XSF Discussion - 2019-09-10


  1. Ge0rG has left
  2. marc_ has left
  3. aj has joined
  4. pdurbin has joined
  5. sonny has left
  6. neshtaxmpp has left
  7. neshtaxmpp has joined
  8. peter has joined
  9. stpeter has joined
  10. debacle has left
  11. pdurbin has left
  12. peter has left
  13. j.r has left
  14. j.r has joined
  15. zach has left
  16. zach has joined
  17. stpeter has left
  18. UsL has left
  19. UsL has joined
  20. lskdjf has left
  21. lskdjf has joined
  22. lskdjf has left
  23. lskdjf has joined
  24. lskdjf has left
  25. lskdjf has joined
  26. mukt2 has joined
  27. stpeter has joined
  28. peter has joined
  29. lskdjf has left
  30. lskdjf has joined
  31. mukt2 has left
  32. lskdjf has left
  33. lskdjf has joined
  34. lskdjf has left
  35. lskdjf has joined
  36. remko has joined
  37. lskdjf has left
  38. remko has left
  39. neshtaxmpp has left
  40. neshtaxmpp has joined
  41. zach has left
  42. zach has joined
  43. pdurbin has joined
  44. peter has left
  45. pdurbin has left
  46. zach has left
  47. zach has joined
  48. stpeter has left
  49. adiaholic has joined
  50. adiaholic has left
  51. adiaholic has joined
  52. adiaholic has left
  53. Yagiza has joined
  54. pdurbin has joined
  55. UsL has left
  56. adiaholic has joined
  57. UsL has joined
  58. adiaholic has left
  59. adiaholic has joined
  60. adiaholic has left
  61. adiaholic has joined
  62. adiaholic has left
  63. mukt2 has joined
  64. adiaholic has joined
  65. andy has joined
  66. zach has left
  67. neshtaxmpp has left
  68. zach has joined
  69. jrmu has joined
  70. mukt2 has left
  71. adiaholic has left
  72. remko has joined
  73. mukt2 has joined
  74. adiaholic has joined
  75. Nekit has joined
  76. murabito has left
  77. murabito has joined
  78. zach has left
  79. zach has joined
  80. mukt2 has left
  81. rion has left
  82. rion has joined
  83. remko has left
  84. adiaholic has left
  85. jabberjocke has left
  86. jabberjocke has joined
  87. adiaholic has joined
  88. zach has left
  89. zach has joined
  90. mukt2 has joined
  91. lumi has joined
  92. adiaholic has left
  93. adiaholic has joined
  94. mimi89999 has left
  95. neshtaxmpp has joined
  96. karoshi has joined
  97. mimi89999 has joined
  98. mukt2 has left
  99. mukt2 has joined
  100. rion has left
  101. rion has joined
  102. jabberjocke has left
  103. mukt2 has left
  104. moparisthebest has left
  105. mukt2 has joined
  106. moparisthebest has joined
  107. goffi has joined
  108. zach has left
  109. zach has joined
  110. Steve Kille has left
  111. U+061C has joined
  112. marc_ has joined
  113. adiaholic has left
  114. Ge0rG has joined
  115. jonas’ pep., ask a vegetarian
  116. zach has left
  117. zach has joined
  118. Steve Kille has joined
  119. jabberjocke has joined
  120. flow ralphm, if I am not mistaken, the current rules of rfc7622 disallow unassigned to in resourceparts, domainparts and probably also localparts
  121. flow i'd say the spec is sound and as sensible as possible, it is the implementations that do not follow the rules and so, once in a while, an invalid jid slips through. That's the main motivation for creating the jid/xmpp strings testframework and the valid/invalid jid corpus
  122. jonas’ flow, except that RFC 7622 does not pin the unicode version
  123. jonas’ so one entity running on Unicode 10 could consider something as legitimate which an entity on Unicode 9 would not
  124. mukt2 has left
  125. mukt2 has joined
  126. flow jonas’, right, but as I said earlier, I would consider this to be very rare. But I could be wrong. And I don't think there is a better solution, happy to be proven wrong though
  127. zach has left
  128. zach has joined
  129. flow That is, I think the tradeoff of not pinning the unicode version is justified
  130. flow At least the troubles we had so far are not caused by not pinning the unicode version, as far as i can tell
  131. adiaholic has joined
  132. Ge0rG No, but they have the same symptoms
  133. marc_ has left
  134. ralphm Isn't my example a sign of why this is a problem? Emoji are all Symbols (So), I believe, and as such valid in parts of JIDs. Differing Unicode versions have different ideas on newer codepoints, so also on validity of JIDs?
  135. Mikaela has joined
  136. Ge0rG If we don't want to break the experience for everybody when somebody employs new unicode, we need to accept unassigned as valid from remote entities
  137. ralphm The problem with that, though, is unassigneds that become prohibited.
  138. remko has joined
  139. ralphm Like U+061C.
  140. ralphm Since the foremost expert on this is Peter, I suggest someone write an email about this to standards@. He's busy, but it's more likely he can respond there.
  141. Ge0rG I'm not sure he'll be able to solve that problem either ;)
  142. ralphm No, but he can at least confirm we have this problem and/or know about strategies.
  143. wurstsalat has joined
  144. adiaholic has left
  145. jonas’ 07:07:12 Ge0rG> If we don't want to break the experience for everybody when somebody employs new unicode, we need to accept unassigned as valid from remote entities
  146. jonas’ that’s only a partial solution
  147. jonas’ codepoints may change categories and stuff between unicode versions
  148. jonas’ and an unassigned codepoint in one version may well be a RTL-codepoint in another version
  149. jonas’ so by accepting unassigned input, you may accept something which someone else will consider invalid.
  150. jonas’ unicode is a mess.
