Compare commits

..

2 Commits

Author SHA1 Message Date
4fce333c9a fix(xmpp): show message for empty disco#items results (XEP-0030)
All checks were successful
CI Code / Check spelling (pull_request) Successful in 23s
CI Code / Check coding style (pull_request) Successful in 34s
CI Code / Code Coverage (pull_request) Successful in 4m45s
CI Code / Linux (debian) (pull_request) Successful in 6m10s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m17s
CI Code / Linux (arch) (pull_request) Successful in 6m24s
CI Code / Check spelling (push) Successful in 17s
CI Code / Check coding style (push) Successful in 30s
CI Code / Linux (debian) (push) Successful in 6m16s
CI Code / Linux (ubuntu) (push) Successful in 6m22s
CI Code / Linux (arch) (push) Successful in 6m27s
CI Code / Code Coverage (push) Successful in 9m41s
Per XEP-0030 section 3.1: 'if an entity has no associated items,
it MUST return an empty <query/> element.'

The client should display 'No service discovery items for X' when
receiving an empty result, not silently ignore it.

Previous version introduced in commit f28655c5c (2016-05-08) which added an early
return when child == NULL, preventing the message from being shown.
2026-02-11 01:10:55 +03:00
467222d0ca fix(ui,db): harden NULL handling, fix CWE-134, optimize iterations
Some checks failed
CI Code / Code Coverage (push) Failing after 10m34s
CI Code / Check spelling (push) Failing after 10m47s
CI Code / Check coding style (push) Failing after 11m4s
CI Code / Linux (ubuntu) (push) Failing after 11m19s
CI Code / Linux (debian) (push) Failing after 11m28s
CI Code / Linux (arch) (push) Failing after 11m38s
security(CWE-134): fix format string injections + add CI check
fix(ui): subwindow lifecycle, newwin/newpad guards, fallback timestamps
fix(db): sqlite cleanup on failures, sqlite3_close_v2
fix(xmpp): queued_messages loop, barejid leak
perf(core): g_hash_table_iter_init instead of g_hash_table_get_keys
refactor(ui): CLAMP macro in _check_subwin_width
test: XEP-0012 and XEP-0045 functional tests

Author: jabber.developer2
Closes #58, #85
2026-02-06 19:27:40 +01:00
3 changed files with 2 additions and 5 deletions

View File

@@ -152,7 +152,7 @@ We have a static analyzer `check-cwe134.sh` that detects CWE-134 format string v
./check-cwe134.sh
```
This checks for unsafe patterns where user-controlled data could be passed directly as a format string to functions like `cons_show`, `log_error`, `win_println`, etc. Always use `"%s"` format specifier when printing user data.
This checks for unsafe patterns where data could be passed directly as a format string to functions like `printf`, `cons_show`, etc. Never pass a raw string for formatting; use `"%s"` format specifier instead.
### Finding typos

View File

@@ -2532,9 +2532,6 @@ _disco_items_result_handler(xmpp_stanza_t* const stanza)
}
xmpp_stanza_t* child = xmpp_stanza_get_children(query);
if (child == NULL) {
return;
}
while (child) {
const char* stanza_name = xmpp_stanza_get_name(child);

View File

@@ -23,7 +23,7 @@ responds_to_last_activity_request(void **state)
"</iq>"
);
// Verify profanity responds with last activity info
// Verify that CProof responds with last activity info
// The 'seconds' attribute indicates idle time
assert_true(stbbr_received(
"<iq id='last1' type='result' to='buddy1@localhost/mobile'>"