- src/xmpp/jid.c: add missing #include "log.h" — d3d7c328b
introduced a log_debug() call in jid_create without pulling in
the header, so the source tree did not actually build.
- src/omemo/omemo.c omemo_on_message_send: add the missing
NULL-check after the gcry_malloc_secure calls for 'tag' /
'key_tag' so a real OOM does not sail into the memcpy/encrypt
path. (The 'key' check d3d7c328b added is defensive only —
gcry_random_bytes_secure aborts internally on failure.)
- src/omemo/omemo.c _cache_device_identity: drop the second
'if (!fingerprint) return' on the autocomplete path. fingerprint
is already NULL-checked at the top of the function and is not
reassigned in between, so the second guard is dead code (upstream
artefact).
- src/tools/editor.c launch_editor: replace the
g_main_context_acquire/release pair with
g_child_watch_source_new(getpid()) + g_source_unref.
acquire/release does not install GLib's SIGCHLD handler — that
handler is registered as a side effect of constructing a
GChildWatchSource. Now we actually pre-arm SIGCHLD before
forking, which is what d3d7c328b's comment claimed.
- src/ui/statusbar.c status_bar_inactive / _create_tab: switch the
remaining two literal '10' tab-id values to the CONSOLE_TAB_ID
define introduced by d3d7c328b, then inline the expression
directly into the GINT_TO_POINTER() argument so the one-shot
local 'true_win' goes away.
Verified with ci-build.sh in Debian docker: all 4 configs pass
(644/0, 605/0, 605/0, 644/0 unit + 130/0 functional).
- Sanitize account names to prevent GKeyFile config injection by
blocking special characters like #, \n, and \r.
- Ensure GLib's SIGCHLD handler is initialized before forking
external editors to prevent zombie processes.
- Add missing error check for OMEMO random key generation.
- Replace hardcoded console tab ID with a named constant.
- Log invalid JIDs safely to prevent potential null pointer issues.
- src/log.c: log_stderr_init no longer closes STDERR_FILENO immediately
after dup2(). The previous 'close(dup_fd)' closed fd 2 because dup2
returns newfd on success; the in-app stderr capture pipe was silently
dead, dropping libstrophe/openssl error output. Close the original
stderr_pipe[1] instead and remember that the write end now lives at
STDERR_FILENO so _log_stderr_close stays correct.
- src/database_sqlite.c: NULL-check sqlite3_mprintf result before
passing it to sqlite3_exec in the DbVersion bootstrap path.
- src/tools/editor.c: drop three orphan #includes (<fcntl.h>,
<pthread.h>, <readline/readline.h>) left behind when 9b03e3a50
removed the async-editor path.
- src/xmpp/jid.c: match the g_new0 allocation in jid_create with
g_free in jid_destroy. Same behaviour on glibc but stops being a
foot-gun under custom glib allocators.
Verified with ci-build.sh in Debian docker: all 4 configs pass
(644/0, 605/0, 605/0, 644/0 unit + 130/0 functional).
#1222 (src/xmpp/roster_list.c): remove dead 'resource = NULL' inside
roster_update_presence() — assigning to a value parameter never
affects the caller. Document the ownership contract: the function
consumes 'resource' on every return path and callers must null
their own pointer afterwards. The existing caller in
roster_process_pending_presence already does that, and
resource_destroy() is NULL-safe.
#1226 (src/tools/editor.{c,h}): remove get_message_from_editor[_async]
and the surrounding async-editor infrastructure (editor_thread,
editor_task global, editor_process polling, EditorTask typedef).
The upstream callback-based launch_editor API has replaced every
call site (cmd_funcs.c, inputwin.c). Also drop the now-unused
'background_mode' global (only the obsolete async path ever set it
to TRUE) and the editor_process() call in profanity.c main loop.
Verified with ci-build.sh in Debian docker — all 4 build configs
pass (644/0, 605/0, 605/0, 644/0 unit + 130/0 functional each).
Add stub for ui_is_suspended() in tests/unittests/ui/stub_ui.c so
the unit-test binary links cleanly against any code path that calls
it from non-UI translation units.
When the receipts-request preference is on but we have no cached
EntityCapabilities for the recipient (new session, bare-jid only,
disco not finished), the previous check via caps_jid_has_feature()
defaulted to 'not supported' and silently suppressed the receipt.
Per XEP-0184 we should send the receipt request unless we have
positive knowledge that the peer does not advertise the feature.
Restore that behaviour: look up caps with caps_lookup(); only flip
request_receipt off when caps are present AND the feature is
missing from the list. If caps are NULL, leave the request enabled
(falls back to the user preference).
The SQLite-backend code now lives in database_sqlite.c (master split
src/database.c into a thin backend dispatcher); the upstream changes
that PR 105 had folded into the monolithic database.c were not
ported across when we took master's dispatcher version. This brings
forward the v3 schema work and folds in upstream 42a849d16
(fix(database): resolve migration failure and improve init safety):
- latest_version bumped 2 -> 3; ChatLogs.archive_id gains UNIQUE
constraint; _migrate_to_v3 dedupes existing rows via the
ChatLogs_v3_migration intermediate table
- DbVersion bookkeeping uses DELETE+INSERT instead of UPDATE so
multiple rows do not trip the unique-constraint failure reported
upstream (#2105)
- Initial INSERT INTO DbVersion uses latest_version via
sqlite3_mprintf, so brand-new databases are stamped at the current
schema and skip redundant migrations
- server_events.c now checks log_database_init's return so a broken
DB init is logged instead of silently leaving the handle half-open
(644/0, 605/0, 605/0, 644/0 unit + 130/0 functional each).
Bring in master commits since the previous merge:
- 4776c1f1e fix(ai): properly decode \uXXXX JSON escape sequences as UTF-8
- 53cdf488b fix(ai): resolve UAF and require provider argument instead of defaults
- 3b673150b chore(chatlog): disable background message file logging (stage 1)
Conflict in src/chatlog.c: master stubs out all chat_log_* function
bodies (project policy — disable plain-text per-day chatlogs), while
the upstream-merged version in this branch still had upstream's full
implementation. Taking master's version entirely keeps the no-op
chatlog API surface that the ~20 call sites in event/, otr/ and
profanity.c depend on.
Functional test stbbr fixture used the old Profanity caps verification
hash (hAkb1xZdJV9BQpgGNw8zG5Xsals=) for buddy1's simulated presence
and the corresponding disco#info reply. The current build computes
JNkIRQChhYM8+Co3IypmMtMJnOE= for the same identity+features set, so
align the fixture with what the running client now produces.
My earlier merge-resolution Edit on src/xmpp/jid.c only covered the
=======/>>>>>>> half of the hunk and left an orphan <<<<<<< HEAD on
line 82 of jid_is_valid. CI caught it. Removed.
Resolve conflicts after master gained the flat-file database backend,
AI client, and other cproof-fork features:
- CHANGELOG: keep cproof-fork unreleased section atop full upstream
history (0.17.0 / 0.16.0 / 0.15.1)
- src/command/cmd_ac.c: keep both upstream spellcheck AC and cproof
/history switch|verify|export|import autocompletion
- src/config/preferences.c: merge upstream [spellcheck] group with the
cproof [ai]/[ai/<provider>] groups
- src/database.c: take master (thin dispatcher); upstream SQLite
improvements (v3 migration, auto_gchar) belong in database_sqlite.c
and will land in a follow-up commit
- src/tools/autocomplete.c: take upstream unescape of search_str
- src/ui/statusbar.c: keep guint signatures (per project preference)
and adapt _status_bar_draw_dbbackend to guint as well
- src/xmpp/jid.c: combine the new jid_is_valid/jid_is_valid_user_jid
with the "(null)" legacy-placeholder guard in
jid_create_from_bare_and_resource; use auto_gchar
- tests/functionaltests/proftest.c: keep unsigned-safe pre-check on
output_len before subtracting OUTPUT_BUF_SIZE
- tests/unittests/unittests.c: keep upstream subdirectory include
layout plus cproof-only test_ai_client/database_export/database_stress
- tests/unittests/test_jid.c: drop orphan top-level copy (the
restructured version lives in tests/unittests/xmpp/test_jid.c)
Upstream is included up to 1ac05754b (release 0.18.0 era). Follow-up:
pull 1ac05754b..upstream/master (esp. 42a849d16 db migration fix and
4749645c7 receipt-request restore), and adapt the SQLite improvements
into database_sqlite.c.
