Commit Graph

224 Commits

Author SHA1 Message Date
c5dd0cf9df fix(xmpp): obfuscate client identity in protocol exchanges
All checks were successful
CI Code / Check spelling (pull_request) Successful in 12s
CI Code / Check coding style (pull_request) Successful in 24s
CI Code / Code Coverage (pull_request) Successful in 3m54s
CI Code / Linux (debian) (pull_request) Successful in 5m16s
CI Code / Linux (ubuntu) (pull_request) Successful in 5m22s
CI Code / Linux (arch) (pull_request) Successful in 6m56s
CI Code / Check spelling (push) Successful in 13s
CI Code / Check coding style (push) Successful in 27s
CI Code / Code Coverage (push) Successful in 3m35s
CI Code / Linux (debian) (push) Successful in 5m41s
CI Code / Linux (ubuntu) (push) Successful in 5m52s
CI Code / Linux (arch) (push) Successful in 7m36s
Modify version responses to return a generic client name and omit
version strings. Drop the "profanity." prefix from dynamically
generated JID resources. Spoof the XEP-0115 capabilities node URI to
prevent service discovery/presence fingerprinting. These adjustments
reduce the client's attack surface by minimizing identifiable metadata.
2026-07-10 08:54:24 +00:00
72f4f186da merge: sync upstream profanity-im/profanity
All checks were successful
CI Code / Check spelling (push) Successful in 18s
CI Code / Check coding style (push) Successful in 34s
CI Code / Code Coverage (push) Successful in 2m36s
CI Code / Linux (debian) (push) Successful in 4m41s
CI Code / Linux (ubuntu) (push) Successful in 4m52s
CI Code / Linux (arch) (push) Successful in 5m40s
Sync with upstream profanity-im/profanity.

Major upstream changes incorporated:

Memory management
  - Replace malloc+memset with g_new0 throughout codebase
  - Adopt auto_gchar / auto_gcharv / auto_gerror / auto_jid cleanup macros
  - Replace free() with g_free() for GAlloc'd memory

Editor rewrite
  - Remove pthread-based async editor; use GChildWatch callback API
  - New launch_editor(initial_content, callback, user_data) interface
  - Proper signal handling (SIGINT, SIGTSTP, SIGPIPE reset in child)
  - ui_suspend()/ui_resume() integration for TTY management

OMEMO improvements
  - Dual backend support: libsignal-protocol-c and libomemo-c
  - Proper pre-key removal after use (XEP-0384 compliance)
  - Automatic pre-key regeneration when store drops below threshold
  - New functions: omemo_is_device_active(), omemo_is_jid_trusted()
  - omemo_get_jid_untrusted_fingerprints() for better error messages
  - Fingerprint notifications on new device identity discovery
  - Deterministic pre-key ID generation tracking max_pre_key_id
  - omemo_trust_changed() UI updates on trust state changes

JID validation
  - RFC 6122-compliant validation in jid_is_valid()
  - Character-level checks (RFC 6122 forbidden chars: & ' / : < > @)
  - Length limits: 1023 per component, 3071 total
  - New jid_is_valid_user_jid() for user vs. service JID distinction

Database
  - Schema migration v3: UNIQUE constraint on archive_id for deduplication
  - Triggers for corrected message tracking (replaces_db_id / replaced_by_db_id)
  - db_history_result_t return type, _truncate_datetime_suffix()

UI / console
  - win_warn_needed() / win_warn_sent() warning deduplication hash table
  - PAD_MIN_HEIGHT dynamic pad sizing with PAD_THRESHOLD auto-cleanup
  - Spellcheck integration in input field with Unicode word detection
  - cons_spellcheck_setting() for /settings ui output
  - /[command]? shortcut for command help

Account config
  - Account name sanitization for GKeyFile special chars ([ ] = # \n \r)
  - Replace popen() with g_spawn_sync() for eval_password
  - TLS policy: add "direct" option alongside legacy

Connection
  - Port validation with g_assert (0–65535)
  - SHA-256 certificate fingerprint support (XMPP_CERT_PUBKEY_FINGERPRINT_SHA256)
  - "direct" TLS policy alias for legacy SSL

Common utilities
  - str_xml_sanitize() for XML 1.0 illegal character removal
  - string_matches_one_of() with formatted error messages
  - valid_tls_policy_option() helper
  - prof_date_time_format_iso8601() utility
  - Improved strip_arg_quotes() with backslash unescaping
  - prof_occurrences() uses g_slist_prepend + reverse for performance

