Commit Graph

243 Commits

Author SHA1 Message Date
adab585c09 fix(review): address PR #105 review follow-ups
- src/log.c: log_stderr_init no longer closes STDERR_FILENO immediately
  after dup2(). The previous 'close(dup_fd)' closed fd 2 because dup2
  returns newfd on success; the in-app stderr capture pipe was silently
  dead, dropping libstrophe/openssl error output. Close the original
  stderr_pipe[1] instead and remember that the write end now lives at
  STDERR_FILENO so _log_stderr_close stays correct.

- src/database_sqlite.c: NULL-check sqlite3_mprintf result before
  passing it to sqlite3_exec in the DbVersion bootstrap path.

- src/tools/editor.c: drop three orphan #includes (<fcntl.h>,
  <pthread.h>, <readline/readline.h>) left behind when 9b03e3a50
  removed the async-editor path.

- src/xmpp/jid.c: match the g_new0 allocation in jid_create with
  g_free in jid_destroy. Same behaviour on glibc but stops being a
  foot-gun under custom glib allocators.

Verified with ci-build.sh in Debian docker: all 4 configs pass
(644/0, 605/0, 605/0, 644/0 unit + 130/0 functional).
2026-05-21 15:40:25 +03:00
9b03e3a508 refactor: address PR #105 review (#1222, #1226)
#1222 (src/xmpp/roster_list.c): remove dead 'resource = NULL' inside
roster_update_presence() — assigning to a value parameter never
affects the caller. Document the ownership contract: the function
consumes 'resource' on every return path and callers must null
their own pointer afterwards. The existing caller in
roster_process_pending_presence already does that, and
resource_destroy() is NULL-safe.

#1226 (src/tools/editor.{c,h}): remove get_message_from_editor[_async]
and the surrounding async-editor infrastructure (editor_thread,
editor_task global, editor_process polling, EditorTask typedef).
The upstream callback-based launch_editor API has replaced every
call site (cmd_funcs.c, inputwin.c). Also drop the now-unused
'background_mode' global (only the obsolete async path ever set it
to TRUE) and the editor_process() call in profanity.c main loop.

Verified with ci-build.sh in Debian docker — all 4 build configs
pass (644/0, 605/0, 605/0, 644/0 unit + 130/0 functional each).
2026-05-21 12:50:19 +03:00
508de43da9 Merge branch 'master' into merge/upstream-full
Resolve conflicts after master gained the flat-file database backend,
AI client, and other cproof-fork features:

- CHANGELOG: keep cproof-fork unreleased section atop full upstream
  history (0.17.0 / 0.16.0 / 0.15.1)
- src/command/cmd_ac.c: keep both upstream spellcheck AC and cproof
  /history switch|verify|export|import autocompletion
- src/config/preferences.c: merge upstream [spellcheck] group with the
  cproof [ai]/[ai/<provider>] groups
- src/database.c: take master (thin dispatcher); upstream SQLite
  improvements (v3 migration, auto_gchar) belong in database_sqlite.c
  and will land in a follow-up commit
- src/tools/autocomplete.c: take upstream unescape of search_str
- src/ui/statusbar.c: keep guint signatures (per project preference)
  and adapt _status_bar_draw_dbbackend to guint as well
- src/xmpp/jid.c: combine the new jid_is_valid/jid_is_valid_user_jid
  with the "(null)" legacy-placeholder guard in
  jid_create_from_bare_and_resource; use auto_gchar
- tests/functionaltests/proftest.c: keep unsigned-safe pre-check on
  output_len before subtracting OUTPUT_BUF_SIZE
- tests/unittests/unittests.c: keep upstream subdirectory include
  layout plus cproof-only test_ai_client/database_export/database_stress
- tests/unittests/test_jid.c: drop orphan top-level copy (the
  restructured version lives in tests/unittests/xmpp/test_jid.c)

Upstream is included up to 1ac05754b (release 0.18.0 era). Follow-up:
pull 1ac05754b..upstream/master (esp. 42a849d16 db migration fix and
4749645c7 receipt-request restore), and adapt the SQLite improvements
into database_sqlite.c.
2026-05-18 11:42:48 +03:00
9e5dfb14f8 feat(ai): add AI client with multi-provider chat support
Add an AI client module that integrates with OpenAI-compatible API
providers (OpenAI, Perplexity, and custom endpoints) to provide
AI-assisted chat within CProof. Users can start sessions with /ai start,
send prompts, receive responses in a dedicated AI window, switch between
providers and models, and manage API keys — all with tab-completion.

