Commit Graph

30 Commits

Author SHA1 Message Date
8868b79617 fix: harden flatfile backend, make SQLite optional
Some checks failed
CI Code / Check spelling (pull_request) Successful in 21s
CI Code / Check coding style (pull_request) Failing after 32s
CI Code / Code Coverage (pull_request) Successful in 4m50s
CI Code / Linux (debian) (pull_request) Successful in 6m13s
CI Code / Linux (ubuntu) (pull_request) Successful in 7m14s
CI Code / Linux (arch) (pull_request) Successful in 11m2s
Build system:
- Add --without-sqlite configure flag (AM_CONDITIONAL BUILD_SQLITE)
- Guard database_sqlite.c with HAVE_SQLITE in Makefile.am, database.c,
  database.h and stub_database.c
- Fall back to flatfile when SQLite not compiled in

Security (database_flatfile.c):
- MAM dedup: skip incoming messages with duplicate stanza-id (archive_id)
- LMC sender validation: reject corrections from mismatched JIDs
- Add flock() advisory locking to prevent interleaved writes from
  concurrent instances
- Check fprintf return when writing file header

Autocomplete (cmd_ac.c):
- Add 'flatfile' to /privacy logging autocomplete
- Add dedicated /history autocomplete with on/off/verify (was boolean-only)

Code quality:
- Fix fwrite return type: size_t not ssize_t (database_flatfile_parser.c)
- Fix mixed allocators in ff_readline: use malloc() consistently for
  overlength-line fallback instead of g_strdup()
- Fix index alignment in _ff_state_extend: use local counter so index
  step doesn't depend on total_lines from initial build

Documentation:
- Fix page: correct directory structure (history.log not per-day files)
- Fix page: add aid:{archive_id} to line format example
- Fix page: missing newline before .SH BUGS
2026-02-21 16:15:38 +03:00
b8cbe10cf1 fix(flatfile): harden flat-file backend against injection and traversal attacks
Security fixes for 7 vulnerabilities in database_flatfile.c:

1. Path traversal via crafted JID (HIGH):
   _ff_jid_to_dir() now strips '/', '\' -> '_' and collapses '..' -> '__',
   preventing a malicious federated JID from escaping the log directory.

2. Log injection via unescaped message body (HIGH):
   Add _ff_escape_message()/_ff_unescape_message() -- escape \n, \r, \\
   in message text on write, unescape on read. Prevents remote contacts
   from injecting fake log lines with forged sender/timestamp/encryption.

3. Metadata field injection (HIGH):
   Add _ff_escape_meta_value()/_ff_unescape_meta_value() -- escape |, ],
   \\, \n, \r in stanza_id/archive_id/replace_id. Parser uses escape-aware
   _ff_find_unescaped_char() and _ff_split_meta() instead of strchr/strsplit.

4. Sender ": " parsing confusion (MEDIUM):
   Escape ": " -> "\: " in XMPP resource on write. Parser uses
   _ff_find_unescaped_colonspace() + _ff_unescape_sender_resource().

5. LMC correction chain cycle -> infinite loop (MEDIUM):
   Add visited hash-set and FF_MAX_LMC_DEPTH (100) limit to chain walker.

6. Unbounded getline() -> OOM (MEDIUM):
   Add FF_MAX_LINE_LEN (10 MB) cap in _ff_readline(); overlength lines
   are skipped with a warning. Replaces all char buf[8192]/fgets() sites
   with dynamic getline() + truncated-line detection at EOF.

7. Symlink attack + TOCTOU on file creation (MEDIUM):
   Replace fopen("a") with open(O_WRONLY|O_APPEND|O_CREAT|O_EXCL|O_NOFOLLOW)
   + fdopen() -- atomic new-file detection, symlink rejection via O_NOFOLLOW.
   _ff_ensure_dir() checks g_lstat() for symlinks. File permissions 0600
   set via open() mode, not post-hoc g_chmod().
2026-02-18 19:58:41 +03:00
c3ad299e4a feat: add flat-file database backend for message history
Add pluggable storage backend abstraction (vtable) to the database layer,
allowing selection between SQLite (default) and a new flat-file backend
that stores messages as human-readable plain text files.

New files:
- database_sqlite.c: extracted SQLite backend from database.c
- database_flatfile.c: plain text backend with tolerant parser,
  LMC correction chains, UTF-8/BOM/CRLF handling, integrity checks

Commands:
- /privacy logging flatfile — switch to flat-file backend
- /history verify [<jid>] — check integrity of stored history

Fixes:
- Add missing 'off' guard in flatfile backend
- Enable CHLOG/HISTORY prefs when switching to flatfile mode

Logs stored in ~/.local/share/profanity/flatlog/{account}/{contact}/{date}.log
Format: {ISO8601} [{type}|{enc}|id:{id}|corrects:{id}] {sender}: {message}

