2026-04-13 19:52:24 +00:00
9ec01fa8cc fix: CWE-134 format string audit and compiler hardening
All checks were successful
CI Code / Check spelling (push) Successful in 20s
CI Code / Check coding style (push) Successful in 36s
CI Code / Code Coverage (push) Successful in 5m38s
CI Code / Linux (ubuntu) (push) Successful in 7m1s
CI Code / Linux (debian) (push) Successful in 7m5s
CI Code / Linux (arch) (push) Successful in 7m19s
Security:
Fix CWE-134 in iq.c: user-controlled string passed as format argument
Add G_GNUC_PRINTF annotations to all variadic printf-like wrappers
in ui.h, log.h and http_common.h
Compiler flags (configure.ac):

Replace basic -Wformat/-Wformat-nonliteral with -Wformat=2
Add -Wextra, -Wnull-dereference, -Wpointer-arith,
-Wimplicit-function-declaration, -Wundef, -Wfloat-equal,
-Wredundant-decls, -Walloc-zero
Add -fstack-protector-strong, -fno-common, -D_FORTIFY_SOURCE=2
Add GCC-specific flags via AC_COMPILE_IFELSE: -Wlogical-op,
-Wduplicated-cond, -Wduplicated-branches, -Wstringop-overflow,
-Warray-bounds=2
Suppress noisy -Wextra sub-warnings: -Wno-unused-parameter,
-Wno-missing-field-initializers, -Wno-sign-compare,
-Wno-cast-function-type
Remove AM_CFLAGS/CFLAGS duplication
Bug fixes found by new warnings:

chatlog.c: non-MUCPM redact path passed resourcepart instead of NULL
rosterwin.c: merge duplicated if/else branches into single condition
omemo.c: redundant else-if in omemo_automatic_start; remove
unnecessary scope block and goto, use early return
console.c: pointer compared to integer 0 instead of NULL
stanza.c: increase pri_str/idle_str buffers from 10 to 12 bytes
(INT_MIN = -2147483648 needs 12 bytes including NUL)
vcard.c: NULL guard for filename before g_file_set_contents
api.c: broken log_warning() calls with extra format argument
Format mismatch fixes:

chatwin.c: Jid* → char* for %s
connection.c: %x → %lx for long flags
cmd_funcs.c: %d → %zu for size_t; cast gpointer to char* for %s
cmd_defs.c: %d → %u for g_list_length() return (guint)
iq.c: barejid → fulljid for from_jid
console.c, mucwin.c, privwin.c, account.c, omemo.c, presence.c:
gpointer → (char*) casts for %s
Const-correctness and cleanup:

database.c: const for type, query, sort variables
form.c/xmpp.h: const for form_set_value parameter
files.c: refactor to early return, eliminating NULL logfile path
muc.c/muc.h: remove meaningless top-level const on return type
common.c: const for URL string literal
Remove stale declarations: cons_show_desktop_prefs (ui.h),
connection_set_priority (connection.h),
omemo_devicelist_configure_and_request (omemo.h)
test_common.c: add currb NULL check to silence -Wnull-dereference
Tooling (check-cwe134.sh):

Reduce from 5 checks to 2 (checks 1-3 redundant with -Wformat=2)
Check 1: verify known wrappers have G_GNUC_PRINTF attribute
Check 2: auto-detect unannotated variadic printf-like functions
Match both const char* and const gchar* in variadic patterns

Author: jabber.developer2 <jabber.developer2@jabber.space>
2026-03-07 11:55:50 +01:00
85c817ee8c ci: speed up builds 4x with parallel tests, coverage, and ccache
All checks were successful
CI Code / Check spelling (push) Successful in 18s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 15m25s
CI Code / Linux (debian) (push) Successful in 15m57s
CI Code / Linux (ubuntu) (push) Successful in 16m0s
CI Code / Linux (arch) (push) Successful in 16m6s
Split functional tests into 4 parallel groups and add check-functional-parallel target (~3x faster CI runs).
Add branch-aware LCOV coverage reporting with new --enable-coverage option and lcov summary in CI pipeline.
Enable ccache via -C configure flag for faster recompilations.
Install lcov in all Docker images and use --depth 1 git clones + parallel make -j$(nproc) for quicker container builds.
Update CONTRIBUTING.md with instructions for parallel test groups and adding new ones.

