XSF Discussion - 2019-09-10

  1. Ge0rG has left

  2. marc_ has left

  3. aj has joined

  4. pdurbin has joined

  5. sonny has left

  6. neshtaxmpp has left

  7. neshtaxmpp has joined

  8. peter has joined

  9. stpeter has joined

  10. debacle has left

  11. pdurbin has left

  12. peter has left

  13. j.r has left

  14. j.r has joined

  15. zach has left

  16. zach has joined

  17. stpeter has left

  18. UsL has left

  19. UsL has joined

  20. lskdjf has left

  21. lskdjf has joined

  22. lskdjf has left

  23. lskdjf has joined

  24. lskdjf has left

  25. lskdjf has joined

  26. mukt2 has joined

  27. stpeter has joined

  28. peter has joined

  29. lskdjf has left

  30. lskdjf has joined

  31. mukt2 has left

  32. lskdjf has left

  33. lskdjf has joined

  34. lskdjf has left

  35. lskdjf has joined

  36. remko has joined

  37. lskdjf has left

  38. remko has left

  39. neshtaxmpp has left

  40. neshtaxmpp has joined

  41. zach has left

  42. zach has joined

  43. pdurbin has joined

  44. peter has left

  45. pdurbin has left

  46. zach has left

  47. zach has joined

  48. stpeter has left

  49. adiaholic has joined

  50. adiaholic has left

  51. adiaholic has joined

  52. adiaholic has left

  53. Yagiza has joined

  54. pdurbin has joined

  55. UsL has left

  56. adiaholic has joined

  57. UsL has joined

  58. adiaholic has left

  59. adiaholic has joined

  60. adiaholic has left

  61. adiaholic has joined

  62. adiaholic has left

  63. mukt2 has joined

  64. adiaholic has joined

  65. andy has joined

  66. zach has left

  67. neshtaxmpp has left

  68. zach has joined

  69. jrmu has joined

  70. mukt2 has left

  71. adiaholic has left

  72. remko has joined

  73. mukt2 has joined

  74. adiaholic has joined

  75. Nekit has joined

  76. murabito has left

  77. murabito has joined

  78. zach has left

  79. zach has joined

  80. mukt2 has left

  81. rion has left

  82. rion has joined

  83. remko has left

  84. adiaholic has left

  85. jabberjocke has left

  86. jabberjocke has joined

  87. adiaholic has joined

  88. zach has left

  89. zach has joined

  90. mukt2 has joined

  91. lumi has joined

  92. adiaholic has left

  93. adiaholic has joined

  94. mimi89999 has left

  95. neshtaxmpp has joined

  96. karoshi has joined

  97. mimi89999 has joined

  98. mukt2 has left

  99. mukt2 has joined

  100. rion has left

  101. rion has joined

  102. jabberjocke has left

  103. mukt2 has left

  104. moparisthebest has left

  105. mukt2 has joined

  106. moparisthebest has joined

  107. goffi has joined

  108. zach has left

  109. zach has joined

  110. Steve Kille has left

  111. U+061C has joined

  112. marc_ has joined

  113. adiaholic has left

  114. Ge0rG has joined

  115. jonas’

    pep., ask a vegetarian

  116. zach has left

  117. zach has joined

  118. Steve Kille has joined

  119. jabberjocke has joined

  120. flow

    ralphm, if I am not mistaken, the current rules of rfc7622 disallow unassigned to in resourceparts, domainparts and probably also localparts

  121. flow

    i'd say the spec is sound and as sensible as possible, it is the implementations that do not follow the rules and so, once in a while, an invalid jid slips through. That's the main motivation for creating the jid/xmpp strings testframework and the valid/invalid jid corpus

  122. jonas’

    flow, except that RFC 7622 does not pin the unicode version

  123. jonas’

    so one entity running on Unicode 10 could consider something as legitimate which an entity on Unicode 9 would not

  124. mukt2 has left

  125. mukt2 has joined

  126. flow

    jonas’, right, but as I said earlier, I would consider this to be very rare. But I could be wrong. And I don't think there is a better solution, happy to be proven wrong though

  127. zach has left

  128. zach has joined

  129. flow

    That is, I think the tradeoff of not pinning the unicode version is justified

  130. flow

    At least the troubles we had so far are not caused by not pinning the unicode version, as far as i can tell

  131. adiaholic has joined

  132. Ge0rG

    No, but they have the same symptoms

  133. marc_ has left

  134. ralphm

    Isn't my example a sign of why this is a problem? Emoji are all Symbols (So), I believe, and as such valid in parts of JIDs. Differing Unicode versions have different ideas on newer codepoints, so also on validity of JIDs?

  135. Mikaela has joined

  136. Ge0rG

    If we don't want to break the experience for everybody when somebody employs new unicode, we need to accept unassigned as valid from remote entities

  137. ralphm

    The problem with that, though, is unassigneds that become prohibited.

  138. remko has joined

  139. ralphm

    Like U+061C.

