jdev - 2024-08-21


  1. Schimon

    https://xmpp.pimux.de/file_share/70f6118c-1b33-4a9c-a9ab-7d3375b1edde/blasta_manual_xml_console_20240821-122400.png

  2. Schimon

    This can be thought also as of an idea for Libervia, Movim, and other HTML based XMPP services. The idea is to make/urge people to install XMPP chat clients.

  3. Schimon

    singpolyma. Does Cheogram has an XML Console?

  4. Menel

    Cheogram has no console

  5. Menel

    But prosody has a raw debug module šŸ™‚

  6. edhelas

    Real devs does that with telnet

  7. Schimon

    https://github.com/movim/movim/issues/1353 Store settings in account Jabber ID

  8. Schimon

    goffi. singpolyma. That might be of interest to you as well.

  9. Schimon

    cal0pteryx. lovetox. And to Gajim too.

  10. lovetox

    Schimon: gajims has a node browser

  11. lovetox

    You can delete nodes via gui

  12. lovetox

    Advanced - PEP configuration check it out

  13. Schimon

    lovetox. Can you store the settings of Gajim inside a Jabber ID PEP node?

  14. lovetox

    No we don't store settings

  15. lovetox

    What setting are you thinking about?

  16. Schimon

    This is a good idea. Suppose I use Gajim on my home computer. I install Gajim on a new machine at office or. The setting of Gajim of theme, behaviour (i.e. Show on Startup, Action on Close, Show Status Change etc.) are retrieved from PEP `xmpp:org.gajim:settings`.

  17. Schimon

    > What setting are you thinking about? All the most common settings that Gajim offers, excluding Advanced.

  18. Schimon

    Maybe advanced too, with a warning concerning to proxy, if proxy is set to something else than default.

  19. Zash

    This was what https://xmpp.org/extensions/xep-0049.html was used for, but it fell out of favor for client settings. And https://xmpp.org/extensions/xep-0223.html is the PEP-based successor to that.

  20. lovetox

    Easier said then done

  21. lovetox

    Many settings are Gajims settings, but pep is per account

  22. lovetox

    Would need to sync Gajims settings to multiple accounts I guess .. but not pretty

  23. lovetox

    But it's complicated if different accounts have different settings

  24. edhelas

    > https://github.com/movim/movim/issues/1353 > Store settings in account Jabber ID It is already the case

    šŸ‘ 1
  25. edhelas

    https://github.com/movim/movim/blob/master/app/Widgets/Config/Config.php#L126

  26. edhelas

    You can close the ticket

  27. Schimon

    edhelas. Sorry. Thank you for the reference. I am closing it now.

  28. edhelas

    Schimon https://github.com/movim/movim/blob/master/src/Moxl/Stanza/Storage.php

  29. Schimon

    edhelas. It appears that you are using XML. Is that so?

  30. edhelas

    No, I just serialize/deserialize a PHP array, it's purely Movim stuff, I don't need to standardize my internal settings

    šŸ˜±ļø 1
  31. edhelas

    I could do JSON, but this was done a long time ago, "don't fix if it ain't broke".

  32. Schimon

    This is the most important part that I am engaged with, this week: `$node = 'movim:prefs';`. I will see what I would do with Blasta.

  33. edhelas

    Uh ?

  34. Schimon

    The argument of naming nodes, that is.

  35. Schimon

    edhelas. Thank you for the references. I am always happy to receive them and I think of them to be very useful.

  36. Schimon

    lovetox > Many settings are Gajims settings, but pep is per account In case PEP is not available (i.e. creation of a node fails), Gajim would display a message that it can not use Jabber ID to synchronize account settings, and it would offer to contact the system administrator or switch a provider. > But it's complicated if different accounts have different settings In that case, similarly to "dot new" files of Salix and Slackware, Gajim would prompt to synchronize settings or keep them local. Psi has a similar option to group chat to auto-join "only from this computer".