PGP / OX
  - Proper GPGME resource cleanup with goto-cleanup pattern
  - g_string_free(xmppuri) leak fix in _ox_key_lookup

CSV export
  - Use GString + g_file_set_contents instead of raw write() syscalls

Tests
  - Restructured into subdirectories: command/, config/, xmpp/, ui/, omemo/, otr/, pgp/
  - New test_cmd_ac.c for autocompleter unit tests
  - Updated stubs for new UI suspend/resume functions

License headers
  - Migrate to SPDX-3.0 identifiers (GPL-3.0-or-later WITH OpenSSL-exception)

────────────────────────────────────────────────────
cproof-specific preservations:

  - XEP-0308 LMC: replace_id ?: id logic in message/stanza/omemo
  - Force encryption: cmd_force_encryption, test_forced_encryption
  - CWE-134: format string protection (cons_show("%s", ...))
  - y_start_pos-based paging in window.c
  - db_history_result_t return type, _truncate_datetime_suffix()

Merge-time fixes:

  - common.c: format-security (-Werror) — cons_show(errmsg) → cons_show("%s", errmsg)
  - database.c: null-deref guard — !msg->timestamp → msg && !msg->timestamp
  - console.c: implicit size_t → int cast — (int)(maxlen + 1)
  - tlscerts.c: %d for size_t — %zu

Build system:
  - Kept autotools (Makefile.am, configure.ac); upstream uses Meson
  - Restored deleted files: bootstrap.sh, autogen.sh, ax_valgrind_check.m4, configure-debug
  - Updated Makefile.am test paths for subdirectory structure
  - Added test_cmd_ac, test_forced_encryption to test sources

Functional tests:
  - Use cproof version; upstream requires stbbr_for_xmlns from updated stabber
  - Not yet available in devs/stabber fork

Closes #64

Merge author: jabber.developer2
Commits authors:
 Michael Vetter <jubalh@iodoru.org>
& Steffen Jaeckel <s@jaeckel.eu>
2026-05-26 17:48:14 +00:00
9ec01fa8cc fix: CWE-134 format string audit and compiler hardening
All checks were successful
CI Code / Check spelling (push) Successful in 20s
CI Code / Check coding style (push) Successful in 36s
CI Code / Code Coverage (push) Successful in 5m38s
CI Code / Linux (ubuntu) (push) Successful in 7m1s
CI Code / Linux (debian) (push) Successful in 7m5s
CI Code / Linux (arch) (push) Successful in 7m19s
Security:
Fix CWE-134 in iq.c: user-controlled string passed as format argument
Add G_GNUC_PRINTF annotations to all variadic printf-like wrappers
in ui.h, log.h and http_common.h
Compiler flags (configure.ac):

Replace basic -Wformat/-Wformat-nonliteral with -Wformat=2
Add -Wextra, -Wnull-dereference, -Wpointer-arith,
-Wimplicit-function-declaration, -Wundef, -Wfloat-equal,
-Wredundant-decls, -Walloc-zero
Add -fstack-protector-strong, -fno-common, -D_FORTIFY_SOURCE=2
Add GCC-specific flags via AC_COMPILE_IFELSE: -Wlogical-op,
-Wduplicated-cond, -Wduplicated-branches, -Wstringop-overflow,
-Warray-bounds=2
Suppress noisy -Wextra sub-warnings: -Wno-unused-parameter,
-Wno-missing-field-initializers, -Wno-sign-compare,
-Wno-cast-function-type
Remove AM_CFLAGS/CFLAGS duplication
Bug fixes found by new warnings:

chatlog.c: non-MUCPM redact path passed resourcepart instead of NULL
rosterwin.c: merge duplicated if/else branches into single condition
omemo.c: redundant else-if in omemo_automatic_start; remove
unnecessary scope block and goto, use early return
console.c: pointer compared to integer 0 instead of NULL
stanza.c: increase pri_str/idle_str buffers from 10 to 12 bytes
(INT_MIN = -2147483648 needs 12 bytes including NUL)
vcard.c: NULL guard for filename before g_file_set_contents
api.c: broken log_warning() calls with extra format argument
Format mismatch fixes:

