-
Ge0rG
Sigh. How one should not design XMPP clients: https://github.com/KaidanIM/Kaidan/issues/220
-
Kev
Swift autoaccepts requests too, but only for bidirectional
-
Kev
(If you send a subscription request to someone, it'll approve the one they send back)
-
jonasw
that makes sense
-
daniel
> (If you send a subscription request to someone, it'll approve the one they send back)
Conversations does that too.
-
daniel
Even though that's actually what pre-approval is for
-
Ge0rG
it makes sense in a world where subscription shouldn't consist of directed graphs
-
daniel
Or pre Auth
-
Ge0rG
except pre-approval is not guaranteed
-
daniel
What ever that was called
-
Ge0rG
yaxim will do both
-
Kev
But Swift doesn't talk about subscription requests, it just talks about Add Contact.
-
daniel
Did ejabberd start announcing that stream feature?
-
daniel
Because at some point it had support but didn't announce the feature, which doesn't make sense since the RFC tells clients to only use it if the feature is announced
-
Ge0rG
I wonder how many of my Swift issues got fixed for 4.0.
-
Ge0rG
daniel: I'm using it anyway.
- Ge0rG is a lazy and ignorant client dev
-
jonasw
Ge0rG, you do know that prosody doesn’t support it?
-
Ge0rG
jonasw: I know.
-
Ge0rG
jonasw: but what's the worst thing that can happen if I send a pre-approval to a non-supporting server?
-
jonasw
<malformed-request/> stream error.
-
daniel
Stream error
-
daniel
😂
-
jonasw
ah, <invalid-xml/>
-
Ge0rG
but it is valid xml. It just comes at the wrong time
-
jonasw
Ge0rG, invalid XML is for things which do not pass schema validation
-
Ge0rG
she-what? :P
-
jonasw
granted, I’d argue that such a server would be pretty weirdly designed to begin with
-
Ge0rG
jonasw: auto-generated by the schema-to-code thing we talked about yesternight.
- Ge0rG &
-
jonasw
fg
-
Ge0rG
Bad memory access (SIGBUS)
-
lovetox
in attic there is missing version 3.0 and 3.1 of httpupload https://xmpp.org/extensions/xep-0363.html
-
jonasw
there is no 3.0
-
jonasw
or 3.1
-
jonasw
do you mean 0.3.0 and 0.3.1?
-
jonasw
(which are also missing, indeed)
-
jonasw
I’ll regenerate them
-
lovetox
yes i meant those
-
jonasw
will be up shortly
-
lovetox
thanks
-
jonasw
spoiler: 0.3.1 is only a typo fix ;)
-
jonasw
lovetox, will be available within the next five minutes
- Ge0rG starts tea timer
-
lovetox
what funny attack can you do if you have newline chars in a header value
-
lovetox
talking about httpupload
-
jonasw
lovetox, escape from the header, depending on the brokenness of implementations involved
-
lovetox
the authorization value is base64 encoded
-
lovetox
this means i execute on that value .strip('\n')
-
lovetox
not decode it and execute it on that
-
MattJ
Correct
-
lovetox
kk thanks
-
jonasw
lovetox, that’s not sufficient
-
MattJ
The client is not expected to understand what the headers are
-
jonasw
.replace("\n", "") is safer
-
jonasw
or if "\n" in header_value: raise RuntimeError("gtfo")
-
lovetox
thats indeed better
-
lovetox
i should just not upload to a service providing xep violating stuff
-
jonasw
probably
-
lovetox
oops, strip is only for beginning and end, indeed that would not be enough
-
jonasw
t
-
Ge0rG
Http upload is a small security nightmare.
-
Ge0rG
BTW, was there a change already restricting the legal header values?
-
Ge0rG
> Requesting entities MUST ensure that only the headers that are explicitly allowed by this XEP (Authorization, Cookie, Expires) are copied from the slot response to the HTTP request.
Ah, yes. But it's still not enforced at protocol level
-
rion
I've applied this restriction to Psi
-
Ge0rG
> MUST strip any newline characters
I wonder whether "newline characters" is too vague, as it's implementation defined
-
moparisthebest
has anyone tried (ab)using SOCKS5 Bytestreams https://xmpp.org/extensions/xep-0065.html to poke at internal network stuff?
-
moparisthebest
there aren't any security considerations about it
-
rion
Do you mean sending something w/o opening a filetransfer session or something?
-
rion
or traffic encryption
-
Zash
moparisthebest: but both parties connect to the server, the server doesn't initiate anything outbound
-
Zash
moparisthebest: you might be able to trick remote clients into such things tho
-
moparisthebest
like, the server has access to a 10.X.X.X private subnet external users do not have access to, can an external client do bad things
-
moparisthebest
yea that's another way to do it
-
Ge0rG
You'd have to trick the client to connect to a "proxy" you defined
-
Zash
I forget the details, but doesn't one party pick the proxies, the other responds with one it can connect to.
-
Ge0rG
I never knew the details, so...
-
peter
interesting reading: https://irisate.com/crdt-for-real-time-collaborative-apps/
-
MattJ
It feels like only yesterday when Operation Transformation was the best thing ever
-
Kev
You've gotten old.
-
MattJ
*Operational
-
MattJ
:(
-
Kev
Don't feel bad, I'll catch up soon.
-
lovetox
i found this in gajim code
-
lovetox
when creating TLS connection we pass a cipher list
-
lovetox
'HIGH:!aNULL:RC4-SHA'
-
lovetox
is this up to date?!
-
lovetox
i have no clue about ciphers :/
-
Zash
If it's using a modern OpenSSL then I don't think you need to worry.
-
Zash
Only 'HIGH' seems to matter. Removing ciphers without authentication (aNULL) from the set of "highly secure" ciphers (HIGH) does nothing.
-
Zash
And RC4 doesn't seem to exist anymore.
-
SamWhited
Still, that doesn't seem like a good sign…
-
Holger
Zash: Unless things changed recently, HIGH does include aNULL ciphers.
-
Zash
Oh
-
Zash
Indeed
-
Zash
Hidden among all the various auth mechanisms that aren't used either
-
SamWhited
I'm more concerned that they would try to select RC4, regardless of whether it still exists in openssl or not.
-
Zash
$ diff -u <(openssl ciphers -v HIGH) <(openssl ciphers -v 'HIGH:!aNULL')|q https://q.zash.se/324a465c00bf.txt
-
Zash
on Debian Stable with OpenSSL 1.1.0f
-
Zash
SamWhited: It's pretty good compared to cipher lists like this: https://q.zash.se/da0ffe1f3f82.txt
-
SamWhited
What's that from?
-
Zash
Oooooooooold Jitsi
-
Zash
Possibly from 2013
-
Zash
https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/
-
Zash
From those days
-
SamWhited
fun… Java things always seem to be behind.
-
SamWhited
huh, apparently RC4 was considered broken later than I thought
-
Zash
Defaults were pretty bad back then in most things.
-
SamWhited
Still though, if you're still recommending it today that's a pretty big red flag for gajim…
-
Zash
Hasn't RC4 been considered "icky but let's not worry too much about it" since forever?
-
SamWhited
I was thinking it was late 2013, but apparently it was 2015 that the IETF stopped telling people to use it in TLS.
-
Zash
Comparing the current situation with that post would probably be interesting.