Security fixes for 7 vulnerabilities in database_flatfile.c:
1. Path traversal via crafted JID (HIGH):
_ff_jid_to_dir() now strips '/', '\' -> '_' and collapses '..' -> '__',
preventing a malicious federated JID from escaping the log directory.
2. Log injection via unescaped message body (HIGH):
Add _ff_escape_message()/_ff_unescape_message() -- escape \n, \r, \\
in message text on write, unescape on read. Prevents remote contacts
from injecting fake log lines with forged sender/timestamp/encryption.
3. Metadata field injection (HIGH):
Add _ff_escape_meta_value()/_ff_unescape_meta_value() -- escape |, ],
\\, \n, \r in stanza_id/archive_id/replace_id. Parser uses escape-aware
_ff_find_unescaped_char() and _ff_split_meta() instead of strchr/strsplit.
4. Sender ": " parsing confusion (MEDIUM):
Escape ": " -> "\: " in XMPP resource on write. Parser uses
_ff_find_unescaped_colonspace() + _ff_unescape_sender_resource().
5. LMC correction chain cycle -> infinite loop (MEDIUM):
Add visited hash-set and FF_MAX_LMC_DEPTH (100) limit to chain walker.
6. Unbounded getline() -> OOM (MEDIUM):
Add FF_MAX_LINE_LEN (10 MB) cap in _ff_readline(); overlength lines
are skipped with a warning. Replaces all char buf[8192]/fgets() sites
with dynamic getline() + truncated-line detection at EOF.
7. Symlink attack + TOCTOU on file creation (MEDIUM):
Replace fopen("a") with open(O_WRONLY|O_APPEND|O_CREAT|O_EXCL|O_NOFOLLOW)
+ fdopen() -- atomic new-file detection, symlink rejection via O_NOFOLLOW.
_ff_ensure_dir() checks g_lstat() for symlinks. File permissions 0600
set via open() mode, not post-hoc g_chmod().
CProof
CProof is a console based XMPP chat client based on Profanity.
See the Quick Start Guide for information on installing and using CProof.
Project
CProof enables you to communicate with privacy, freedom and comfort. Our open-source chat application delivers secure, end-to-end encrypted messaging (OTR, PGP, OMEMO, OX) built on the trusted XMPP protocol. With a decentralized design, you can connect directly or even host your own server, keeping your data in your hands. Whether you're chatting with friends or collaborating securely, CProof makes private communication simple, reliable, and truly yours.
Installation
Check our installation guide for detailed instructions.
How to contribute
See our Helping Out page for a concise summary of ways to help us.
Review the Contributing Guide and Code Overview pages for advanced technical details.
Getting help
Prior to asking questions, check our User Guide, then check out the FAQ.
If you are still having a problem then search the issue tracker.
As a last resort, feel free to write us on support@jabber.tech or create a new issue depending on what your problem is.
Links
Website
Feel free to visit our website: jabber.space.
You may also check the repository if you like, available on git.jabber.space/devs/profanity.
Plugins
Plugins repository: https://git.jabber.space/devs/cproof-plugins
