c5dd0cf9df
fix(xmpp): obfuscate client identity in protocol exchanges
...
CI Code / Check spelling (pull_request) Successful in 12s
CI Code / Check coding style (pull_request) Successful in 24s
CI Code / Code Coverage (pull_request) Successful in 3m54s
CI Code / Linux (debian) (pull_request) Successful in 5m16s
CI Code / Linux (ubuntu) (pull_request) Successful in 5m22s
CI Code / Linux (arch) (pull_request) Successful in 6m56s
CI Code / Check spelling (push) Successful in 13s
CI Code / Check coding style (push) Successful in 27s
CI Code / Code Coverage (push) Successful in 3m35s
CI Code / Linux (debian) (push) Successful in 5m41s
CI Code / Linux (ubuntu) (push) Successful in 5m52s
CI Code / Linux (arch) (push) Successful in 7m36s
Modify version responses to return a generic client name and omit
version strings. Drop the "profanity." prefix from dynamically
generated JID resources. Spoof the XEP-0115 capabilities node URI to
prevent service discovery/presence fingerprinting. These adjustments
reduce the client's attack surface by minimizing identifiable metadata.
2026-07-10 08:54:24 +00:00
830479cf20
fix: OTR/presence/OMEMO correctness, stanza-id disco gate, build hardening
...
CI Code / Check spelling (push) Successful in 17s
CI Code / Check coding style (push) Successful in 32s
CI Code / Code Coverage (push) Successful in 3m45s
CI Code / Linux (debian) (push) Successful in 4m42s
CI Code / Linux (ubuntu) (push) Successful in 4m49s
CI Code / Linux (arch) (push) Successful in 6m25s
- OTR: strip the whitespace tag by shifting the full message tail incl. the NUL, not tag_length bytes, so the body is no longer duplicated for messages longer than the tag.
- presence: snapshot the resource fields before connection_add_available_resource() takes ownership, removing a use-after-free in the own-presence path.
- OMEMO: propagate _omemo_finalize_identity_load() failure on connect (log + cons_show_error + stop) instead of leaving OMEMO silently unavailable.
- OMEMO: guard NULL fingerprint decode in _omemo_fingerprint_decode / omemo_is_trusted_identity / omemo_trust and log every decode failure instead of failing silently.
- stanza-id: gate XEP-0359 dedup on disco urn:xmpp:sid:0 (the `by` JID or its domain), falling back to no-dedup when caps are unknown; add functional tests for trusted vs untrusted server.
- accounts: narrow the group-name sanitizer to the characters GKeyFile forbids in headers ([ ] \n \r), keeping `=` and `#`, so read/write stays symmetric.
- build: re-introduce compiler/sanitizer flags in a Pikaur-safe form (opt-in sanitizers, -Wsign-compare) and fix the resulting -Wsign-compare warnings (incl. proftest _mkdir_recursive).fix: OTR/presence/OMEMO correctness, stanza-id disco gate, build hardening
Author: jabber.developer2 <jabber.developer2@jabber.space >
2026-06-20 10:30:23 +00:00
5b45b35b3e
refactor: rename argument to avoid C++ keyword conflict
...
CI Code / Check spelling (pull_request) Successful in 20s
CI Code / Check coding style (pull_request) Successful in 34s
CI Code / Linux (debian) (pull_request) Successful in 4m56s
CI Code / Linux (ubuntu) (pull_request) Successful in 5m4s
CI Code / Code Coverage (pull_request) Successful in 8m13s
CI Code / Linux (arch) (pull_request) Successful in 11m18s
CI Code / Check spelling (push) Successful in 16s
CI Code / Check coding style (push) Successful in 31s
CI Code / Linux (ubuntu) (push) Successful in 4m32s
CI Code / Linux (debian) (push) Successful in 6m44s
CI Code / Code Coverage (push) Successful in 8m17s
CI Code / Linux (arch) (push) Successful in 11m11s
The parameter `template` in format_call_external_argv() was renamed
to `template_fmt` to avoid collision with the `template` keyword in
C++. This improves compatibility when the header is included in
C++ code.
