Ge0rG: Martin: but yes, clearly a client (library) bug
Zash: Is that the Profanity hmac-signed uuid in base64?
Martin: Yep
Link Mauve: Martin, your XML library should prevent you from ever being able to serialise that kind of message.
Martin: Profanity uses libstrophe. Let's see what jubalh and pasis say.
jonas’: Martin, note that there is no way to escape \022
jonas’: it is simply not legal in XML character data
jonas’: it is simply not legal in XML 1.0 character data
Zash: UNACCEPTABLE
jonas’: so if you tried to escape it with  or somesuch, that would still be not-well-formed
Martin: It's also interesting how it ends up there:
https://bugs.debian.org/974205
jonas’: hah
Martin: > Switch to console, run
> profanity, and try some escape sequence such as hitting CTRL+V twice,
> then enter. Disconnects from the server again.
This one triggered it for me too.
debacle: Martin, IMHO such sequences should be filtered by the UI already, before it ever reaches the XML or XMPP library. I.e. ncurses.
jubalh: how will one define 'such sequences'?
jubalh: list all of them? only allow certain characters? what about unicode then?
debacle: jubalh Not sure. Check whether input is valid UTF-8? I hope, either glib or ncurses or expat have a function to check that? In case of invalid input, blame user and throw away their input.
Martin: > Is the German letter ß a real letter or just a fancy way of writing ss?
Eszett not SS! OMG…
Link Mauve: Martin, uppercasing might not agree with you. :p
Martin: Sorry, I don't get it.
Link Mauve: uppercase("weiß") might give "WEISS".
Link Mauve: I think it depends on the Unicode version.
Link Mauve: So it had to support the only existing rule back then.
* Martin goes on the street and demands inclusion of ẞ
jonas’: jubalh, so, easy. On input, you convert everything to unicode (please see the link). You’ll then have to filter out all codepoints between U+0000 and U+001F (incl.) except U+0009, U+000A and U+000D
jonas’: then you pass that to the XML library for serialisation as XML
jonas’: (the XML library should hit you if you don’t do the filtering; if it doesn’t, fix it)
jubalh: jonas’: will note it down, thanks
flow: the problem is already that the "XMPP (or XML) library" allows such codepoints in CDATA, is there even an XMPP (or XML) library involved?
Zash: If you think there isn't, then *YOU* are the XML library!
flow: well depends, is printf(SOCKET, "<foo bar='baz'>asdf</foo>") an XML library?
flow: *fprintf
Ge0rG: flow: you forgot some format strings that get passed attacker-supplied data