Commit Graph

28 Commits

Author SHA1 Message Date
d3d7c328b4 fix: address config injection and SIGCHLD handling
- Sanitize account names to prevent GKeyFile config injection by
  blocking special characters like #, \n, and \r.
- Ensure GLib's SIGCHLD handler is initialized before forking
  external editors to prevent zombie processes.
- Add missing error check for OMEMO random key generation.
- Replace hardcoded console tab ID with a named constant.
- Log invalid JIDs safely to prevent potential null pointer issues.
2026-05-23 16:13:39 +03:00
adab585c09 fix(review): address PR #105 review follow-ups
- src/log.c: log_stderr_init no longer closes STDERR_FILENO immediately
  after dup2(). The previous 'close(dup_fd)' closed fd 2 because dup2
  returns newfd on success; the in-app stderr capture pipe was silently
  dead, dropping libstrophe/openssl error output. Close the original
  stderr_pipe[1] instead and remember that the write end now lives at
  STDERR_FILENO so _log_stderr_close stays correct.

- src/database_sqlite.c: NULL-check sqlite3_mprintf result before
  passing it to sqlite3_exec in the DbVersion bootstrap path.

- src/tools/editor.c: drop three orphan #includes (<fcntl.h>,
  <pthread.h>, <readline/readline.h>) left behind when 9b03e3a50
  removed the async-editor path.

- src/xmpp/jid.c: match the g_new0 allocation in jid_create with
  g_free in jid_destroy. Same behaviour on glibc but stops being a
  foot-gun under custom glib allocators.

Verified with ci-build.sh in Debian docker: all 4 configs pass
(644/0, 605/0, 605/0, 644/0 unit + 130/0 functional).
2026-05-21 15:40:25 +03:00
9b03e3a508 refactor: address PR #105 review (#1222, #1226)
#1222 (src/xmpp/roster_list.c): remove dead 'resource = NULL' inside
roster_update_presence() — assigning to a value parameter never
affects the caller. Document the ownership contract: the function
consumes 'resource' on every return path and callers must null
their own pointer afterwards. The existing caller in
roster_process_pending_presence already does that, and
resource_destroy() is NULL-safe.

#1226 (src/tools/editor.{c,h}): remove get_message_from_editor[_async]
and the surrounding async-editor infrastructure (editor_thread,
editor_task global, editor_process polling, EditorTask typedef).
The upstream callback-based launch_editor API has replaced every
call site (cmd_funcs.c, inputwin.c). Also drop the now-unused
'background_mode' global (only the obsolete async path ever set it
to TRUE) and the editor_process() call in profanity.c main loop.

Verified with ci-build.sh in Debian docker — all 4 build configs
pass (644/0, 605/0, 605/0, 644/0 unit + 130/0 functional each).
2026-05-21 12:50:19 +03:00
4401e817d0 refactor: address PR #105 review feedback
Apply fixes, refactors and test additions requested by reviewer on PR #105.

Fixes:
- database: warn and notify user on duplicate archive_id instead of
  silently debug-logging it (R05).
- database: add missing '[' in "[DB Migration]" log prefix (R06).
- xmpp/resource: NULL-out name/status after g_free to avoid double-free
  via roster_list.c cleanup path (R09, R23).
- common: widen strtoi_range internal storage from int to long so that
  values in (INT_MAX, LONG_MAX] are rejected as out-of-range instead of
  being silently truncated on 64-bit platforms (R25).

Refactors:
- xmpp/message: extract _receive_omemo helper, removing three copies of
  the OMEMO receive block in groupchat / MUC-PM / chat handlers (R04).
- omemo: flatten deeply nested device-list processing via guard-clause
  continues (R11).
- tools/autocomplete: merge two nested ifs into a single && condition
  (R13).
- ui/titlebar: extract _show_trust_indicator and inline _wprintw_withattr
  wrapper, collapsing three near-identical trust-indicator blocks (R22).
- config/tlscerts: drop _checked_g_strdup wrapper; g_strdup is
  NULL-safe per glib documentation (R19).
- ui/inputwin: use auto_gchar for spellcheck word instead of manual
  g_free (R20).
- tools/editor: drop outdated "Deprecated synchronous" comment that
  no longer matches the callback-based implementation (R28).

Tests:
- tests/command/cmd_ac: rename segfaults_when_empty ->
  no_segfault_when_empty; expand cycling coverage to three files plus
  backward SHIFT-TAB traversal (R16, R17).
- tests/common: add strtoi_range overflow/underflow and strtol-parsing
  consistency tests (R25).
- tests/xmpp/jid: add test for '@' inside resourcepart per RFC 6122
  section 2.4 (R26).