2026-06-16 11:21:11 +00:00
72f4f186da
merge: sync upstream profanity-im/profanity
...
CI Code / Check spelling (push) Successful in 18s
CI Code / Check coding style (push) Successful in 34s
CI Code / Code Coverage (push) Successful in 2m36s
CI Code / Linux (debian) (push) Successful in 4m41s
CI Code / Linux (ubuntu) (push) Successful in 4m52s
CI Code / Linux (arch) (push) Successful in 5m40s
Sync with upstream profanity-im/profanity.
Major upstream changes incorporated:
Memory management
- Replace malloc+memset with g_new0 throughout codebase
- Adopt auto_gchar / auto_gcharv / auto_gerror / auto_jid cleanup macros
- Replace free() with g_free() for GAlloc'd memory
Editor rewrite
- Remove pthread-based async editor; use GChildWatch callback API
- New launch_editor(initial_content, callback, user_data) interface
- Proper signal handling (SIGINT, SIGTSTP, SIGPIPE reset in child)
- ui_suspend()/ui_resume() integration for TTY management
OMEMO improvements
- Dual backend support: libsignal-protocol-c and libomemo-c
- Proper pre-key removal after use (XEP-0384 compliance)
- Automatic pre-key regeneration when store drops below threshold
- New functions: omemo_is_device_active(), omemo_is_jid_trusted()
- omemo_get_jid_untrusted_fingerprints() for better error messages
- Fingerprint notifications on new device identity discovery
- Deterministic pre-key ID generation tracking max_pre_key_id
- omemo_trust_changed() UI updates on trust state changes
JID validation
- RFC 6122-compliant validation in jid_is_valid()
- Character-level checks (RFC 6122 forbidden chars: & ' / : < > @)
- Length limits: 1023 per component, 3071 total
- New jid_is_valid_user_jid() for user vs. service JID distinction
Database
- Schema migration v3: UNIQUE constraint on archive_id for deduplication
- Triggers for corrected message tracking (replaces_db_id / replaced_by_db_id)
- db_history_result_t return type, _truncate_datetime_suffix()
UI / console
- win_warn_needed() / win_warn_sent() warning deduplication hash table
- PAD_MIN_HEIGHT dynamic pad sizing with PAD_THRESHOLD auto-cleanup
- Spellcheck integration in input field with Unicode word detection
- cons_spellcheck_setting() for /settings ui output
- /[command]? shortcut for command help
Account config
- Account name sanitization for GKeyFile special chars ([ ] = # \n \r)
- Replace popen() with g_spawn_sync() for eval_password
- TLS policy: add "direct" option alongside legacy
Connection
- Port validation with g_assert (0–65535)
- SHA-256 certificate fingerprint support (XMPP_CERT_PUBKEY_FINGERPRINT_SHA256)
- "direct" TLS policy alias for legacy SSL
Common utilities
- str_xml_sanitize() for XML 1.0 illegal character removal
- string_matches_one_of() with formatted error messages
- valid_tls_policy_option() helper
- prof_date_time_format_iso8601() utility
- Improved strip_arg_quotes() with backslash unescaping
- prof_occurrences() uses g_slist_prepend + reverse for performance
PGP / OX
- Proper GPGME resource cleanup with goto-cleanup pattern
- g_string_free(xmppuri) leak fix in _ox_key_lookup
CSV export
- Use GString + g_file_set_contents instead of raw write() syscalls
Tests
- Restructured into subdirectories: command/, config/, xmpp/, ui/, omemo/, otr/, pgp/
- New test_cmd_ac.c for autocompleter unit tests
- Updated stubs for new UI suspend/resume functions
License headers
- Migrate to SPDX-3.0 identifiers (GPL-3.0-or-later WITH OpenSSL-exception)
────────────────────────────────────────────────────
cproof-specific preservations:
- XEP-0308 LMC: replace_id ?: id logic in message/stanza/omemo
- Force encryption: cmd_force_encryption, test_forced_encryption
- CWE-134: format string protection (cons_show("%s", ...))
