jdev - 2020-11-11

00:28:46 Zash has left
00:29:06 Zash has joined
01:13:46 Neustradamus has left
01:15:37 Neustradamus has joined
05:18:50 Yagizа has joined
05:46:04 Vaulor has joined
05:52:12 test2 has joined
06:21:34 wurstsalat has joined
06:25:23 DebXWoody has joined
06:32:13 test2 has left
07:08:06 floretta has left
07:08:39 mac has joined
07:11:07 goffi has joined
07:21:26 moparisthebest has left
07:38:22 moparisthebest has joined
07:48:40 debacle has joined
07:52:19 mac has left
08:15:33 moparisthebest has left
08:17:04 moparisthebest has joined
08:19:54 Alex has left
08:19:55 Alex has joined
08:49:42 Beherit has left
08:52:06 Beherit has joined
09:00:25 floretta has joined
09:16:53 mac has joined
09:34:00 raghavgururajan has left
09:38:45 raghavgururajan has joined
09:42:51 Beherit has left
09:42:52 Beherit has joined
09:43:18 floretta has left
09:43:57 shachontal has joined
09:47:10 test2 has joined
09:55:24 floretta has joined
09:56:26 pulkomandy has left
09:56:30 pulkomandy has joined
10:21:49 floretta has left
10:34:03 mac has left
10:37:34 alacer has left
10:47:10 pulkomandy has left
10:47:13 pulkomandy has joined
10:50:28 DebXWoody has left
10:53:23 test2 has left
10:54:09 alacer has joined
10:57:12 alacer has left
10:57:48 alacer has joined
11:01:08 Martin What characters have to be escaped within a message body? Do I find a list somewhere? Searching for it I only find stuff about JID escaping. :)
11:01:35 Zash Only XML rules apply.
11:02:51 Martin So only quot, amp, apos, gt and lt?
11:04:01 Zash Must be valid UTF-8, must not have ASCII NUL. IIRC also ASCII control characters (\0 .. \31 or somesuch)
11:04:51 Zash And yes, when serialized those would be entity-escaped, but I sure hope you don't need to handle that yourself.
11:06:24 Martin Yep, that's the issue.
11:06:41 Martin \022
11:06:42 Martin active xmlns="http://jabber.org/protocol/chatstates"/><request xmlns="urn:xmpp:receipts"/></message>
11:07:08 Martin Sorry, I'll have to use a pastebin. ^^
11:07:40 Martin https://paste.debian.net/1171434/
11:12:58 Ge0rG that message id makes my eyes bleed.
11:13:14 Ge0rG Martin: but yes, clearly a client (library) bug
11:16:14 Zash Is that the Profanity hmac-signed uuid in base64?
11:17:13 Martin Yep
11:35:04 Link Mauve Martin, your XML library should prevent you from ever being able to serialise that kind of message.
11:35:37 Martin Profanity uses libstrophe. Let's see what jubalh and pasis say.
11:38:42 adrien has left
11:41:39 adrien has joined
11:47:10 pulkomandy has left
11:47:14 pulkomandy has joined
12:02:26 floretta has joined
12:05:00 paul has left
12:06:24 DebXWoody has joined
12:10:45 lovetox has joined
12:11:12 paul has joined
12:20:30 lovetox has left
12:30:57 floretta has left
12:47:11 pulkomandy has left
12:47:14 pulkomandy has joined
13:16:54 Beherit has left
13:26:15 Beherit has joined
13:29:01 jonnj has left
13:47:11 pulkomandy has left
13:47:19 pulkomandy has joined
13:49:55 Beherit has left
13:53:53 Beherit has joined
13:55:12 jonnj has joined
14:02:51 alex-a-soto has left
14:03:08 alex-a-soto has joined
14:16:15 floretta has joined
14:46:10 SouL has left
14:46:13 SouL has joined
14:47:12 pulkomandy has left
14:47:20 pulkomandy has joined
15:04:47 mac has joined
15:10:45 Wojtek has joined
15:15:05 mac has left
15:19:37 DebXWoody has left
15:21:41 Beherit has left
15:21:42 Beherit has joined
15:22:02 DebXWoody has joined
15:28:59 DebXWoody has left
15:31:11 jonas’ Martin, note that there is no way to escape \022
15:31:16 jonas’ ~~it is simply not legal in XML character data~~ ✎
15:31:19 jonas’ it is simply not legal in XML 1.0 character data ✏
15:31:29 Zash UNACCEPTABLE
15:31:49 jonas’ so if you tried to escape it with  or somesuch, that would still be not-well-formed
15:32:35 Martin It's also interesting how it ends up there: https://bugs.debian.org/974205
15:32:55 pulkomandy has left
15:33:07 jonas’ hah
15:33:08 pulkomandy has joined
15:35:33 Martin > Switch to console, run > profanity, and try some escape sequence such as hitting CTRL+V twice, > then enter. Disconnects from the server again. This one triggered it for me too.