  140. ralphm

    Since the foremost expert on this is Peter, I suggest someone write an email about this to standards@. He's busy, but it's more likely he can respond there.

  141. Ge0rG

    I'm not sure he'll be able to solve that problem either ;)

  142. ralphm

    No, but he can at least confirm we have this problem and/or know about strategies.

  143. wurstsalat has joined

  144. adiaholic has left

  145. jonas’

    07:07:12 Ge0rG> If we don't want to break the experience for everybody when somebody employs new unicode, we need to accept unassigned as valid from remote entities

  146. jonas’

    that’s only a partial solution

  147. jonas’

    codepoints may change categories and stuff between unicode versions

  148. jonas’

    and an unassigned codepoint in one version may well be a RTL-codepoint in another version

  149. jonas’

    so by accepting unassigned input, you may accept something which someone else will consider invalid.

  150. jonas’

    unicode is a mess.

  151. jonas’

    ah, ralphm said that alread

  152. jonas’

    ah, ralphm said that already

  153. zach has left

  154. zach has joined

  155. U+061C has left

  156. adiaholic has joined

  157. mukt2 has left

  158. mukt2 has joined

  159. jubalh has joined

  160. zach has left

  161. zach has joined

  162. aj has left

  163. mukt2 has left

  164. Dele (Mobile) has joined

  165. mukt2 has joined

  166. marc_ has joined

  167. flow

    well, since the problem is mostly in resourceparts, localparts and domainparts forbid emojis, we should probably establish a pattern that resourceparts are not user-configurable nor user-visible. Shame on you xep45! I wonder what the state in MIX is

  168. flow

    And we should probably add a note to xep45 that the use of certain unicode categories is discouraged

  169. flow

    But I don't want to be the person to discourage emojis in muc usernames…

  170. jonas’

    flow, passwords and such are also affected.

  171. flow

    jonas’, how's that?

  172. Ge0rG

    localparts can be Emoji as well.

  173. jonas’

    flow, passwords are also passed through stringprep/precis

  174. flow

    Ge0rG, localparts are UsernmaeCaseMapped profile of the IdentifierClass, and that class forbids symbols under which emojis fall, no?

  175. flow

    Maybe not all emojis, haven't check them all

  176. ralphm

    In MIX, nicks are an attribute of a participant, not part of their identity. However, it also says you have to follow https://tools.ietf.org/html/rfc7700

  177. ralphm

    Which in turn depends on Precis FreeformClass, and thus has the same issues as resources.

  178. lumi has left

  179. flow

    guess users just want emojis in their nickname

  180. marc_ has left

  181. marc_ has joined

  182. flow

    maybe there is a reserved for future emojis unicode range?

  183. jonas’

    there’s still the problem that you can’t do proper normalisation if you don’t know the codepoints

  184. flow

    well if the reserved range also states the properties of the eventually assigned codepoints?

  185. jonas’

    that won’t work

  186. jonas’

    then they could just be assigned

  187. zach has left

  188. zach has joined

  189. jonas’

    stuff like how they combine with fitzpatrick modifiers

  190. flow

    No because you don't now yet what they are assigned to

  191. flow

    but if this codepoint is assigned to, then it has the following properties

  192. mukt2 has left

  193. flow

    btw, there is an excellent post about this topic at https://hsivonen.fi/string-length/

  194. Ge0rG

    flow: I have a user ♥@ツ.op-co.de

  195. flow

    Ge0rG, I am not suprised that you do, if that's the question

  196. ralphm

    flow: no, when we think of as emoji is all over the place in several Unicode blocks.

  197. flow

    ralphm, I suspected that to be the case

  198. Ge0rG

    flow: I'm not aware of it being illegag.

  199. Ge0rG

    flow: I'm not aware of it being illegal.

  200. ralphm


  201. UsL has left

  202. UsL has joined

  203. flow

    Anyhow, yes the situation is not perfect, and I am happy if we could improve it. I just don't know how, and I can probably live with the status quo

  204. ralphm

    I like the one on chess symbols: https://www.unicode.org/charts/PDF/Unicode-12.0/U120-1FA00.pdf

  205. ralphm

    Actually https://tools.ietf.org/html/rfc7564#section-12.3 spells out the issue quite clearly: “Strings that conform to the FreeformClass and many profiles thereof can include virtually any Unicode character. This makes the FreeformClass quite expressive, but also problematic from the perspective of possible user confusion. Protocol designers are hereby warned that the FreeformClass contains code points they might not understand, and are encouraged to profile the IdentifierClass wherever feasible; however, if an application protocol requires more code points than are allowed by the IdentifierClass, protocol designers are encouraged to define a profile of the FreeformClass that restricts the allowable code points as tightly as possible.”

  206. ralphm

    (there's a similar remark in the interop section 13.

  207. ralphm


  208. jonas’


  209. flow

    sad that the emoji which could express my feelings right now is only coming in unicode 13: Smiling Face With Tear

  210. flow

    But is the situation really that bad? Implementation could get the latest unicode standard over some sort of data network once in a while. You don't even have to update the involved libraries etc.