- ui/window.c win_show_subwin (#1144): unconditional newpad without
freeing the previous pad leaks the ncurses subwin if the function
is invoked twice without an intervening win_hide_subwin. Added a
delwin guard.
- omemo/omemo.c omemo_on_disconnect (#1126): hash tables and
libsignal handles are destroyed unconditionally even when a full
init never ran (e.g. shutdown after a failed load), and neither
g_hash_table_destroy nor signal_*_destroy are documented as
NULL-safe. NULL-check each handle before tearing it down.
- xmpp/roster_list.c (#1140 / #1141 / #1160): null the caller's
pointer immediately after resource_destroy() so a stale reference
cannot trigger a double-free; resource_destroy itself only zeroes
the struct fields it owns and cannot reach back to the caller.
Cleanup of the conversion-safety warnings exposed by enabling
-Wconversion / -Wsign-compare in the previous commit, plus guard
clauses at the few places where unsigned arithmetic could actually
misbehave.
Build:
- configure.ac drops -Wno-error=conversion and
-Wno-error=float-conversion. Only -Wno-error=sign-conversion and
-Wno-error=sign-compare remain, gating the ~230 sign warnings
inherited from upstream that will be cleaned up in follow-ups.
Type / conversion fixes (no behaviour change):
- Length-like locals in command/cmd_ac.c, command/cmd_funcs.c,
pgp/gpg.c, tools/autocomplete.c, tools/parser.c and ui/mucwin.c
switched from int to size_t / glong (matching strlen /
g_utf8_strlen return type) so we no longer need an (int) cast and
loop counters / array sizes stay in their natural unsigned domain.
- g_timer_elapsed / GTimeSpan -> int casts in session.c, iq.c,
core.c, server_events.c, window.c.
- _win_print_wrapped: indent parameter and local curx/maxx switched
from size_t to int to match _win_indent / getcurx / getmaxx.
- Port casts (int -> unsigned short) at the libstrophe boundary in
connection.c and session.c, each preceded by
g_assert(port >= 0 && port <= UINT16_MAX) so the truncation is
documented at the call-site.
- curl_off_t / fread size_t results cast at usage in http_upload.c,
http_download.c, omemo/crypto.c.
- strtoul results cast to uint32_t in xmpp/omemo.c and omemo/omemo.c
where device/prekey IDs are genuinely 32-bit.
- config/color.c: fg/bg/palette indices switched to `short`
end-to-end (find_col, color_hash, find_closest_col,
_color_pair_cache_get, cache.pairs), so the ncurses init_pair
boundary needs at most one (short)i cast for the cache index. Also
TODO-noted: init_extended_pair is needed for >15-bit palettes.
- xmpp/avatar.c: float arithmetic explicitly casts its int operands.
- tests/functionaltests/proftest.c: read() result handling uses
size_t for the accumulator, _read_output returns ssize_t, and the
buffer-shift check happens before space subtraction so the
expression cannot underflow.
Real-risk guard clauses (the part that actually fixes bugs):
- src/ui/statusbar.c _tabs_width: `end > opened_tabs - 1` rewritten
as `end < opened_tabs` so opened_tabs == 0 no longer underflows.
- src/ui/statusbar.c _status_bar_draw_extended_tabs: the mirror
comparison rewritten as `end >= opened_tabs`.
- src/ui/statusbar.c status_bar_draw: replaced
`MAX(0, getmaxx - (int)_tabs_width)` with an explicit precheck
before subtraction.
- src/omemo/omemo.c prekey selection: prekey_index is now uint32_t
and randomized into an unsigned buffer, so modulo with prekeys_len
cannot yield a negative index for g_list_nth_data.
- src/omemo/crypto.c omemo_decrypt_func: PKCS#5/PKCS#7 unpadding
reads `plaintext[plaintext_len - 1]`, which would underflow on a
malformed empty ciphertext and read past the heap buffer. Reject
plaintext_len == 0 before the padding peek and validate the
padding byte against the buffer length before the unpad loop.
Initialise plaintext = NULL so the early `goto out` cannot free
uninitialised memory.
- src/ui/inputwin.c (4 mbrlen sites) and src/ui/window.c
_win_print_wrapped: mbrlen() returns 0 for the null wide
character. The existing checks rejected (size_t)-1 / -2 but
treated 0 as a valid step, so the surrounding loops would either
advance by SIZE_MAX (i += ch_len - 1) or spin in place
(word_pos += 0 forever). Add `|| ch_len == 0` to each guard;
inside the spell-check word-emission loop also fall back to a
one-byte advance.
- Defensive `len > 0 ? len - 1 : 0` prechecks at the strlen-based
g_strndup / loop sites in ui/console.c, plugins/c_api.c and
plugins/python_plugins.c.
Turn on the stricter conversion-safety warnings and wire in an optional
sanitizer build mode. Nothing is promoted to a hard error yet: the
warnings become part of the build output and can be cleaned up
incrementally without blocking development.
- Drop -Wno-sign-compare and add -Wsign-compare + -Wconversion to the
GCC-specific warnings loop (probed for compiler support).
- Add --enable-sanitizers flag that enables ASan + UBSan +
-fsanitize=unsigned-integer-overflow with -fno-sanitize-recover=all.
Off by default; intended for a dedicated CI job.
- Under PACKAGE_STATUS=development (-Werror), opt out of turning the
new conversion/sign-compare warnings into hard errors via
-Wno-error=sign-conversion/-conversion/-float-conversion/-sign-compare.
Existing codebase has ~240 sign-conversion, ~87 other narrowing and a
handful of sign-compare warnings (mostly inherited from upstream);
they stay visible but don't block development builds.
- Route glib/gio CFLAGS through -isystem so macros like
GPOINTER_TO_UINT in glibconfig.h don't generate noise.
Arch Linux ships a stripped ld-linux-x86-64.so.2, so Valgrind cannot
find the memcmp/memcpy/strlen symbols it must redirect and exits at
startup with "Fatal error at startup: a function redirection which is
mandatory for this platform-tool combination cannot be set up".
debuginfod is already installed in the image but was never wired up.
Set DEBUGINFOD_URLS to the official Arch debuginfod server so Valgrind
fetches the missing glibc debug symbols on demand and caches them.
Apply fixes, refactors and test additions requested by reviewer on PR #105.
Fixes:
- database: warn and notify user on duplicate archive_id instead of
silently debug-logging it (R05).
- database: add missing '[' in "[DB Migration]" log prefix (R06).
- xmpp/resource: NULL-out name/status after g_free to avoid double-free
via roster_list.c cleanup path (R09, R23).
- common: widen strtoi_range internal storage from int to long so that
values in (INT_MAX, LONG_MAX] are rejected as out-of-range instead of
being silently truncated on 64-bit platforms (R25).
Refactors:
- xmpp/message: extract _receive_omemo helper, removing three copies of
the OMEMO receive block in groupchat / MUC-PM / chat handlers (R04).