  37. lovetox

    Yeah lots of work for very little gain

  38. lovetox

    It's not like you setup a desktop client every week on a new machine

  39. Schimon

    > I could do JSON, but this was done a long time ago, "don't fix if it ain't broke". Why JSON, and not TOML? I suppose that both can be considered the same, aside from JSON which would probably be smaller due to no requirement to name "dictionary" type and allows `null` which TOML does not allow (i.e. `None` type is not allowed).

  40. edhelas

    > Why JSON, and not TOML? > I suppose that both can be considered the same, aside from JSON which would probably be smaller due to no requirement to name "dictionary" type and allows `null` which TOML does not allow (i.e. `None` type is not allowed). "don't fix if it ain't broke"

  41. Schimon

    > It's not like you setup a desktop client every week on a new machine lovetox. I agree, yet many might find it useful.

  42. Schimon

    > "don't fix if it ain't broke" Fine. I agree with that statement.

  43. Schimon

    > Yeah lots of work for very little gain lovetox. I am thinking this through. I was thinking: "What if you are connecting with Gajim on a friend's machine?". One might want to have another set of settings when he is a guest of that machine. So a profile indicator would be needed: `xmpp:org.gajim:settings:desktop`, `xmpp:org.gajim:settings:guest`, `xmpp:org.gajim:settings:travel` etc.

  44. Schimon

    I suggest we discuss about it on the issue tracker.

  45. Schimon

    > But it's complicated if different accounts have different settings Pardon. I did not thought about it. I suppose that different directories would solve it.

  46. Schimon

    > Advanced - PEP configuration check it out lovetox. That browser is useflu and beautiful. More XMPP clients should gave that type of a browser too.

  47. Schimon

    Thank you for that browser. It definitely helpful.

    šŸ‘ 1
  48. Schimon

    Thank you for that browser. It is definitely helpful.

  49. moparisthebest

    Schimon: I notice you suggesting to a ton of clients to synchronize settings across clients using PEP but none of the issues you created even mentions the huge gigantic footguns this brings with it, if implemented in a naive way it'll end up causing those clients to crash when trying to log in with no remedy

  50. moparisthebest

    Consider that the format would require both backwards *and* forwards compatibility

  51. moparisthebest

    You need newer versions to be able to handle settings from older versions, this is relatively easy, but you also need older versions to be able to handle settings from newer versions which is damn near impossible or at least a massive footgun

  52. Schimon

    moparisthebest. That is a consideration. - A crash control can be added; - The selection of settings to be stored can be limited; - A prompt dialog can be added: "Do you want to synchronize configurations?".

  53. Schimon

    > if implemented in a naive way What do you mean by "native way"?

  54. Schimon

    > Consider that the format would require both backwards *and* forwards compatibility If there is no compatibility, then settings stored on PEP be ignored.

  55. Schimon

    I do think that this would be useful.

  56. singpolyma

    It might be for some clients. I think the way movim does it makes sense for their case for example

  57. moparisthebest

    Consider the simple case of logging into an ancient gajim on some Debian machine, and logging into new gajim on Arch, what's even the desired behavior? And would you want it determined by which you logged into first/last ?

  58. lovetox

    yeah, thats what i meant, it starts like a naive idea, hey store some settings there in the pep node

  59. moparisthebest

    > No, I just serialize/deserialize a PHP array, it's purely Movim stuff, I don't need to standardize my internal settings edhelas: how do you handle different movim versions? (Or if PHP can (de) serialize differently by PHP version, how is that handled?)

  60. lovetox

    and then you work a year to iron out all edge cases and bugs

  61. moparisthebest

    100% that lovetox , and it's unclear to me what the desired behavior even should be

  62. moparisthebest

    >> if implemented in a naive way > What do you mean by "native way"? No https://www.wordnik.com/words/naive

  63. Schimon

    > No https://www.wordnik.com/words/naive Pardon. I read it differently.

  64. Schimon

    > and then you work a year to iron out all edge cases and bugs Gentlemen. It can always be a "development" feature that can be tested on a span of years and only after it has been tested, you can offer it as a feature.