chatwin.c: Jid* → char* for %s
connection.c: %x → %lx for long flags
cmd_funcs.c: %d → %zu for size_t; cast gpointer to char* for %s
cmd_defs.c: %d → %u for g_list_length() return (guint)
iq.c: barejid → fulljid for from_jid
console.c, mucwin.c, privwin.c, account.c, omemo.c, presence.c:
gpointer → (char*) casts for %s
Const-correctness and cleanup:

database.c: const for type, query, sort variables
form.c/xmpp.h: const for form_set_value parameter
files.c: refactor to early return, eliminating NULL logfile path
muc.c/muc.h: remove meaningless top-level const on return type
common.c: const for URL string literal
Remove stale declarations: cons_show_desktop_prefs (ui.h),
connection_set_priority (connection.h),
omemo_devicelist_configure_and_request (omemo.h)
test_common.c: add currb NULL check to silence -Wnull-dereference
Tooling (check-cwe134.sh):

Reduce from 5 checks to 2 (checks 1-3 redundant with -Wformat=2)
Check 1: verify known wrappers have G_GNUC_PRINTF attribute
Check 2: auto-detect unannotated variadic printf-like functions
Match both const char* and const gchar* in variadic patterns

Author: jabber.developer2 <jabber.developer2@jabber.space>
2026-03-07 11:55:50 +01:00
Hanspeter Portner
cb395b7c09 Make muc_nick return a const char* const
In the documentation of the `muc_nick` function we can read:

> The nickname is owned by the chat room and should not be modified or freed

We should reflect that in the return type and `strdup` the value for the
plugin API.

Fixes: https://github.com/profanity-im/profanity/issues/2013
2025-01-26 18:16:14 +01:00
Michael Vetter
22b1d14b67 Add helper function to create version string
And remove all the duplicate code.

Depending on the situation prof_get_version() will return:
* 0.13.1
* 0.13.1dev
* 0.13.1dev.master.69d8c1f9
2023-07-25 20:58:15 +02:00
John Hernandez
029f1caa52 Cleanup jid_destroy to auto_jid
Remove unused variables
Apply minor cleanups
2023-07-13 17:05:07 +02:00
John Hernandez
8304ac86ff g_free() to auto_gfree, introduce auto_guchar
Fix 11 potential mem leaks in theme.c
2023-07-13 17:04:59 +02:00
John Hernandez
e1d137f4e6 Change char->free to auto_char char for autocleanup
Replace `gchar` and `g_free` to `auto_gchar`
Correct certain  `char` functions/variables to `gchar`

Related to #1819.

Edited by @jubalh.
2023-07-11 13:26:37 +02:00
Steffen Jaeckel
d8eea87f60 Fix -Werror=maybe-uninitialized
When compiling with `CFLAGS="-O2 -fexceptions -Wp,-D_FORTIFY_SOURCE=2"`, as
done per default when creating an AUR package e.g. via `makepkg`, this
error is produced.

Refactor `stanza_create_mam_iq()` in order to fix said warning-turned-into-
an-error.

Edit by jubalh:
I still think the error message is a false positive. But this commit improves the
code a lot.

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2023-05-12 08:39:29 +02:00
John Hernandez
7f3fca2bd0 Cleanup: gchar as gchar instead of char
Use gchar instead of char in most of the cases where gchar is intended.

Reason: improve compatibility and stability. Issue #1819

Minor refactoring.
2023-05-04 16:15:09 +02:00
IsaacM88
ecdeb750f3 Add ability to disable avatar publishing
Add "/avatar disable" to comply with point "3.5 Publisher Disables
Avatar Publishing" in XEP-0084.

src/command/cmd_defs.c:2416
Add "disable" argument. Reword the "/avatar" command description
so it flows better.

src/command/cmd_ac.c:1101
Add "disable" to the "/avatar" autocomplete dictionary.

src/command/cmd_funcs.c:9277
Split "/avatar" commands into two groups with an if statement; those
with a parameter and those without. "cons_bad_cmd_usage()" is in both
groups, which is messy. "disable" has similar logic to "set", but it
includes a failure message.

src/xmpp/avatar.c:152
"avatar_publishing_disable()" uses the same logic to publish metadata
as in "avatar_set()".

