Sigh. How one should not design XMPP clients: https://github.com/KaidanIM/Kaidan/issues/220
Kev
Swift autoaccepts requests too, but only for bidirectional
Kev
(If you send a subscription request to someone, it'll approve the one they send back)
jonasw
that makes sense
daniel
> (If you send a subscription request to someone, it'll approve the one they send back)
Conversations does that too.
daniel
Even though that's actually what pre-approval is for
Ge0rG
it makes sense in a world where subscription shouldn't consist of directed graphs
daniel
Or pre Auth
Ge0rG
except pre-approval is not guaranteed
daniel
Whatever that was called
Ge0rG
yaxim will do both
Kev
But Swift doesn't talk about subscription requests, it just talks about Add Contact.
daniel
Did ejabberd start announcing that stream feature?
daniel
Because at some point it had support but didn't announce the feature, which doesn't make sense since the RFC tells clients to only use it if the feature is announced
Ge0rG
I wonder how many of my Swift issues got fixed for 4.0.
Ge0rG
daniel: I'm using it anyway.
Ge0rG is a lazy and ignorant client dev
jonasw
Ge0rG, you do know that prosody doesn’t support it?
Ge0rG
jonasw: I know.
Ge0rG
jonasw: but what's the worst thing that can happen if I send a pre-approval to a non-supporting server?
jonasw
<malformed-request/> stream error.
daniel
Stream error
daniel
😂
jonasw
ah, <invalid-xml/>
Ge0rG
but it is valid xml. It just comes at the wrong time
jonasw
Ge0rG, invalid XML is for things which do not pass schema validation
Ge0rG
she-what? :P
jonasw
granted, I’d argue that such a server would be pretty weirdly designed to begin with
Ge0rG
jonasw: auto-generated by the schema-to-code thing we talked about yesternight.
Ge0rG &
jonasw
fg
Ge0rG
Bad memory access (SIGBUS)
lovetox
in the attic, versions 3.0 and 3.1 of httpupload are missing https://xmpp.org/extensions/xep-0363.html
jonasw
there is no 3.0
jonasw
or 3.1
jonasw
do you mean 0.3.0 and 0.3.1?
jonasw
(which are also missing, indeed)
jonasw
I’ll regenerate them
lovetox
yes, I meant those
jonasw
will be up shortly
lovetox
thanks
jonasw
spoiler: 0.3.1 is only a typo fix ;)
jonasw
lovetox, will be available within the next five minutes
Ge0rG starts tea timer
lovetox
what funny attack can you do if you have newline chars in a header value?
lovetox
talking about httpupload
jonasw
lovetox, escape from the header, depending on the brokenness of implementations involved
lovetox
the authorization value is base64 encoded
lovetox
this means I execute .strip('\n') on that value
lovetox
not decode it and execute it on that
MattJ
Correct
lovetox
kk thanks
jonasw
lovetox, that’s not sufficient
MattJ
The client is not expected to understand what the headers are
jonasw
.replace("\n", "") is safer
jonasw
or if "\n" in header_value: raise RuntimeError("gtfo")
lovetox
thats indeed better
lovetox
I should just not upload to a service providing XEP-violating stuff
jonasw
probably
lovetox
oops, strip is only for beginning and end; indeed that would not be enough
jonasw
t
Ge0rG
Http upload is a small security nightmare.
Ge0rG
BTW, was there a change already restricting the legal header values?
Ge0rG
> Requesting entities MUST ensure that only the headers that are explicitly allowed by this XEP (Authorization, Cookie, Expires) are copied from the slot response to the HTTP request.
Ah, yes. But it's still not enforced at protocol level
rion
I've applied this restriction to Psi
Ge0rG
> MUST strip any newline characters
I wonder whether "newline characters" is too vague, as it's implementation defined
moparisthebest
has anyone tried (ab)using SOCKS5 Bytestreams https://xmpp.org/extensions/xep-0065.html to poke at internal network stuff?
moparisthebest
there aren't any security considerations about it
rion
Do you mean sending something w/o opening a filetransfer session or something?
rion
or traffic encryption
Zash
moparisthebest: but both parties connect to the server, the server doesn't initiate anything outbound
Zash
moparisthebest: you might be able to trick remote clients into such things tho
moparisthebest
like, the server has access to a 10.X.X.X private subnet external users do not have access to, can an external client do bad things
moparisthebest
yea that's another way to do it
Ge0rG
You'd have to trick the client to connect to a "proxy" you defined
Zash
I forget the details, but doesn't one party pick the proxies, the other responds with one it can connect to.