- omemo: flatten deeply nested device-list processing via guard-clause
continues (R11).
- tools/autocomplete: merge two nested ifs into a single && condition
(R13).
- ui/titlebar: extract _show_trust_indicator and inline _wprintw_withattr
wrapper, collapsing three near-identical trust-indicator blocks (R22).
- config/tlscerts: drop _checked_g_strdup wrapper; g_strdup is
NULL-safe per glib documentation (R19).
- ui/inputwin: use auto_gchar for spellcheck word instead of manual
g_free (R20).
- tools/editor: drop outdated "Deprecated synchronous" comment that
no longer matches the callback-based implementation (R28).
Tests:
- tests/command/cmd_ac: rename segfaults_when_empty ->
no_segfault_when_empty; expand cycling coverage to three files plus
backward SHIFT-TAB traversal (R16, R17).
- tests/common: add strtoi_range overflow/underflow and strtol-parsing
consistency tests (R25).
- tests/xmpp/jid: add test for '@' inside resourcepart per RFC 6122
section 2.4 (R26).
Misc:
- xmpp/omemo: change omemo_error_to_string return type from char* to
gchar* for glib consistency (R01).
- subprojects/libstrophe: point wrap-git at our fork at
git.jabber.space/devs/libstrophe-gh (R24).
- RELEASE_GUIDE: drop "Updating website" section referring to an
upstream site that is not ours (R18).
Updated tooling builds supported XEP list from profanity.doap file
The profanity.doap file is a git submodule in the website repository.
It is used as an input to create the supported XEPs webpage.
3cd439d172Fixes: #2154
Signed-off-by: Benson Muite <benson_muite@emailplus.org>
We recently made the jid validation and creation functions more strict.
So this is a sideffect of it. We need to use `jid_fulljid_or_barejid`
instead of jidp->fulljid here since it now treats just the barejid not
as a fulljid.
Ref: 09757da5df
Ref: f251cc8bb3
Ref: fa64b135df
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
If we build Profanity without GTK we dont iterate the context so we will
never know when the editor exited. Calling `g_main_context_iteration()`
or finally switching to GMainLoop fixes this.
So far calling `tray_update()` does this for us in GTK builds.
So this went unnoticed.
The editor will inherit ignored signal handlers (SIGINT, SIGTSTP, SIGPIPE)
from us. Neovim uses libuv which seems to check SIGINT on startup to
determine whether the environment is interactive or not.
We now reset these signals to SIG_DFL in the child process before execvp.
Profanity uses readline which still competed for terminal input with the
editor. We only took care about other Profanity UI processes in our
previous commit. This led to misordered characters in the editor.
In my tests with vim everything worked fine and these bugs were
discovered when a user used neovim.
Fixes: https://github.com/profanity-im/profanity/issues/2148
Ref: 36ec2b0ae1
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
For key transport messages, Monal at least doesn't append the
authentication tag to the plaintext key contents as that only makes
sense if the key was used to encrypt something. This causes the key
length check to fail and show the
OMEMO message received but decryption failed.
error to the user which is confusing because there is no user-originated
message involved.
Skip the length check for key transport messages as profanity only uses
these to advance the ratchet and makes no use of the decrypted contents.
Signed-off-by: Karel Balej <balejk@matfyz.cz>
ASan and Valgrind both intercept memory allocations and management at
runtime. Running them simultaneously might lead to conflicts in memory
tracking.
This change ensures that during the Valgrind phase of the build matrix,
only Valgrind is responsible for memory analysis, avoiding redundant
overhead and ensuring more reliable results.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Remove IDE specific entries, they belong in the global conf of the user.
Remove autotools specific files.
Ref: bc777c56b2
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Move from blocking fork/wait logic to nonblocking fork and
g_child_watch_add.
This ensures that the Profanity main loop continues to run while an
external editor is open. So we don't loose connection and react to
pings.
We change editor handling also in vcard and muc subject editing.
In the new implementation we are launching the editor and passing a
callback which we will use once the editor exited.
We use the recently added ui_susped() and ui_resume().
To not clutter the UI we need to check whether Profanity UI is suspended
and omit drawing in this case.
Fixes: https://github.com/profanity-im/profanity/issues/1888
Ref: 9b112904a9bc7250dc013d901187ca8622580d98
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
There was way too much repetition here.
This is in preparation for future changes regarding the editor.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Commit 81f92f1fe introduced a selective update mechanism to
_accounts_save() to prevent overwrites when running multiple instances
by only modifying the specific account being saved.
Commit 5c484c fixed a problem with that commit regarding empty accounts.
It turns there was another bug introduced:
The new implementation only set the keys that existed in memory.
So removal of keys was not possible anymore.
Fixes: 81f92f1fed
Ref: 5c484c26ed
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Replace g_spawn_command_line_sync with g_spawn_sync with the
G_SPAWN_CHILD_INHERITS_STDIN flag.
This is actually needed to so that interactive commands can access the
terminal.
Otherwise they cannot ask the user for the passphrase.
Ref: f5787fb31f
Fixes: https://github.com/profanity-im/profanity/issues/2143
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
I think this bug happens when a user scrolls up a window, triggering
iq_mam_request_older() to load older history, in the case when the
database is empty for that contact.
The initial MAM fetch is triggered when the window is opened which
should get the latest history.
Fixes: https://github.com/profanity-im/profanity/issues/2142
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Allow building the latest libstrophe from upstream Git automatically when
-Dforce_fallback_for=libstrophe is passed.
Default to find and link against system-provided libstrophe stays the same.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Use XSetIOErrorExitHandler on X11 to detect connection loss and
disable GTK features (tray, clipboard, notifications).
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Co-authored-by: Paul Fertser <fercerpav@gmail.com>
Replace 'INSERT OR IGNORE' with 'INSERT ... ON CONFLICT(`archive_id`) DO
NOTHING RETURNING id'. This is only available since sqlite 3.35.0.
So deduplication only happens for `archive_id` and we don't silently
ignore other errors or constraints (like not null).
We can now detect if an insertion was skipped due to duplication by
checking the result of 'RETURNING id'.
We don't print out when we don't insert duplicated messages since this
will happen often and will be too noisy. So we match the behaviour of
what Dino is doing.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Unescape any character following a backslash. This fixes autocompletion
for names with escaped spaces.
For example: `/msg Thor\ Odinson hello`
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Implement backslash based escaping in the command parser and autocompletion
logic to handle contact names containing double quotes.
This stops the parser from splitting nicknames into multiple tokens, which
previously caused "Invalid usage" errors.
The parser now sees \ as an escape character for quotes and spaces in
_parse_args_helper, count_tokens and get_start. Autocomplete results are
escaped when they contain spaces, and search prefixes are unescaped before
matching. strip_arg_quotes() has also been updated to handle unescaping.
Fixes: https://github.com/profanity-im/profanity/issues/1844
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Implement security checks to ensure the 'archive_id' (XEP-0359) used
for database deduplication originates from a trusted source.
XEP-0359 Section 3.1: "The 'by' attribute MUST be the XMPP
address (JID) of the entity assigning the unique and stable stanza ID."
Furthermore, Section 4 (Security Considerations) specifies: "A client
SHOULD only trust <stanza-id/> elements from its own server or from
a MUC service it is joined to."
XEP-0313 Section 4.1.2: "The 'by' attribute of the <result/> element is
the JID of the archive being queried." and "If the 'by' attribute is not
present, the recipient MUST assume that the results are from their own
personal archive."
Let _handle_chat verify <stanza-id/> 'by' attribute matches our bare JID.