  151. jonas’ ah, ralphm said that alread
  152. jonas’ ah, ralphm said that already
  153. zach has left
  154. zach has joined
  155. U+061C has left
  156. adiaholic has joined
  157. mukt2 has left
  158. mukt2 has joined
  159. jubalh has joined
  160. zach has left
  161. zach has joined
  162. aj has left
  163. mukt2 has left
  164. Dele (Mobile) has joined
  165. mukt2 has joined
  166. marc_ has joined
  167. flow well, since the problem is mostly in resourceparts, localparts and domainparts forbid emojis, we should probably establish a pattern that resourceparts are not user-configurable nor user-visible. Shame on you xep45! I wonder what the state in MIX is
  168. flow And we should probably add a note to xep45 that the use of certain unicode categories is discouraged
  169. flow But I don't want to be the person to discourage emojis in muc usernames…
  170. jonas’ flow, passwords and such are also affected.
  171. flow jonas’, how's that?
  172. Ge0rG localparts can be Emoji as well.
  173. jonas’ flow, passwords are also passed through stringprep/precis
  174. flow Ge0rG, localparts are UsernameCaseMapped profile of the IdentifierClass, and that class forbids symbols under which emojis fall, no?
  175. flow Maybe not all emojis, haven't checked them all
  176. ralphm In MIX, nicks are an attribute of a participant, not part of their identity. However, it also says you have to follow https://tools.ietf.org/html/rfc7700
  177. ralphm Which in turn depends on Precis FreeformClass, and thus has the same issues as resources.
  178. lumi has left
  179. flow guess users just want emojis in their nickname
  180. marc_ has left
  181. marc_ has joined
  182. flow maybe there is a unicode range reserved for future emojis?
  183. jonas’ there’s still the problem that you can’t do proper normalisation if you don’t know the codepoints
  184. flow well if the reserved range also states the properties of the eventually assigned codepoints?
  185. jonas’ that won’t work
  186. jonas’ then they could just be assigned
  187. zach has left
  188. zach has joined
  189. jonas’ stuff like how they combine with fitzpatrick modifiers
  190. flow No because you don't know yet what they are assigned to
  191. flow but if this codepoint is assigned to, then it has the following properties
  192. mukt2 has left
  193. flow btw, there is an excellent post about this topic at https://hsivonen.fi/string-length/
  194. Ge0rG flow: I have a user ♥@ツ.op-co.de
  195. flow Ge0rG, I am not surprised that you do, if that's the question
  196. ralphm flow: no, what we think of as emoji is all over the place in several Unicode blocks.
  197. flow ralphm, I suspected that to be the case
  198. Ge0rG flow: I'm not aware of it being illegag.
  199. Ge0rG flow: I'm not aware of it being illegal.
  200. ralphm http://www.unicode.org/charts/PDF/Unicode-12.0/
  201. UsL has left
  202. UsL has joined
  203. flow Anyhow, yes the situation is not perfect, and I am happy if we could improve it. I just don't know how, and I can probably live with the status quo
  204. ralphm I like the one on chess symbols: https://www.unicode.org/charts/PDF/Unicode-12.0/U120-1FA00.pdf
  205. ralphm Actually https://tools.ietf.org/html/rfc7564#section-12.3 spells out the issue quite clearly: “Strings that conform to the FreeformClass and many profiles thereof can include virtually any Unicode character. This makes the FreeformClass quite expressive, but also problematic from the perspective of possible user confusion. Protocol designers are hereby warned that the FreeformClass contains code points they might not understand, and are encouraged to profile the IdentifierClass wherever feasible; however, if an application protocol requires more code points than are allowed by the IdentifierClass, protocol designers are encouraged to define a profile of the FreeformClass that restricts the allowable code points as tightly as possible.”
  206. ralphm (there's a similar remark in the interop section 13.
  207. ralphm )
  208. jonas’ *sigh*
  209. flow sad that the emoji which could express my feelings right now is only coming in unicode 13: Smiling Face With Tear
  210. flow But is the situation really that bad? Implementations could get the latest unicode standard over some sort of data network once in a while. You don't even have to update the involved libraries etc.
  211. XSF has left
  212. jonas’ flow, is that true?
  213. jonas’ I think that highly depends on the libraries
  214. jonas’ I’m not sure how to update python unicodedata for example without updating python
  215. ralphm There are libraries that still do just resourceprep instead of Precis, simply because RFC 6122 is directly linked from RFC 6120, even though it is obsoleted by RFC 7622.
  216. ralphm One example is Twisted, which I am author of.
  217. aj has joined
  218. ralphm One could argue that with resourceprep being more restrictive, just having that is at least a bit clearer as an interop goal.
  219. ralphm To be honest, I don't know what the best course of action is in this regard.
  220. jonas’ stay with unicode 3.2 forever
  221. Ge0rG ralphm: be liberal in what you accept and strict in what you emit
  222. mukt2 has joined
  223. Zash s/emit/allow users to send/
  224. jonas’ would a MUC service be strict or liberal, regarding nicknames for example? :)
  225. ralphm Ge0rG: my argument here is that this means that something like U+061C causes problems.
  226. adiaholic has left
  227. Ge0rG Zash: yes, I implied that
  228. ralphm It was unassigned before (so not valid), then assigned (but still invalid).
  229. zach has left
  230. zach has joined
  231. ralphm But 🥓 was unassigned before (so not valid), and now assigned (but valid)
  232. Ge0rG ralphm: yes, but if the MUC service accepts it, other servers or clients receiving it from the MUC shouldn't freak out
  233. Ge0rG i.e. a MUC service can strictly police the nickname, but not the resourcepart of the users' real JID.
  234. jonas’ ralphm, it’s not invalid, it’s only invalid if used with LTR characters :)
  235. ralphm A MUC service is not something magical. It is just another server that connects to other servers over s2s and uses JIDs in addressing of stanzas.