  211. XSF has left

  212. jonas’

    flow, is that true?

  213. jonas’

    I think that highly depends on the libraries

  214. jonas’

    I’m not sure how to update python unicodedata for example without updating python

  215. ralphm

    There are libraries that still do just resourceprep instead of Precis, simply because RFC 6122 is directly linked from RFC 6120, even though it is obsoleted by RFC 7622.

  216. ralphm

    One example is Twisted, which I am author of.

  217. aj has joined

  218. ralphm

    One could argue that with resourceprep being more restrictive, just having that is at least a bit clearer as an interop goal.

  219. ralphm

    To be honest, I don't know what the best course of action is in this regard.

  220. jonas’

    stay with unicode 3.2 forever

  221. Ge0rG

    ralphm: be liberal in what you accept and strict in what you emit

  222. mukt2 has joined

  223. Zash

    s/emit/allow users to send/

  224. jonas’

    would a MUC service be strict or liberal, regarding nicknames for example? :)

  225. ralphm

    Ge0rG: my argument here is that this means that something like U+-061C causes problems.

  226. adiaholic has left

  227. Ge0rG

    Zash: yes, I implied that

  228. ralphm

    It was unassigned before (so not valid), then assigned (but still invalid).

  229. zach has left

  230. zach has joined

  231. ralphm

    But 🥓 was unassigned before (so not valid), and now assigned (but valid)

  232. Ge0rG

    ralphm: yes, but if the MUC service accepts it, other servers or clients receiving it from the MUC shouldn't freak out

  233. Ge0rG

    i.e. a MUC service can strictly police the nickname, but not the resourcepart of the users' real JID.

  234. jonas’

    ralphm, it’s not invalid, it’s only invalid if used with LTR characters :)

  235. ralphm

    A MUC service is not something magical. It is just another server that connects to other servers over s2s and uses JIDs in addressing of stanzas.

  236. ralphm

    jonas’: it is invalid as it is a control character.

  237. Ge0rG

    ralphm: a regular server should police the resourcepart of local users, but not of remote users.

  238. ralphm

    jonas’: (for FreeformClass)

  239. pdurbin has left

  240. jonas’

    ralphm, ah, fun

  241. remko has left

  242. remko has joined

  243. adiaholic has joined

  244. ralphm

    Ge0rG: well, that might be sensible approach, indeed. I'm not sure how well that works with mapping on new code points, and what kind of normalization issues arrise from that, but ok.

  245. ralphm

    In any case it deserves some wider attention. Maybe even to the XMPPWG mailing list.

  246. Ge0rG

    ralphm: framed differently: you shouldn't police any JIDs that you don't have the authority over, except when they are illegal in a breaking way, i.e. contain " or '

  247. ralphm

    does that include localpart?

  248. Ge0rG

    ralphm: what?

  249. ralphm

    Ge0rG: should a server do precis processing on localparts of a remote JID?

  250. aj has left

  251. ralphm

    Ge0rG: also, for resourcepart, should it a) use incoming JIDs as is (no processing), b) allow unassigneds, but still do Precis, c) something else.

  252. Ge0rG

    ralphm: I'm not sure yet where the point of no return between a and b is, for either localpart or resourcepart

  253. Ge0rG

    If you do a, that probably opens up some very interesting ways to break your clients

  254. jonas’

    I think it boils down to: treat JIDs as opaque if you don’t have authority over them

  255. ralphm

    Yep, things like IV and Ⅳ.

  256. jonas’

    don’t do normalisation on them, or any processing at all, just treat them as opaque sequences of codepoints

  257. ralphm

    (I followed by V, vs. ROMAN NUMBER 4)

  258. Ge0rG

    ralphm: I don't think _that_ would break things

  259. jonas’

    it is the domain authorities responsibility to ensure that stuff is valid and comparable when it is emitted from there

  260. flow

    jonas’, I think so. You sure could bulid an python library that does so

  261. ralphm

    but you can then have different people with arguably the same nick

  262. Ge0rG

    ralphm: this is something the MUC has authority over.

  263. mimi89999 has left

  264. Ge0rG

    ralphm: if you try to enforce that on your user's server, your user will get kicked

  265. mimi89999 has joined

  266. ralphm


  267. flow

    > jonas’> ralphm, it’s not invalid, it’s only invalid if used with LTR characters :) I think it is invalid regardless the context with rfc7622

  268. ralphm

    But I definitely don't want to be so lenient for localpart

  269. jonas’

    ralphm, why?

  270. Ge0rG

    ralphm: just tear down s2s and blacklist the remote server as incompliant.

  271. ralphm

    flow: it is invalid in resourceprep because unassigned in 3.2, and invalid in Precis FreeformClass because it is an a prohibited class

  272. Ge0rG

    Conveniently, it also prevents you from contacting the server admin

  273. debacle has joined

  274. ralphm

    jonas’: because (bare) JIDs are identity

  275. jonas’

    ralphm, from whose perspective are you currently arguing?