Providers are configured via /ai set commands with per-provider API keys,
endpoints, default models, and custom settings. Two default providers
(openai, perplexity) are seeded on first use. Provider state persists in
[ai/<name>] sections of the preferences keyfile with automatic migration
from the previous flat-key format.

The /ai command integrates into the existing command system with 8
subcommands covering provider management, session lifecycle, model
fetching, and conversation clearing. Autocomplete uses the standard
flat prefix-matching chain for reliable tab-completion at every nesting
level. A new ProfAiWin window type is added to the window system.

Architecture:

Async design: HTTP requests run on a background thread (pthread) to avoid blocking the ncurses UI loop; results are displayed on the main thread via direct function calls
Thread safety: AIProvider and AISession use atomic ref-counting and mutex-protected session state; the request thread snapshots all session data before making the HTTP call
Window validation: wins_ai_exists() prevents use-after-free when the user closes the AI window during an in-flight HTTP request (~60s)
Privacy: store:false is sent with every request to prevent providers from persisting conversations or using them for training
Response size limit: 10MB cap with immediate curl abort via CURL_WRITEFUNC_ERROR to prevent OOM
JSON parsing uses unified helpers for both chat responses and error
envelopes with consistent escape decoding. The response parser tries
Perplexity /v1/responses "text" field first, then falls back to OpenAI
"content". Error parsing extracts provider error.message from the
standard envelope format. Model parsing handles multiple API response
formats (OpenAI list, Perplexity, array) including edge cases.

Tests include 470+ lines of unit tests covering provider management,
session lifecycle, JSON parsing (multiple formats), autocomplete cycling,
and error handling, plus functional tests for /ai command dispatch.
A stub_ai.c module isolates unit tests from UI dependencies.
2026-05-15 02:21:54 +00:00
9feff00ead refactor: clean narrowing conversions and harden unsigned arithmetic
Cleanup of the conversion-safety warnings exposed by enabling
-Wconversion / -Wsign-compare in the previous commit, plus guard
clauses at the few places where unsigned arithmetic could actually
misbehave.

Build:
- configure.ac drops -Wno-error=conversion and
  -Wno-error=float-conversion. Only -Wno-error=sign-conversion and
  -Wno-error=sign-compare remain, gating the ~230 sign warnings
  inherited from upstream that will be cleaned up in follow-ups.

Type / conversion fixes (no behaviour change):
- Length-like locals in command/cmd_ac.c, command/cmd_funcs.c,
  pgp/gpg.c, tools/autocomplete.c, tools/parser.c and ui/mucwin.c
  switched from int to size_t / glong (matching strlen /
  g_utf8_strlen return type) so we no longer need an (int) cast and
  loop counters / array sizes stay in their natural unsigned domain.
- g_timer_elapsed / GTimeSpan -> int casts in session.c, iq.c,
  core.c, server_events.c, window.c.
- _win_print_wrapped: indent parameter and local curx/maxx switched
  from size_t to int to match _win_indent / getcurx / getmaxx.
- Port casts (int -> unsigned short) at the libstrophe boundary in
  connection.c and session.c, each preceded by
  g_assert(port >= 0 && port <= UINT16_MAX) so the truncation is
  documented at the call-site.
- curl_off_t / fread size_t results cast at usage in http_upload.c,
  http_download.c, omemo/crypto.c.
- strtoul results cast to uint32_t in xmpp/omemo.c and omemo/omemo.c
  where device/prekey IDs are genuinely 32-bit.
- config/color.c: fg/bg/palette indices switched to `short`
  end-to-end (find_col, color_hash, find_closest_col,
  _color_pair_cache_get, cache.pairs), so the ncurses init_pair
  boundary needs at most one (short)i cast for the cache index. Also
  TODO-noted: init_extended_pair is needed for >15-bit palettes.
- xmpp/avatar.c: float arithmetic explicitly casts its int operands.
- tests/functionaltests/proftest.c: read() result handling uses
  size_t for the accumulator, _read_output returns ssize_t, and the
  buffer-shift check happens before space subtraction so the
  expression cannot underflow.

