jdev - 2020-11-11

  1. Zash has left

  2. Zash has joined

  3. Neustradamus has left

  4. Neustradamus has joined

  5. Yagizа has joined

  6. Vaulor has joined

  7. test2 has joined

  8. wurstsalat has joined

  9. DebXWoody has joined

  10. test2 has left

  11. floretta has left

  12. mac has joined

  13. goffi has joined

  14. moparisthebest has left

  15. moparisthebest has joined

  16. debacle has joined

  17. mac has left

  18. moparisthebest has left

  19. moparisthebest has joined

  20. Alex has left

  21. Alex has joined

  22. Beherit has left

  23. Beherit has joined

  24. floretta has joined

  25. mac has joined

  26. raghavgururajan has left

  27. raghavgururajan has joined

  28. Beherit has left

  29. Beherit has joined

  30. floretta has left

  31. shachontal has joined

  32. test2 has joined

  33. floretta has joined

  34. pulkomandy has left

  35. pulkomandy has joined

  36. floretta has left

  37. mac has left

  38. alacer has left

  39. pulkomandy has left

  40. pulkomandy has joined

  41. DebXWoody has left

  42. test2 has left

  43. alacer has joined

  44. alacer has left

  45. alacer has joined

  46. Martin

    What characters have to be escaped within a message body? Do I find a list somewhere? Searching for it I only find stuff about JID escaping. :)

  47. Zash

    Only XML rules apply.

  48. Martin

    So only quot, amp, apos, gt and lt?

  49. Zash

    Must be valid UTF-8, must not have ASCII NUL. IIRC also ASCII control characters (\0 .. \31 or somesuch)

  50. Zash

    And yes, when serialized those would be entity-escaped, but I sure hope you don't need to handle that yourself.

  51. Martin

    Yep, that's the issue.

  52. Martin

    \022

  53. Martin

    active xmlns="http://jabber.org/protocol/chatstates"/><request xmlns="urn:xmpp:receipts"/></message>

  54. Martin

    Sorry, I'll have to use a pastebin. ^^

  55. Martin

    https://paste.debian.net/1171434/

  56. Ge0rG

    that message id makes my eyes bleed.

  57. Ge0rG

    Martin: but yes, clearly a client (library) bug

  58. Zash

    Is that the Profanity hmac-signed uuid in base64?

  59. Martin

    Yep

  60. Link Mauve

    Martin, your XML library should prevent you from ever being able to serialise that kind of message.

  61. Martin

    Profanity uses libstrophe. Let's see what jubalh and pasis say.

  62. adrien has left

  63. adrien has joined

  64. pulkomandy has left

  65. pulkomandy has joined

  66. floretta has joined

  67. paul has left

  68. DebXWoody has joined

  69. lovetox has joined

  70. paul has joined

  71. lovetox has left

  72. floretta has left

  73. pulkomandy has left

  74. pulkomandy has joined

  75. Beherit has left

  76. Beherit has joined

  77. jonnj has left

  78. pulkomandy has left

  79. pulkomandy has joined

  80. Beherit has left

  81. Beherit has joined

  82. jonnj has joined

  83. alex-a-soto has left

  84. alex-a-soto has joined

  85. floretta has joined

  86. SouL has left

  87. SouL has joined

  88. pulkomandy has left

  89. pulkomandy has joined

  90. mac has joined

  91. Wojtek has joined

  92. mac has left

  93. DebXWoody has left

  94. Beherit has left

  95. Beherit has joined

  96. DebXWoody has joined

  97. DebXWoody has left

  98. jonas’

    Martin, note that there is no way to escape \022

  99. jonas’

    it is simply not legal in XML character data

  100. jonas’

    it is simply not legal in XML 1.0 character data

  101. Zash

    UNACCEPTABLE

  102. jonas’

    so if you tried to escape it with &#x12; or somesuch, that would still be not-well-formed

  103. Martin

    It's also interesting how it ends up there: https://bugs.debian.org/974205

  104. pulkomandy has left

  105. jonas’

    hah

  106. pulkomandy has joined

  107. Martin

    > Switch to console, run > profanity, and try some escape sequence such as hitting CTRL+V twice, > then enter. Disconnects from the server again. This one triggered it for me too.

