jdev - 2020-11-11


  46. Martin What characters have to be escaped within a message body? Do I find a list somewhere? Searching for it I only find stuff about JID escaping. :)
  47. Zash Only XML rules apply.
  48. Martin So only quot, amp, apos, gt and lt?
  49. Zash Must be valid UTF-8, must not have ASCII NUL. IIRC also ASCII control characters (\0 .. \31 or somesuch)
  50. Zash And yes, when serialized those would be entity-escaped, but I sure hope you don't need to handle that yourself.
  51. Martin Yep, that's the issue.
  52. Martin \022
  53. Martin active xmlns="http://jabber.org/protocol/chatstates"/><request xmlns="urn:xmpp:receipts"/></message>
  54. Martin Sorry, I'll have to use a pastebin. ^^
  55. Martin https://paste.debian.net/1171434/
  56. Ge0rG that message id makes my eyes bleed.
  57. Ge0rG Martin: but yes, clearly a client (library) bug
  58. Zash Is that the Profanity hmac-signed uuid in base64?
  59. Martin Yep
  60. Link Mauve Martin, your XML library should prevent you from ever being able to serialise that kind of message.
  61. Martin Profanity uses libstrophe. Let's see what jubalh and pasis say.
  98. jonas’ Martin, note that there is no way to escape \022
  99. jonas’ it is simply not legal in XML character data
  100. jonas’ it is simply not legal in XML 1.0 character data
  101. Zash UNACCEPTABLE
  102. jonas’ so if you tried to escape it with &#x12; or somesuch, that would still be not-well-formed
  103. Martin It's also interesting how it ends up there: https://bugs.debian.org/974205
  105. jonas’ hah
  107. Martin > Switch to console, run > profanity, and try some escape sequence such as hitting CTRL+V twice, > then enter. Disconnects from the server again. This one triggered it for me too.
  108. jubalh has joined
  109. debacle Martin, IMHO such sequences should be filtered by the UI already, before it ever reaches the XML or XMPP library. I.e. ncurses.
  110. jubalh how will one define 'such sequences'?
  111. jubalh list all of them? only allow certain characters? what about unicode then?
  112. Zash https://www.w3.org/TR/2008/REC-xml-20081126/#charsets
  113. jonas’ oh my, where to start with this
  114. jonas’ https://www.joelonsoftware.com/2003/10/08/the-absolute-minimum-every-software-developer-absolutely-positively-must-know-about-unicode-and-character-sets-no-excuses/
  115. Link Mauve :)
  116. debacle jubalh Not sure. Check whether input is valid UTF-8? I hope either glib or ncurses or expat has a function to check that? In case of invalid input, blame user and throw away their input.
  117. Martin >Is the German letter ß a real letter or just a fancy way of writing ss? Eszet not SS! OMG…
  118. Link Mauve Martin, uppercasing might not agree with you. :p
  119. Martin Sorry, I don't get it.
  120. Link Mauve uppercase("weiß") might give "WEISS".
  121. Link Mauve I think it depends on the Unicode version.
  122. Martin We have an uppercased eszet now!
  123. Martin https://en.wikipedia.org/wiki/Capital_%E1%BA%9E
  124. Link Mauve Turns out, Unicode is from before 2017.
  125. Link Mauve So it had to support the only existing rule back then.
  126. Martin goes on the street and demands inclusion of ẞ
  127. jonas’ jubalh, so, easy. On input, you convert everything to unicode (please see the link). You’ll then have to filter out all codepoints between U+0000 and U+001F (incl.) except U+0009, U+000A and U+000D
  128. jonas’ then you pass that to the XML library for serialisation as XML
  129. jonas’ (the XML library should hit you if you don’t do the filtering; if it doesn’t, fix it)
  136. jubalh jonas’: will note it down, thanks
  156. flow the problem is already that the "XMPP (or XML) library" allows such codepoints in CDATA, is there even an XMPP (or XML) library involved?
  157. Zash If you think there isn't, then *YOU* are the XML library!
  158. flow well depends, is printf(SOCKET, "<foo bar='baz'>asdf</foo>") an XML library?
  159. flow *fprintf
  161. Ge0rG flow: you forgot some format strings that get passed attacker-supplied data