Block all three code paths in message_send_chat_pgp that previously
fell back to sending unencrypted messages: encryption failure, missing
PGP key, and missing LibGPGME. Each path now shows a specific error
in the chat window and returns NULL so the caller skips logging and
display.
Also replace the generic cons_show for OX signcrypt failure with a
win_println on the current window, ensuring the user sees the error
even when the chat window is not focused.
Improve p_gpg_encrypt error reporting by adding a gchar** err
out-parameter. Each failure path now sets a descriptive message
(e.g. missing recipient key, missing sender key, GPGME context
failure, encryption failure) so the caller can display the exact
reason to the user.
Fix a memory leak: gpgme_key_unref(receiver_key) was missing from
the sender_key failure path.
- OTR: strip the whitespace tag by shifting the full message tail incl. the NUL, not tag_length bytes, so the body is no longer duplicated for messages longer than the tag.
- presence: snapshot the resource fields before connection_add_available_resource() takes ownership, removing a use-after-free in the own-presence path.
- OMEMO: propagate _omemo_finalize_identity_load() failure on connect (log + cons_show_error + stop) instead of leaving OMEMO silently unavailable.
- OMEMO: guard NULL fingerprint decode in _omemo_fingerprint_decode / omemo_is_trusted_identity / omemo_trust and log every decode failure instead of failing silently.
- stanza-id: gate XEP-0359 dedup on disco urn:xmpp:sid:0 (the `by` JID or its domain), falling back to no-dedup when caps are unknown; add functional tests for trusted vs untrusted server.
- accounts: narrow the group-name sanitizer to the characters GKeyFile forbids in headers ([ ] \n \r), keeping `=` and `#`, so read/write stays symmetric.
- build: re-introduce compiler/sanitizer flags in a Pikaur-safe form (opt-in sanitizers, -Wsign-compare) and fix the resulting -Wsign-compare warnings (incl. proftest _mkdir_recursive).fix: OTR/presence/OMEMO correctness, stanza-id disco gate, build hardening
Author: jabber.developer2 <jabber.developer2@jabber.space>
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.
Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
(FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
marker, writer and checker stay in sync via preprocessor
stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
`to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
O(log n) time-range lookups; rebuilt on inode / size / mtime
change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
validation)
Hardening
- Path-traversal protection: JID directory name normalisation
(`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
per-contact path is anchored under the account's flatlog/
directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
directories with mode 0700; both enforced at creation, verified
on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
0600, random suffix, no name collisions between concurrent
exports), fsync, then rename \u2014 partial state never replaces the
live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
every write, including append from live messages and full rewrite
from export, so two profanity processes can't interleave bytes
on the same log
- DoS / abuse guards:
* FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
at read with a warning; the parser will not allocate
unbounded memory for a single record
* FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
depth and emits a warning, preventing a malicious correction
cycle from spinning the apply pass
* FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
past 16 leading comment lines, even on garbage input
* Empty / inverted byte-range early-return in page-up read path
so a malformed time filter cannot cause an unbounded scan
* Zero-entry index guard so a file whose every line failed to
parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
not match the original message's sender is rejected at write
time and surfaced via cons_show_error; a cycle in the apply pass
is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
the literal "(null)" as no resource and returns a bare jid;
similar normalisation for barejid eliminates the legacy
"user@host/(null)" artefact that leaked into stored fulljids
whenever g_strdup_printf("%s", NULL) ran inside create_fulljid
Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
timestamp, from_jid, body \u2014 robust against id reuse by older
clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
semantics, runs inside a single SQLite transaction with rollback
on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
list of issues (ERROR / WARNING / INFO) per file:
* file-level: missing log, wrong permissions (\u2260 0600), UTF-8
BOM present, CRLF line endings, empty file
* line-level: invalid UTF-8 (with byte offset), embedded
control characters, unparsable lines, timestamps out of
order, duplicate `id:` and `aid:` (tracked separately so a
stanza/archive id collision isn't double-reported)
* cross-line: broken `corrects:` references whose target id is
not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
flatfile backend is currently active, so migration works
regardless of which backend is live
Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
key stability, JID normalisation), database_stress (14 cases
exercising rapid writes, large messages, deep LMC chains, MAM
dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
import round-trip with content equality, MUC migration,
timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
read, page-up scroll, MAM ingest, mixed workload) and failure
modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
emit CSV rows for baseline comparison
Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
While trying to get the unit tests working again I stumbled over all those
things that I thought could be better^TM.