15:37:32 jubalh has joined
15:49:43 debacle Martin, IMHO such sequences should be filtered by the UI already, before it ever reaches the XML or XMPP library. I.e. ncurses.
15:51:05 jubalh how will one define 'such sequences'?
15:51:19 jubalh list all of them? only allow certain characters? what about unicode then?
15:51:39 Zash https://www.w3.org/TR/2008/REC-xml-20081126/#charsets
15:59:48 jonas’ oh my, where to start with this
16:00:01 jonas’ https://www.joelonsoftware.com/2003/10/08/the-absolute-minimum-every-software-developer-absolutely-positively-must-know-about-unicode-and-character-sets-no-excuses/
16:00:56 Link Mauve :)
16:06:18 debacle jubalh Not sure. Check whether input is valid UTF-8? I hope, either glib or ncurses or expat have a function to check that? In case invalid input, blame user and throw away their input.
16:07:41 Martin >Is the German letter ß a real letter or just a fancy way of writing ss? Eszet not SS! OMG…
16:08:34 Link Mauve Martin, uppercasing might not agree with you. :p
16:09:20 Martin Sorry, I don't get it.
16:09:58 Link Mauve uppercase("weiß") might give "WEISS".
16:10:07 Link Mauve I think it depends on the Unicode version.
16:10:21 Martin We have an uppercased eszet now!
16:10:32 Martin https://en.wikipedia.org/wiki/Capital_%E1%BA%9E
16:11:00 Link Mauve Turns out, Unicode is from before 2017.
16:11:16 Link Mauve So it had to support the only existing rule back then.
16:11:55 Martin goes on the street and demands inclusion of ẞ
16:13:21 jonas’ jubalh, so, easy. On input, you convert everything to unicode (please see the link). You’ll then have to filter out all codepoints between U+0000 and U+001F (incl.) except U+0009, U+000A and U+000D
16:13:28 jonas’ then you pass that to the XML library for serialisation as XML
16:13:42 jonas’ (the XML library should hit you if you don’t do the filtering; if it doesn’t, fix it)
16:16:01 mac has joined
16:22:47 DebXWoody has joined
16:30:56 mac has left
16:34:46 mac has joined
16:35:00 zapb has joined
16:38:15 goffi has left
16:47:33 jubalh jonas’: will note it down, thanks
16:48:55 mac has left
16:52:49 zapb has left
16:53:10 zapb has joined
16:56:21 Beherit has left
16:56:22 Beherit has joined
16:57:40 mac has joined
16:57:50 zapb has left
16:58:50 zapb has joined
16:59:37 floretta has left
17:06:06 floretta has joined
17:06:58 mac has left
17:10:09 lovetox has joined
17:24:49 mac has joined
17:25:32 lovetox has left
17:37:13 test2 has joined
17:38:05 mac has left
17:40:49 zapb has left
17:43:28 zapb has joined
17:43:29 test2 has left
18:17:04 flow the problem is already that the "XMPP (or XML) library" allows such codepoints in CDATA, is there even an XMPP (or XML) library invovled?
18:17:41 Zash If you think there isn't, then *YOU* are the XML library!
18:18:39 flow well depends, is printf(SOCKET, "<foo bar='baz'>asdf</foo>") an XML library?
18:19:07 flow *fprintf
18:25:00 test2 has joined
18:31:54 Ge0rG flow: you forgot some format strings that get passed attacker-supplied data
18:35:04 lovetox has joined
18:37:38 Alex has left
18:40:12 test2 has left
18:44:41 Alex has joined
18:48:51 lovetox has left
18:54:46 Beherit has left
19:09:21 Beherit has joined
19:32:01 lovetox has joined
20:04:52 Yagizа has left
20:10:10 alex-a-soto has left
20:10:25 alex-a-soto has joined
20:12:59 stpeter has joined
20:15:47 Beherit has left
20:18:05 Beherit has joined
20:20:34 zapb has left
20:21:27 zapb has joined
20:39:04 DebXWoody has left
20:42:13 DebXWoody has joined
21:09:26 mac has joined
21:20:33 Zash has left
21:33:25 zapb has left
21:33:40 zapb has joined
21:54:12 mac has left
22:14:19 lovetox has left
22:19:44 Zash has joined
22:19:44 Zash has left
22:24:26 zapb has left
22:37:19 Beherit has left
22:37:20 Beherit has joined
22:41:27 shachontal has left
22:42:44 raghavgururajan has left
22:54:45 Caska has joined
22:56:01 Caska has left
23:18:07 Wojtek has left
23:22:37 stpeter has left
23:24:28 stpeter has joined