  276. ralphm

    jonas’: I don't want to accept incoming stanzas that fail precis processing on localpart

  277. jonas’

    as a client? as a MUC service? as a server? as anyone?

  278. ralphm

    all, I guess

  279. jonas’

    I see

  280. flow

    > jonas’> don’t do normalisation on them, or any processing at all, just treat them as opaque sequences of codepoints That would probably open up another box of issues

  281. Nekit has left

  282. Nekit has joined

  283. mukt2 has left

  284. mukt2 has joined

  285. COM8 has joined

  286. adiaholic has left

  287. adiaholic has joined

  288. flow

    Since Unicode does us so much good, I'l like to suggest that the XSF adopts a character (for as little as 100$, but maybe we could got for silver) before matrix does it: https://www.unicode.org/consortium/adopted-characters.html

  289. zach has left

  290. zach has joined

  291. sonny has joined

  292. COM8 has left

  293. jonas’


  294. jonas’

    flow, send this to board

  295. flow

    on my way

  296. jonas’

    and find a good character thing to sponsor

  297. flow

    U+1F5E9 probably

  298. flow

    but I am open for suggestions

  299. Ge0rG

    I propose U+1F926

  300. Ge0rG

    💡 U+1F4A1 would be too obvious, right?

  301. jonas’


  302. Seve

    Would be nice to havethe logo as a character :D

  303. Seve

    Ge0rG, nope :(

  304. Seve

    flow's suggestion makes more sense ;)

  305. Ge0rG

    Seve: that can only mean you are too young.

  306. jonas’

    Seve, https://www.jabber.org/

  307. Seve

    Nah, but I want to go forward!

  308. jonas’


  309. Seve

    Gaze at our bright future, my friends!

  310. debacle has left

  311. Ge0rG


  312. jonas’

    same here

  313. jonas’

    we’re the future!

  314. jonas’

    (a.k.a. WTF)

  315. Ge0rG

    Looks rather like a SEMI OPAQUE RECTANGLE

  316. ralphm

    flow: Discourse already has Gold on U+1F4AC, so yeah.

  317. COM8 has joined

  318. ralphm

    To be honest, funny as it is, I don't think we should spend any money on this.

  319. COM8 has left

  320. COM8 has joined

  321. COM8 has left

  322. COM8 has joined

  323. COM8 has left

  324. Nameless RTL person has left

  325. zach has left

  326. zach has joined

  327. remko has left

  328. pep.

    What's the conclusion of all this btw?

  329. pep.

    (Not the Unicode sponsoring bits)

  330. jonas’

    pep., everything is terrible

  331. jonas’

    I think the most sensible statement is around 08:38:12 ralphm> In any case it deserves some wider attention. Maybe even to the XMPPWG mailing list.

  332. pep.

    Can somebody(tm) put that to the agenda if they think it's appropriate?

  333. andy has left

  334. pep.

    So that we don't get stuck here and realize we still have the same issues in 4 years

  335. andy has joined

  336. Zash

    Gotta have this discussion every 4 years

  337. COM8 has joined

  338. COM8 has left

  339. COM8 has joined

  340. COM8 has left

  341. COM8 has joined

  342. zach has left

  343. zach has joined

  344. COM8 has left

  345. flow

    hmm, I wonder if there is a backstory behind the pile of poo gold sponsor: https://www.unicode.org/consortium/adopted-characters.html

  346. Guus

    I'd like to think that friends of Jason raised the money and did this behind his back.

  347. COM8 has joined

  348. COM8 has left

  349. COM8 has joined

  350. COM8 has left

  351. COM8 has joined

  352. larma has left

  353. Ge0rG

    Maybe that name is a kind of pseudonym with a secondary meaning?

  354. waqas has left

  355. COM8 has left

  356. COM8 has joined

  357. COM8 has left

  358. marc_ has left

  359. Guus

    Random quote found through google: "that's a shitty way to spend 5000 USD"