  108. jubalh has joined

  109. debacle

    Martin, IMHO such sequences should be filtered by the UI already, before it ever reaches the XML or XMPP library. I.e. ncurses.

  110. jubalh

    how will one define 'such sequences'?

  111. jubalh

    list all of them? only allow certain characters? what about unicode then?

  112. Zash

    https://www.w3.org/TR/2008/REC-xml-20081126/#charsets

  113. jonas’

    oh my, where to start with this

  114. jonas’

    https://www.joelonsoftware.com/2003/10/08/the-absolute-minimum-every-software-developer-absolutely-positively-must-know-about-unicode-and-character-sets-no-excuses/

  115. Link Mauve

    :)

  116. debacle

    jubalh Not sure. Check whether input is valid UTF-8? I hope, either glib or ncurses or expat have a function to check that? In case invalid input, blame user and throw away their input.

  117. Martin

    >Is the German letter ß a real letter or just a fancy way of writing ss? Eszet not SS! OMG…

  118. Link Mauve

    Martin, uppercasing might not agree with you. :p

  119. Martin

    Sorry, I don't get it.

  120. Link Mauve

    uppercase("weiß") might give "WEISS".

  121. Link Mauve

    I think it depends on the Unicode version.

  122. Martin

    We have an uppercased eszet now!

  123. Martin

    https://en.wikipedia.org/wiki/Capital_%E1%BA%9E

  124. Link Mauve

    Turns out, Unicode is from before 2017.

  125. Link Mauve

    So it had to support the only existing rule back then.

  126. Martin goes on the street and demands inclusion of ẞ

  127. jonas’

    jubalh, so, easy. On input, you convert everything to unicode (please see the link). You’ll then have to filter out all codepoints between U+0000 and U+001F (incl.) except U+0009, U+000A and U+000D

  128. jonas’

    then you pass that to the XML library for serialisation as XML

  129. jonas’

    (the XML library should hit you if you don’t do the filtering; if it doesn’t, fix it)

  130. mac has joined

  131. DebXWoody has joined

  132. mac has left

  133. mac has joined

  134. zapb has joined

  135. goffi has left

  136. jubalh

    jonas’: will note it down, thanks

  137. mac has left

  138. zapb has left

  139. zapb has joined

  140. Beherit has left

  141. Beherit has joined

  142. mac has joined

  143. zapb has left

  144. zapb has joined

  145. floretta has left

  146. floretta has joined

  147. mac has left

  148. lovetox has joined

  149. mac has joined

  150. lovetox has left

  151. test2 has joined

  152. mac has left

  153. zapb has left

  154. zapb has joined

  155. test2 has left

  156. flow

    the problem is already that the "XMPP (or XML) library" allows such codepoints in CDATA, is there even an XMPP (or XML) library invovled?

  157. Zash

    If you think there isn't, then *YOU* are the XML library!

  158. flow

    well depends, is printf(SOCKET, "<foo bar='baz'>asdf</foo>") an XML library?

  159. flow

    *fprintf

  160. test2 has joined

  161. Ge0rG

    flow: you forgot some format strings that get passed attacker-supplied data

  162. lovetox has joined

  163. Alex has left

  164. test2 has left

  165. Alex has joined

  166. lovetox has left

  167. Beherit has left

  168. Beherit has joined

  169. lovetox has joined

  170. Yagizа has left

  171. alex-a-soto has left

  172. alex-a-soto has joined

  173. stpeter has joined

  174. Beherit has left

  175. Beherit has joined

  176. zapb has left

  177. zapb has joined

  178. DebXWoody has left

  179. DebXWoody has joined

  180. mac has joined

  181. Zash has left

  182. zapb has left

  183. zapb has joined

  184. mac has left

  185. lovetox has left

  186. Zash has joined

  187. Zash has left

  188. zapb has left

  189. Beherit has left

  190. Beherit has joined

  191. shachontal has left

  192. raghavgururajan has left

  193. Caska has joined

  194. Caska has left

  195. Wojtek has left

  196. stpeter has left

  197. stpeter has joined