Let _handle_groupchat verify <stanza-id/> 'by' attribute matches the MUC
s bare JID.
Let _handle_mam verify the <result/> 'by' attribute matches the outer
message 'from' (archive JID). If 'by' is missing then 'from' matches our
own bare JID (personal archive).
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Implement a UNIQUE constraint on the archive_id column (XEP-0359 stanza-id)
to prevent duplicate messages in the chat log. This addresses problems where
the same message could be stored multiple times if received via both MAM
and regular.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Standardize how PreKeys are handled during OMEMO message reception to
align with XEP-0384 best practices.
Previously Profanity replaced a consumed PreKey by generating a new
one with the same ID. This behavior could lead to decryption failures if
multiple senders attempted to use the same PreKey ID before the client
could successfully update its bundle on the server.
Remove consumed PreKeys from the local store.
New PreKeys are generated in batches (100) when the local supply runs
low (< 10).
Republish OMEMO bundle after replenishment.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Introduce optional spellcheck highlighting in the input window using
the Enchant-2 library.
```
/spellcheck on
/spellcheck lang en_US
```
New theme color `input.misspelled`.
Fixes: https://github.com/profanity-im/profanity/issues/183
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Introduce meaningful color feedback for background tasks like file
downloads and uploads. Progress is displayed in a neutral color,
while successful completions turn green and failures turn red.
We reuse the existing THEME colors for now.
Add new UI flags ENTRY_COMPLETED and ENTRY_ERROR to
the buffer entry system. So we don't misuse delivery receipts anymore.
Fixes: https://github.com/profanity-im/profanity/issues/1758
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Use the original aesgcm:// URL when downloading OMEMO downloads. Then
in the final message use the decrypted file destination instead of the
internal temporary path.
Use the unique download ID instead of the URL for message updates to
have proper progress reporting.
Unify the final transfer status to "done" across both downloads and
uploads.
Fixes: https://github.com/profanity-im/profanity/issues/1939
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Centralize heartbeat detection and have a function for error to string
mapping. So we don't need the same code in multiple handlers.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Correctly handle OMEMO stanzas that contain a <header> but no <payload>.
These "Key Transport Messages" (heartbeats) are used by some clients
for session maintenance and establishing trust.
Ref: a2726b6a7 made the <payload> element mandatory in the parser.
Ref: 4d49c2b74 the bug became user-visible.
Fixes: https://github.com/profanity-im/profanity/issues/2129
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Earlier ci/meson-build.sh and ci/ci-build.sh.
The latter we then renamed to the more descriptive build-configuration-matrix.sh.
Both scripts are doing the same thing but for different build systems.
So lets merge them together.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Enable adding oneself to the roster.
Self subscriptions are implicit according to XEP-0060 / XEP-0163.
So we adapt the /sub command to handle this gracefully by just printing
an informative message.
Profanitys logic didn't handle own presence/when adding to roster
correctly. This got fixed now.
Fixes: https://github.com/profanity-im/profanity/issues/2084
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Replace the hardcoded "me" stamp for outgoing messages that are
sometimes used with the value from PREF_OUTGOING_STAMP.
It was never implemented in all code paths. Like with receipts for
example.
Additionally fix the confusing description and variable names.
Ref: 2c003dd2 (Add /stamp feature)
Ref: 3a4cd7da (Broke the variables)
Fixes: https://github.com/profanity-im/profanity/issues/2125
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Disable the functional tests in the case of meson as well.
They don't seem to work in the CI or take too long.
This needs further investigation. For now let's run them locally and
before each release.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
This will result in smaller and cleaner tarballs for distributions to use.
Additionally it is a logical step towards moving fully to the Meson build system.
While the last release provided two tarballs (one generated with
Autotools and one with Meson), the next release will only provide a
Meson-generated tarball.
These attributes are respected by `git archive` and `meson dist` which
means they will take effect for the Meson generated tarballs and the
GitHub autogenerated tarballs as well.
As a consequence of switching to `meson dist`, pre-generated files like
`configure` will no longer be included in the tarballs. Users and
distributions that still wish to use the Autotools build system from
these tarballs will now need to run `./bootstrap.sh` or `autoreconf -fi`
themselves, which requires automake, autoconf, and libtool to be
installed.
Since many distributions are slowly dropping the usage of vendor
generated tarballs and are moving to checking out git tags this should
not be a problem.
Arch Linux is for example doing
`source=("git+https://github.com/user/project.git#tag=v1.2.3")` and
Debian has the `git-buildpackage` too. So both of them require require
autoreconf already.
Autotools support might be removed entirely in a future
release since I find them much easier to edit and maintain.
Instead of:
```
CI / Check coding style
CI / Check spelling
CI / debian | Autotools | unit | signal
CI / debian | Meson | unit+func | libomemo
CI / debian | Meson | unit+func | signal
CI / fedora | Autotools | unit | signal
CI / ubuntu | Autotools | unit | signal
Cygwin / cygwin-build
```
We will sort them into "Style", "Linux" and "Cygwin".
Triggered by unit tests. In Profanity itself the situation is probably
rarely happening. We would have to disconnect/exit after receiving
presence but before the roster arrives.
Locally valgrind is quiet. But on CI valgrind complains. This is due to
an older valgrind version which doesn't handle AVX2-optimized strings
properly. So we need to add it to the suppression file.
Have a better overview, we are interested in which tests are run, which
distro, which build system and which omemo backend.
debian | Autotools | unit+func | signal
debian | Meson | unit+func | signal
debian | Meson | unit+func | libomemo
fedora | Autotools | unit+func | signal
ubuntu | Autotools | unit+func | signal
The ncurses pad used for rendering window history had a fixed height of 100
lines, which caused "Ncurses Overflow!" errors and broke scrolling once
the content exceeded this limit.
This commit replaces the fixed limit with a dynamic resizing strategy.
We use a minimum height of 100 lines.
If a pad reaches its threshold of 3000 lines, a full redraw is triggered
to reclaim space from discarded messages and reset the pad height.
Pads are shrunk back to the minimum height during every redraw to
minimize memory usage for inactive windows.
Message history should always be smoothly scrollable now.
d7e46d64fe set it from 1000 to 10000.
f27fa98717 set it from 1000 to 100.
Probably also relevant is 4fe2c423b1.
Close: https://github.com/profanity-im/profanity/pull/2074
Fixes: https://github.com/profanity-im/profanity/issues/2045
Add support for <report-origin/> and <third-party/>.
When a server forwards a report to an administrator, the original reporter
(report-origin) and the offender (third-party) are preserved even
if the 'from' address is modified during forwarding.
Also display this information in case we receive a report.
Update `blocked_add` to use the `<body>` tag with the `jabber:client`
namespace when reporting spam, as specified in XEP-0377 Example 5.
Other report types continue to use the `<text>` tag.
Fixes: https://github.com/profanity-im/profanity/issues/1971
Filter out control characters (U+0000 to U+001F) from outgoing
messages, as they are illegal in XML 1.0 (except for \t, \n, and \r).
This prevents XMPP servers from closing the connection when such
characters are accidentally or intentionally included in a message.
Fixes: https://github.com/profanity-im/profanity/issues/1437
Allow sending byte sequences to the Profanity PTY without a newline.
Now we can simulate control characters, specifically the `TAB` key
(`\t`), to trigger autocompletion.
Autocompletion failed for nicknames using non Latin scripts. We used
`g_str_to_ascii`, which replaces characters it cannot transliterate with
'?', leading search failures and false matches between different
scripts.
Now we do:
Use `g_utf8_casefold` for case-insensitive UTF-8 comparison. This
ensures that like 'Σ' correctly match 'σ' across all Unicode scripts,
providing correct results for non English nicknames.