  65. moparisthebest

    >> Consider that the format would require both backwards *and* forwards compatibility > If there is no compatibility, then settings stored on PEP be ignored. Ok but then is it useful? I would imagine under normal circumstances users will almost always end up using different versions of the same client, if this can only sync settings between identical versions it's useless

  66. Schimon

    This is how settings are stored on PEP node `xmpp:blasta:settings:0` of every JID which interacts with the Blasta system: ``` <item id="routine" xmlns="http://jabber.org/protocol/pubsub"> <value>private</value> </item> <item id="enrollment" xmlns="http://jabber.org/protocol/pubsub"> <value>1</value> </item> ```

  67. moparisthebest

    My point is it's easy to say "sync'ing settings would be nice and should be implemented!" (fwiw I agree it'd be nice) but it's far from simple and all the requirements (*especially* for edge cases) need ironed out before you can even think of a design

  68. moparisthebest

    Schimon: and how does blasta implement backwards and forwards compatibility ?

  69. Schimon

    I do not know. I jhave only implemented it for the first time, 30 minutes ago.

  70. Schimon

    I suppose I will use the digits as versions `xmpp:blasta:settings:0`, `xmpp:blasta:settings:1` etc.

  71. moparisthebest

    Right, the naive way I mentioned that will shoot you in the foot later šŸ˜ž

  72. Schimon

    Blasta does not have many settings yet. I doubt Blasta would even reach to 10 settings.

  73. Schimon

    Blasta does not have many settings yet. I doubt Blasta would even reach to ten (10) settings.

  74. moparisthebest

    Ah, version number: so then you run v1 and it migrates settings from v0 once and you change some things and go back to v0 (maybe v1 breaks your workflow somehow) and those changes aren't there! So you make the changes again in v0 and keep using it and making changes for a year then v2 comes out which fixes your workflow so you upgrade and it migrates your settings from v1 so you've lost a years worth of settings !!!!!

  75. Schimon

    Then download those settings to file and inform the men who uses it.

  76. Schimon

    And the settings that Blasta offers are afew. In any case that settings are not reachable, it will default to regular settings.

  77. moparisthebest

    > Then download those settings to file and inform the men who uses it. What version downloads which settings to a file ?

  78. edhelas

    > edhelas: how do you handle different movim versions? (Or if PHP can (de) serialize differently by PHP version, how is that handled?) https://www.php.net/manual/en/function.serialize.php

  79. edhelas

    There since PHP4

  80. edhelas

    And what I'm actually handling is an array, the syntax didn't changed for something like 20 years

  81. moparisthebest

    An array of what though?

  82. jonasā€™

    > If you need to unserialize externally-stored serialized data, consider using hash_hmac() for data validation. Make sure data is not modified by anyone but you.

  83. jonasā€™

    I'm just gonna leave that here

  84. moparisthebest

    Yea PHP unserialize will totally run arbitrary code and is unsafe to use on untrusted input...

  85. jonasā€™

    you're in a real pickle with that one if you feed it untrusted input

  86. moparisthebest

    No that's python šŸ¤£

  87. jonasā€™

    :D

  88. moparisthebest

    (for context that's an absolutely terrible joke about https://docs.python.org/3/library/pickle.html )

  89. jonasā€™

    hey!

  90. moparisthebest

    edhelas: hey can't I log into my server with your movim ? Which means I can set malicious settings which will run code on your server as your PHP process? šŸ’€

  91. Schimon

    > What version downloads which settings to a file ? moparisthebest. Currently, there is only one version of both.

  92. moparisthebest

    Schimon: right but planning for the future...

  93. Schimon

    > Yea PHP unserialize will totally run arbitrary code and is unsafe to use on untrusted input... This is an issue. The settings are store on JIDs, which means that people can set anything they want, and Blasta must consider a situation of arvitrary code.

  94. Schimon

    > Yea PHP unserialize will totally run arbitrary code and is unsafe to use on untrusted input... This is an issue. The settings are store on JIDs, which means that people can set anything they want, and Blasta must consider a situation of malicious code.