Real-risk guard clauses (the part that actually fixes bugs):
- src/ui/statusbar.c _tabs_width: `end > opened_tabs - 1` rewritten
  as `end < opened_tabs` so opened_tabs == 0 no longer underflows.
- src/ui/statusbar.c _status_bar_draw_extended_tabs: the mirror
  comparison rewritten as `end >= opened_tabs`.
- src/ui/statusbar.c status_bar_draw: replaced
  `MAX(0, getmaxx - (int)_tabs_width)` with an explicit precheck
  before subtraction.
- src/omemo/omemo.c prekey selection: prekey_index is now uint32_t
  and randomized into an unsigned buffer, so modulo with prekeys_len
  cannot yield a negative index for g_list_nth_data.
- src/omemo/crypto.c omemo_decrypt_func: PKCS#5/PKCS#7 unpadding
  reads `plaintext[plaintext_len - 1]`, which would underflow on a
  malformed empty ciphertext and read past the heap buffer. Reject
  plaintext_len == 0 before the padding peek and validate the
  padding byte against the buffer length before the unpad loop.
  Initialise plaintext = NULL so the early `goto out` cannot free
  uninitialised memory.
- src/ui/inputwin.c (4 mbrlen sites) and src/ui/window.c
  _win_print_wrapped: mbrlen() returns 0 for the null wide
  character. The existing checks rejected (size_t)-1 / -2 but
  treated 0 as a valid step, so the surrounding loops would either
  advance by SIZE_MAX (i += ch_len - 1) or spin in place
  (word_pos += 0 forever). Add `|| ch_len == 0` to each guard;
  inside the spell-check word-emission loop also fall back to a
  one-byte advance.
- Defensive `len > 0 ? len - 1 : 0` prechecks at the strlen-based
  g_strndup / loop sites in ui/console.c, plugins/c_api.c and
  plugins/python_plugins.c.
2026-04-28 10:24:52 +03:00
4401e817d0 refactor: address PR #105 review feedback
Apply fixes, refactors and test additions requested by reviewer on PR #105.

Fixes:
- database: warn and notify user on duplicate archive_id instead of
  silently debug-logging it (R05).
- database: add missing '[' in "[DB Migration]" log prefix (R06).
- xmpp/resource: NULL-out name/status after g_free to avoid double-free
  via roster_list.c cleanup path (R09, R23).
- common: widen strtoi_range internal storage from int to long so that
  values in (INT_MAX, LONG_MAX] are rejected as out-of-range instead of
  being silently truncated on 64-bit platforms (R25).

Refactors:
- xmpp/message: extract _receive_omemo helper, removing three copies of
  the OMEMO receive block in groupchat / MUC-PM / chat handlers (R04).
- omemo: flatten deeply nested device-list processing via guard-clause
  continues (R11).
- tools/autocomplete: merge two nested ifs into a single && condition
  (R13).
- ui/titlebar: extract _show_trust_indicator and inline _wprintw_withattr
  wrapper, collapsing three near-identical trust-indicator blocks (R22).
- config/tlscerts: drop _checked_g_strdup wrapper; g_strdup is
  NULL-safe per glib documentation (R19).
- ui/inputwin: use auto_gchar for spellcheck word instead of manual
  g_free (R20).
- tools/editor: drop outdated "Deprecated synchronous" comment that
  no longer matches the callback-based implementation (R28).

Tests:
- tests/command/cmd_ac: rename segfaults_when_empty ->
  no_segfault_when_empty; expand cycling coverage to three files plus
  backward SHIFT-TAB traversal (R16, R17).
- tests/common: add strtoi_range overflow/underflow and strtol-parsing
  consistency tests (R25).
- tests/xmpp/jid: add test for '@' inside resourcepart per RFC 6122
  section 2.4 (R26).

Misc:
- xmpp/omemo: change omemo_error_to_string return type from char* to
  gchar* for glib consistency (R01).
- subprojects/libstrophe: point wrap-git at our fork at
  git.jabber.space/devs/libstrophe-gh (R24).
- RELEASE_GUIDE: drop "Updating website" section referring to an
  upstream site that is not ours (R18).
2026-04-24 15:13:38 +03:00
a5fe32b245 Merge remote-tracking branch 'upstream/master' into merge/upstream-full
# Conflicts:
#	CONTRIBUTING.md
#	src/profanity.c
#	src/tools/editor.c
2026-04-18 12:26:52 +03:00
Michael Vetter
dd76f9087f fix: resolve issues with async editor
If we build Profanity without GTK we dont iterate the context so we will
never know when the editor exited. Calling `g_main_context_iteration()`
or finally switching to GMainLoop fixes this.
So far calling `tray_update()` does this for us in GTK builds.
So this went unnoticed.