If we don't fine anything typing a base ASCII character matches an
accented one (typing `e` matches `è`). This pass uses `g_str_to_ascii`
followed by `g_ascii_strdown` for comparison. It is now restricted to
run if the search string itself is valid ASCII, preventing the
"everything matches '?'" bug in non Latin scripts.
Autocomplete items are sorted using `strcmp`. `g_utf8_collate` provides
linguistical ordering for a specific language. But its behavior is
locale dependent and undefined when comparing strings from different
scripts. `strcmp` does byte-wise ordering that correctly follows Unicode
code order for UTF-8 strings.
Modify omemo_set_device_list to check against the persistent
known_devices.txt file before notifying the user. This prevents
false-positive security alerts on every restart for devices
that have already been registered and trusted.
Check against the persistent known_devices.txt file before notifying
the user. This ensures that "New OMEMO device" alerts are only shown
for devices that are truly new to this client.
Ref: ce9b5140d
Removing the UI notification in omemo_start_device_session to reduce
noise during /omemo start.
The information is still available in the debug logs.
And I think for existing sessions its just too much without value.
Ref: b20e3f1a
When sending OMEMO messages, we print a warning message for every
participant without a device ID on every single send:
```
Can't find a OMEMO device id for my@jid.org
```
This clutters the UI due to the high volume of repetitive information.
This is solved by tracking suppressed warnings within the window
structure. A warning for a specific JID and type is only shown once
per window context.
Suppression state is stored in the base ProfWin structure and managed
via helper functions (win_warn_needed, win_warn_sent). The state is
lazily initialized to save resources and automatically cleaned up when
the window is closed.
Warnings are explicitly reset when an OMEMO session is started or
ended to ensure users see fresh alerts when toggling encryption.
Instead of repeating the same pattern over and over, introduce a helper
function that either outputs a formatted timestamp if one is given as
argument or returns the current time if no argument is given.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
In the process of trying to bring down the time of sending an OMEMO
encrypted message I noticed that a lot of time was spent in generating the
random key and IV (~0.54s on my machine).
By changing this to a single call to `gcry_random_bytes_secure()` I have
been able to slash the time by 50% to ~0.27s.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Instead of flushing the OMEMO store to disk after each operation, do it
only once after all recipients are processed.
A user reported a long delay between hitting enter on the keyboard and the
message being sent on the wire in an OMEMO-enabled group chat. This patch
hopefully improves this situation.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
It's not guaranteed that `log_database_get_limits_info()` returns a
non-NULL value or that `timestamp` is non-NULL.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Synchronize theme_template with the current codebase by adding all
themeable preferences and color attributes that were previously
undocumented.
Remove 'wins.autotidy' option which is no longer used.
The idea is that we keep our DOAP file updated.
Then we always know which version of a XEP we implemented.
By running this script we can then find out if a new version of a XEP
came out.
And we can check whether we need to update our code to adhere to the
latest version or whether we can just version bump.
a26cdf386b / #2104 added OMEMO trust status to the
title bar, but it was being re-calculated on UI refresh.
Update only on certain operations (like `/omemo trust`, new device
discoveries and even incoming OMEMO messages for example).
Commit 81f92f1fe introduced a selective update mechanism to
_accounts_save() to prevent overwrites when running multiple instances
by only modifying the specific account being saved.
There was one mistake: the logic for adding a new
account was tied to the final iteration of a loop over
existing accounts.
When starting with an empty accounts file, the
loop never executes though.
We can call g_key_file_set_value() directly and don't need the loop
because this function will only modify one entry or add it if it doesn't
exist.
Add __attribute__((nonnull) hints to omemo_receive_message and
omemo_on_message_recv declarations to catch NULL arguments at
compiletime.
So we can set the error state unconditionally in the functions.
If an incoming OMEMO message failed to decrypt (due to missing session
keys or untrusted identities), Profanity would fall back to displaying
the raw XMPP body. This usually contained a generic string like "This
message is encrypted with OMEMO,".
We wrote the detailed reason in the debug logs but the user only saw the
fallback message and probably wondered *why* the message wasn't
displayed properly.
I'm unsure if we should display the fallback message as well though.
After typing `/omemo start` a user was not informed of what exactly
happens.
Profanity is fetching the device list and the key bundle for each
device. This happens asynchronously. It could be that it takes some time
and the user already starts typing a message, believing OMEMO is
working.
Now we print:
* Initiating OMEMO session..
* Fetching device list and key bundles
* OMEMO session ready
So the user understands much better the current situation.
The /omemo fingerprint command provided a list of all keys ever
seen for a contact but did not indicate which keys were currently "active"
(present in the latest server device list). This made it difficult for users
to identify which fingerprints actually required verification to fix
encryption issues.
Users can now easily distinguish between devices currently in use and
historical keys that no longer matter.
When encryption fails users can immediately see which "active" key is
"untrusted," allowing them to verify the correct fingerprint fast.
Function `omemo_is_device_active` will check if a fingerprint belongs
to a device currently announced by the contacts server.
When OMEMO encryption failed due to untrusted devices, the
user was presented with a generic error message. This made it difficult
to identify which specific fingerprints were causing the issue, forcing
users to manually hunt for untrusted keys using /omemo fingerprint.
New function `omemo_get_jid_untrusted_fingerprints` to specifically
identify unverified identities for a contact.
`omemo_on_message_send` will now catch encryption failures and
explicitly list the untrusted fingerprints in the chat window.
Previously, Profanity silently updated OMEMO device lists and identity
caches in the background. This often led to confusion when a contact
added a new device, as encryption or decryption would eventually fail
due to untrusted keys without any prior warning to the user.
The `notifying` flag will distinguish between initial data loading and
realtime discovery.
We now print a message both when a contact publishes a new device ID or
when a new fingerprint is discovered.
Previously the titlebar only showed [OMEMO], regardless of whether the
active session contained untrusted devices. This forced users to manually
run /omemo fingerprint to check the security status of their conversation,
making it difficult to know at a glance if a session was truly secure.
New function `omemo_is_jid_trusted()` to check if all active devices for a JID are trusted.
Update chat and MUC titlebar to display [trusted] or [untrusted] tags when an OMEMO session is active.
Not sure if MUC makes sense here?
GKeyFile parses ini-like config files. So the characters '[', ']',
and '=' cannot be used.
We will replace them with '_' now.
This bug was found when a user wanted to connect to an IPv6 address (user@[ipv6:address]).
One problem could be that we get duplicate account names with they would
use one of those 3 characters. But I consider this very unlikely.
Fix https://github.com/profanity-im/profanity/issues/2103
Make jid_is_valid() allow JIDs ending with a slash (`user@domain/`).
In these cases, the parser now treats the input as a Bare JID with no
resource part, rather than rejecting it as invalid.
We will then just get `user@domain`.
This one will need a localpart as well.
It should be used when we want to message a user for example.
While jid_is_valid() also returns TRUE for domain/server JIDs.
They were disabled in 171b6e73c9.
Enable the functional test suite and replaces the
dependency on libexpect with a custom solution.
The native solution allows for specific optimizations like automatic
ANSI code stripping, which is essential for reliable pattern matching in
an ncurses interface.
Custom PTY management via libutil provides full control over the process
lifecycle, resolving issues where tests would hang indefinitely.
We use forkpty from libutil.
Addiiotnally this commit implements automatic ANSI escape sequence
filtering to improve matching consistency.
This will get rid of the colors in matches. It's still something that we
need to think about more since basically we will not test out
color/theme system this way.
We also add non-blocking poll() and SIGKILL based teardown logic to
ensure clean test termination.
We added the functional tests to both autotools and meson.