  236. ralphm jonas’: it is invalid as it is a control character.
  237. Ge0rG ralphm: a regular server should police the resourcepart of local users, but not of remote users.
  238. ralphm jonas’: (for FreeformClass)
  239. pdurbin has left
  240. jonas’ ralphm, ah, fun
  241. remko has left
  242. remko has joined
  243. adiaholic has joined
  244. ralphm Ge0rG: well, that might be a sensible approach, indeed. I'm not sure how well that works with mapping on new code points, and what kind of normalization issues arise from that, but ok.
  245. ralphm In any case it deserves some wider attention. Maybe even to the XMPPWG mailing list.
  246. Ge0rG ralphm: framed differently: you shouldn't police any JIDs that you don't have the authority over, except when they are illegal in a breaking way, i.e. contain " or '
  247. ralphm does that include localpart?
  248. Ge0rG ralphm: what?
  249. ralphm Ge0rG: should a server do precis processing on localparts of a remote JID?
  250. aj has left
  251. ralphm Ge0rG: also, for resourcepart, should it a) use incoming JIDs as is (no processing), b) allow unassigneds, but still do Precis, c) something else.
  252. Ge0rG ralphm: I'm not sure yet where the point of no return between a and b is, for either localpart or resourcepart
  253. Ge0rG If you do a, that probably opens up some very interesting ways to break your clients
  254. jonas’ I think it boils down to: treat JIDs as opaque if you don’t have authority over them
  255. ralphm Yep, things like IV and Ⅳ.
  256. jonas’ don’t do normalisation on them, or any processing at all, just treat them as opaque sequences of codepoints
  257. ralphm (I followed by V, vs. ROMAN NUMBER 4)
  258. Ge0rG ralphm: I don't think _that_ would break things
  259. jonas’ it is the domain authority's responsibility to ensure that stuff is valid and comparable when it is emitted from there
  260. flow jonas’, I think so. You sure could build a python library that does so
  261. ralphm but you can then have different people with arguably the same nick
  262. Ge0rG ralphm: this is something the MUC has authority over.
  263. mimi89999 has left
  264. Ge0rG ralphm: if you try to enforce that on your user's server, your user will get kicked
  265. mimi89999 has joined
  266. ralphm Right
  267. flow > jonas’> ralphm, it’s not invalid, it’s only invalid if used with LTR characters :) I think it is invalid regardless of the context with rfc7622
  268. ralphm But I definitely don't want to be so lenient for localpart
  269. jonas’ ralphm, why?
  270. Ge0rG ralphm: just tear down s2s and blacklist the remote server as incompliant.
  271. ralphm flow: it is invalid in resourceprep because unassigned in 3.2, and invalid in Precis FreeformClass because it is in a prohibited class
  272. Ge0rG Conveniently, it also prevents you from contacting the server admin
  273. debacle has joined
  274. ralphm jonas’: because (bare) JIDs are identity
  275. jonas’ ralphm, from whose perspective are you currently arguing?
  276. ralphm jonas’: I don't want to accept incoming stanzas that fail precis processing on localpart
  277. jonas’ as a client? as a MUC service? as a server? as anyone?
  278. ralphm all, I guess
  279. jonas’ I see
  280. flow > jonas’> don’t do normalisation on them, or any processing at all, just treat them as opaque sequences of codepoints That would probably open up another box of issues
  281. Nekit has left
  282. Nekit has joined
  283. mukt2 has left
  284. mukt2 has joined
  285. COM8 has joined
  286. adiaholic has left
  287. adiaholic has joined
  288. flow Since Unicode does us so much good, I'd like to suggest that the XSF adopts a character (for as little as 100$, but maybe we could go for silver) before matrix does it: https://www.unicode.org/consortium/adopted-characters.html
  289. zach has left
  290. zach has joined
  291. sonny has joined
  292. COM8 has left
  293. jonas’ +1
  294. jonas’ flow, send this to board
  295. flow on my way
  296. jonas’ and find a good character thing to sponsor
  297. flow U+1F5E9 probably
  298. flow but I am open for suggestions
  299. Ge0rG I propose U+1F926
  300. Ge0rG 💡 U+1F4A1 would be too obvious, right?
  301. jonas’ uhh
  302. Seve Would be nice to have the logo as a character :D
  303. Seve Ge0rG, nope :(
  304. Seve flow's suggestion makes more sense ;)
  305. Ge0rG Seve: that can only mean you are too young.
  306. jonas’ Seve, https://www.jabber.org/
  307. Seve Nah, but I want to go forward!
  308. jonas’ ;)
  309. Seve Gaze at our bright future, my friends!
  310. debacle has left
  311. Ge0rG https://upload.yax.im/upload/8O5TitoHucjZZDeW/Screenshot_20190910-111700_Firefox.jpg
  312. jonas’ same here
  313. jonas’ we’re the future!
  314. jonas’ (a.k.a. WTF)
  315. Ge0rG Looks rather like a SEMI OPAQUE RECTANGLE
  316. ralphm flow: Discourse already has Gold on U+1F4AC, so yeah.
  317. COM8 has joined
  318. ralphm To be honest, funny as it is, I don't think we should spend any money on this.
  319. COM8 has left
  320. COM8 has joined
  321. COM8 has left
  322. COM8 has joined
  323. COM8 has left
  324. Nameless RTL person has left
  325. zach has left
  326. zach has joined
  327. remko has left
  328. pep. What's the conclusion of all this btw?