The editor will inherit ignored signal handlers (SIGINT, SIGTSTP, SIGPIPE)
from us. Neovim uses libuv which seems to check SIGINT on startup to
determine whether the environment is interactive or not.
We now reset these signals to SIG_DFL in the child process before execvp.

Profanity uses readline which still competed for terminal input with the
editor. We only took care about other Profanity UI processes in our
previous commit. This led to misordered characters in the editor.

In my tests with vim everything worked fine and these bugs were
discovered when a user used neovim.

Fixes: https://github.com/profanity-im/profanity/issues/2148
Ref: 36ec2b0ae1
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-04-11 23:45:36 +02:00
4319172758 Merge upstream/master into merge/upstream-full
Merge profanity-im/profanity master (373 commits) into cproof fork.

Source changes (manual merge):
- src/command/: cmd_defs, cmd_funcs, cmd_ac — upstream g_new0, auto_gchar,
  launch_editor callback; keep our XEP-0308 LMC, force-encryption, CWE-134
- src/config/: preferences, tlscerts, account — upstream UNIQUE dedup,
  dynamic pad capacity; keep our db_history_result_t, scroll logic
- src/database.*: upstream g_new0 memory mgmt; keep our return types,
  add null-check fix for msg->timestamp
- src/omemo/, src/pgp/: upstream _gpgme_key_get_email, g_new0;
  keep our replace_id in omemo_on_message_send
- src/tools/: editor, http_upload, bookmark_ignore — upstream launch_editor
  callback API
- src/ui/: console, window, chatwin, mucwin, inputwin, buffer —
  upstream win_warn_needed/sent dedup, PAD_MIN_HEIGHT dynamic pads;
  keep our y_start_pos scroll, _truncate_datetime_suffix
- src/xmpp/: message, stanza, presence, roster_list, iq, session —
  upstream connection_get_available_resources; keep our LMC stanza logic
- src/common.c: fix format-security (cons_show)

Build system:
- Makefile.am: updated test paths to subdirectory structure, added
  test_cmd_ac, test_forced_encryption
- Restored autotools files deleted by upstream meson migration:
  bootstrap.sh, autogen.sh, m4/ax_valgrind_check.m4, configure-debug

Tests:
- Unit tests: upstream unittests.c base + our forced_encryption tests
  (482 passed, 0 failed across all 4 configurations)
- Functional tests: kept our version (93 passed, 0 failed)
  upstream version requires stbbr_for_xmlns not yet in our stabber fork
- Updated test stubs: stub_xmpp.c, stub_omemo.c from upstream

Compile fixes:
- src/common.c: cons_show(errmsg) -> cons_show("%s", errmsg)
- src/database.c: null-check before msg->timestamp access
- src/ui/console.c: size_t -> (int) cast for format width
- src/config/tlscerts.c: %d -> %zu for size_t
2026-04-11 13:44:50 +03:00
Michael Vetter
35bf9df0a9 refactor: Make Launching the editor more robust
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-04-03 08:40:14 +02:00
Michael Vetter
36ec2b0ae1 feat: implement asynchronous external editor support
Move from blocking fork/wait logic to nonblocking fork and
g_child_watch_add.

This ensures that the Profanity main loop continues to run while an
external editor is open. So we don't loose connection and react to
pings.

We change editor handling also in vcard and muc subject editing.
In the new implementation we are launching the editor and passing a
callback which we will use once the editor exited.

We use the recently added ui_susped() and ui_resume().

To not clutter the UI we need to check whether Profanity UI is suspended
and omit drawing in this case.

Fixes: https://github.com/profanity-im/profanity/issues/1888
Ref: 9b112904a9bc7250dc013d901187ca8622580d98
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-04-02 22:47:26 +02:00
Michael Vetter
b56498adcb Merge pull request #2139 from profanity-im/fix/1844
Improve autocompleter and command parsing in relation to quoting
2026-04-02 12:31:58 +02:00
Michael Vetter
8eac31e5e1 fix: handle X11 connection loss gracefully
Use XSetIOErrorExitHandler on X11 to detect connection loss and
disable GTK features (tray, clipboard, notifications).

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Co-authored-by: Paul Fertser <fercerpav@gmail.com>
2026-04-01 23:14:46 +02:00
Michael Vetter
df1f1e5ef1 fix: ensure consistent unescaping and space handling
Unescape any character following a backslash. This fixes autocompletion
for names with escaped spaces.
For example: `/msg Thor\ Odinson hello`

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-03-30 18:33:59 +02:00
Michael Vetter
bda5b0f844 fix(tools): implement backslash escaping for contact names
Implement backslash based escaping in the command parser and autocompletion
logic to handle contact names containing double quotes.
This stops the parser from splitting nicknames into multiple tokens, which
previously caused "Invalid usage" errors.