They are only build when tests are enabled and stabber + libutil are
present.
Meson will print this out nicely in the summary.
Regards https://github.com/profanity-im/profanity/issues/789
When targeting a specific preference (`/time console off`)
the loop would continue to iterate through the remaining
categories after finding and applying the setting.
Because subsequent items would not match, it always resulted in
"invalid usage" printed as well after the success message.
The /connect command supports several optional parameters
server, port, tls, and auth.
This was implemented in ac410445af but
this change in the command definitions probably were forgotten.
Fix several issues in cmd_ac_complete_filepath:
* Prevent a segfault when input is empty.
* Fix a double free where acstring was managed by both auto_gchar and GArray.
* Fix a memory leak when reassigning inpcp during quote stripping.
* Restore the ability to cycle through files on repeated TAB presses by
caching the last input and skipping updates if the input is already a
known completion.
* Preserve user input style (e.g. ~, ./) in autocompletion strings to
ensure matches are correctly displayed and filtered.
Bug got introduced when "cleaning" code with new compiler flags and
sanitizers: aec8e48268.
Add unit tests so this doesn't happen again.
Before that commit we didn't use the static variable but used
autocomplete_update instead. Now we avoid redundat updates and preserve
the state across tab presses. We should look at this again later.
Fix https://github.com/profanity-im/profanity/issues/2098
Usually we point to the website. But honestly it's cumbersome for
developers to update the website. Let's decide later whether we remove
the section there or how we keep it in sync.
But for now let's just add a detailed build section here.
Especially since now we ship autotools *and* meson.
Also mention the convention that we use `build_run` as the meson build
dir. The quality script will depend on this.
Update the gh workflow to pin clang-format to version 21.
Mention the version we use in CONTRIBUTING.md.
And hint to the workflow file if we want to change it.
Move the `make doublecheck` functionality into a build system agnostic
script.
`scripts/quality-check.sh` can now be used to check for spelling via
codespell, formatting clang-format and run the unit tests.
`make doublecheck` and `meson compile doublecheck` will call this
script.
Sometimes we have issues with different versions of clang-format locally
vs our CI. In this case SKIP_FORMAT env variable can be set.
Use a behavior-driven naming convention for unit tests.
Functions are now named using the pattern: [unit]__[verb]__[scenario]
The __ works as a semantic separator.
Examples:
* jid_create__returns__null_from_null()
* cmd_connect__shows__usage_when_no_server_value
Benefits:
* Easy to find all tests associated with a specific function using the
mandatory prefix.
* Test output in CI now explicitly describes the unit, the expected
outcome, and the scenario being tested.
Also disabled keyhandlers tests due to missing code in src/ui.
For example cmd_account() is located in src/command/cmd_funcs.c.
The unit test was located in tests/unittests/test_cmd_account.c.
Let's move it to a subdirectory like tests/unittests/command/test_cmd_account.c
to correpsond to the same structure.
Only handle self-presence for rooms we are actively managing.
Earlier we blindly react to any self-presence
stanza by calling 'ui_room_join'.
The join could have been initiated by another client or an external
Gateway. In the case of #731 this was Slack.
I remember that more people reported this kind of bug in our MUC.
We then would open a window and the nick would be (null) because we
don't have any nickname for that room set.
So only react on self-presence if we manage the MUC.
Other XMPP clients do the same.
Fix https://github.com/profanity-im/profanity/issues/731
When an OMEMO bundle is received with an empty <prekeys/> element,
`prekeys_list` remains empty. In omemo_start_device_session(),
performing a modulo operation on the length of an empty list
(0) triggered a SIGFPE (Floating point exception).
torsocks likely affected the network environment where such empty
or incomplete bundles could be intercepted.
Fix https://github.com/profanity-im/profanity/issues/1997
Should help us find the following bugs early.
ASan:
* Out-of-bounds accesses
* Use-after-free
* Memory leaks
* Double free / Invalid free
UBSan:
* Undefined Behavior
* Signed integer overflow
* Null pointer dereference
* Pointer misalignment
* Division by zero
* Bit-shifting out of bounds
This needs works during runtime. But let's add it here so that at least
basic --version run is test and as a reminder for developer to add it.
I will also adjust documentation later on.
Simplify how field values are updated and ensure memory is correctly
managed.
The previous implementation relied on manual manipulation of the
GSList internal `data` member and only handled cases where a field
had zero or one existing value.
The function now correctly handles fields that may
already contain multiple values by using 'g_slist_free_full' to
clear the entire list and its contents before setting the new
value.
Adding an explicit NULL check for 'input' at the start of
cmd_ac_complete to prevent a potential crash and resolve
a GCC static analyzer warning.
Quirk Explanation:
The analyzer found a "deref-before-check" warning for:
`if ((strncmp(input, "/", 1) == 0) && (!strchr(input, ' ')))`
The analyzer interpreted 'strchr(input, ' ')' as a point where the
validity of 'input' is being questioned (a "check"), even though it is
actually checking the return value. This is due to GCC's internal model
of certain standard string functions having a 'nonnull' attribute or
being categorized as pointer "interrogations" in its state machine.
Because 'strncmp' dereferences 'input' earlier in the same line, the
analyzer saw a logical contradiction: "You treat it as safe in strncmp,
but then you call a function (strchr) that 'requires/checks' it to be
safe, implying you weren't sure."
Even though we are using with GNU extensions I will add this flag
since I prefer the explicit writing style that we have to use wich
this flag enabled.
Let's build with -fanalyzer in debug mode.
These commits are related to issues found by gccs static analyzer.
Also bulid with -fstack-protector-strong compiler flag.
This flag adds a canary to stack frames, causing the program to terminate immediately if stack corruption is detected.
This helps identify memory safety bugs earlier during development by
turning silent corruption into an immediate crash.
* _rotate_log_file(): guard against NULL mainlogfile before g_strdup/strlen
* log_stderr_init(): move dup2 after malloc checks to avoid fd leak on
allocation failure.
Also remove explicit close(STDERR_FILENO) before dup2
since dup2 closes the target atomically. Close the fd returned by
dup2 immediately.
We were sequentially checking for errors from 'curl_easy_perform',
'ftell', and 'fclose'. Each time overwriting the last one, resulting in
a leak. This commit ensures that 'err' is only set if it is currently
NULL, preserving the first and most specific error encountered.
`userdata` was not freed if a handler could not be registered.
This occurs when the 'id' parameter is NULL. In such cases, the
handler cannot be stored in the 'id_handlers' table, but ownership
of 'userdata' has already been transferred to this function. This
commit ensures 'free_func' is called if 'id' is NULL since we always
need to have an ID.
recp elements were accessed without verifying the success of
_ox_key_lookup().
Also fix several memory leaks.
gpgme_data_new() followed 'gpgme_data_new_from_mem' was redundant.
Usually we use `/help command`. Additionally there is a shortcut
`/comamnd?`. 54fea4afcf tried to introduce
to have `/command help`. Which doesn't really work since most commands
get this as parameters. So it never worked. Additionally it introduced
at segfault because it tried to set *question_mark to NULL even we can
also get there without the `?` but by having the `help` as parameter.
Modernize the /export command implementation by adopting GLib-based
patterns for string manipulation and file handling.
* Replace _writecsv with _append_csv_escaped to efficiently handle CSV
quote doubling directly within a GString buffer
* Refactor cmd_export to build the CSV content in memory using GString,
minimizing system calls
* Use g_file_set_contents for atomic writing
* Cache strlen() result
* Check for malloc() failure to prevent null pointer dereference
* Ensure the output buffer is null-terminated for safe use with cons_show()
* Simplify the quote escaping logic for better readability.