  95. moparisthebest

    Grep finds 18 calls to unserialize() in movim, I don't know about the rest yet but I'm 99% sure https://github.com/movim/movim/blob/master/src/Moxl/Xec/Action/Storage/Get.php#L23 is vulnerable to anyone running arbitrary code on any movim instance edhelas ! Unfortunate to discover this publicly but the cat is out of the bag now

  96. Schimon

    moparisthebest. Blasta already usese two settings: 1) Enrollment (opt-in or opt-out) which has a single character. So length must be checked and be one. ``` <item id="enrollment" xmlns="http://jabber.org/protocol/pubsub"> <value>1</value> </item> ``` 2) Preferred node (private, public, read). I suppose a single character would also be good. ``` <item id="routine" xmlns="http://jabber.org/protocol/pubsub"> <value>private</value> </item> ``` Could or would this (value as a single character) prevent the danger of malicious code?

  97. edhelas

    > Grep finds 18 calls to unserialize() in movim, I don't know about the rest yet but I'm 99% sure https://github.com/movim/movim/blob/master/src/Moxl/Xec/Action/Storage/Get.php#L23 is vulnerable to anyone running arbitrary code on any movim instance edhelas ! > > Unfortunate to discover this publicly but the cat is out of the bag now I know, the rest is internal DB stuff

  98. moparisthebest

    edhelas: even the 'headers' in app/Upload.php ? Not user supplied ?

  99. moparisthebest

    Also attributes like 'prekeys' sound suspiciously user-server-supplied

  100. edhelas

    moparisthebest Please ensure to explain all the details in this channel

  101. edhelas

    moparisthebest Please ensure to explain all the details in this public channel

  102. moparisthebest

    Yea sadly it was too late once jonasā€™ mentioned that... We can avoid making public (searchable) GitHub issues etc until a fix is published though, probably best that can be done

  103. moparisthebest

    Might want to turn off your public movims and maybe message other big instances if you can...

  104. jonasā€™

    I honestly did not expect this fallout.

  105. jonasā€™

    I don't write PHP and even *I* knew that unserialize on untrusted data is a terrible idea.

  106. jonasā€™

    apologies.

  107. moparisthebest

    Who did... If Schimon hadn't brought up sync'ing settings it could have been undiscovered for many more years...

  108. Guus

    I've got no PHP experience, but wonder if static analyzers could pick up on stuff like this. That might be a handy check to add, somewhere.

  109. moparisthebest

    Guus: do you do any deserialization in Java on untrusted data? Another common place these RCEs pop up :'(

  110. moparisthebest

    For years the json deserializer of choice in javaland was Jackson, which had the unfortunate default of being vulnerable to RCE on untrusted input, dozens of CVEs at least while they kept adding ever more classes to the blacklist

  111. Guus

    moparisthebest: I'm sure that's possible, although I don't think it's as easy to have something deserialize and automatically execute stuff

  112. moparisthebest

    iirc at some point they changed the default, but it's still a ghost

  113. moparisthebest

    Guus: it's very easy, Jackson's default was to support specifying class names to instantiate with reflection, and there are tons of classes you can create that way that'll run arbitrary code

  114. moparisthebest

    URLClassLoader is the easiest example

  115. Guus

    sure

  116. moparisthebest

    That's roughly the same way the unserialize (PHP) and pickle (python) vulns work too

  117. Guus

    the log4j stuff was similar, right?

  118. moparisthebest

    Haha yes, good times good times

  119. Guus

    I think that went through JNDI or something

  120. Guus

    like you said, ghosts.

  121. moparisthebest

    I quit my Java dev job for a Rust job literally 1 week before log4j hit the fan, best timing of my life

  122. edhelas

    Maybe the best is to actually make a small custom XML, at least the parser will do the job šŸ¤”

  123. Zash

    just use XEP-0004

  124. Zash

    I don't care what the problem is, XEP-0004 is the solution!

  125. edhelas

    This serialize/unserialize thing wasn't touched since almost the beginning of the project

  126. edhelas

    But 0004 was already there šŸ˜± !

  127. edhelas

    If I have to fix it, Lets Fix It Properly ā„¢

  128. moparisthebest

    As long as you don't have the wrong settings on your XML parser and enable billion laughs etc šŸ„²