- y_start_pos-based paging in window.c
- db_history_result_t return type, _truncate_datetime_suffix()
Merge-time fixes:
- common.c: format-security (-Werror) — cons_show(errmsg) → cons_show("%s", errmsg)
- database.c: null-deref guard — !msg->timestamp → msg && !msg->timestamp
- console.c: implicit size_t → int cast — (int)(maxlen + 1)
- tlscerts.c: %d for size_t — %zu
Build system:
- Kept autotools (Makefile.am, configure.ac); upstream uses Meson
- Restored deleted files: bootstrap.sh, autogen.sh, ax_valgrind_check.m4, configure-debug
- Updated Makefile.am test paths for subdirectory structure
- Added test_cmd_ac, test_forced_encryption to test sources
Functional tests:
- Use cproof version; upstream requires stbbr_for_xmlns from updated stabber
- Not yet available in devs/stabber fork
Closes #64
Merge author: jabber.developer2
Commits authors:
Michael Vetter <jubalh@iodoru.org >
& Steffen Jaeckel <s@jaeckel.eu >
2026-05-26 17:48:14 +00:00
9ec01fa8cc
fix: CWE-134 format string audit and compiler hardening
...
CI Code / Check spelling (push) Successful in 20s
CI Code / Check coding style (push) Successful in 36s
CI Code / Code Coverage (push) Successful in 5m38s
CI Code / Linux (ubuntu) (push) Successful in 7m1s
CI Code / Linux (debian) (push) Successful in 7m5s
CI Code / Linux (arch) (push) Successful in 7m19s
Security:
Fix CWE-134 in iq.c: user-controlled string passed as format argument
Add G_GNUC_PRINTF annotations to all variadic printf-like wrappers
in ui.h, log.h and http_common.h
Compiler flags (configure.ac):
Replace basic -Wformat/-Wformat-nonliteral with -Wformat=2
Add -Wextra, -Wnull-dereference, -Wpointer-arith,
-Wimplicit-function-declaration, -Wundef, -Wfloat-equal,
-Wredundant-decls, -Walloc-zero
Add -fstack-protector-strong, -fno-common, -D_FORTIFY_SOURCE=2
Add GCC-specific flags via AC_COMPILE_IFELSE: -Wlogical-op,
-Wduplicated-cond, -Wduplicated-branches, -Wstringop-overflow,
-Warray-bounds=2
Suppress noisy -Wextra sub-warnings: -Wno-unused-parameter,
-Wno-missing-field-initializers, -Wno-sign-compare,
-Wno-cast-function-type
Remove AM_CFLAGS/CFLAGS duplication
Bug fixes found by new warnings:
chatlog.c: non-MUCPM redact path passed resourcepart instead of NULL
rosterwin.c: merge duplicated if/else branches into single condition
omemo.c: redundant else-if in omemo_automatic_start; remove
unnecessary scope block and goto, use early return
console.c: pointer compared to integer 0 instead of NULL
stanza.c: increase pri_str/idle_str buffers from 10 to 12 bytes
(INT_MIN = -2147483648 needs 12 bytes including NUL)
vcard.c: NULL guard for filename before g_file_set_contents
api.c: broken log_warning() calls with extra format argument
Format mismatch fixes:
chatwin.c: Jid* → char* for %s
connection.c: %x → %lx for long flags
cmd_funcs.c: %d → %zu for size_t; cast gpointer to char* for %s
cmd_defs.c: %d → %u for g_list_length() return (guint)
iq.c: barejid → fulljid for from_jid
console.c, mucwin.c, privwin.c, account.c, omemo.c, presence.c:
gpointer → (char*) casts for %s
Const-correctness and cleanup:
database.c: const for type, query, sort variables
form.c/xmpp.h: const for form_set_value parameter
files.c: refactor to early return, eliminating NULL logfile path
muc.c/muc.h: remove meaningless top-level const on return type
common.c: const for URL string literal
Remove stale declarations: cons_show_desktop_prefs (ui.h),
connection_set_priority (connection.h),
omemo_devicelist_configure_and_request (omemo.h)
test_common.c: add currb NULL check to silence -Wnull-dereference
Tooling (check-cwe134.sh):
Reduce from 5 checks to 2 (checks 1-3 redundant with -Wformat=2)
Check 1: verify known wrappers have G_GNUC_PRINTF attribute
Check 2: auto-detect unannotated variadic printf-like functions
Match both const char* and const gchar* in variadic patterns
Author: jabber.developer2 <jabber.developer2@jabber.space >
2026-03-07 11:55:50 +01:00
467222d0ca
fix(ui,db): harden NULL handling, fix CWE-134, optimize iterations
...