All changes are tightly related CI/performance improvements developed in sequence. No external service uploads (e.g. Codecov skipped due to Gitea incompatibility).
2026-01-21 16:35:17 +01:00
889a6e2b63 build: enable functional tests unconditionally
- Remove conditional compilation for functional tests
- Always build with stabber/cmocka when available
- Simplify test configuration in Makefile.am
2026-01-07 11:46:40 +01:00
Michael Vetter
640fb1904f Start new cycle 2025-03-27 20:27:09 +01:00
Michael Vetter
07dfeec816 Release 0.15.0 2025-03-27 20:06:38 +01:00
Steffen Jaeckel
9fc0326428 Add Valgrind to CI
* Also pass `$*` to `configure` when invoking `ci-build.sh`, so one can
  e.g. run `./ci-build.sh --without-xscreensaver`

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-11 12:15:09 +01:00
Steffen Jaeckel
f67c76c032 Add make target my-prof.supp
This creates a "as personal as possible" Valgrind suppressions file.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-01-28 16:43:13 +01:00
Michael Vetter
b223b7ebac Start new cycle 2023-08-03 08:06:19 +02:00
Michael Vetter
6b0fddd925 Release 0.14.0 2023-08-03 08:01:43 +02:00
Michael Vetter
3f034c46cd Depend on libstrophe 0.12.3
Among other things for:
* https://github.com/profanity-im/profanity/issues/915
* https://github.com/profanity-im/profanity/issues/1849
2023-08-02 16:34:34 +02:00
Dmitry Podgorny
4a8d14c5a6 Fix OMEMO autodetection in autotools
This commit fixes few issues related to OMEMO autodetection:

1. Absence of libsignal-protocol-c doesn't turn OMEMO off, just prints a
   notice message. It should (a) set BUILD_OMEMO=false and (b) terminate
   with an error on --enable-omemo=yes.
2. Check for gcrypt continues even if libsignal-protocol-c fails. In this
   case, LIBS variable can be updated with unneeded -lgcrypt.
3. Similarly to item 2., if libsignal-protocol-c is present, but gcrypt
   isn't, variable LIBS is updated with unneeded library.

To resolve the above issues, use intermediate variable OMEMO_LIBS to
accumulate required libraries and set BUILD_OMEMO only when all checks
are passed.
2023-07-11 03:24:23 +03:00
Steffen Jaeckel
f7c6f38e1b Consider global CFLAGS and use libstrophe CFLAGS
global `CFLAGS` were ignore before

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2023-05-12 08:39:09 +02:00
Paul Fertser
e19a15fd27 Fix xscreensaver detection
In 28a9605a1 we migrated from AC_CHECK_LIB which defines HAVE_LIBXSS automatically. With pkg-config way you need it explicit. And also x11 is needed or else linking will fail missing XFree().

Patch provided by Paul Fertser and comitted by jubalh.
Thanks Paul!

Fix https://github.com/profanity-im/profanity/issues/1695
2023-01-11 16:08:42 +01:00
Michael Vetter
e8c927b2c9 Start new cycle 2022-10-12 17:00:29 +02:00
Michael Vetter
3e7457f42a Release 0.13.1 2022-10-12 16:56:20 +02:00
Michael Vetter
fcc20628d5 Merge pull request #1753 from wahjava/master
Fix typo in configure.ac
2022-09-19 10:00:27 +02:00
Ashish SHUKLA
6c01df040f Fix typo in configure.ac
Signed-off-by: Ashish SHUKLA <ashish.is@lostca.se>
2022-09-15 17:37:57 +00:00
Omar Polo
39675be808 typo in configure: enable_gdk_pixbuf not enable_pixbuf
Otherwise gdk-pixbuf is always added as dependency even if disabled,
when found.
2022-09-15 18:39:54 +02:00
Michael Vetter
446027ce6c Start new cycle 2022-09-13 11:54:02 +02:00
Michael Vetter
a8e6b26ee1 Release 0.13.0 2022-09-13 11:50:49 +02:00
Michael Vetter
fc8ea4ec4f Require libstrophe 0.12.2
0.12.2 has some important fixes.
Let's require it so users don't stumble upon bugs like https://github.com/profanity-im/profanity/issues/1743
2022-08-08 12:55:19 +02:00
Michael Vetter
7713223ddb build: otr cflags -> CFLAGS 2022-06-29 09:47:13 +02:00
Michael Vetter
3557e46b6d build: dont define HAVE_QRENCODE at all in case not present
Before we got an error when libqrencode was not installed:
`src/ui/console.c:52:10: fatal error: qrencode.h: No such file or
directory`

Which looked like HAVE_QRENCODE was true.

config.status showed:
`config.status:D["HAVE_QRENCODE"]=" 0"`

Holger pointed to me that there is not just true and false but defined
and undefined.
So one solution was to use `#if HAVE_QRENCODE == 1` to check for the
actual value.

Or dont define HAVE_QRENCODE in the non present case at all.

In all the other HAVE_ variables we use this approach.
I think i at first chose the wrong way out of confusion with BUILD_ and
HAVE_.
2022-05-31 08:50:44 +02:00
Michael Vetter
1a7017e44c build: set HAVE_QRENCODE only once
and use CLFAGS not cflags
2022-05-30 19:45:05 +02:00
Michael Vetter
0c7350e2e6 Make qrencode optional and add to CI 2022-05-30 18:06:13 +02:00
Michael Vetter
cf83976b51 Add basic qrcode functions 2022-05-30 18:04:36 +02:00
Michael Vetter
3aafffded9 Add pixbuf building to CI 2022-05-30 17:49:09 +02:00
Michael Vetter
d510f3a430 Final touches for /avatar set 2022-05-27 10:46:36 +02:00
MarcoPolo-PasTonMolo
0cff111249 Add checks for whether gdk-pixbuf exists before using avatar set 2022-05-26 21:06:27 +03:00
Paul Fertser
b4857c6043 Fix xscreensaver detection
Using pkg-config to find libraries requires explicit mention of the
relevant _CFLAGS and _LIBS variables.