  360. COM8 has joined

  361. COM8 has left

  362. Ge0rG

    I suppose there are enough rich brogrammers in the valley

  363. COM8 has joined

  364. debacle has joined

  365. kokonoe has joined

  366. COM8 has left

  367. larma has joined

  368. remko has joined

  369. debacle has left

  370. Douglas Terabyte has left

  371. kokonoe has left

  372. Douglas Terabyte has joined

  373. Nameless RTL person has joined

  374. kokonoe has joined

  375. pdurbin has joined

  376. Douglas Terabyte has left

  377. Douglas Terabyte has joined

  378. pdurbin has left

  379. remko has left

  380. nyco has joined

  381. andrey.g has left

  382. sonny has left

  383. murabito has left

  384. murabito has joined

  385. zach has left

  386. zach has joined

  387. andrey.g has joined

  388. debacle has joined

  389. marc_ has joined

  390. zach has left

  391. zach has joined

  392. marc_ has left

  393. jcbrand has joined

  394. stpeter has joined

  395. peter has joined

  396. sonny has joined

  397. zach has left

  398. zach has joined

  399. lumi has joined

  400. mukt2 has left

  401. mukt2 has joined

  402. Maranda has left

  403. Maranda has joined

  404. zach has left

  405. zach has joined

  406. marc_ has joined

  407. nyco has left

  408. adiaholic has left

  409. adiaholic has joined

  410. marc_ has left

  411. zach has left

  412. zach has joined

  413. larma has left

  414. COM8 has joined

  415. COM8 has left

  416. COM8 has joined

  417. COM8 has left

  418. larma has joined

  419. lskdjf has joined

  420. kokonoe has left

  421. remko has joined

  422. COM8 has joined

  423. COM8 has left

  424. COM8 has joined

  425. zach has left

  426. zach has joined

  427. COM8 has left

  428. adiaholic has left

  429. adiaholic has joined

  430. pdurbin has joined

  431. LNJ has joined

  432. jabberjocke has left

  433. pdurbin has left

  434. jabberjocke has joined

  435. zach has left

  436. zach has joined

  437. peter has left

  438. dele has joined

  439. dele has left

  440. jabberjocke has left

  441. dele has joined

  442. dele has left

  443. zach has left

  444. zach has joined

  445. stpeter has left

  446. Daniel has left

  447. Daniel has joined

  448. eevvoor has joined

  449. Daniel has left

  450. Daniel has joined

  451. Zash has left

  452. Zash has joined

  453. stpeter has joined

  454. COM8 has joined

  455. COM8 has left

  456. zach has left

  457. zach has joined

  458. adiaholic has left

  459. edhelas has left

  460. lumi has left

  461. marc_ has joined

  462. edhelas has joined

  463. stpeter has left

  464. jabberjocke has joined

  465. zach has left

  466. zach has joined

  467. aj has joined

  468. COM8 has joined

  469. COM8 has left

  470. COM8 has joined

  471. COM8 has left

  472. COM8 has joined

  473. COM8 has left

  474. COM8 has joined

  475. COM8 has left

  476. COM8 has joined

  477. zach has left

  478. zach has joined

  479. COM8 has left

  480. stpeter has joined

  481. COM8 has joined

  482. COM8 has left

  483. Zash has left

  484. Zash has joined

  485. stpeter has left

  486. j.r has left

  487. alameyo has left

  488. alameyo has joined

  489. zach has left

  490. zach has joined

  491. stpeter has joined

  492. peter has joined

  493. pdurbin has joined

  494. Chobbes has joined

  495. adiaholic has joined

  496. balu_der_baer has joined

  497. zach has left

  498. zach has joined

  499. adiaholic has left

  500. adiaholic has joined

  501. ralphm

    For those involved in the Unicode discussion: I wrote to the XMPPWG mailinglist: https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI

  502. pep.


  503. j.r has joined

  504. jonas’

    <3 thanks

  505. jonas’

    where do I subscribe?

  506. ralphm


  507. Zash

    thanks ralphm!

  508. ralphm

    and beware IETF Note Well https://www.ietf.org/about/note-well/

  509. pep.

    "there are implementations and deployments performing the obsoleted stringprep." you mean all (at least public) implementations? :P

  510. Kev

    I raised this sooooo long ago (back when we were discussing using precis for JIDs in the first place).

  511. Chobbes has left

  512. Kev

    The opinion then, as I remember it, was mostly to not worry about it and assume it won't cause practical interop problems that people might be talking different versions of unicode.

  513. jonas’

    given that we had a fun unicode version interop problem the other day, I think we can safely bury that assumption

  514. Kev

    That's ok, I didn't believe it at the time :)

  515. jonas’

    good :)

  516. ralphm


  517. Ge0rG

    🤖 will disagree on that

  518. jonas’

    that is also PRECISely my problem with it.

  519. jonas’

    someone had to say this, and now it’s out of the way, you can all thank me.

  520. jonas’


  521. pdurbin has left

  522. ralphm


  523. ralphm

    Kev: I guess that was all before we got gazillions of emoji that are valid in resources.

  524. balu_der_baer has left

  525. balu_der_baer has joined

  526. rion has left

  527. Ge0rG

    Yeah, somebody hijacked the Unicode consortium to do things actually relevant to the bigger populace

  528. Zash


  529. balu_der_baer has left

  530. COM8 has joined

  531. zach has left

  532. zach has joined

  533. Wojtek has joined

  534. Wojtek has left

  535. balu_der_baer has joined

  536. COM8 has left

  537. mukt2 has left

  538. COM8 has joined

  539. COM8 has left

  540. mukt2 has joined

  541. COM8 has joined

  542. j.r has left

  543. COM8 has left

  544. COM8 has joined

  545. jonas’

    where was this repository where Daniel explains how the push service for Conversations works and which data is passed to google exactly?