CI Code / Code Coverage (push) Failing after 10m34s
CI Code / Check spelling (push) Failing after 10m47s
CI Code / Check coding style (push) Failing after 11m4s
CI Code / Linux (ubuntu) (push) Failing after 11m19s
CI Code / Linux (debian) (push) Failing after 11m28s
CI Code / Linux (arch) (push) Failing after 11m38s
security(CWE-134): fix format string injections + add CI check
fix(ui): subwindow lifecycle, newwin/newpad guards, fallback timestamps
fix(db): sqlite cleanup on failures, sqlite3_close_v2
fix(xmpp): queued_messages loop, barejid leak
perf(core): g_hash_table_iter_init instead of g_hash_table_get_keys
refactor(ui): CLAMP macro in _check_subwin_width
test: XEP-0012 and XEP-0045 functional tests
Author: jabber.developer2
Closes #58 , #85
2026-02-06 19:27:40 +01:00
Steffen Jaeckel
9b1cb6ab85
If config keyfile does not exist, create it.
...
CI / Check spelling (pull_request) Successful in 22s
CI / Check coding style (pull_request) Successful in 36s
CI / Linux (ubuntu) (pull_request) Successful in 14m11s
CI / Linux (debian) (pull_request) Successful in 16m2s
CI / Linux (arch) (pull_request) Successful in 20m21s
CI / Check spelling (push) Successful in 19s
CI / Check coding style (push) Successful in 34s
CI / Linux (debian) (push) Successful in 13m41s
CI / Linux (ubuntu) (push) Successful in 15m3s
CI / Linux (arch) (push) Successful in 20m23s
Fixes #1911
Alternative to #2056
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu >
(cherry picked from commit b12521ca21 )
2025-09-10 14:20:08 +02:00
0d7a859a20
fix: curl parameter type correction
CI / Check coding style (pull_request) Successful in 34s
CI / Check spelling (pull_request) Successful in 24s
CI / Linux (ubuntu) (pull_request) Successful in 10m8s
CI / Linux (debian) (pull_request) Successful in 12m7s
CI / Linux (fedora) (pull_request) Successful in 13m44s
CI / Linux (arch) (pull_request) Successful in 16m39s
2025-06-20 14:58:30 +02:00
Michael Vetter
07dfeec816
Release 0.15.0
2025-03-27 20:06:38 +01:00
Michael Vetter
b5f0cc0bd4
Fix more potential leaks in aesgcm_download
2025-03-13 09:48:27 +01:00
Michael Vetter
569e37f018
Update copyright to 2024
2024-01-22 16:03:48 +01:00
Steffen Jaeckel
fdfe3e2ad9
Rework OMEMO handling on disconnect
...
* Fix missing destruction of `session_store` and mutex
* Replace `glib_hash_table_free()`
The glib API `g_hash_table_destroy()` does exactly the same.
* Use the default libsignal `destroy_func` instead of doing that manually
* Set internal state to `0` after everything is cleaned up
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-12-12 18:26:21 +01:00
Steffen Jaeckel
835ea397ac
Tidy up some code
...
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-12-12 18:26:21 +01:00
Steffen Jaeckel
ca2df180d8
Introduce a shared implementation for keyfile loading
...