Fixes #1695.
2022-04-21 13:24:00 +03:00
Michael Vetter
060a5e3491 Start new cycle 2022-04-04 18:17:20 +02:00
Michael Vetter
e87d09aabf Release 0.12.1 2022-04-04 18:13:32 +02:00
Michael Vetter
7301c99676 Start new cycle 2022-03-30 14:08:49 +02:00
Michael Vetter
9214b0a10a Release 0.12.0 2022-03-30 14:08:49 +02:00
Paul Fertser
ca782b5385 Add debug information to binary
Option -ggdb3 (same as -g3) doesn't affect code-generation, just adds
to the binary size of an executable. Automake strips installed
binaries automatically when "make install-strip" is run so enabling
this option permanently doesn't affect the end result while allowing
for hassle-free interactive debugging.

If one is running a stripped binary it's still possible to attach GDB
by process PID and then use "file /path/to/unstripped/profanity" to
get all symbols and lines data.
2022-03-28 16:37:07 +03:00
Paul Fertser
08212a839a Fix AM_CFLAGS assignments (including libstrophe flags)
Autoconf can pre-populate this variable with essential parameters so
it should be appended to rather than overridden.

While at it, don't miss to append CFLAGS for libstrope which is needed
if it's installed to a non-default location.
2022-03-27 20:49:19 +03:00
Paul Fertser
90ea2fabe6 Fix autoconf warning about AC_CANONICAL_TARGET ordering
AM_INIT_AUTOMAKE requires AC_ARG_PROGRAM so should go after
AC_CANONICAL_TARGET for proper program name mangling.

This fixes "AC_ARG_PROGRAM was called before AC_CANONICAL_TARGET"
warning as emitted by autoconf 2.69.
2022-03-27 20:40:27 +03:00
Michael Vetter
35b7555399 build: Use CPPFLAGS for obsd
Fixing build failure detected by sr.ht for OpenBSD:

```
src/ui/inputwin.c: In function '_inp_rl_startup_hook':
src/ui/inputwin.c:444:5: error: implicit declaration of function 'rl_bind_keyseq'; did you mean 'rl_bind_key'? [-Werror=implicit-function-declaration]
  444 |     rl_bind_keyseq("\\e1", _inp_rl_win_1_handler);
      |     ^~~~~~~~~~~~~~
      |     rl_bind_key
cc1: all warnings being treated as errors
```

Seems like both OSX and OpenBSD need CPPFLAGS here.
2022-02-23 12:50:03 +01:00
Michael Vetter
32f6798964 Remove link to python bug
Since 5676159aa5 the python_CPPFLAGS
isn't needed anymore. We can use python_CFLAGS.
So let's remove the comment about https://bugs.python.org/issue15018.
2022-02-18 20:16:44 +01:00
j.r
5676159aa5 Fix python executed during configure
Previously it relied on AX_PYTHON_DEVEL, which in turn executes
python-config to get the build flags. However this does not work while
cross compiling because we can't execute the python-config build for the
target platform. To circumvent this problem the python build flags are
now queried via pkgconfig, which has the drawback of not having some
extra build flags, but they do not seem to be needed.

I tested this patch with the termux build system and it build without
their existing hack of injecting python after the configure step. I also
tested non cross compile build on Arch Linux and it also still works.

Fixes #851
2022-02-18 19:45:31 +01:00
Michael Vetter
fc13a69f43 build: use target instead of host
If I understand https://www.gnu.org/software/autoconf/manual/autoconf-2.68/html_node/Canonicalizing.html
correctly then we should use target and not host.

Will only matter in case of crosscompiling.
2022-02-18 17:36:03 +01:00
Michael Vetter
28a9605a1f build: use PKG_CHECK_MODULES to check for xscreensaver 2022-02-18 17:35:30 +01:00
Michael Vetter
38ff3699b4 build: use CFLAGS instead of CPPFLAGS where possible
OSX seems to need CPPFLAGS for readline.
2022-02-18 15:07:27 +01:00
Michael Vetter
33106ecf9c build: remove otr3 support
All the distributions I checked have libotr 4.1.1 now.
2022-02-18 14:01:28 +01:00
Michael Vetter
3f8720d70f build: remove support for old libsignal
Remove support for libsignal-protocol-c < 2.3.2.
Debian 10 uses 2.3.2, Debian 11 and 12 use 2.3.3.
openSUSE from 15.2 onward uses 2.3.3.
Fedora since 28 uses 2.3.2.

We should be good.
2022-02-18 14:01:28 +01:00
Michael Vetter
1856c1e7fc build: remove xmpp_lib variable
Since cad934b9a0 we only support
libstrophe. libmesode is deprecated.
2022-02-18 14:01:28 +01:00
Michael Vetter
7a6a37e717 build: group related parts better together 2022-02-18 14:01:27 +01:00