  329. pep. (Not the Unicode sponsoring bits)
  330. jonas’ pep., everything is terrible
  331. jonas’ I think the most sensible statement is around 08:38:12 ralphm> In any case it deserves some wider attention. Maybe even to the XMPPWG mailing list.
  332. pep. Can somebody(tm) put that to the agenda if they think it's appropriate?
  333. andy has left
  334. pep. So that we don't get stuck here and realize we still have the same issues in 4 years
  335. andy has joined
  336. Zash Gotta have this discussion every 4 years
  337. COM8 has joined
  338. COM8 has left
  339. COM8 has joined
  340. COM8 has left
  341. COM8 has joined
  342. zach has left
  343. zach has joined
  344. COM8 has left
  345. flow hmm, I wonder if there is a backstory behind the pile of poo gold sponsor: https://www.unicode.org/consortium/adopted-characters.html
  346. Guus I'd like to think that friends of Jason raised the money and did this behind his back.
  347. COM8 has joined
  348. COM8 has left
  349. COM8 has joined
  350. COM8 has left
  351. COM8 has joined
  352. larma has left
  353. Ge0rG Maybe that name is a kind of pseudonym with a secondary meaning?
  354. waqas has left
  355. COM8 has left
  356. COM8 has joined
  357. COM8 has left
  358. marc_ has left
  359. Guus Random quote found through google: "that's a shitty way to spend 5000 USD"
  360. COM8 has joined
  361. COM8 has left
  362. Ge0rG I suppose there are enough rich brogrammers in the valley
  363. COM8 has joined
  364. debacle has joined
  365. kokonoe has joined
  366. COM8 has left
  367. larma has joined
  368. remko has joined
  369. debacle has left
  370. Douglas Terabyte has left
  371. kokonoe has left
  372. Douglas Terabyte has joined
  373. Nameless RTL person has joined
  374. kokonoe has joined
  375. pdurbin has joined
  376. Douglas Terabyte has left
  377. Douglas Terabyte has joined
  378. pdurbin has left
  379. remko has left
  380. nyco has joined
  381. andrey.g has left
  382. sonny has left
  383. murabito has left
  384. murabito has joined
  385. zach has left
  386. zach has joined
  387. andrey.g has joined
  388. debacle has joined
  389. marc_ has joined
  390. zach has left
  391. zach has joined
  392. marc_ has left
  393. jcbrand has joined
  394. stpeter has joined
  395. peter has joined
  396. sonny has joined
  397. zach has left
  398. zach has joined
  399. lumi has joined
  400. mukt2 has left
  401. mukt2 has joined
  402. Maranda has left
  403. Maranda has joined
  404. zach has left
  405. zach has joined
  406. marc_ has joined
  407. nyco has left
  408. adiaholic has left
  409. adiaholic has joined
  410. marc_ has left
  411. zach has left
  412. zach has joined
  413. larma has left
  414. COM8 has joined
  415. COM8 has left
  416. COM8 has joined
  417. COM8 has left
  418. larma has joined
  419. lskdjf has joined
  420. kokonoe has left
  421. remko has joined
  422. COM8 has joined
  423. COM8 has left
  424. COM8 has joined
  425. zach has left
  426. zach has joined
  427. COM8 has left
  428. adiaholic has left
  429. adiaholic has joined
  430. pdurbin has joined
  431. LNJ has joined
  432. jabberjocke has left
  433. pdurbin has left
  434. jabberjocke has joined
  435. zach has left
  436. zach has joined
  437. peter has left
  438. dele has joined
  439. dele has left
  440. jabberjocke has left
  441. dele has joined
  442. dele has left
  443. zach has left
  444. zach has joined
  445. stpeter has left
  446. Daniel has left
  447. Daniel has joined
  448. eevvoor has joined
  449. Daniel has left
  450. Daniel has joined
  451. Zash has left
  452. Zash has joined
  453. stpeter has joined
  454. COM8 has joined
  455. COM8 has left
  456. zach has left
  457. zach has joined
  458. adiaholic has left
  459. edhelas has left
  460. lumi has left
  461. marc_ has joined
  462. edhelas has joined
  463. stpeter has left
  464. jabberjocke has joined
  465. zach has left
  466. zach has joined
  467. aj has joined
  468. COM8 has joined
  469. COM8 has left
  470. COM8 has joined
  471. COM8 has left
  472. COM8 has joined
  473. COM8 has left
  474. COM8 has joined
  475. COM8 has left
  476. COM8 has joined
  477. zach has left
  478. zach has joined
  479. COM8 has left
  480. stpeter has joined
  481. COM8 has joined
  482. COM8 has left
  483. Zash has left
  484. Zash has joined
  485. stpeter has left
  486. j.r has left
  487. alameyo has left
  488. alameyo has joined
  489. zach has left
  490. zach has joined
  491. stpeter has joined
  492. peter has joined
  493. pdurbin has joined
  494. Chobbes has joined
  495. adiaholic has joined
  496. balu_der_baer has joined
  497. zach has left
  498. zach has joined
  499. adiaholic has left
  500. adiaholic has joined
  501. ralphm For those involved in the Unicode discussion: I wrote to the XMPPWG mailing list: https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI
  502. pep. thanks
  503. j.r has joined
  504. jonas’ <3 thanks
  505. jonas’ where do I subscribe?
  506. ralphm https://www.ietf.org/mailman/listinfo/xmpp
  507. Zash thanks ralphm!
  508. ralphm and beware IETF Note Well https://www.ietf.org/about/note-well/
  509. pep. "there are implementations and deployments performing the obsoleted stringprep." you mean all (at least public) implementations? :P
  510. Kev I raised this sooooo long ago (back when we were discussing using precis for JIDs in the first place).
  511. Chobbes has left
  512. Kev The opinion then, as I remember it, was mostly to not worry about it and assume it won't cause practical interop problems that people might be talking different versions of unicode.
