Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Profanity doesn't prevent sending illegal sequences #1437

Open
mdosch opened this issue Nov 12, 2020 · 3 comments
Open

Profanity doesn't prevent sending illegal sequences #1437

mdosch opened this issue Nov 12, 2020 · 3 comments
Labels
improvement

Comments

@mdosch
Copy link
Contributor

mdosch commented Nov 12, 2020
edited

It was reported to Debian that profanity disconnects after pressing some keys and sending a message. This is due to illegal sequences are inserted from the key combos and the server replies with an "not well formed" error. Please see also yesterdays discussion in jdev@. This should probably be fixed in profanity but libstrophe should also prevent sending those sequences (CC: @pasis ).

Expected Behavior

Those sequences should not be sent over the wire.

Current Behavior

Those sequences are sent over the wire causing a "not well formed" error and a disconnect.

11/11/2020 11:56:19: prof: DBG: Input received: ^V    
11/11/2020 11:56:19: conn: DBG: SENT: <message id="YzhhMDE4YWMtMWNmYy00MDk2LWE5YmYtYjk3MWQ0NWNiZmVlNjdkZmMxYmU0YTM4MzcxNjdhZjBiMmVjYTU4NWI5ODEzOGIwNGNjMWFkMmM1MTg0MTBlMDk0MjEwNTZmNDRhOQ==" to="martin@mdosch.de" type="chat"><body>^V</body><                       
active xmlns="http://jabber.org/protocol/chatstates"/><request xmlns="urn:xmpp:receipts"/></message>    
11/11/2020 11:56:19: xmpp: DBG: RECV: <error xmlns="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></error>
11/11/2020 11:56:19: xmpp: DBG: RECV: </stream:stream>    
11/11/2020 11:56:19: xmpp: DBG: Closing socket.    
11/11/2020 11:56:19: prof: DBG: Connection handler: XMPP_CONN_DISCONNECT    
11/11/2020 11:56:19: prof: DBG: Connection handler: Lost connection for unknown reason

grep YzhhMDE4YWMtMWNmYy00MDk2LWE5YmYtYjk3MWQ0NWNiZmVlNjdkZmMxYmU0YTM4MzcxNjdhZjBiMmVjYTU4NWI5ODEzOGIwNGNjMWFkMmM1MTg0MTBlMDk0MjEwNTZmNDRhOQ== /var/log/prosody/prosody.debug                                     
Nov 11 11:56:19 mod_c2s debug   Received invalid XML (not well-formed (invalid token)) 300 bytes: "<message id=\"YzhhMDE4YWMtMWNmYy00MDk2LWE5YmYtYjk3MWQ0NWNiZmVlNjdkZmMxYmU0YTM4MzcxNjdhZjBiMmVjYTU4NWI5ODEzOGIwNGNjMWFkMmM1MTg0MTBlMDk0MjEwNTZmNDRhOQ==\" to=\"martin@mdosch.de\" type=\"chat\"><body>\022</body><active xmlns=\"http://jabber.org/protocol/chatstates\"/><request xmlns=\"urn:xmpp:receipts\"/></message>"

Possible Solution

@horazont wrote

https://www.joelonsoftware.com/2003/10/08/the-absolute-minimum-every-software-developer-absolutely-positively-must-know-about-unicode-and-character-sets-no-excuses/
On input, you convert everything to unicode (please see the link). You’ll then have to filter out all codepoints between U+0000 and U+001F (incl.) except U+0009, U+000A and U+000D then you pass that to the XML library for serialisation as XML

Steps to Reproduce (for bugs)

Switch to console, run profanity, and try some escape sequence such as hitting CTRL+V twice, then enter. Disconnects from the server again.

Environment

Happens with 0.9.5 (see linked Debian bug report) as well as with latest master (sorry, I don't have a profanity accessible right now for --version output.
@jubalh
Copy link
Member

jubalh commented Nov 12, 2020

There is also #1220 and #1226 where we started to filter out some characters upon receival.

@pasis pasis mentioned this issue Nov 26, 2020
Open
@jubalh jubalh mentioned this issue Feb 23, 2022
Closed
@mdosch mdosch mentioned this issue Feb 25, 2022
Closed
@mdosch
Copy link
Contributor Author

mdosch commented Aug 2, 2022
edited

depends-on-libstrophe: I think one should not solely rely on the lib to filter out those sequences as the lib can't do this on encrypted messages so profanity should also filter on user input (prior to encryption) and on incoming messages (after decryption).

@jubalh
Copy link
Member

jubalh commented Aug 2, 2022

Makes sense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
improvement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jubalh @mdosch