Misc:
- xmpp/omemo: change omemo_error_to_string return type from char* to
  gchar* for glib consistency (R01).
- subprojects/libstrophe: point wrap-git at our fork at
  git.jabber.space/devs/libstrophe-gh (R24).
- RELEASE_GUIDE: drop "Updating website" section referring to an
  upstream site that is not ours (R18).
2026-04-24 15:13:38 +03:00
a5fe32b245 Merge remote-tracking branch 'upstream/master' into merge/upstream-full
# Conflicts:
#	CONTRIBUTING.md
#	src/profanity.c
#	src/tools/editor.c
2026-04-18 12:26:52 +03:00
Michael Vetter
dd76f9087f fix: resolve issues with async editor
If we build Profanity without GTK we dont iterate the context so we will
never know when the editor exited. Calling `g_main_context_iteration()`
or finally switching to GMainLoop fixes this.
So far calling `tray_update()` does this for us in GTK builds.
So this went unnoticed.

The editor will inherit ignored signal handlers (SIGINT, SIGTSTP, SIGPIPE)
from us. Neovim uses libuv which seems to check SIGINT on startup to
determine whether the environment is interactive or not.
We now reset these signals to SIG_DFL in the child process before execvp.

Profanity uses readline which still competed for terminal input with the
editor. We only took care about other Profanity UI processes in our
previous commit. This led to misordered characters in the editor.

In my tests with vim everything worked fine and these bugs were
discovered when a user used neovim.

Fixes: https://github.com/profanity-im/profanity/issues/2148
Ref: 36ec2b0ae1
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-04-11 23:45:36 +02:00
4319172758 Merge upstream/master into merge/upstream-full
Merge profanity-im/profanity master (373 commits) into cproof fork.

Source changes (manual merge):
- src/command/: cmd_defs, cmd_funcs, cmd_ac — upstream g_new0, auto_gchar,
  launch_editor callback; keep our XEP-0308 LMC, force-encryption, CWE-134
- src/config/: preferences, tlscerts, account — upstream UNIQUE dedup,
  dynamic pad capacity; keep our db_history_result_t, scroll logic
- src/database.*: upstream g_new0 memory mgmt; keep our return types,
  add null-check fix for msg->timestamp
- src/omemo/, src/pgp/: upstream _gpgme_key_get_email, g_new0;
  keep our replace_id in omemo_on_message_send
- src/tools/: editor, http_upload, bookmark_ignore — upstream launch_editor
  callback API
- src/ui/: console, window, chatwin, mucwin, inputwin, buffer —
  upstream win_warn_needed/sent dedup, PAD_MIN_HEIGHT dynamic pads;
  keep our y_start_pos scroll, _truncate_datetime_suffix
- src/xmpp/: message, stanza, presence, roster_list, iq, session —
  upstream connection_get_available_resources; keep our LMC stanza logic
- src/common.c: fix format-security (cons_show)

Build system:
- Makefile.am: updated test paths to subdirectory structure, added
  test_cmd_ac, test_forced_encryption
- Restored autotools files deleted by upstream meson migration:
  bootstrap.sh, autogen.sh, m4/ax_valgrind_check.m4, configure-debug

Tests:
- Unit tests: upstream unittests.c base + our forced_encryption tests
  (482 passed, 0 failed across all 4 configurations)
- Functional tests: kept our version (93 passed, 0 failed)
  upstream version requires stbbr_for_xmlns not yet in our stabber fork
- Updated test stubs: stub_xmpp.c, stub_omemo.c from upstream

Compile fixes:
- src/common.c: cons_show(errmsg) -> cons_show("%s", errmsg)
- src/database.c: null-check before msg->timestamp access
- src/ui/console.c: size_t -> (int) cast for format width
- src/config/tlscerts.c: %d -> %zu for size_t
2026-04-11 13:44:50 +03:00
Michael Vetter
35bf9df0a9 refactor: Make Launching the editor more robust
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-04-03 08:40:14 +02:00
Michael Vetter
36ec2b0ae1 feat: implement asynchronous external editor support
Move from blocking fork/wait logic to nonblocking fork and
g_child_watch_add.

This ensures that the Profanity main loop continues to run while an
external editor is open. So we don't loose connection and react to
pings.

We change editor handling also in vcard and muc subject editing.
In the new implementation we are launching the editor and passing a
callback which we will use once the editor exited.

We use the recently added ui_susped() and ui_resume().

To not clutter the UI we need to check whether Profanity UI is suspended
and omit drawing in this case.

Fixes: https://github.com/profanity-im/profanity/issues/1888
Ref: 9b112904a9bc7250dc013d901187ca8622580d98
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
2026-04-02 22:47:26 +02:00
Michael Vetter
798edce22a chore: Move to SPDX license header 2026-03-09 12:55:37 +01:00
Michael Vetter
434a887834 Fix -Wanalyzer-deref-before-check warning in get_message_from_editor
Let's add an explicit check.
2026-02-28 09:55:33 +01:00
Michael Vetter
f1acf702a9 chore: Update copyright year 2026-02-20 16:13:31 +01:00
Steffen Jaeckel
48ac88de08 Fix GError handling
Several users have reported segfaults when starting up profanity which
has OMEMO support, but OMEMO is not set up yet.

@StefanKropp has been able to reproduce this and tracked it down to
`_load_identity()` calling `omemo_known_devices_keyfile_save()`.
The latter then calls `save_keyfile()` which calls
`g_key_file_save_to_file()`. This can then fail if one of the first two
strings is NULL and won't set the `error` on return. In its error handling
`save_keyfile()` unconditionally dereferences `error` which leads to the
segfault.