Make get_random_string() return a gchar*.
This is part of the effort to migrate string declarations and
allocations from char to gchar, replacing standard C allocators
(malloc/calloc/strdup) with their glib equivalents
(g_malloc/g_new0/g_strdup).
The primary goal is to prevent mismatched allocator bugs. While char and
gchar are binary compatible, mixing their respective deallocators is
dangerous:
* Freeing malloc'd memory with g_free() (or vice versa) can lead to
memory corruption, double-frees, or crashes.
* This is seems to be the case especiall on non Linux platforms or when
using hardened memory allocators where the GLib slice allocator or
wrappers may differ from the system heap.
By standardizing on gchar, we ensure that our automatic cleanup macros
(like auto_gchar) always invoke the correct deallocator (g_free).
Migrate structure allocations from calloc to glibs g_new0 macro to
improve type safety and memory robustness.
* Type Safety: The macro takes the type name directly, ensuring the
allocated size always matches the pointer type.
* Static Analysis: It guarantees a non-NULL return by aborting on
failure, which silences -fanalyzer warnings regarding potential NULL
pointer dereferences.
* Readability: Removes redundant sizeof() calls and is the glib way
Enable gccs static analyzer to detect memory bugs at compile-time. This
validates our __attribute__((__cleanup__)) macros and improves security
when parsing external XMPP data with zero runtime overhead.
Add security hardening via _FORTIFY_SOURCE=2 and switch to -Og to
provide the necessary optimization for these checks while remaining
debugger friendly.
The goal is to catch many buffer overflows and format string errors
at compile-time or runtime.
-Og may occasionally optimize out very short-lived
local variables, making them invisible in the debugger.
So i'm not sure this is a very good idea. But I hope that we will find
bugs earlier and don't even need to debug that often. We might revert
this change later though in case we run into problems too often.
I'm not aware of any other downsides.
Enable stack protection to detect buffer overflows and harden the binary.
This flag adds a canary to stack frames, causing the
program to terminate immediately if stack corruption is detected.
This helps identify memory safety bugs earlier during development by
turning silent corruption into an immediate crash, and provides
protection against stack-smashing exploits at runtime with negligible
performance overhead.
We don't add this generally because we wan't distributions/users to
decide if they want it. But it can help us find problems early on during
development.
Also refactor the function so we pass it the current version
and don't rely on the define inside of it.
This function only allows version format in the style of "x.y.z".
Optimize prof_occurrences by using pointer arithmetic and
g_utf8_next_char instead of calls to g_utf8_offset_to_pointer.
Improve list construction efficiency in prof_occurrences by
using g_slist_prepend and g_slist_reverse instead of appends.
Also fix a slight oversight that could lead to trouble:
When empty search strings (e.g. empty nicks) are passed
it caused matches at every position.
Update the test case to test for empty nicks.
See last commit with comment regarding cons_show().
In this test here we can see that if we pass NULL cons_show() isn't
called. Making it a bit different that other invalid test cases.
It seems like we didn't even check whether the operations succeed or
not.
* `clear_empty()`
Add assertion to confirm a newly created autocomplete object is empty.
* `find_after_create()`:
Add assertion to ensure `autocomplete_complete()` returns NULL when no
entries are present in th object.
The gpgme_set_passphrase_cb function expects a function
pointer of type gpgme_passphrase_cb_t.
The gpgme_passphrase_cb_t typedef specifies a function that returns
gpgme_error_t so return GPG_ERR_NO_ERROR instead of 0.
Fix https://github.com/profanity-im/profanity/issues/1002.
Was already started in 2021 in https://github.com/profanity-im/profanity/pull/1619 but then abandoned it.
I want to take this opportunity to change a couple of other things regarding building:
* The `--plugins` switch is gone. Use `--python-plugins` and `--c-plugins` instead.
* We don't autoenable depending on dependencies being present. Every feature needs to be enabled explicitly. This helps with having deterministic builds.
* Instead of setting `PACKAGE_STATUS="development/release"` in the configure.ac file we will use the default meson `buildtype`.
Autotools will probably stay a while. The next release will contain both with a note for packagers to try to use meson and give us feedback.
Meson/Ninja is significantly faster and the syntax is much easier to read.
The faster build times eventually will also help when waiting for CI results.
There are some things missing still like our `make dist`, `make doublecheck` and such.
Usage example:
```
meson setup build --buildtype=release -Domemo=enabled -Dpgp=enabled
meson compile -C build
```
The changes described above are only on meson. Autotools still behaves the same. The plan is to keep it as is and remove it once we know everything works in meson.
Use disabler() for optional dependencies.
Extract repeated build type checks into is_debug/is_release variables.
Consolidate compiler flags into single add_project_arguments() calls.
Simplify dependency list building (Meson auto-ignores disabled deps).
Streamline platform checks using 'in' operator.
Remove redundant variables (xscrnsaver_found, gtk_version, config_h_inc).
Simplify ncurses and header detection with clearer fallback chains.
Consolidate install_data() calls for files in same directory.
For meson we dont just check for the presence of a dependency and
then auto enable it.
Users must enable features explicit. This helps with having
deterministic results.
Also remove the general `plugins` switch which was used to
enable/disable both python and c plugins. Users can just use
those switches.
In out autotools build we check for all kinds of curses and their
support for wide character.
Let's focus on more modern systems until someone complains.
For autotools this was added in:
75bb00368f
Regarding:
https://github.com/profanity-im/profanity/issues/1334
I think libstrophe is rather common now and should be treated
like all the other dependencies anyways.
So I'll remove this from the meson files at least. Since my
goal is to have a cleaner build system.
In autotools we had `package_status` which we set to either
`release` or `development`.
When converting from autotools to meson we used that mechanism
as well. But actually meson has a default way of handling this
with the option `buildtype`.
The following values are possible:
debug, debugoptimized, release, plain
So our `package_status = development` will now be
`if get_option('buildtype') == 'debug' or get_option('buildtype') ==
'debugoptimized'`. Probably we could also use
`if get_option('buildtype') == 'release'. But like this the
`plain` will be really plain.
Usage:
```
meson setup build --buildtype=debug
meson compile -C build
```
Add a GitHub Actions workflow to build with Cygwin on Windows.
Fixes issues by forcing Cygwin bash for all steps, handling temporary script paths,
stripping CRLF line endings, and enabling igncr.
Make profanity exit gracefully when it receives either SIGTERM or
SIGHUP. This means that various cleanups will happen as if the user
issued the /quit command, whereas before these signals would terminate
profanity immediately leaving for instance the connection to the server
unterminated.
The main motivation for this change is so that profanity will exit
gracefully when the user closes the terminal that it's running in, which
is a handy shortcut (but can also happen on accident) and won't now lead
to the connection slowly timing out on the server instead. Similarly for
SIGTERM: profanity now for instance needs not be manually closed before
shutting down the computer to avoid the above as it will instead receive
this signal from the init process.
* No need to call `g_key_file_has_key()` before calling a getter.
* Add helper to convert `gcharv` to `glist`.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
If one is running multiple instances of profanity, the behavior of the
accounts module was to constantly overwrite the accounts file with the
version that was on-disk of the first instance of profanity started.
This is changed now in order to only write what we modified, we keep a
copy of the accounts file and when "saving" we re-read accounts from disk
and only update the values of the modified account.
This is not 100% fool proof if one modifies the same account from two
different instances, but still better than before.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
* Less `GString`.
* Don't `g_free()` a `strdup()`'ed string.
* Don't lookup the `console` window X times, but only once.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
* Add new TLS policy `direct` as a replacement for `legacy`.
* Document that `/[command]?` prints the help of a command.
* Add option to get help via `/command help`.