The parser now sees \ as an escape character for quotes and spaces in
_parse_args_helper, count_tokens and get_start. Autocomplete results are
escaped when they contain spaces, and search prefixes are unescaped before
matching. strip_arg_quotes() has also been updated to handle unescaping.

Fixes: https://github.com/profanity-im/profanity/issues/1844
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-03-29 00:15:23 +01:00
Michael Vetter
ed2fdf88ac feat: Add /spellcheck list command
To list all available dictionaries.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-03-26 23:34:13 +01:00
Michael Vetter
4922366366 feat: add spellcheck highlighting support
Introduce optional spellcheck highlighting in the input window using
the Enchant-2 library.

```
/spellcheck on
/spellcheck lang en_US
```

New theme color `input.misspelled`.

Fixes: https://github.com/profanity-im/profanity/issues/183
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-03-26 23:34:06 +01:00
Michael Vetter
63af72773c feat: Implement color coded status messages for file transfers
Introduce meaningful color feedback for background tasks like file
downloads and uploads. Progress is displayed in a neutral color,
while successful completions turn green and failures turn red.

We reuse the existing THEME colors for now.

Add new UI flags ENTRY_COMPLETED and ENTRY_ERROR to
the buffer entry system. So we don't misuse delivery receipts anymore.

Fixes: https://github.com/profanity-im/profanity/issues/1758
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-03-25 17:40:10 +01:00
Michael Vetter
a9ef000328 fix: Improve status reporting and filename handling for /url save
Use the original aesgcm:// URL when downloading OMEMO downloads.  Then
in the final message use the decrypted file destination instead of the
internal temporary path.

Use the unique download ID instead of the URL for message updates to
have proper progress reporting.

Unify the final transfer status to "done" across both downloads and
uploads.

Fixes: https://github.com/profanity-im/profanity/issues/1939
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-03-24 22:37:54 +01:00
Michael Vetter
e9c6b3b3d8 feat(tools): support UTF-8 characters in autocompletion
Autocompletion failed for nicknames using non Latin scripts. We used
`g_str_to_ascii`, which replaces characters it cannot transliterate with
'?', leading search failures and false matches between different
scripts.

Now we do:
Use `g_utf8_casefold` for case-insensitive UTF-8 comparison. This
ensures that like 'Σ' correctly match 'σ' across all Unicode scripts,
providing correct results for non English nicknames.

If we don't fine anything typing a base ASCII character matches an
accented one (typing `e` matches `è`). This pass uses `g_str_to_ascii`
followed by `g_ascii_strdown` for comparison. It is now restricted to
run if the search string itself is valid ASCII, preventing the
"everything matches '?'" bug in non Latin scripts.

Autocomplete items are sorted using `strcmp`. `g_utf8_collate` provides
linguistical ordering for a specific language. But its behavior is
locale dependent and undefined when comparing strings from different
scripts. `strcmp` does byte-wise ordering that correctly follows Unicode
code order for UTF-8 strings.
2026-03-19 08:41:50 +01:00
Michael Vetter
798edce22a chore: Move to SPDX license header 2026-03-09 12:55:37 +01:00
9ec01fa8cc fix: CWE-134 format string audit and compiler hardening
Security:
Fix CWE-134 in iq.c: user-controlled string passed as format argument
Add G_GNUC_PRINTF annotations to all variadic printf-like wrappers
in ui.h, log.h and http_common.h
Compiler flags (configure.ac):

Replace basic -Wformat/-Wformat-nonliteral with -Wformat=2
Add -Wextra, -Wnull-dereference, -Wpointer-arith,
-Wimplicit-function-declaration, -Wundef, -Wfloat-equal,
-Wredundant-decls, -Walloc-zero
Add -fstack-protector-strong, -fno-common, -D_FORTIFY_SOURCE=2
Add GCC-specific flags via AC_COMPILE_IFELSE: -Wlogical-op,
-Wduplicated-cond, -Wduplicated-branches, -Wstringop-overflow,
-Warray-bounds=2
Suppress noisy -Wextra sub-warnings: -Wno-unused-parameter,
-Wno-missing-field-initializers, -Wno-sign-compare,
-Wno-cast-function-type
Remove AM_CFLAGS/CFLAGS duplication
Bug fixes found by new warnings:

chatlog.c: non-MUCPM redact path passed resourcepart instead of NULL
rosterwin.c: merge duplicated if/else branches into single condition
omemo.c: redundant else-if in omemo_automatic_start; remove
unnecessary scope block and goto, use early return
console.c: pointer compared to integer 0 instead of NULL
stanza.c: increase pri_str/idle_str buffers from 10 to 12 bytes
(INT_MIN = -2147483648 needs 12 bytes including NUL)
vcard.c: NULL guard for filename before g_file_set_contents
api.c: broken log_warning() calls with extra format argument
Format mismatch fixes:

chatwin.c: Jid* → char* for %s
connection.c: %x → %lx for long flags
cmd_funcs.c: %d → %zu for size_t; cast gpointer to char* for %s
cmd_defs.c: %d → %u for g_list_length() return (guint)
iq.c: barejid → fulljid for from_jid
console.c, mucwin.c, privwin.c, account.c, omemo.c, presence.c:
gpointer → (char*) casts for %s
Const-correctness and cleanup:

database.c: const for type, query, sort variables
form.c/xmpp.h: const for form_set_value parameter
files.c: refactor to early return, eliminating NULL logfile path
muc.c/muc.h: remove meaningless top-level const on return type
common.c: const for URL string literal
Remove stale declarations: cons_show_desktop_prefs (ui.h),
connection_set_priority (connection.h),
omemo_devicelist_configure_and_request (omemo.h)
test_common.c: add currb NULL check to silence -Wnull-dereference
Tooling (check-cwe134.sh):

Reduce from 5 checks to 2 (checks 1-3 redundant with -Wformat=2)
Check 1: verify known wrappers have G_GNUC_PRINTF attribute
Check 2: auto-detect unannotated variadic printf-like functions
Match both const char* and const gchar* in variadic patterns

Author: jabber.developer2 <jabber.developer2@jabber.space>
2026-03-07 11:55:50 +01:00
Michael Vetter
434a887834 Fix -Wanalyzer-deref-before-check warning in get_message_from_editor
Let's add an explicit check.
2026-02-28 09:55:33 +01:00
Michael Vetter
286e563fbe fix: fix redundant error reporting in http download
We were sequentially checking for errors from 'curl_easy_perform',
'ftell', and 'fclose'. Each time overwriting the last one, resulting in
a leak. This commit ensures that 'err' is only set if it is currently
NULL, preserving the first and most specific error encountered.
2026-02-27 22:29:45 +01:00
Michael Vetter
8a36ca6d97 refactor: start to standardize on gchar
Make get_random_string() return a gchar*.

This is part of the effort to migrate string declarations and
allocations from char to gchar, replacing standard C allocators
(malloc/calloc/strdup) with their glib equivalents
(g_malloc/g_new0/g_strdup).

The primary goal is to prevent mismatched allocator bugs. While char and
gchar are binary compatible, mixing their respective deallocators is
dangerous:

* Freeing malloc'd memory with g_free() (or vice versa) can lead to
  memory corruption, double-frees, or crashes.
* This is seems to be the case especiall on non Linux platforms or when
  using hardened memory allocators where the GLib slice allocator or
  wrappers may differ from the system heap.

By standardizing on gchar, we ensure that our automatic cleanup macros
(like auto_gchar) always invoke the correct deallocator (g_free).
2026-02-26 19:06:44 +01:00
Michael Vetter
e1fd2a1cf6 refactor: replace calloc with g_new0 for struct allocations
Migrate structure allocations from calloc to glibs g_new0 macro to
improve type safety and memory robustness.

* Type Safety: The macro takes the type name directly, ensuring the
  allocated size always matches the pointer type.
* Static Analysis: It guarantees a non-NULL return by aborting on
  failure, which silences -fanalyzer warnings regarding potential NULL
  pointer dereferences.
* Readability: Removes redundant sizeof() calls and is the glib way
2026-02-26 19:06:39 +01:00
Michael Vetter
657de5f22f Merge pull request #2089 from profanity-im/cleanup
Cleanup
2026-02-23 11:10:38 +01:00
Michael Vetter
f1acf702a9 chore: Update copyright year 2026-02-20 16:13:31 +01:00
Michael Vetter
6e61383e97 cleanup: Adapt loop counter to proper type
Fixing a couple of -Wsign-compare warnings.
2026-02-20 16:02:27 +01:00
467222d0ca fix(ui,db): harden NULL handling, fix CWE-134, optimize iterations
security(CWE-134): fix format string injections + add CI check
fix(ui): subwindow lifecycle, newwin/newpad guards, fallback timestamps
fix(db): sqlite cleanup on failures, sqlite3_close_v2
fix(xmpp): queued_messages loop, barejid leak
perf(core): g_hash_table_iter_init instead of g_hash_table_get_keys
refactor(ui): CLAMP macro in _check_subwin_width
test: XEP-0012 and XEP-0045 functional tests