Now we also know "TODO: why does this make the test fail?" - because
the unit tests are brittle AF ... and we have to init the subsystems
we use in the test, otherwise the cleanup will fail...
BTW. you can now also only run a single test ... or a pattern or so ...
you'd have to read how `cmocka_set_test_filter()` works exactly.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Use a singleton `Jid` inside the connection instead of always re-creating
a `Jid` from the same string.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Disallow correcting historical MUC messages, as the XEP-308 requires.
Previous changes introduce problem with
"Illicit LMC attempt from conference@server/user for message from user"
During investigation it was revealed that XEP does not recommend support
of historical MUC messages correction.
```
When used in a Multi-User Chat (XEP-0045) context,
corrections must not be allowed (by the receiver)
for messages received before the sender joined the room -
particularly a full JID leaving the room
then rejoining and correcting a message SHOULD be disallowed,
as the entity behind the full JID in the MUC may have changed.
```
https://xmpp.org/extensions/xep-0308.html#rules
XEP details mentioned by @jubalh
Bug discovered and solution improved by @jaeckel
Sometimes the server is too busy sending other stanzas or our connection is
saturated because of something else, so the pong arrives too late.
Prevent the autoping disconnect event by extending the timeout
each time a stanza is received.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
This also fixes a memory leak from within `_handle_groupchat()` in [0].
[0] src/xmpp/message.c
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Messages would get duplicated when you chat with yourself, worse if you
had omemo enabled the duplicated message would say something along the
lines of "Your client doesn't support OMEMO". The cause was carbons
when the message was sent from another client, whilst it was a sent
and received message when profanity was the one to send it. This commit
ignores the carbon message in the 1st case and ignores the received one
in the 2nd.
Fixes https://github.com/profanity-im/profanity/issues/1595
Muc configuration in profanity used to not update until next login, ie:
make muc non_anonymous and members_only but be unable to start omemo
until next login. Now a disco info request is sent after forrm submit
and chatroom details are changed accordingly.
Fixes https://github.com/profanity-im/profanity/issues/1347
We only want to have the decrypted message or the alternative body in
message->plain.
Also let's print error messages if it makes sense and log other issues.
Partly addresses the commit in the comit mesage of:
2dc0cc489c
Fix https://github.com/profanity-im/profanity/issues/1693
```
@StefanKropp @DebXWoody please check `_handle_ox_chat()` I don't
understand what you are doing there.
1)
First plain is assigned `message->plain =
p_ox_gpg_decrypt(xmpp_stanza_get_text(ox));`
and then in the same if block you overwrite this with `message->plain =
xmpp_stanza_get_text(b);` without freeing the old value as far as I can
see.
2)
Sometimes even doing `message->plain = "OX error: No payload found";`.
Shouldn't there be a `strdup()`? I think later on we try to free the
whole message struct. So we can't mix this static things.
```
Like mentioned on the review at
https://github.com/profanity-im/profanity/pull/1605 I don't ge why
@DebXWoody changed the code like he did.
I changed it to something that made more sense to me now.
Instead of looking for headline in two places and checking for pubsub in
a headline place (only).
I didn't check this deeply. And still have a feeling that this is not
the best way to go. But I didn't read the XEP yet.
Added a TODO to the code regarding this too.
A quick skimming through https://xmpp.org/extensions/xep-0107.html
doesn't show me anything regarding headline. So I really don't see why
this needs to go here.
Hopefully @DebXWoody checks this in the future. But since he didn't
react on the PR I decided to make some adjustments myself so we can
merge it.
We came into the carbons checking code when we received `<private
xmlns="urn:xmpp:carbons:2"/>`. Which actually marks a message to _not_
be a carbon.
In this code we also make sure that carbons only come from us.
If not we don't call the message handler code.
So we should actually only check for `<sent xmlns='urn:xmpp:carbons:2'>`
and `<received xmlns='urn:xmpp:carbons:2'>`.
Thanks pukkamustard and Holger.
Fixes https://github.com/profanity-im/profanity/issues/1614