* Fix `my-prof.supp` generation and tests for out-of-source builds.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
* use `gchar` instead of `char`.
* improve situations when strings must be duplicated or can pass ownership.
* encapsulate the X.509 name details into a struct.
* prevent memory leaks if a name detail is contained multiple times.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
* add can simply do a `memcpy()`.
* in remove we don't have to put the array in a list in order to put it
back into an array again. Also we don't have to `strdup()` each entry,
which leads to even less allocations.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
With that command one can see the modifications of the runtime
configuration vs. the saved configuration.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
When setting up OMEMO for the first time via `/omemo gen` one had
to reconnect in order to make OMEMO work. This is fixed now.
Fixes: 5b6b5130 ("Fix OMEMO keyfile loading")
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Several users have reported segfaults when starting up profanity which
has OMEMO support, but OMEMO is not set up yet.
@StefanKropp has been able to reproduce this and tracked it down to
`_load_identity()` calling `omemo_known_devices_keyfile_save()`.
The latter then calls `save_keyfile()` which calls
`g_key_file_save_to_file()`. This can then fail if one of the first two
strings is NULL and won't set the `error` on return. In its error handling
`save_keyfile()` unconditionally dereferences `error` which leads to the
segfault.
Fix this and also go through the entire codebase and verify that the usage
of `GError` is done correctly.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
The previous implementation used strstr() which would match OTR tag patterns anywhere in the message. This caused normal messages containing these patterns to incorrectly trigger OTR session initialization.
Changed to use strncmp() to verify that V1/V2 tags immediately follow the base tag, ensuring only legitimate OTR whitespace tags trigger session establishment.
Fixes#1957
Add /opt/homebrew/{include,lib} flags for apple silicon macs, which are not included as default search paths by Clang/GCC. (Homebrew uses /usr/local/{include,lib} on intel macs)
On Cygwin, ./configure failed with:
./configure: line XXXX: syntax error near unexpected token ACX_PTHREAD([], [AC_MSG_ERROR([pthread is required])])'
Root cause: ACX_PTHREAD is a legacy macro not provided by modern
Autoconf; the maintained macro is AX_PTHREAD (from autoconf-archive).
Changes:
- Replace ACX_PTHREAD with AX_PTHREAD in configure.ac.
- Rely on system autoconf-archive; do not vendor m4/ax_pthread.m4.
- Keep AC_CONFIG_MACRO_DIR([m4]) (harmless even if empty).
Result:
- autoreconf -fi && ./configure && make succeeds on Cygwin x86_64.
- Linux builds continue to work.
Fixes: #2059
When running profanity under Valgrind with slashguard enabled, the
following error could occur:
```
[...]
==4021347== Invalid read of size 1
==4021347== at 0x4851F49: memchr (vg_replace_strmem.c:986)
==4021347== by 0x45CEAD: _inp_slashguard_check (inputwin.c:183)
==4021347== by 0x45CEAD: inp_readline (inputwin.c:225)
==4021347== by 0x431184: prof_run (profanity.c:121)
==4021347== by 0x42C609: main (main.c:176)
==4021347== Address 0xe850883 is 0 bytes after a block of size 3 alloc'd
==4021347== at 0x48477C4: malloc (vg_replace_malloc.c:446)
[...]
```
`memchr()` requires the complete memory that shall be searched to be
accessible. Using `strchr()` could work for shorter strings, but we only
want to search in the first 4 chars.
Instead of somehow working around those limitations, simply search manually
in the first 4 bytes.
Fixes: 3c56b289 ("Add slashguard feature")
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
As 9f2abc75 accidentally got the ordering of some of the includes wrong,
I decided to propose my initial solution again.
Additional to that, I've opened a MR against CMocka to solve this on
their side, since I believe that the current way this is done is not
sustainable [0].
[0] https://gitlab.com/cmocka/cmocka/-/merge_requests/91
Fixes: 9f2abc75 ("Fix tests with gcc15 (uintptr_t)")
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
In the past `Py_XDECREF()` was a macro. Preserve compat to ancient Python
versions by having a trampoline which calls `Py_XDECREF()`.
Fixes: #2043
Fixes: c0da36c4 ("Rage-cleanup.")
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Replace deprecated gpgme_key_get_string_attr with modern API
This commit fixes the build failure against GPGME >= 2.0.0 where
gpgme_key_get_string_attr and GPGME_ATTR_EMAIL were removed.
Changes made:
- Replaced direct call to gpgme_key_get_string_attr(key, GPGME_ATTR_EMAIL, NULL, 0)
- Added new helper function _gpgme_key_get_email() with backwards compatibility
- Function uses conditional compilation to support both old and new GPGME versions
Backwards Compatibility:
- GPGME < 2.0.0: Uses gpgme_key_get_string_attr() if GPGME_ATTR_EMAIL is available
- GPGME >= 2.0.0: Uses modern key->uids->email API
Forward Compatibility:
- Code compiles successfully with GPGME 2.0.0+ where deprecated functions are removed
- Uses modern GPGME API that iterates through key user IDs to find email addresses
Testing:
- Tested with GPGME 1.18.0 (backwards compatibility confirmed)
- Tested compilation compatibility for both old and new GPGME versions
- Verified the exact error from issue #2048 is resolved
- Confirmed no regression in functionality
Fixes: #2048
Resolves compilation error: 'gpgme_key_get_string_attr' undeclared
Resolves compilation error: 'GPGME_ATTR_EMAIL' undeclared
Will need to fix this soon. Lets temp remove arch to get results for the
other systems.
Build fail on Arch:
```
src/pgp/gpg.c: In function ‘p_gpg_decrypt’:
src/pgp/gpg.c:659:36: error: implicit declaration of function ‘gpgme_key_get_string_attr’ [-Wimplicit-function-declaration]
659 | const char* addr = gpgme_key_get_string_attr(key, GPGME_ATTR_EMAIL, NULL, 0);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
src/pgp/gpg.c:659:67: error: ‘GPGME_ATTR_EMAIL’ undeclared (first use in this function)
659 | const char* addr = gpgme_key_get_string_attr(key, GPGME_ATTR_EMAIL, NULL, 0);
| ^~~~~~~~~~~~~~~~
src/pgp/gpg.c:659:67: note: each undeclared identifier is reported only once for each function it appears in
make[1]: *** [Makefile:2085: src/pgp/gpg.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1314: all] Error 2
```
* This function constructs an argument vector (argv) based on the provided template string, replacing placeholders ("%u" and "%p") with the provided URL and filename, respectively.
*
* @param template_fmt The template string with placeholders.
* @param url The URL to replace "%u" (or NULL to skip).
* @param filename The filename to replace "%p" (or NULL to skip).
* @return The constructed argument vector (argv) as a null-terminated array of strings.
* @param template The template string with placeholders.
* @param url The URL to replace "%u" (or NULL to skip).
* @param filename The filename to replace "%p" (or NULL to skip).
* @return The constructed argument vector (argv) as a null-terminated array of strings.
*
* @note Remember to free the returned argument vector using `auto_gcharv` or `g_strfreev()`.
staticconstintPAD_THRESHOLD=12000;// above buffer cap (~9000): reclaims dead pad space, never fires while scrolling
staticconstintPAD_THRESHOLD=3000;
staticgboolean_in_redraw=FALSE;
staticvoid
@@ -67,20 +67,6 @@ _win_ensure_pad_capacity(ProfWin* window, WINDOW* win, int lines_needed)
}
}
}
// upper-bound estimate of rows a message body occupies (hard newlines + soft-wrap), to reserve pad space before printing so a tall message isn't clipped (a clipped height desyncs the scroll offset)
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.