  546. zach has left

  547. zach has joined

  548. jonas’

    ah, found it

  549. jonas’


  550. lumi has joined

  551. COM8 has left

  552. winfried has left

  553. winfried has joined

  554. j.r has joined

  555. COM8 has joined

  556. COM8 has left

  557. COM8 has joined

  558. jabberjocke has left

  559. jabberjocke has joined

  560. zach has left

  561. zach has joined

  562. mukt2 has left

  563. COM8 has left

  564. mukt2 has joined

  565. jabberjocke has left

  566. mukt2 has left

  567. adiaholic has left

  568. zach has left

  569. zach has joined

  570. adiaholic has joined

  571. winfried has left

  572. winfried has joined

  573. mukt2 has joined

  574. mukt2 has left

  575. winfried has left

  576. winfried has joined

  577. zach has left

  578. zach has joined

  579. mukt2 has joined

  580. Steve Kille has left

  581. Steve Kille has joined

  582. pdurbin has joined

  583. rion has joined

  584. jabberjocke has joined

  585. adiaholic has left

  586. winfried has left

  587. winfried has joined

  588. pdurbin has left

  589. debacle has left

  590. marc_ has left

  591. zach has left

  592. zach has joined

  593. mukt2 has left

  594. mukt2 has joined

  595. Zash

    Cool story bro

  596. eevvoor has left

  597. mukt2 has left

  598. alameyo has left

  599. alameyo has joined

  600. winfried has left

  601. winfried has joined

  602. winfried has left

  603. winfried has joined

  604. mukt2 has joined

  605. alameyo has left

  606. adiaholic has joined

  607. aj has left

  608. alameyo has joined

  609. zach has left

  610. zach has joined

  611. marc_ has joined

  612. zach has left

  613. zach has joined

  614. alameyo has left

  615. alameyo has joined

  616. waqas has joined

  617. alameyo has left

  618. waqas has left

  619. zach has left

  620. zach has joined

  621. waqas has joined

  622. waqas has left

  623. waqas has joined

  624. mr.fister has joined

  625. stpeter has left

  626. peter has left

  627. stpeter has joined

  628. peter has joined

  629. waqas has left

  630. alameyo has joined

  631. zach has left

  632. zach has joined

  633. lovetox has joined

  634. zach has left

  635. zach has joined

  636. pep.

    > 𒈜 What was that

  637. Zash


  638. pdurbin has joined

  639. Guus

    Hmm, I'm missing the message to which Zash responded "cool story bro"

  640. Guus


  641. Zash

    Odd, it's in Dino but not poezio

  642. Guus

    I saw it in Converse, not Conversations.

  643. Guus

    More unicode magic?

  644. pep.

    indeed I don't see it.

  645. Ge0rG

    Something something message dedup?

  646. Guus

    It's only in Converse that I noticed the "I am groot" message.

  647. peter has left

  648. Guus

    I already wondered why Zash was reacting with that on the message that I saw before it.

  649. Ge0rG

    Guus: me too

  650. Ge0rG

    Now I want to see the xml

  651. Guus

    Unsure if it's in MAM

  652. Zash

    It's not in the MUC MAM

  653. mukt2 has left

  654. Zash

    Ok, what trickery is this

  655. Ge0rG

    Can anybody post the XML?

  656. jonas’

    and I was wondering why Zash thought my finding of the p2 repository was a cool stoyr

  657. Zash

    Can't post the XML. Can't even find the corresponding line in my logs.

  658. zach has left

  659. pdurbin has left

  660. zach has joined

  661. Daniel

    it's not in my dino

  662. moparisthebest

    it showed up in my dino

  663. Ge0rG

    It's a carbon.

  664. Daniel

    a carbon in a muc?

  665. neshtaxmpp has left

  666. moparisthebest


  667. Ge0rG

    <message to="georg@yax.im/poezio" id="718d40df-3948-4798-a99b-35cc9f03cc4f-641" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer"> <received xmlns="urn:xmpp:carbons:2"> <forwarded xmlns="urn:xmpp:forward:0"> <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/i_am_groot"> <body>I am groot.</body> </message> </forwarded> </received> </message>

  668. Daniel

    so any client that shows it potentially has f'uped carbon parsing?

  669. Zash


  670. moparisthebest

    yep missing from my Conversations though, neat

  671. moparisthebest

    I love that mysterious bug finder

  672. winfried has left

  673. winfried has joined

  674. Daniel

    Ge0rG, do you just dump all the xml?

  675. winfried has left

  676. winfried has joined

  677. Ge0rG

    Daniel: that's from poezio debug log file

  678. Ge0rG

    Everything old is new again. https://www.cvedetails.com/cve/CVE-2017-5589/

  679. Daniel

    sadly i think dino even existed back then

  680. Guus

    It's interesting to ponder on how this can be utilized to have covert discussions en plein public

  681. Ge0rG

    moparisthebest: Guus: can you open bug reports?

  682. moparisthebest

    Daniel, but you said it *didn't* display in your dino? but it did in mine... what version do you have?

  683. winfried has left

  684. winfried has joined

  685. Zash

    Guus, MUC PMs seems simpler

  686. Daniel


  687. Daniel

    but maybe it wasn’t stored in muc history

  688. Guus

    Zash: where's the fun in that though

  689. Daniel

    so don’t count on that

  690. moparisthebest

    AH that makes more sense

  691. Guus

    Ge0rG: wilco

  692. moparisthebest

    mine is built from git HEAD too, but trying to figure out exactly when...