  513. jonas’ given that we had a fun unicode version interop problem the other day, I think we can safely bury that assumption
  514. Kev That's ok, I didn't believe it at the time :)
  515. jonas’ good :)
  516. ralphm :-D
  517. Ge0rG 🤖 will disagree on that
  518. jonas’ that is also PRECISely my problem with it.
  519. jonas’ someone had to say this, and now it’s out of the way, you can all thank me.
  520. jonas’ ;)
  521. pdurbin has left
  522. ralphm 🤦‍♂️
  523. ralphm Kev: I guess that was all before we got gazillions of emoji that are valid in resources.
  524. balu_der_baer has left
  525. balu_der_baer has joined
  526. rion has left
  527. Ge0rG Yeah, somebody hijacked the Unicode consortium to do things actually relevant to the bigger populace
  528. Zash 𒈜
  529. balu_der_baer has left
  530. COM8 has joined
  531. zach has left
  532. zach has joined
  533. Wojtek has joined
  534. Wojtek has left
  535. balu_der_baer has joined
  536. COM8 has left
  537. mukt2 has left
  538. COM8 has joined
  539. COM8 has left
  540. mukt2 has joined
  541. COM8 has joined
  542. j.r has left
  543. COM8 has left
  544. COM8 has joined
  545. jonas’ where was this repository where Daniel explains how the push service for Conversations works and which data is passed to google exactly?
  546. zach has left
  547. zach has joined
  548. jonas’ ah, found it
  549. jonas’ https://github.com/iNPUTmice/p2
  550. lumi has joined
  551. COM8 has left
  552. winfried has left
  553. winfried has joined
  554. j.r has joined
  555. COM8 has joined
  556. COM8 has left
  557. COM8 has joined
  558. jabberjocke has left
  559. jabberjocke has joined
  560. zach has left
  561. zach has joined
  562. mukt2 has left
  563. COM8 has left
  564. mukt2 has joined
  565. jabberjocke has left
  566. mukt2 has left
  567. adiaholic has left
  568. zach has left
  569. zach has joined
  570. adiaholic has joined
  571. winfried has left
  572. winfried has joined
  573. mukt2 has joined
  574. mukt2 has left
  575. winfried has left
  576. winfried has joined
  577. zach has left
  578. zach has joined
  579. mukt2 has joined
  580. Steve Kille has left
  581. Steve Kille has joined
  582. pdurbin has joined
  583. rion has joined
  584. jabberjocke has joined
  585. adiaholic has left
  586. winfried has left
  587. winfried has joined
  588. pdurbin has left
  589. debacle has left
  590. marc_ has left
  591. zach has left
  592. zach has joined
  593. mukt2 has left
  594. mukt2 has joined
  595. Zash Cool story bro
  596. eevvoor has left
  597. mukt2 has left
  598. alameyo has left
  599. alameyo has joined
  600. winfried has left
  601. winfried has joined
  602. winfried has left
  603. winfried has joined
  604. mukt2 has joined
  605. alameyo has left
  606. adiaholic has joined
  607. aj has left
  608. alameyo has joined
  609. zach has left
  610. zach has joined
  611. marc_ has joined
  612. zach has left
  613. zach has joined
  614. alameyo has left
  615. alameyo has joined
  616. waqas has joined
  617. alameyo has left
  618. waqas has left
  619. zach has left
  620. zach has joined
  621. waqas has joined
  622. waqas has left
  623. waqas has joined
  624. mr.fister has joined
  625. stpeter has left
  626. peter has left
  627. stpeter has joined
  628. peter has joined
  629. waqas has left
  630. alameyo has joined
  631. zach has left
  632. zach has joined
  633. lovetox has joined
  634. zach has left
  635. zach has joined
  636. pep. > 𒈜 What was that
  637. Zash 😉
  638. pdurbin has joined
  639. Guus Hmm, I'm missing the message to which Zash responded "cool story bro"
  640. Guus https://igniterealtime.org:443/httpfileupload/5c99fd39-7a01-40ab-8da9-b3e97d387824/rnGY3VwZTG6XbONXbZUg_g.jpg
  641. Zash Odd, it's in Dino but not poezio
  642. Guus I saw it in Converse, not Conversations.
  643. Guus More unicode magic?
  644. pep. indeed I don't see it.
  645. Ge0rG Something something message dedup?
  646. Guus It's only in Converse that I noticed the "I am groot" message.
  647. peter has left
  648. Guus I already wondered why Zash was reacting with that on the message that I saw before it.
  649. Ge0rG Guus: me too
  650. Ge0rG Now I want to see the xml
  651. Guus Unsure if it's in MAM
  652. Zash It's not in the MUC MAM
  653. mukt2 has left
  654. Zash Ok, what trickery is this
  655. Ge0rG Can anybody post the XML?
  656. jonas’ and I was wondering why Zash thought my finding of the p2 repository was a cool story
  657. Zash Can't post the XML. Can't even find the corresponding line in my logs.
  658. zach has left
  659. pdurbin has left
  660. zach has joined
  661. Daniel it's not in my dino
  662. moparisthebest it showed up in my dino
  663. Ge0rG It's a carbon.
  664. Daniel a carbon in a muc?
  665. neshtaxmpp has left
  666. moparisthebest https://burtrum.org/up/7fa35ad6-3c2e-4f19-b0a2-acb54255d6ee/open-screeny-16761.png
  667. Ge0rG
       <message to="georg@yax.im/poezio" id="718d40df-3948-4798-a99b-35cc9f03cc4f-641" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer">