src/xmpp/avatar.c:238
Add a message to inform users when they do not receive an avatar after
using "/avatar get" and "/avatar open". In case of a failure, the user
will be subscribed to future avatar updates as long as they continue
to use their current instance of profanity. Adding
"caps_remove_feature()" after "cons_show()" will unsubscribe the user
from avatar updates and prevent the user from downloading an avatar
unexpectedly hours later without issuing an "/avatar" command.

src/xmpp/stanza.c:2698
The new "disable" function follows the same logic as
"stanza_create_avatar_metadata_publish_iq()".
2023-05-02 14:45:54 -06:00
Michael Vetter
abaf96dcef Fix memleak in stanza_create_caps_query_element
Got introduced with 5d3c8ce7c.
2023-04-18 20:26:24 +02:00
John Hernandez
5d3c8ce7c1 Allow setting client identification name/version manually
Add changes allowing user to switch client name and version.

Useful for enhancing user privacy.

Minor cleanup.
2023-04-09 14:17:01 +02:00
Michael Vetter
a04031cec9 Apply codigng style on new MAM code 2022-10-21 16:55:18 +02:00
Michael Vetter
3bdc14dbcf Merge MAM improvements from #1724
I think this PR already solves and improves the MAM situation a lot.

What's @MarcoPolo-PasTonMolo still wanted to do in this branch is:
* MAM for mucs
* Check if url and quotes autocompletion works fine
* Check if the api still works fine
* Resolve conflicts

Conflicts are solved with this commit.

MAM for mucs can be another feature PR.

The rest we can check while being on master. And more people can help
testing.
2022-10-21 13:30:43 +02:00
Marouane L
f934c5b59f Add vCard support
Only nicknames, photos, birthdays, addresses, telephone numbers, emails,
JIDs, titles, roles, notes, and URLs are supported

Due to the synopsis array not having enough space, `/vcard photo
open-self` and `/vcard photo save-self` are not documented properly in
the synopsis section of the `/vcard` command, but they are documented in
the arguments section

Fixed memory leak in vcard autocomplete (thanks to debXwoody)
2022-10-18 23:24:30 +01:00
Michael Vetter
4b2bbe59ea Format Maxis commit properly 2022-09-29 11:11:01 +02:00
Maxi Wuttke
021927a549 Use G_GSIZE_FORMAT instead of "%lu" for portability
In the function stanza_create_avatar_metadata_publish_iq, use the format
string `"%"G_GSIZE_FORMAT` instead of "%lu", for an argument of type
gsize.
2022-09-29 10:46:32 +02:00
MarcoPolo-PasTonMolo
6429698f18 Fix initial MAM not displaying
Did this by waiting for a batch of MAM messages to arrive before
prepending them to the buffer. Also limited the number of messages
to fetch to 10 so that the user gets more frequent updates.
2022-07-05 00:06:04 +03:00
MarcoPolo-PasTonMolo
f0202a2fe0 On new chatwin fetch mam according to guidelines.
Taken from here:
cd3e871e55
2022-07-03 21:23:07 +03:00
Michael Vetter
b3b76d9f5c stanza: remove strange assignment 2022-06-29 12:31:06 +02:00
MarcoPolo-PasTonMolo
6a44e18853 Add /avatar set command to publish avatar
Use `/avatar set <path>` where <path> is an image file to upload a new
avatar for the current user. When the avatar is too big it gets scaled
down. Scaling code copied from dino.

Fixes https://github.com/profanity-im/profanity/issues/1687
2022-05-26 17:49:34 +03:00
Steffen Jaeckel
9cf78e59d5 auto-format
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2022-02-01 15:01:28 +01:00
Steffen Jaeckel
ffc0b49ab1 first step to remove libmesode
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2021-10-27 22:45:44 +02:00
Michael Vetter
46c8245af9 Format new register code correctly 2021-10-13 21:32:44 +02:00
Michael Vetter
e0e45b7b24 Merge pull request #1574 from binex-dsk/master
Add in-band account registration
Fix https://github.com/profanity-im/profanity/issues/199
2021-10-13 21:19:22 +02:00
swirl
0653200965 registration: memory leaks, error checking 2021-10-13 15:02:05 -04:00
Michael Vetter
f21595597f Format code correctly 2021-10-05 10:01:27 +02:00
MarcoPolo-PasTonMolo
97551aa131 Fix history timestamp
Fixes https://github.com/profanity-im/profanity/issues/1423