Fix this and also go through the entire codebase and verify that the usage
of `GError` is done correctly.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-11-18 12:16:29 +01:00
ad294cdd6d feat(editor): add asynchronous external editor support
The synchronous `get_message_from_editor` blocked the main loop (`prof_run`) while launching an external editor like `vim`, halting network I/O in `session_process_events` and preventing incoming message reception.

Introduced `get_message_from_editor_async` for `cmd_editor` to run the editor asynchronously. It forks and execs the editor in a thread (`editor_thread`), suspending NCurses to free the terminal. The main loop skips `inp_readline` and `ui_update` via a new `background_mode` flag while the editor runs, allowing `session_process_events` to keep the connection alive.

On editor completion, `editor_process` (called per loop iteration) resumes NCurses with `ui_resize`, inserts the result into the readline buffer and clears `background_mode`.

Retained synchronous `get_message_from_editor` for ~20 existing code paths (e.g., `vcard_nickname`) to avoid breaking them.

Tested with `vim` and `nano`: confirms no rendering conflicts, messages received during editing, and seamless resume. Edge cases like editor crashes handled via error logging and seamless resume.
2025-08-07 03:03:43 +02:00
Michael Vetter
07dfeec816 Release 0.15.0 2025-03-27 20:06:38 +01:00
Michael Vetter
569e37f018 Update copyright to 2024 2024-01-22 16:03:48 +01:00
Steffen Jaeckel
847a86de50 add connection_get_jid()
Use a singleton `Jid` inside the connection instead of always re-creating
a `Jid` from the same string.

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2023-12-12 18:26:21 +01:00
Steffen Jaeckel
12d76e4a21 Fix memleaks & more auto-free
`data_dir` would have been leaked if directory creation failed.

`editor_argv` was leaked at some point, no idea why.

```
==1244734== 118 (32 direct, 86 indirect) bytes in 1 blocks are definitely lost in loss record 6,299 of 7,824
==1244734==    at 0x4846CC3: realloc (vg_replace_malloc.c:1451)
==1244734==    by 0x5E85AD0: g_realloc (in /usr/lib/libglib-2.0.so.0.7600.1)
==1244734==    by 0x5E4A004: ??? (in /usr/lib/libglib-2.0.so.0.7600.1)
==1244734==    by 0x5E4A7B1: g_ptr_array_add (in /usr/lib/libglib-2.0.so.0.7600.1)
==1244734==    by 0x5EA4235: g_strsplit (in /usr/lib/libglib-2.0.so.0.7600.1)
==1244734==    by 0x1F143C: get_message_from_editor (editor.c:92)
==1244734==    by 0x193F6B: _inp_rl_send_to_editor (inputwin.c:950)
==1244734==    by 0x614642F: _rl_dispatch_subseq (readline.c:916)
==1244734==    by 0x6146C85: _rl_dispatch_callback (readline.c:823)
==1244734==    by 0x616739F: rl_callback_read_char (callback.c:241)
==1244734==    by 0x1923DB: inp_readline (inputwin.c:188)
==1244734==    by 0x149860: prof_run (profanity.c:117)
==1244734==    by 0x2283E8: main (main.c:186)
```

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2023-05-12 08:39:20 +02:00
Daniel Santos
007f623ad8 Editor executable support flags
* Make editor executable into a string to be able to support
   (multiple) flags.
 * Change /help executable to suit this new feature

Signed-off-by: Daniel Santos <dacs.git@brilhante.top>
2023-03-30 21:44:26 +01:00
Steffen Jaeckel
e886ba0c6f fix more memory leaks
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2023-01-18 20:11:13 +01:00
Michael Vetter
3adc399da0 Update copyright year 2023-01-10 10:37:25 +01:00
Michael Vetter
9eec0ce26e Include common.h and xmpp.h in editor.c
That was pulled in through log.h
2022-06-28 20:08:44 +02:00
MarcoPolo-PasTonMolo
ce152a82b4 Fix crash on /editor 2022-03-24 11:42:49 +02:00
Steffen Jaeckel
8c55294352 re-factor get_message_from_editor()
* use GLib functions to write&read compose file
* trim trailing new-line characters from compose file

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2022-03-14 15:45:01 +01:00
Steffen Jaeckel
764a7fb71b prevent segfault
In case we're not connected yet and press Alt+c a segfault occurred
since `conn.xmpp_conn` is dereferenced while it's still `NULL`.

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2022-03-13 13:21:40 +01:00
Michael Vetter
198ff3e9be Add stat.h to editor
Fix on openbsd:
`src/tools/editor.c:55:36: error: 'S_IRWXU' undeclared (first use in
this function)`
2022-03-04 21:09:24 +01:00
Michael Vetter
9578b03bf6 Include errno header in editor.c 2022-03-04 14:26:18 +01:00
MarcoPolo-PasTonMolo
3f78af2591 Move get_message_from_editor to appropriate file and change its keybinding 2022-03-03 12:56:03 +01:00