         <received xmlns="urn:xmpp:carbons:2">
           <forwarded xmlns="urn:xmpp:forward:0">
             <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/i_am_groot">
               <body>I am groot.</body>
             </message>
           </forwarded>
         </received>
       </message>
  668. Daniel so any client that shows it potentially has f'uped carbon parsing?
  669. Zash Royally
  670. moparisthebest yep missing from my Conversations though, neat
  671. moparisthebest I love that mysterious bug finder
  672. winfried has left
  673. winfried has joined
  674. Daniel Ge0rG, do you just dump all the xml?
  675. winfried has left
  676. winfried has joined
  677. Ge0rG Daniel: that's from poezio debug log file
  678. Ge0rG Everything old is new again. https://www.cvedetails.com/cve/CVE-2017-5589/
  679. Daniel sadly i think dino even existed back then
  680. Guus It's interesting to ponder on how this can be utilized to have covert discussions en plein public
  681. Ge0rG moparisthebest: Guus: can you open bug reports?
  682. moparisthebest Daniel, but you said it *didn't* display in your dino? but it did in mine... what version do you have?
  683. winfried has left
  684. winfried has joined
  685. Zash Guus, MUC PMs seems simpler
  686. Daniel HEAD
  687. Daniel but maybe it wasn’t stored in muc history
  688. Guus Zash: where's the fun in that though
  689. Daniel so don’t count on that
  690. moparisthebest AH that makes more sense
  691. Guus Ge0rG: wilco
  692. moparisthebest mine is built from git HEAD too, but trying to figure out exactly when...
  693. winfried has left
  694. Ge0rG Also I need to talk to our content manager because the advisory url is 404
  695. winfried has joined
  696. Zash Mine is whatever Debian package from OBS, and I saw it.
  697. Guus jcbrand: ^^
  698. Daniel converse showed it as well?
  699. Ge0rG Funny how the month changed... https://rt-solutions.de/en/2017/01/cve-2017-5589_xmpp_carbons/
  700. Daniel sigh
  701. Ge0rG Converse was affected back then.
  702. stpeter has left
  703. Ge0rG balu_der_baer: are you a pentester or is your client broken?
  704. Daniel that does not look like a broken client
  705. Daniel (on the sending end)
  706. winfried has left
  707. winfried has joined
  708. Ge0rG Daniel: something like delayed delivery gone very much wrong?
  709. Daniel how? why?
  710. Ge0rG Next up: unrequested MAM impersonation
  711. moparisthebest the `i_am_groot` seems like a dead giveaway for deliberate test
  712. moparisthebest otherwise that'd be an insanely odd client bug
  713. winfried has left
  714. winfried has joined
  715. Daniel there is so much low hanging fruit to pick in the xmpp world
  716. Ge0rG It's good that somebody does the testing. And this place is actually well suited
  717. Zash So what's next, shall we try the MEGALOL-attack?
  718. Guus It would have been nice to share findings though.
  719. Guus I found out by accident.
  720. moparisthebest isn't that what that was? :D
  721. Daniel i mean i was wondering why Zash found the p2 story so interesting…
  722. pep. Daniel, same :D
  723. Ge0rG Heh.
  724. Nekit has left
  725. Ge0rG "complain loudly if you can read this"
  726. pep. haha
  727. moparisthebest so you can probably impersonate actual people that are in the MUC right?
  728. Ge0rG moparisthebest: yes
  729. Nekit has joined
  730. Daniel depending on how fucked it is not just muc
  731. Ge0rG moparisthebest: most probably you can impersonate anyone, even outside of the MUC
  732. Ge0rG moparisthebest: read the CVE
  733. moparisthebest right, sweet
  734. remko has left
  735. moparisthebest yea I just meant the XML groot just sent was MUC only, and implied you could impersonate anyone
  736. moparisthebest I'd seen the old general carbons CVE before though
  737. Ge0rG It's not really new
  738. zach has left
  739. zach has joined
  740. Ge0rG We should have a test suite for clients.
  741. Daniel i wouldn’t be shocked if dino was vulnerable to CVE-2015-8688
  742. Douglas Terabyte has left
  743. Ge0rG https://wiki.xmpp.org/web/Client_Test_Cases
  744. Douglas Terabyte has joined
  745. lovetox so is this covered by this line in the XEP
  746. Daniel someone should try; probably...
  747. lovetox Any forwarded copies received by a Carbons-enabled client MUST be from that user's bare JID
  748. lovetox ?
  749. Daniel lovetox, yes
  750. lovetox someone can't fake a message from a bare muc jid
  751. Guus Uff, this was hard on mobile. https://github.com/conversejs/converse.js/issues/1704
  752. Guus Please augment if needed
  753. Daniel lovetox, it's not bare jid. just the user's bare jid is allowed
  754. Daniel there shouldn’t be carbons in mucs
  755. lovetox yeah but the server is responsible that there are none
  756. lovetox at least that says the xep
  757. Daniel huh?
  758. Daniel your carbons parsing code needs to be wrapped in an if from == null || from == my_account_jid
  759. lovetox ah i get it
  760. lovetox yes must be from my account bare jid
  761. lovetox not a "user"
  762. Daniel which excludes the shit balu sent
  763. lovetox yes
  764. adiaholic has left
  765. adiaholic has joined
  766. lovetox
       # Carbon must be from our bare jid
       if stanza.getFrom() != own_jid.getBare():
           raise InvalidFrom('Invalid from: %s' % stanza.getAttr('from'))
  767. lovetox was scared i fucked up :) but seems i did this right
  768. pep. That's not a new bug, gajim would have probably been tested at that time :)
  769. Ge0rG I've added a section to the test cases
  770. pep. thanks
  771. Ge0rG Still looking for somebody who can implement them
  772. Ge0rG Would probably have to be a component for the MUC parts
  773. Ge0rG OTOH, a bot could fake being a MUC, right?
  774. lovetox yes pep., but as of course i think i can do everything better, i reimplement much code, also carbon parsing
  775. Zash This carbons thing could be done by a bot
  776. pep. hehe
  777. pep. lovetox, tests!
