jabber.developer2 5f39dd4939
All checks were successful
CI Code / Check spelling (pull_request) Successful in 20s
CI Code / Check coding style (pull_request) Successful in 35s
CI Code / Code Coverage (pull_request) Successful in 4m47s
CI Code / Linux (debian) (pull_request) Successful in 6m8s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m14s
CI Code / Linux (arch) (pull_request) Successful in 6m26s
security: validate <delay> from and <stanza-id> by attributes
XEP-0203 §4 (Delayed Delivery):
Remote clients could inject <delay xmlns='urn:xmpp:delay'> elements
with arbitrary timestamps, causing messages to appear at incorrect
positions in chat history.  The spec mandates checking the 'from'
attribute to verify the delay was added by a trusted source.

- stanza.c: add stanza_get_oldest_delay_from(stanza, from) that
  filters <delay>/<x> children by the 'from' attribute; refactor
  stanza_get_oldest_delay() to delegate with from=NULL.  Add
  NULL-safety for tmp timestamp in comparison logic.
- stanza.h: declare stanza_get_oldest_delay_from().
- message.c (_handle_chat): replace unfiltered stanza_get_delay()
  with trust-ordered fallback: our domain → sender domain → now.
- message.c (_handle_groupchat): replace stanza_get_oldest_delay()
  with fallback: room bare JID → room domain → our domain → now.
- message.c (_handle_muc_private_message): same pattern.

MAM path deliberately unchanged — <delay> inside <forwarded> is
already from our own server's archive.

XEP-0359 §5 (Unique and Stable Stanza IDs):
The <stanza-id> element was accepted without checking the 'by'
attribute, allowing a remote client to inject forged archive IDs.

- stanza.h: add STANZA_ATTR_BY define.
- message.c (_handle_groupchat): only accept <stanza-id> when
  by == room bare JID.
- message.c (_handle_chat): only accept <stanza-id> when
  by == our server domain.
2026-02-21 18:24:53 +03:00
2021-12-24 13:49:07 +01:00
2025-03-27 20:27:09 +01:00
2016-03-09 12:55:57 +01:00
2025-03-11 12:15:09 +01:00
2022-02-01 15:01:28 +01:00
2025-01-28 16:43:13 +01:00
2025-03-27 20:06:38 +01:00
2021-08-26 00:30:55 +00:00
2026-02-18 17:39:25 +01:00
2019-04-24 01:08:38 +02:00
2025-04-10 07:23:35 +02:00
2025-09-01 16:57:10 +02:00
2025-06-20 18:20:47 +00:00
2020-05-21 09:16:18 +02:00

CProof

Build Status

CProof is a console based XMPP chat client based on Profanity.

alt tag

See the Quick Start Guide for information on installing and using CProof.

Project

CProof enables you to communicate with privacy, freedom and comfort. Our open-source chat application delivers secure, end-to-end encrypted messaging (OTR, PGP, OMEMO, OX) built on the trusted XMPP protocol. With a decentralized design, you can connect directly or even host your own server, keeping your data in your hands. Whether you're chatting with friends or collaborating securely, CProof makes private communication simple, reliable, and truly yours.

Installation

Check our installation guide for detailed instructions.

How to contribute

See our Helping Out page for a concise summary of ways to help us.

Review the Contributing Guide and Code Overview pages for advanced technical details.

Getting help

Prior to asking questions, check our User Guide, then check out the FAQ.

If you are still having a problem then search the issue tracker.

As a last resort, feel free to write us on support@jabber.tech or create a new issue depending on what your problem is.

Website

Feel free to visit our website: jabber.space.

You may also check the repository if you like, available on git.jabber.space/devs/profanity.

Plugins

Plugins repository: https://git.jabber.space/devs/cproof-plugins

Description
No description provided
Readme 40 MiB
Languages
C 95.2%
Python 1.7%
Makefile 0.9%
M4 0.8%
Shell 0.7%
Other 0.6%