Follow-up issues for PR #105 #112
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Follow-up issues for PR #105
Issue templates ready to paste into Gitea after PR #105 lands. Each
section is a standalone issue. Headings are suggested titles.
All items below were surfaced during the code review of the upstream
merge in PR #105.
1. Verify XEP-0359
byattribute via disco before trustingstanza-idLabels: security · xmpp
Severity: medium (dedup poisoning)
Problem
src/xmpp/message.c:1090and:1399accept thebyattribute on<stanza-id>after only checking that the value matches the expectedJID (MUC bare-jid for groupchat, own bare-jid for chat). Per
XEP-0359 §7 Business Rules
and §8 Security Considerations:
CProof currently skips that disco check. Combined with the new UNIQUE
constraint on
archive_id(introduced in64fcdfaa), this turns anon-XEP-0359 server into a dedup poisoner: replay any earlier
stanza-idfor a different message and the second message issilently dropped as a duplicate.
Acceptance criteria
<stanza-id by=…>for dedup, look up thecached features for
byand requireurn:xmpp:sid:0.disco completes, or fall back to not deduping that message.
stanza-idfrom anentity not announcing the namespace and asserts it does not
poison the archive.
Out of scope
Reworking dedup itself, MAM catchup pipeline. Scope is limited to the
by-trust gate.2. Audit existing on-disk account names against the new validator
Labels: compatibility · accounts
Severity: low (UX regression risk)
Problem
src/config/accounts.c:37introduces a stricter validator on accountnames. Existing user installations may already contain account files
with names that the new validator would reject — meaning a working
configuration can become unloadable after upgrade.
Acceptance criteria
versions (and inherited from upstream Profanity) — gather from
git history of the validator and from any user reports.
on first launch with a clear log message;
(lenient inbound, strict outbound).
3. OTR interop matrix before next release
Labels: otr · testing
Severity: low (nothing observed broken yet)
Problem
src/otr/otr.c:274carries aTODO: test with other popular messenger to ensure that this logic works correctly. Until that pass is run wedon't know whether the recent OTR changes interoperate with mainstream
clients.
Acceptance criteria
Conversations (with OTR plugin), Pidgin.
session re-keying, end-of-session.
sub-issue per failure mode.
4. Clarify the "similar method" hint in
src/ui/window.cLabels: question · refactor
Problem
The PR #105 review noted that
_win_ensure_pad_capacity(window.c, line ~47) overlaps with another method, but the comment
anchor sits on its closing
}. The two pad-related candidates wefound —
_win_ensure_pad_capacity(grow on append) andwin_resize(handle terminal resize) — have different concerns.
Acceptance criteria
issue if the original concern is already covered by
_win_ensure_pad_capacityalone.5. Re-introduce stricter warnings + sanitizer build, Pikaur-friendly
Labels: build · ci
Background
PR #105 originally landed a build commit (
5459e78e8) that:-Wno-sign-compareand added-Wsign-compare+-Wconversionto the GCC-specific warning probe loop;--enable-sanitizers(ASan + UBSan +-fsanitize=unsigned-integer-overflow) as an opt-in flag;PACKAGE_STATUS=developmentso thenew sign-warnings did not turn into hard errors immediately
(
-Wno-error=sign-conversion,-Wno-error=sign-compare);glib_CFLAGS/gio_CFLAGSthrough-isystemso macroslike
GPOINTER_TO_UINTinglibconfig.hdid not generate noiseunder
-Wconversion.That commit was reverted (
a7ad9ac0a) in favour of master's0722dc9e3 build(pikaur): Fix failure due to duplicated flag and warnings, which goes the opposite direction — keeps-Wno-sign-compare, drops-Wnull-dereferenceand-D_FORTIFY_SOURCE=2. The two directions cannot trivially coexist:the warnings PR #105 wants to enable are exactly the ones the Pikaur
fix had to silence to build through.
TODO
0722dc9e3(which warning fired, what flag duplicationhappened, on which Arch + Pikaur version).
AX_APPEND_FLAGso a duplicate-Wno-Xfromthe makepkg side cannot cancel ours;
-Wnull-dereference,-D_FORTIFY_SOURCE=2)behind
--enable-hardeningorPACKAGE_STATUS=developmentsothey only show up where we control the toolchain;
-Wsign-conversion/-Wconversionper-file via#pragma GCC diagnosticuntil callers are clean.--enable-sanitizersas a separate, opt-in option(it does not conflict with Pikaur and is worth on its own).
glib_CFLAGS/gio_CFLAGSthrough-isystemregardless of the rest — that cleanup is independent.
-Wno-error=sign-*escape-hatchesonce the warnings are enabled again, otherwise
-Werrorwillhard-fail every dev build.
CONTRIBUTING.md.What's already merged
5459e78e8enabledremain in tree (commit
9feff00ea); they don't depend on thewarnings being on, they just made the codebase cleaner. So when
the warnings are re-enabled, the flood from the source tree
itself should be much smaller than the original ~327 hits.