  693. winfried has left

  694. Ge0rG

    Also I need to talk to our content manager because the advisory url is 404

  695. winfried has joined

  696. Zash

    Mine is whatever Debian package from OBS, and I saw it.

  697. Guus

    jcbrand: ^^

  698. Daniel

    converse showed it as well?

  699. Ge0rG

    Funny how the month changed... https://rt-solutions.de/en/2017/01/cve-2017-5589_xmpp_carbons/

  700. Daniel


  701. Ge0rG

    Converse was affected back then.

  702. stpeter has left

  703. Ge0rG

    balu_der_baer: are you a pentester or is your client broken?

  704. Daniel

    that does not look like a broken client

  705. Daniel

    (on the sending end)

  706. winfried has left

  707. winfried has joined

  708. Ge0rG

    Daniel: something like delayed delivery gone very much wrong?

  709. Daniel

    how? why?

  710. Ge0rG

    Next up: unrequested MAM impersonation

  711. moparisthebest

    the `i_am_groot` seems like a dead giveaway for deliberate test

  712. moparisthebest

    otherwise that'd be an insanely odd client bug

  713. winfried has left

  714. winfried has joined

  715. Daniel

    there is so much long hanging fruit to pick in the xmpp world

  716. Ge0rG

    It's good that somebody does the testing. And this place is actually well suited

  717. Zash

    So what's next, shall we try the MEGALOL-attack?

  718. Guus

    It would have been nice to share findings though.

  719. Guus

    I found out by accident.

  720. moparisthebest

    isn't that what that was? :D

  721. Daniel

    i mean i was wondering why Zash found the p2 story so interesting…

  722. pep.

    Daniel, same :D

  723. Ge0rG


  724. Nekit has left

  725. Ge0rG

    "complain loudly if you can read this"

  726. pep.


  727. moparisthebest

    so you can probably impersonate actual people that are in the MUC right?

  728. Ge0rG

    moparisthebest: yes

  729. Nekit has joined

  730. Daniel

    depending on how fucked it is not just muc

  731. Ge0rG

    moparisthebest: most probably you can impersonate anyone, even outside of the MUC

  732. Ge0rG

    moparisthebest: read the CVE

  733. moparisthebest

    right, sweet

  734. remko has left

  735. moparisthebest

    yea I just meant the XML groot just sent was MUC only, and implied you could impersonate anyone

  736. moparisthebest

    I'd seen the old general carbons CVE before though

  737. Ge0rG

    It's not really new

  738. zach has left

  739. zach has joined

  740. Ge0rG

    We should have a test suite for clients.

  741. Daniel

    i wouldn’t be shocked if dino was vulnerable to CVE-2015-8688

  742. Douglas Terabyte has left

  743. Ge0rG


  744. Douglas Terabyte has joined

  745. lovetox

    so is this covered by this line in the XEP

  746. Daniel

    someone should try; probably...

  747. lovetox

    Any forwarded copies received by a Carbons-enabled client MUST be from that user's bare JID

  748. lovetox


  749. Daniel

    lovetox, yes

  750. lovetox

    someone cant fake a message from a bare muc jid

  751. Guus

    Uff, this was hard on mobile. https://github.com/conversejs/converse.js/issues/1704

  752. Guus

    Please augment if needed

  753. Daniel

    lovetox, it not bare jid. just the users bare jid is allowed

  754. Daniel

    there shouldn’t be carbons in mucs

  755. lovetox

    yeah but the server is responsible that there are none

  756. lovetox

    at least that says the xep

  757. Daniel


  758. Daniel

    your carbons parsing code needs to be wrapped in a if from == null || from == my_account_jid

  759. lovetox

    ah i get it

  760. lovetox

    yes must be from my account bare jid

  761. lovetox

    not a "user"

  762. Daniel

    which excludes the shit balu send

  763. lovetox


  764. adiaholic has left

  765. adiaholic has joined

  766. lovetox

    # Carbon must be from our bare jid if not stanza.getFrom() == own_jid.getBare(): raise InvalidFrom('Invalid from: %s' % stanza.getAttr('from'))

  767. lovetox

    was scared i fucked up :) but seems i did this right

  768. pep.

    That's not a new bug, gajim would have probably been tested at that time :)

  769. Ge0rG

    I've added a section to the test cases

  770. pep.


  771. Ge0rG

    Still looking for somebody who can implement them

  772. Ge0rG

    Would probably have to be a component for the MUC parts

  773. Ge0rG

    OTOH, a bot could fake being a MUC, right?

  774. lovetox

    yes pep. but as of course i think i can do everything better i reimplement much code, also carbon parsing

  775. Zash

    This carbons thing could be done by a bot

  776. pep.


  777. pep.

    lovetox, tests!

  778. Ge0rG

    It was a huge strain to my eyes, my fingers and my patience to add those three lines to the wiki from my android phone.