Oldest stanza is fetched like before but now the timestamp is generated by creating date_time_from_iso8601 and then to_local, instead of trusting that the timestamp is in utc.
The procedure previously was stamp = time_val_from_iso8601() then date_time = date_time_from_utc(stamp) then local_date_time = to_local(date_time)
2021-10-05 09:56:24 +02:00
swirl
4d3f26154e hacky fix(?) for register
very bad and spaghetti will fix later
2021-08-17 14:09:48 -04:00
swirl
2cc354b6ae fixed some bugs, added some more
- Added JABBER_RAW_CONNECT[ING/ED] connection states
- Added cl_ev_connect_raw and session_connect_raw to conform to normal
connection functions
- Fixed SIGABRT during registration
- Added a check in cmd_register to ensure it's actually connected before
registering--but this will always fail atm
2021-08-17 14:09:48 -04:00
swirl
d9366a26d6 initial register command test 2021-08-17 14:09:48 -04:00
Michael Vetter
817a6bff54 XEP-0157: Print all available addresses 2021-06-30 11:23:22 +02:00
Michael Vetter
ef96bea82e XEP-0157: Print contact addresses 2021-06-30 10:45:59 +02:00
Michael Vetter
2f5aa124ca XEP-0157: Parse contact address stanza 2021-06-29 22:52:45 +02:00
Michael Vetter
1ec606540e Get rid of asprintf and _GNU_SOURCE define
_GNU_SOURCE was even in some files where it was not needed at all
(http*).

Let's replace asprintf() with g_strdup_printf().
2021-03-30 17:38:13 +02:00
Michael Vetter
d23c3dd065 stanza: simplify stanza_get_muc_destroy_alternative_room 2021-03-25 15:59:48 +01:00
Michael Vetter
caa2c7afd0 stanza: replae strcmp with g_strcmp0
since its NULL safe
2021-03-25 15:55:18 +01:00
Michael Vetter
fde0a0d1c6 Add support to register with a room
`/affiliation register` can now be used to register a nickname with a
MUC.

Tested with a server without forms. Couldn't find a server which
supports forms yet.

Implements https://github.com/profanity-im/profanity/issues/1210
2021-03-25 11:05:58 +01:00
Michael Vetter
5cec47c86a Add support to approve MUC voice requests
A form will open. One can then use `/field4 on` `/form submit`.

Implements https://github.com/profanity-im/profanity/issues/1507
2021-03-17 16:16:59 +01:00
Thorben Günther
ec6f9df486 MUC: Add voice request
closes https://github.com/profanity-im/profanity/issues/1211
2021-03-12 14:57:00 +01:00
Michael Vetter
a7ecda7773 Merge pull request #1501 from xenrox/change-password
Add command to change password of logged in user
2021-03-11 18:18:03 +01:00
Thorben Günther
b0aea2bcff Add command to change password of logged in user 2021-03-11 17:42:53 +01:00
Maximilian Wuttke
e217ed0b79 Update to the newest version of XEP 0363 (HTTP Upload)
Main changes:

1. Attributes instead of tags
2. Read the optional <header> tags and send them in the HTTP PUT header:

   * Authorization
   * Cookie
   * Expires

Co-authored-by: Martin Dosch <martin@mdosch.de>
2021-03-11 17:11:22 +01:00
Maximilian Wuttke
4124856100 Variadic version of stanza_attach_publish_options 2021-03-09 17:47:37 +01:00
Michael Vetter
db65255a5a wip: add rsm after we get the first couple of mam messages 2021-01-28 14:44:53 +01:00
Michael Vetter
35aecd425f Declare counter var inside loop
We require c99/gnu99 anyways.
2020-11-09 11:33:33 +01:00
Michael Vetter
17b1b431f5 Replace stanza_get_child_by_name_and_ns with xmpp_stanza_get_child_by_name_and_ns
Replace our own stanza_get_child_by_name_and_ns() with the upstreamed
xmpp_stanza_get_child_by_name_and_ns() provided by the new
libstrophe/libmesode 0.10.0.
2020-09-30 19:41:08 +02:00
Michael Vetter
a2726b6a7d Apply coding style 2020-07-07 14:18:57 +02:00
Michael Vetter
a4cadf78fa Revert "Apply coding style"
This reverts commit 9b55f2dec0.

Sorting the includes creates some problems.
2020-07-07 13:53:30 +02:00