Instead of copy&pasting the same code over again, use a common
implementation.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-09-04 09:59:09 +02:00
Steffen Jaeckel
b7f964fe64
Resolve symlinks recursively in get_file_or_linked()
...
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-09-04 09:59:09 +02:00
Steffen Jaeckel
d3b6ebb1d7
Less allocations in str_replace()
...
If `n` is the number of `substr` replace operations, the old
implementation did `n+1` allocations and always first copied start,
then replacement, then the remaining (unsearched) part of the original
string.
Now calculate the number of occurences of `substr` before allocating the
resulting string.
Change the algorithm to parse through the original string and only
copy the parts that must be kept into the resulting string plus the
replacements where they belong at.
Now we also only have to go through the original string twice plus we only
do a single allocation.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-09-01 12:12:44 +02:00
Michael Vetter
22b1d14b67
Add helper function to create version string
...
And remove all the duplicate code.
Depending on the situation prof_get_version() will return:
* 0.13.1
* 0.13.1dev
* 0.13.1dev.master.69d8c1f9
2023-07-25 20:58:15 +02:00
John Hernandez
09f217d667
Improve documentation
2023-07-13 21:22:42 +02:00
John Hernandez
8304ac86ff
g_free() to auto_gfree, introduce auto_guchar
...
Fix 11 potential mem leaks in theme.c
2023-07-13 17:04:59 +02:00
John Hernandez
e1d137f4e6
Change char->free to auto_char char for autocleanup
...
Replace `gchar` and `g_free` to `auto_gchar`
Correct certain `char` functions/variables to `gchar`
Related to #1819 .
Edited by @jubalh.
2023-07-11 13:26:37 +02:00
Michael Vetter
6247c28e31
Merge pull request #1842 from H3rnand3zzz/feature/plugins-download
...
New Feature: Plugins Download
2023-06-06 18:35:18 +02:00
John Hernandez
95e06ad169
Add url support (downloading) to /plugins install
...
Additional changes include code refactoring.
2023-05-16 15:57:07 +02:00
John Hernandez
7f3fca2bd0
Cleanup: gchar as gchar instead of char
...
Use gchar instead of char in most of the cases where gchar is intended.
Reason: improve compatibility and stability. Issue #1819
Minor refactoring.
2023-05-04 16:15:09 +02:00
Michael Vetter
e59c401c84
Adapt to g_string_free glib 2.75.3 change
...
glib 2.75.3 changes warning behaviour of `g_string_free()`.
See:
* https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3219
* https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3226
Use this opportunity to replace the use of GString with
`g_strdup_printf()` where possible.
Otherwise correctly take the return value of `g_string_free()`
which is nicer anyways.
2023-03-21 10:53:10 +01:00
Steffen Jaeckel
7167760bdd
fix #1761 by changing the implementation from recursive
...
... to an iterative approach
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-03-11 15:05:03 +01:00
Steffen Jaeckel
99ffaf0a00
introduce auto_gcharv
...
This also fixes memory leaks in `_omemo_autocomplete()`.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-01-19 10:40:25 +01:00
Steffen Jaeckel
698aefa005
fix memory leaks in OMEMO
...
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-01-18 20:11:13 +01:00
Steffen Jaeckel
b1b6c6f62d
add /strophe command to modify libstrophe-specific settings
...
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2023-01-18 17:04:41 +01:00
Michael Vetter
3adc399da0
Update copyright year
2023-01-10 10:37:25 +01:00
Marouane L
2d11a35ee1
Spawn external programs asynchronously
...
Drawback is that we can't check the exitcode anymore.
But we were unsure why/when we need this, see:
https://github.com/profanity-im/profanity/pull/1760/files#r980868708
Fixes https://github.com/profanity-im/profanity/issues/1759
2022-10-12 12:25:00 +02:00
nandesu-utils
e1ed012f72
support for formatting in avatar executable
...
in before it just used the input command line as it was but this fixes
this by adding formatting using `format_call_external_argv` which is
already used in `url open` executable.