6. Clarify the "cleanup later" hint in
src/ui/inputwin.cLabels: question · refactor
Problem
The PR #105 review left a "we should also clean it up its definition
later" note anchored on line 1017, which is the closing
}of_inp_rl_win_pagedown_handler. The intended target (which symbol /prototype / struct field) is not obvious from the anchor alone.
Acceptance criteria
close this one.
7.
_migrate_to_v3dedupe is non-deterministic and can break LMC chainsLabels: database · correctness
Severity: medium (silent data loss for corrected messages)
Shall be closed by #128
Problem
src/database_sqlite.c_migrate_to_v3deduplicates rows bySQLite extension semantics let bare columns appear with
GROUP BY— butthe kept row per group is implementation-defined (effectively
arbitrary). When the duplicate set was produced by MAM rebroadcast of a
message that was later corrected via XEP-0308 LMC, the kept row's
replaces_db_id/replaced_by_db_idmay point at rows that getdropped, leaving dangling local FKs in the chain.
Real-world incidence is low (MAM rebroadcast of the same
archive_idisrare on well-behaved servers), but the migration runs once per upgrade
and is irreversible without a backup.
Acceptance criteria
archive_idgroup —MAX(id)is thesimplest "keep the latest insert" rule.
replaces_db_id/replaced_by_db_idandNULL out references to rows that no longer exist (or remap them
to the survivor).
archive_idduplicates including an LMC chain spanning theduplicates, runs the migration, and asserts no dangling FKs.
Out of scope
Changing the dedup strategy for live inserts (already handled by the
explicit
duplicate_check_queryand the newarchive_id UNIQUE).8. OTR whitespace-tag stripping uses wrong
memmovelengthLabels: otr · ui · pre-existing
Severity: low (cosmetic, narrow trigger)
Problem
src/otr/otr.cotr_on_message_recvstrips the OTR whitespace tagfrom an incoming message with
The third argument is the tag length, not the length of the message
tail that needs to shift left. Result: the tag area is overwritten with
the first
tag_lengthbytes of the rest of the message, but the restitself is not shifted — the user sees
<first 24 bytes of body><full body>duplication whenever the opportunistic/always OTR policytriggers a whitespace-tag handoff.
Pre-existing in
origin/master— PR #105 only tightened thestrstr→strncmpprecondition next to it, which is why we noticed.Acceptance criteria
memmove(whitespace_base, whitespace_base + tag_length, strlen(whitespace_base + tag_length) + 1).otr_on_message_recvthat feeds a messagewith a synthetic whitespace tag plus a known body and asserts the
body is preserved verbatim after stripping.
9.
resourcepointer is read after ownership-transfer in presence handlerLabels: xmpp · use-after-free risk · pre-existing
Severity: low (no current UAF, fragile pattern)
Problem
In
src/xmpp/presence.c(own-jid branch, around line 624):Safe in the current control flow because nothing else does a
g_hash_table_replacewith the same key (resource->name) betweenthe ownership transfer and the last read. Any future change that
adds such a path silently introduces a use-after-free.
Pre-existing pattern, not introduced by PR #105.
Acceptance criteria
connection_add_available_resource(resource), then deref thelocals afterwards.
and add a brief assertion (e.g., a
g_hash_table_lookupcross-check) that catches the bad case in debug builds.
10.
omemo_on_connectdiscards_omemo_finalize_identity_loadreturnLabels: omemo · error-handling
Severity: low (no user-visible failure observed)
Shall be closed by #128
Problem
src/omemo/omemo.c:263calls_omemo_finalize_identity_load(account)and ignores the boolean return. The function returns
FALSEonly onfiles_file_in_account_data_pathfailure (out-of-disk / permissiondenied) — in which case
omemo_ctx.loadedis leftFALSEand thecaller proceeds as if init succeeded. Subsequent OMEMO operations
hit the
omemo_ctx.loadedguards and silently no-op, so the usersees encryption "not available" with no log line pointing at the
storage failure.
Pre-existing pattern, surfaced during PR #105 review.
Acceptance criteria
FALSE, log a user-visible message(
cons_show_error) explaining that OMEMO state could not beloaded from disk.
omemo_on_connectearly so we don'tleave the partially-initialised
omemo_ctx.signal/omemo_ctx.storelying around.11.
_migrate_to_v3:INSERT … SELECT *depends on positional column matchLabels: database · tech-debt
Severity: low
Problem
src/database_sqlite.c_migrate_to_v3copies rows withThis is safe today because the v2 schema has exactly the same column
list / order as the new v3 table. Any out-of-band schema patch between
v2 and v3 (e.g., a side branch that adds a column to ChatLogs) would
silently mis-bind columns at migration time.
Acceptance criteria
SELECT *with an explicit column list matching the v3destination table. Same change for the
WHERE archive_id IS NULLandGROUP BY archive_idbranches.changes need a matching update to the migration column list.
cleanup later was obviously regarding our now-obsolete editor_async
jabber.developer2 referenced this issue2026-05-27 11:30:53 +00:00
jabber.developer referenced this issue2026-06-20 10:02:59 +00:00
jabber.developer referenced this issue2026-06-20 10:03:16 +00:00
Fixed by #130