  778. Ge0rG It was a huge strain on my eyes, my fingers and my patience to add those three lines to the wiki from my android phone.
  779. lovetox though it's much harder with MAM
  780. lovetox i only accept mam messages with query-ids that i'm actually waiting for
  781. Daniel well you do…
  782. Daniel and yes can confirm that dino is vuln to https://gultsch.de/gajim_roster_push_and_message_interception.html
  783. Daniel why does this shit keep happening
  784. Daniel #BSG
  785. Zash BSG!
  786. pep. BSG?
  787. Daniel so question is do i fix it now?
  788. Nekit has left
  789. Ge0rG Daniel: can you do a roster push through a MUC?
  790. zach has left
  791. zach has joined
  792. Daniel Ge0rG: looking at the code I'm relatively certain you could
  793. Ge0rG Yay.
  794. pep. let's try?
  795. Daniel Haven't tested that one tho
  796. Daniel You have to get lucky to get your iq routed I guess. Lol
  797. adiaholic has left
  798. adiaholic has joined
  799. Ge0rG Daniel: only with MSN
  800. moparisthebest is there a generic bot/component someplace that can just try all of these things against a JID
  801. pep. Which is probably the default in this MUC
  802. pep. So not a correct target
  803. moparisthebest so it can be used across projects
  804. Ge0rG moparisthebest: write one please! https://wiki.xmpp.org/web/Client_Test_Cases#Staying_inside
  805. moparisthebest it would probably be hard to write it with most existing libraries, they tend to try to insist on you sending proper things
  806. Daniel Glad the spammers haven't found out how to put themselves right into your roster
  807. Daniel The cool thing about that CVE is due to roster versioning it also won't go away
  808. moparisthebest I'd gladly accept spam from such a smart spammer though
  809. Daniel So my Dino will be stuck with that test jid I injected
  810. moparisthebest might even buy what he's selling
  811. Yagiza has left
  812. Ge0rG moparisthebest: it would get propagated into the spam sending tools and used by dozens of spammers within some weeks
  813. Daniel So who is going to collect the CVE for mam injection in multiple clients?
  814. adiaholic has left
  815. lumi has left
  816. Ge0rG Daniel: let's wait half a year until there is a significant deployed base
  817. Daniel 🔥
  818. Douglas Terabyte has left
  819. Douglas Terabyte has joined
  820. Ge0rG Other than that, I'll gladly volunteer. I need some more CVEs on my CV
  821. jcbrand has left
  822. Zash CVEs go on your CV?
  823. Ge0rG Zash: yes
  824. lovetox thats why they start with CV..
  825. Zash :D
  826. Ge0rG Curriculum Vitae Extension.
  827. Ge0rG Do we have an up to date entity caps database?
  828. lumi has joined
  829. lovetox has left
  830. balu_der_baer Can you see me?
  831. pep. Only the hash? Or all features? If it's just hashes, movim probably has a few up to some point in the past(?) https://nl.movim.eu/?about#caps_widget_tab, otherwise I'm sure you can gather some by running code on prosody
  832. pep. balu_der_baer, yes
  833. zach has left
  834. zach has joined
  835. Zash A wild haxxor appears
  836. Ge0rG balu_der_baer: no
  837. Ge0rG pep.: all the features. Looking for clients with MAM
  838. Daniel Mam doesn't show up in Caps
  839. Daniel Shouldn't show up. Lpl
  840. Ge0rG Then I'll hack something into mod_mam
  841. Daniel Shouldn't show up. 😂
  842. Zash Nothing says you can't do client-to-client MAM ;)
  843. Ge0rG Zash: MAM Push!
  844. Zash Idea from long ago: Make a bot that connects to your account and enables carbons, then lets you query it.
  845. pep. Zash: that's actually been mentioned a few times..
  846. Ge0rG Like posting some Carbons when upgrading from 1:1 to a private MUC!
  847. pep. (c2c MAM)
  848. Daniel There used to be an ad hoc command that did something like that
  849. Zash pep.: nothing new under the sun.
  850. Daniel Only for unread I believe
  851. Zash Yeah, that too
  852. Daniel from reading the code it looks like dino has disabled code that would have checked for the origin of a mam message
  853. j.r has left
  854. j.r has joined
  855. Link Mauve has left
  856. Link Mauve has joined
  857. Daniel and yes it is in fact vulnerable
  858. Daniel (just wanted to beat Ge0rG to it)
  859. Guus Daniel: a worthy goal.
  860. zach has left
  861. zach has joined
  862. U+061C has joined
  863. pep. I don't want to swear that slix isn't.
  864. pep. (or poezio)
  865. eevvoor has joined
  866. mathieui vulnerable to what?
  867. Daniel to the MAM thing? no i bet it will be more than just dino
  868. mathieui we don’t check the origin, but you have to guess the (fully-random) mam ID
  869. mathieui (slix matchers make checking for multiple things a bit tricky, so to fix that we would have to write an "xml mask")
  870. Ge0rG Daniel: keep us updated on your advisory
  871. moparisthebest so this time balu_der_baer 's "Can you see me?" showed up in Conversations but not dino, fun stuff
  872. Daniel was that anything critical?
  873. moparisthebest Ge0rG, got raw XML for that one?
