Security fixes for 7 vulnerabilities in database_flatfile.c:
1. Path traversal via crafted JID (HIGH):
_ff_jid_to_dir() now strips '/', '\' -> '_' and collapses '..' -> '__',
preventing a malicious federated JID from escaping the log directory.
2. Log injection via unescaped message body (HIGH):
Add _ff_escape_message()/_ff_unescape_message() -- escape \n, \r, \\
in message text on write, unescape on read. Prevents remote contacts
from injecting fake log lines with forged sender/timestamp/encryption.
3. Metadata field injection (HIGH):
Add _ff_escape_meta_value()/_ff_unescape_meta_value() -- escape |, ],
\\, \n, \r in stanza_id/archive_id/replace_id. Parser uses escape-aware
_ff_find_unescaped_char() and _ff_split_meta() instead of strchr/strsplit.
4. Sender ": " parsing confusion (MEDIUM):
Escape ": " -> "\: " in XMPP resource on write. Parser uses
_ff_find_unescaped_colonspace() + _ff_unescape_sender_resource().
5. LMC correction chain cycle -> infinite loop (MEDIUM):
Add visited hash-set and FF_MAX_LMC_DEPTH (100) limit to chain walker.
6. Unbounded getline() -> OOM (MEDIUM):
Add FF_MAX_LINE_LEN (10 MB) cap in _ff_readline(); overlength lines
are skipped with a warning. Replaces all char buf[8192]/fgets() sites
with dynamic getline() + truncated-line detection at EOF.
7. Symlink attack + TOCTOU on file creation (MEDIUM):
Replace fopen("a") with open(O_WRONLY|O_APPEND|O_CREAT|O_EXCL|O_NOFOLLOW)
+ fdopen() -- atomic new-file detection, symlink rejection via O_NOFOLLOW.
_ff_ensure_dir() checks g_lstat() for symlinks. File permissions 0600
set via open() mode, not post-hoc g_chmod().
103 lines
4.4 KiB
C
103 lines
4.4 KiB
C
/*
|
|
* database.h
|
|
* vim: expandtab:ts=4:sts=4:sw=4
|
|
*
|
|
* Copyright (C) 2020 - 2025 Michael Vetter <jubalh@iodoru.org>
|
|
*
|
|
* This file is part of Profanity.
|
|
*
|
|
* Profanity is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Profanity is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with Profanity. If not, see <https://www.gnu.org/licenses/>.
|
|
*
|
|
* In addition, as a special exception, the copyright holders give permission to
|
|
* link the code of portions of this program with the OpenSSL library under
|
|
* certain conditions as described in each individual source file, and
|
|
* distribute linked combinations including the two.
|
|
*
|
|
* You must obey the GNU General Public License in all respects for all of the
|
|
* code used other than OpenSSL. If you modify file(s) with this exception, you
|
|
* may extend this exception to your version of the file(s), but you are not
|
|
* obligated to do so. If you do not wish to do so, delete this exception
|
|
* statement from your version. If you delete this exception statement from all
|
|
* source files in the program, then also delete it here.
|
|
*
|
|
*/
|
|
|
|
#ifndef DATABASE_H
|
|
#define DATABASE_H
|
|
|
|
#include <glib.h>
|
|
#include "config/account.h"
|
|
#include "xmpp/xmpp.h"
|
|
|
|
#define MESSAGES_TO_RETRIEVE 100
|
|
|
|
typedef enum {
|
|
DB_RESPONSE_ERROR,
|
|
DB_RESPONSE_EMPTY,
|
|
DB_RESPONSE_SUCCESS
|
|
} db_history_result_t;
|
|
|
|
// Integrity verification issue levels
|
|
typedef enum {
|
|
INTEGRITY_ERROR,
|
|
INTEGRITY_WARNING,
|
|
INTEGRITY_INFO
|
|
} integrity_level_t;
|
|
|
|
// A single integrity issue found during verification
|
|
typedef struct
|
|
{
|
|
integrity_level_t level;
|
|
char* file;
|
|
int line;
|
|
char* message;
|
|
} integrity_issue_t;
|
|
|
|
void integrity_issue_free(integrity_issue_t* issue);
|
|
|
|
// Backend vtable: pluggable storage backends implement this interface
|
|
typedef struct db_backend_t
|
|
{
|
|
const char* name;
|
|
gboolean (*init)(ProfAccount* account);
|
|
void (*close)(void);
|
|
void (*add_incoming)(ProfMessage* message);
|
|
void (*add_outgoing_chat)(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc);
|
|
void (*add_outgoing_muc)(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc);
|
|
void (*add_outgoing_muc_pm)(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc);
|
|
db_history_result_t (*get_previous_chat)(const gchar* const contact_barejid, const gchar* start_time, const gchar* end_time, gboolean from_start, gboolean flip, GSList** result);
|
|
ProfMessage* (*get_limits_info)(const gchar* const contact_barejid, gboolean is_last);
|
|
GSList* (*verify_integrity)(const gchar* const contact_barejid);
|
|
} db_backend_t;
|
|
|
|
// Active backend (set during init based on PREF_DBLOG)
|
|
extern db_backend_t* active_db_backend;
|
|
|
|
// Backend registry
|
|
db_backend_t* db_backend_sqlite(void);
|
|
db_backend_t* db_backend_flatfile(void);
|
|
|
|
// Public API (dispatches to active_db_backend)
|
|
gboolean log_database_init(ProfAccount* account);
|
|
void log_database_add_incoming(ProfMessage* message);
|
|
void log_database_add_outgoing_chat(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc);
|
|
void log_database_add_outgoing_muc(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc);
|
|
void log_database_add_outgoing_muc_pm(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc);
|
|
db_history_result_t log_database_get_previous_chat(const gchar* const contact_barejid, const gchar* start_time, const gchar* end_time, gboolean from_start, gboolean flip, GSList** result);
|
|
ProfMessage* log_database_get_limits_info(const gchar* const contact_barejid, gboolean is_last);
|
|
void log_database_close(void);
|
|
GSList* log_database_verify_integrity(const gchar* const contact_barejid);
|
|
|
|
#endif // DATABASE_H
|