2022-09-06 12:51:27 +02:00
nandesu-utils
056b19eb91
refactored call_external code
...
unluckily here the code neglected the fact that glib will set an error
to a location that was pointed by the error pointer if it is not null.
but it was of an undefined value hence profanity crashed. now it is null
as it must be.
also spawn error is returned when glib could not spawn the task for
some reason like the executable file does not exist but if the exit
status was non-zero it neglected the exit error and tried to output a
spawn error instead. now we check whether the process that we
instantiated has exited successfully
also now code uses `g_spawn_check_wait_status` which
`g_spawn_check_exit_status` has been aliased to.
2022-08-27 16:25:15 +03:00
Michael Vetter
932e7826aa
common: dont use GError twice
...
We need to use a new one or call `g_clear_error()`.
Fix segfault in https://github.com/profanity-im/profanity/issues/1738
2022-08-02 14:13:28 +02:00
Michael Vetter
9df4bd29ea
Check for error before trying to append it
...
Related to https://github.com/profanity-im/profanity/issues/1738
2022-08-02 08:55:18 +02:00
Michael Vetter
1330ad4e1e
Update copyright year
2022-05-09 15:43:33 +02:00
Steffen Jaeckel
705b6f7806
use g_mkdir_with_parents() instead of home-baked solution
...
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de >
2022-03-14 13:17:46 +01:00
Michael Vetter
8e588d6764
Fix random string generation
...
Our variable `alphabet` contains 62 alphanumeric symbols + '\0'.
When we use sizeof(alphabet) we will get 63 due to that.
But we want to choose a random numbers from the 62 alphanumeric letters only.
This mistake caused us to have strings with a max length of `length`
instead of the exact length.
When doing https://github.com/profanity-im/profanity/issues/1520
this caused our algo for muc reflection to not catch since we expect the
random ID to be exactly 15 symbols long in `message_is_sent_by_us()`.
2021-04-17 22:37:21 +02:00
Michael Vetter
1ec606540e
Get rid of asprintf and _GNU_SOURCE define
...
_GNU_SOURCE was even in some files where it was not needed at all
(http*).
Let's replace asprintf() with g_strdup_printf().
2021-03-30 17:38:13 +02:00
Maximilian Wuttke
1576ac11cb
Remove "file://" from file names
...
Rationale: When copying an image in some application, a URL instead of a
path is copied to the clipboard.
2021-03-09 20:45:29 +01:00
Michael Vetter
8c08e64f37
Update copyright
2021-01-08 16:36:30 +01:00
William Wennerström
0437fae1a8
Do not inherit stdin of main process
...
I see no reason to inherit the stdin, so let's have it disabled.
2020-12-15 15:48:51 +01:00
William Wennerström
32cfea4bd2
Refactor call_external
2020-12-11 15:51:01 +01:00
William Wennerström
073412b845
Remove stray +2 for path string in get_expanded_path
2020-12-09 19:24:15 +01:00
Michael Vetter
b525befe67
Allocate memory for realpath in both cases
...
Forgot about that :(
2020-12-09 16:22:06 +01:00
Michael Vetter
a2291b36c4
Expand ~ in unique_filename_from_url()
...
unique_filename_from_url() is used for `/url save`.
It doesn't recognize ~ by itself, we need to expand it first.
Mentioned in
https://github.com/profanity-im/profanity/pull/1375#pullrequestreview-547892462
2020-12-09 08:44:26 +01:00
William Wennerström
ac03037847
Rework url to filename
2020-12-06 17:02:09 +01:00
William Wennerström
1d2c0a8836
Move unique_filename_from_url functions to common
2020-12-04 16:13:13 +01:00
William Wennerström
3a6597ee29
Refactor for threaded external executable for built-in download methods
2020-12-03 16:54:06 +01:00
Michael Vetter
35aecd425f
Declare counter var inside loop
...
We require c99/gnu99 anyways.
2020-11-09 11:33:33 +01:00
Michael Vetter
3d307fe341
Get rid of str_contains()
...
We can use strchr() here.
2020-11-02 18:52:25 +01:00