  874. pep. 04:48:04 IN <message xml:lang="en" from="xsf@muc.xmpp.org/Daniel" type="groupchat" to="pep@bouah.net/poezio-C7iY" id="e682bdd7-d98c-4cfd-9c59-fb9e5f9a6d8a"><origin-id xmlns="urn:xmpp:sid:0" id="e682bdd7-d98c-4cfd-9c59-fb9e5f9a6d8a" /><replace xmlns="urn:xmpp:message-correct:0" id="00dc00d3-ae5f-4572-b6c3-4b9e95445e5b" /><body>Shouldn&apos;t show up. 😂 </body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-10-f3fa92f3f7cb7366" /></message>
  875. pep. heh
  876. U+061C it's not my fault this time!
  877. Ge0rG Daniel: no, just interested. I'd be glad to co-author as well
  878. pep. noo, poezio has only 2k lines in the xml_tab.. gonna grep logs now
  879. moparisthebest didn't see that one in either place pep.
  880. pep. moparisthebest, neither did I, just looking at xml logs
  881. Daniel pep., what's that?
  882. Ge0rG moparisthebest: sigh
  883. Ge0rG <message to="georg@yax.im/poezio-IS8H" id="718d40df-3948-4798-a99b-35cc9f03cc4f-13F5" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer"> <body>Can you see me?</body> <received xmlns="urn:xmpp:carbons:2"> <forwarded xmlns="urn:xmpp:forward:0"> <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer" /> </forwarded> </received> </message>
  884. Ge0rG It was a message that also contained a carbon
  885. Daniel but that's ok to show up?
  886. Daniel probably?
  887. moparisthebest strange that dino doesn't show that one but Conversations does
  888. Daniel i mean both is fine i guess
  889. Ge0rG Yes, that's okay
  890. moparisthebest so dino does have filtering? it's just wrong
  891. pep. What was that XEP that says "don't send everything in the same payload"
  892. Daniel no i wouldn’t blame dino for not showing that
  893. Ge0rG balu_der_baer: next time add another body to the carbon
  894. Daniel moparisthebest, no it just goes down the carbons pipe
  895. Daniel and then the carbon doesn’t have anything
  896. Daniel Ge0rG, well that will show up in dino
  897. Daniel but with the message from within the carbon
  898. U+061C out of curiosity, can you put a carbon into a carbon?
  899. Daniel no
  900. Ge0rG pep.: https://xmpp.org/extensions/xep-0226.html
  901. pep. right that
  902. U+061C i mean, what will clients do if they receive a carbon within a carbon?
  903. Daniel just ignore it
  904. moparisthebest I'm just awaiting the circular fastening
  905. Daniel or parse the outer body if there is one
  906. pep. Daniel, that's what you'd hope they do
  907. Daniel well at least for dino (even with the bug) and Conversations
  908. Daniel and almost def Gajim
  909. Daniel until we bring full stanzas into the mix
  910. Daniel then other funny things might happen
  911. Ge0rG U+061C: only if the client has a recursive carbon parser
  912. moparisthebest it'd be odd to have code to parse carbons recursively
  913. Daniel yes
  914. moparisthebest any clients written in lisp around? :D
  915. U+061C that emacs client?
  916. dele has joined
  917. Ge0rG moparisthebest: a message parsing function that extracts the forwarded payload and passes it to the message parsing function? Sounds rather plausible
  918. Daniel but hey with Xabber doing their own thing we will soon have new CVEs instead of having to recycle the old ones
  919. moparisthebest could be
  920. dele has left
  921. pep. Zash, unrelated, what conversejs version is running on xmpp.org btw?
  922. dele has joined
  923. Zash Probably just the CDN version.
  924. pep. ah it says on the page
  925. pep. 5.0.1
  926. Nekit has joined
  927. dele has left
  928. dele has joined
  929. pdurbin has joined
  930. balu_der_baer Anyone know if this is the latest version of Prosody running here?
  931. Zash It's not
  932. Zash /version xmpp.org
  933. Daniel is today the picking low hanging fruit day?
  934. Zash s/day/week/?
  935. Daniel i also kinda want to rewatch BSG now
  936. sonny has left
  937. pdurbin has left
  938. dele has left
  939. Zash All this has happened before, and it will happen again, and again, and again
  940. balu_der_baer
  941. jonas’ has left
  942. jonas’ has joined
  943. grooty has joined
  944. grooty has left
  945. sonny has joined
  946. Daniel so yeah since people have started to exploit the dino roster push i should probably take this offline
  947. zach has left
  948. zach has joined
  949. david has left
  950. david has joined
  951. zach has left
  952. zach has joined
  953. lumi has left
  954. debacle has joined
  955. j.r has left
  956. eevvoor has left
  957. LNJ has left
  958. goffi has left
  959. Nekit has left
  960. Zash Anyone got examples of strings that'd be different between IDNA 2003 and 2008?
  961. mr.fister has left
  962. jabberjocke has left
  963. jubalh has left
  964. gav has left
  965. gav has joined
  966. zach has left
  967. zach has joined
  968. wurstsalat has left
  969. mukt2 has joined
  970. mukt2 has left
  971. mukt2 has joined
  972. mukt2 has left
  973. mukt2 has joined
  974. zach has left
  975. zach has joined
  976. mukt2 has left
  977. mukt2 has joined
  978. Mikaela has left
  979. pdurbin has joined
  980. mukt2 has left
  981. pdurbin has left
  982. mukt2 has joined
  983. U+061C has left
  984. mukt2 has left
  985. Zash Ha
  986. andy has left
  987. marc_ has left
  988. stpeter has joined
  989. remko has joined
  990. Guus has left
  991. Guus has joined
  992. stpeter has left
  993. zach has left
  994. zach has joined
  995. remko has left
  996. kokonoe has joined
  997. UsL has left
  998. UsL has joined
  999. stpeter has joined
  1000. zach has left
  1001. zach has joined
  1002. stpeter has left
  1003. mukt2 has joined