Updated: CHANGELOG, CONTRIBUTING.md, profrc.example, man page, cmd_defs,
Makefile.am, test stubs, functional test support (PROF_FLATFILE=1)
2026-02-18 19:58:41 +03:00
f824cde45f fix(mam, log): improve datetime handling and memory management in MAM and log fetching
- Introduce static helper `_truncate_datetime_suffix()` to safely trim datetime strings, removing unwanted suffixes like timezone offsets
- Replace manual string management with auto_gchar and g_strdup for safer, clearer ownership and to prevent leaks
- Add safety checks and logging warnings for unexpected datetime string lengths or null pointers
- Refactor _mam_rsm_id_handler to use the helper function and updated string handling
- Change log_database_get_previous_chat parameters for consistent ownership semantics, avoiding double frees and mem leaks
- Overall improve stability and prevent memory leaks during log database queries
2025-07-02 14:59:31 +02:00
40b7a12543 Clarify and improve win_page_up() scrolling offset adjustment for smoother paging
All checks were successful
CI / Check spelling (pull_request) Successful in 17s
CI / Check coding style (pull_request) Successful in 29s
CI / Linux (ubuntu) (pull_request) Successful in 11m6s
CI / Linux (debian) (pull_request) Successful in 13m9s
CI / Linux (fedora) (pull_request) Successful in 15m14s
CI / Linux (arch) (pull_request) Successful in 37m59s
CI / Check spelling (push) Successful in 16s
CI / Check coding style (push) Successful in 32s
CI / Linux (debian) (push) Successful in 9m53s
CI / Linux (ubuntu) (push) Successful in 10m9s
CI / Linux (fedora) (push) Successful in 15m8s
CI / Linux (arch) (push) Successful in 15m28s
This commit refines the existing logic in win_page_up() by:
- Improving comments to clearly explain the rationale behind adjusting
  the scroll offset relative to the first buffer entry’s visual position,
  helping future maintainers understand why this is necessary.
- Fixing offset recalculation to better handle cases where older messages
  with variable heights are loaded from the DB, improving scroll smoothness.
- Changing the logging of negative *page_start values from warning to debug,
  recognizing that this can be a normal scenario when insufficient history is loaded.
- Simplifying some conditionals and renaming variables for clearer intent.

No changes yet applied to win_page_down(), but similar improvements could
be considered in the future.

Overall, this enhances the robustness and user experience of scrolling up
in chat windows, while preserving existing functional logic.
2025-07-01 20:53:18 +02:00
Michael Vetter
07dfeec816 Release 0.15.0 2025-03-27 20:06:38 +01:00
Michael Vetter
569e37f018 Update copyright to 2024 2024-01-22 16:03:48 +01:00
Michael Vetter
e853c121d9 Fix my email address
in all files
2023-07-31 16:51:58 +02:00
Steffen Jaeckel
76a8de891e Improve const-correctness of API
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2023-05-12 08:39:19 +02:00
Michael Vetter
3adc399da0 Update copyright year 2023-01-10 10:37:25 +01:00
MarcoPolo-PasTonMolo
85aaf40432 Have ability to scroll through history even without MAM 2022-07-10 11:17:35 +03:00
MarcoPolo-PasTonMolo
6429698f18 Fix initial MAM not displaying
Did this by waiting for a batch of MAM messages to arrive before
prepending them to the buffer. Also limited the number of messages
to fetch to 10 so that the user gets more frequent updates.
2022-07-05 00:06:04 +03:00
MarcoPolo-PasTonMolo
ea83165a35 Get messages from history when scrolling up. 2022-07-03 21:29:36 +03:00
MarcoPolo-PasTonMolo
f0202a2fe0 On new chatwin fetch mam according to guidelines.
Taken from here:
cd3e871e55
2022-07-03 21:23:07 +03:00
Michael Vetter
1330ad4e1e Update copyright year 2022-05-09 15:43:33 +02:00
Michael Vetter
a2726b6a7d Apply coding style 2020-07-07 14:18:57 +02:00
Michael Vetter
a4cadf78fa Revert "Apply coding style"
This reverts commit 9b55f2dec0.

Sorting the includes creates some problems.
2020-07-07 13:53:30 +02:00
Michael Vetter
9b55f2dec0 Apply coding style
Regards https://github.com/profanity-im/profanity/issues/1396
2020-07-07 09:43:28 +02:00
Michael Vetter
3b2976c9cb db: Use type from message struct instead of having individual functions 2020-04-06 19:15:06 +02:00
Michael Vetter
0942d98c61 Remove chat_log_get_previous()
We now dont get the log files from the text files via chat_log_get_previous() anymore.
We use the sql backend via log_database_get_previous_chat().

So far it just has the same behaviour like chat_log_get_previous(),
except that in _chatwin_history() we don't pass the sender to
win_print_history() which should be fixed in a commit soon.

And log_database_get_previous_chat() can later easily be expanded to fix
https://github.com/profanity-im/profanity/issues/205.
2020-04-06 14:42:52 +02:00
Michael Vetter
5d54bb228f Get regular chat history out of sql backend 2020-04-06 14:30:38 +02:00
Michael Vetter
a0a4fd0426 db: log all incoming and outgoing messages 2020-04-06 10:50:20 +02:00
Michael Vetter
def2123216 db: log outgoing message in one case
Not all cases covered yet.
2020-04-06 10:50:20 +02:00
Michael Vetter
628b86f57e db: add dedicated chat, muc, muc pm logging functions 2020-04-06 10:50:20 +02:00
Michael Vetter
af2630a289 db: insert message type 2020-04-06 10:50:20 +02:00
Michael Vetter
4a7a0f3e76 db: move includes 2020-04-06 10:50:20 +02:00
Michael Vetter
11663625cc db: Have one database per account 2020-04-06 10:50:20 +02:00
Michael Vetter
5cc3b469a8 database: log stanza_id and whether it is a muc message 2020-04-06 10:50:20 +02:00
Michael Vetter
8045a32c4a database: log incoming messages
First trial. Not covering all cases yet.
2020-04-06 10:50:20 +02:00
Michael Vetter
8bfb175d03 Start SQLite db module
I plan to save all messages in an SQLite db.
For retrieving information it's nicer than having it in a text file.
We will have more info in there and easier to parse it.

This will also be good for later MAM
(https://github.com/profanity-im/profanity/issues/660).

Regular text files will still be an option for users so that they can
easily grep them and do whatever they like.

Internally Profanity will only use the SQLite db.
2020-04-06 10:50:20 +02:00