Author: jabber.developer2
Closes #58, #85
2026-02-06 19:27:40 +01:00
Steffen Jaeckel
2fb56b8536 Fix some more untyped APIs
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-11-18 12:16:29 +01:00
Steffen Jaeckel
48ac88de08 Fix GError handling
Several users have reported segfaults when starting up profanity which
has OMEMO support, but OMEMO is not set up yet.

@StefanKropp has been able to reproduce this and tracked it down to
`_load_identity()` calling `omemo_known_devices_keyfile_save()`.
The latter then calls `save_keyfile()` which calls
`g_key_file_save_to_file()`. This can then fail if one of the first two
strings is NULL and won't set the `error` on return. In its error handling
`save_keyfile()` unconditionally dereferences `error` which leads to the
segfault.

Fix this and also go through the entire codebase and verify that the usage
of `GError` is done correctly.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-11-18 12:16:29 +01:00
Michael
a704887f14 Add types to function prototypes
Build fail under macOS, Clang 16.0.0.
Add parameters to the following prototypes
- bookmark_ignore_on_connect()
- cons_show_qrcode()
2025-09-13 12:36:05 +01:00
ad294cdd6d feat(editor): add asynchronous external editor support
The synchronous `get_message_from_editor` blocked the main loop (`prof_run`) while launching an external editor like `vim`, halting network I/O in `session_process_events` and preventing incoming message reception.

Introduced `get_message_from_editor_async` for `cmd_editor` to run the editor asynchronously. It forks and execs the editor in a thread (`editor_thread`), suspending NCurses to free the terminal. The main loop skips `inp_readline` and `ui_update` via a new `background_mode` flag while the editor runs, allowing `session_process_events` to keep the connection alive.

On editor completion, `editor_process` (called per loop iteration) resumes NCurses with `ui_resize`, inserts the result into the readline buffer and clears `background_mode`.

Retained synchronous `get_message_from_editor` for ~20 existing code paths (e.g., `vcard_nickname`) to avoid breaking them.

Tested with `vim` and `nano`: confirms no rendering conflicts, messages received during editing, and seamless resume. Edge cases like editor crashes handled via error logging and seamless resume.
2025-08-07 03:03:43 +02:00
Michael Vetter
091ff41c06 Merge pull request #2041 from profanity-im/some-improvements
Summary:
- Print the final storage location when successfully decrypting a file with `aesgcm://` source.
- Less GString
- Re-factor cmd_presence()
- Improve const correctness
- Use correct free function. Fixes: 75d7663 ("Free wins summary list")

Pull Request Source: https://github.com/profanity-im/profanity/pull/2041

Author: Steffen Jaeckel <s@jaeckel.eu>
2025-07-19 00:13:49 +02:00
Steffen Jaeckel
5810f49c97 url save: fix location printed
Print the final storage location when successfully decrypting a file with
`aesgcm://` source.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-04-23 11:19:04 +02:00
Michael Vetter
07dfeec816 Release 0.15.0 2025-03-27 20:06:38 +01:00
Steffen Jaeckel
6d3f20fe8e Close FILE* before removing the filename.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-18 17:00:58 +01:00
Steffen Jaeckel
4405f33884 Optionally return bytes received from http_file_get()
`http_dl->bytes_received` was already free'd when it was accessed inside
`aesgcm_file_get()`.

Change `http_file_get()` to optionally return the number of bytes received
so we know how much data we have to decrypt.

