Ge0rG: Sigh. How one should not design XMPP clients: https://github.com/KaidanIM/Kaidan/issues/220
Kev: Swift autoaccepts requests too, but only for bidirectional
Kev: (If you send a subscription request to someone, it'll approve the one they send back)
jonasw: that makes sense
daniel: > (If you send a subscription request to someone, it'll approve the one they send back)
Conversations does that too.
daniel: Even though that's actually what pre-approval is for
Ge0rG: it makes sense in a world where subscription shouldn't consist of directed graphs
daniel: Or pre Auth
Ge0rG: except pre-approval is not guaranteed
daniel: Whatever that was called
Ge0rG: yaxim will do both
Kev: But Swift doesn't talk about subscription requests, it just talks about Add Contact.
daniel: Did ejabberd start announcing that stream feature?
daniel: Because at some point it had support but didn't announce the feature, which doesn't make sense since the RFC tells clients to only use it if the feature is announced
Ge0rG: I wonder how many of my Swift issues got fixed for 4.0.
Ge0rG: daniel: I'm using it anyway.
Ge0rG is a lazy and ignorant client dev
jonasw: Ge0rG, you do know that prosody doesn’t support it?
Ge0rG: jonasw: I know.
Ge0rG: jonasw: but what's the worst thing that can happen if I send a pre-approval to a non-supporting server?
jonasw: <malformed-request/> stream error.
daniel: Stream error
daniel: 😂
jonasw: ah, <invalid-xml/>
Ge0rG: but it is valid xml. It just comes at the wrong time
jonasw: Ge0rG, invalid XML is for things which do not pass schema validation
Ge0rG: she-what? :P
jonasw: granted, I’d argue that such a server would be pretty weirdly designed to begin with
Ge0rG: jonasw: auto-generated by the schema-to-code thing we talked about yesternight.
Ge0rG: &
jonasw: fg
Ge0rG: Bad memory access (SIGBUS)
lovetox: in attic there is missing version 3.0 and 3.1 of httpupload https://xmpp.org/extensions/xep-0363.html
jonasw: there is no 3.0
jonasw: or 3.1
jonasw: do you mean 0.3.0 and 0.3.1?
jonasw: (which are also missing, indeed)
jonasw: I’ll regenerate them
lovetox: yes i meant those
jonasw: will be up shortly
lovetox: thanks
jonasw: spoiler: 0.3.1 is only a typo fix ;)
jonasw: lovetox, will be available within the next five minutes
Ge0rG starts tea timer
lovetox: what funny attack can you do if you have newline chars in a header value
lovetox: talking about httpupload
jonasw: lovetox, escape from the header, depending on the brokenness of implementations involved
lovetox: the authorization value is base64 encoded
lovetox: this means i execute on that value .strip('\n')
lovetox: not decode it and execute it on that
MattJ: Correct
lovetox: kk thanks
jonasw: lovetox, that’s not sufficient
MattJ: The client is not expected to understand what the headers are
jonasw: .replace("\n", "") is safer
jonasw: or if "\n" in header_value: raise RuntimeError("gtfo")
lovetox: that's indeed better
lovetox: i should just not upload to a service providing xep violating stuff
jonasw: probably
lovetox: oops, strip is only for beginning and end, indeed that would not be enough
jonasw: t
Ge0rG: Http upload is a small security nightmare.
Ge0rG: BTW, was there a change already restricting the legal header values?
Ge0rG: > Requesting entities MUST ensure that only the headers that are explicitly allowed by this XEP (Authorization, Cookie, Expires) are copied from the slot response to the HTTP request.
Ah, yes. But it's still not enforced at protocol level
rion: I've applied this restriction to Psi
Ge0rG: > MUST strip any newline characters
I wonder whether "newline characters" is too vague, as it's implementation defined
moparisthebest: has anyone tried (ab)using SOCKS5 Bytestreams https://xmpp.org/extensions/xep-0065.html to poke at internal network stuff?
moparisthebest: there aren't any security considerations about it
rion: Do you mean sending something w/o opening filetransfer session of something?
rion: of traffic encryption
Zash: moparisthebest: but both parties connect to the server, the server doesn't initiate anything outbound
Zash: moparisthebest: you might be able to trick remote clients into such things tho
moparisthebest: like, the server has access to a 10.X.X.X private subnet external users do not have access to, can an external client do bad things
moparisthebest: yea that's another way to do it
Ge0rG: You'd have to trick the client to connect to a "proxy" you defined
Zash: I forget the details, but doesn't one party pick the proxies, the other responds with one it can connect to.