This fixes #1994

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-18 17:00:58 +01:00
Steffen Jaeckel
422f5fa6f9 Slightly improve http_download related allocations.
* use `calloc()` to allocate zero-initialized structs.
* order the allocation of members by their declaration.
* order the freeing of members in reverse order.
* move init of `silent` flag in plugin case.
* fix double free of `tmpname` in `aesgcm_file_get()`.
* make some functions static.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-18 17:00:58 +01:00
Steffen Jaeckel
cffd310744 Fix shadowing of msg resulting in invalid free.
```
==500714== Invalid free() / delete / delete[] / realloc()
==500714==    at 0x484A78B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==500714==    by 0x5BDCD58: g_free (in /usr/lib64/libglib-2.0.so.0.8200.2)
==500714==    by 0x49016B: http_file_put (http_upload.c:175)
==500714==    by 0x5F613B1: start_thread (in /usr/lib64/libc.so.6)
==500714==    by 0x5FE63D3: clone (in /usr/lib64/libc.so.6)
==500714==  Address 0x86f6510 is 0 bytes inside a block of size 53 free'd
==500714==    at 0x484A78B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==500714==    by 0x5BDCD58: g_free (in /usr/lib64/libglib-2.0.so.0.8200.2)
==500714==    by 0x490299: http_file_put (http_upload.c:324)
==500714==    by 0x5F613B1: start_thread (in /usr/lib64/libc.so.6)
==500714==    by 0x5FE63D3: clone (in /usr/lib64/libc.so.6)
==500714==  Block was alloc'd at
==500714==    at 0x48477C4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==500714==    by 0x5F548A7: __vasprintf_internal (in /usr/lib64/libc.so.6)
==500714==    by 0x5C2DD1D: g_vasprintf (in /usr/lib64/libglib-2.0.so.0.8200.2)
==500714==    by 0x5BF8D97: g_strdup_vprintf (in /usr/lib64/libglib-2.0.so.0.8200.2)
==500714==    by 0x5BF8E58: g_strdup_printf (in /usr/lib64/libglib-2.0.so.0.8200.2)
==500714==    by 0x490264: http_file_put (http_upload.c:318)
==500714==    by 0x5F613B1: start_thread (in /usr/lib64/libc.so.6)
==500714==    by 0x5FE63D3: clone (in /usr/lib64/libc.so.6)
```

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-18 17:00:58 +01:00
Michael Vetter
5b9516b483 Merge pull request #2022 from profanity-im/fixes
Memory fixes
2025-03-13 09:58:09 +01:00
Michael Vetter
71b7d97dcb Get rid of unused define 2025-03-13 09:48:32 +01:00
Michael Vetter
b5f0cc0bd4 Fix more potential leaks in aesgcm_download 2025-03-13 09:48:27 +01:00
Steffen Jaeckel
c0da36c48d Rage-cleanup.
While trying to get the unit tests working again I stumbled over all those
things that I thought could be better^TM.

Now we also know "TODO: why does this make the test fail?" - because
the unit tests are brittle AF ... and we have to init the subsystems
we use in the test, otherwise the cleanup will fail...

BTW. you can now also only run a single test ... or a pattern or so ...
you'd have to read how `cmocka_set_test_filter()` works exactly.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-10 11:45:15 +01:00
Steffen Jaeckel
72b99ceb6d Some minor improvements
* destroy/free/shutdown/close in reverse order of allocation
* more static/auto_Xfree
* less variables/strlen/GString
* properly `\0`-terminate string of testcase

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-10 11:45:15 +01:00
Michael Vetter
43bbb16e8e Close file in case of error 2025-03-06 11:19:28 +01:00
ike08
23fa4750ff Fix unable to download item twice
## Summary

Partial fix for https://github.com/profanity-im/profanity/issues/1939  

> When doing the same in an unencrypted (no e2ee) chat there is no Downloading… message at all but the file is downloaded.  

Download a file twice with `/url save`, the second download will not print download progress to the window.  

The cause is `HTTPDownload`'s `silent` variable is not initialized; so, `silent` points to a second-hand stack memory address with old data. `silent` references data, so the `if` statement will fail in **src/tools/http_download.c:206** and download progress will not print to the window.  

The fix is to initialize `silent` in both encrypted and unencrypted file download scenarios.  

## Testing

Valgrind: Yes  

- `/url save` without OMEMO  
  **SUCCESS**: Try three times with the same URL and download status will display every time.  

- `/url save` with OMEMO  
  **SUCCESS**: Try three times with the same URL and download status will display every time.  

- `/plugins install https://raw.githubusercontent.com/profanity-im/profanity-plugins/master/stable/sounds.py`  
  **SUCCESS**: Try once and download progress is hidden.
2024-02-28 07:23:59 -07:00
Michael Vetter
569e37f018 Update copyright to 2024 2024-01-22 16:03:48 +01:00
Steffen Jaeckel
847a86de50 add connection_get_jid()
Use a singleton `Jid` inside the connection instead of always re-creating
a `Jid` from the same string.

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2023-12-12 18:26:21 +01:00