  779. lovetox

    though its much harder wth MAM

  780. lovetox

    i only accept mam messages with query-id s that im actually waiting for

  781. Daniel

    well you do…

  782. Daniel

    and yes can confirm that dino is vuln to https://gultsch.de/gajim_roster_push_and_message_interception.html

  783. Daniel

    why does this shit keep happening

  784. Daniel


  785. Zash


  786. pep.


  787. Daniel

    so question is do i fix it now?

  788. Nekit has left

  789. Ge0rG

    Daniel: can you do a roster push through a MUC?

  790. zach has left

  791. zach has joined

  792. Daniel

    Ge0rG: looking at the code I'm relatively certain you could

  793. Ge0rG


  794. pep.

    let's try?

  795. Daniel

    Haven't tested that one tho

  796. Daniel

    You have to get lucky to get your iq routed I guess. Lol

  797. adiaholic has left

  798. adiaholic has joined

  799. Ge0rG

    Daniel: only with MSN

  800. moparisthebest

    is there a generic bot/component someplace that can just try all of these things against a JID

  801. pep.

    Which is probably the default in this MUC

  802. pep.

    So not a correct target

  803. moparisthebest

    so it can be used across projects

  804. Ge0rG

    moparisthebest: write one please! https://wiki.xmpp.org/web/Client_Test_Cases#Staying_inside

  805. moparisthebest

    it would probably be hard to write it with most existing libraries, they tend to try to insist on you sending proper things

  806. Daniel

    Glad the Spammer haven't found out how to but themselves right into your roster

  807. Daniel

    The cool thing about that CVE is due to roster version it also won't go away

  808. moparisthebest

    I'd gladly accept spam from such a smart spammer though

  809. Daniel

    So my Dino will be stuck with that test jid I injected

  810. moparisthebest

    might even buy what he's selling

  811. Yagiza has left

  812. Ge0rG

    moparisthebest: it would get propagated into the spam sending tools and used by dozens spammers within some weeks

  813. Daniel

    So who is going to collect the CVE for mam injection in multiple clients?

  814. adiaholic has left

  815. lumi has left

  816. Ge0rG

    Daniel: let's wait half a year until there is a significant deployed base

  817. Daniel


  818. Douglas Terabyte has left

  819. Douglas Terabyte has joined

  820. Ge0rG

    Other than that, I'll gladly volunteer. I need some more CVEs on my CV

  821. jcbrand has left

  822. Zash

    CVEs go on your CV?

  823. Ge0rG

    Zash: yes

  824. lovetox

    thats why they start with CV..

  825. Zash


  826. Ge0rG

    Curriculum Vitae Extension.

  827. Ge0rG

    Do we have an up to date entity caps database?

  828. lumi has joined

  829. lovetox has left

  830. balu_der_baer

    Can you see me?

  831. pep.

    Only the hash? Or all features? If it's just hashes, movim probably has a few up to some point in the past(?) https://nl.movim.eu/?about#caps_widget_tab, otherwise I'm sure you can gather some by running code on prosody

  832. pep.

    balu_der_baer, yes

  833. zach has left

  834. zach has joined

  835. Zash

    A wild haxxor appears

  836. Ge0rG

    balu_der_baer: no

  837. Ge0rG

    pep.: all the features. Looking for clients with MAM

  838. Daniel

    Mam doesn't show up in Caps

  839. Daniel

    Shouldn't show up. Lpl

  840. Ge0rG

    Then I'll hack something into mod_mam

  841. Daniel

    Shouldn't show up. 😂

  842. Zash

    Nothing says you can't do client-to-client MAM ;)

  843. Ge0rG

    Zash: MAM Push!

  844. Zash

    Idea from long ago: Make a bot that connects to your account and enables carbons, then lets you query it.

  845. pep.

    Zash: that's actually been mentioned a few times..

  846. Ge0rG

    Like posting some Carbons when upgrading from 1:1 to a private MUC!

  847. pep.

    (c2c MAM)

  848. Daniel

    There used to be an ad hoc command that did something like that

  849. Zash

    pep.: nothing new under the sun.

  850. Daniel

    Only for unread I believe

  851. Zash

    Yeah, that too

  852. Daniel

    from reading the code it looks like dino has disabled code that would have checked for the origin of a mam message

  853. j.r has left

  854. j.r has joined

  855. Link Mauve has left

  856. Link Mauve has joined

  857. Daniel

    and yes it is in fact vulnerable

  858. Daniel

    (just wanted to beat Ge0rG to it)

  859. Guus

    Daniel: a worthy goal.

  860. zach has left

  861. zach has joined

  862. U+061C has joined

  863. pep.

    I don't want to swear that slix isn't.

  864. pep.

    (or poezio)

  865. eevvoor has joined

  866. mathieui

    vulnerable to what?

  867. Daniel

    to the MAM thing? no i bet it will be more than just dino

  868. mathieui

    we don’t check the origin, but you have to guess the (fully-random) mam ID

  869. mathieui

    (slix matchers make checking for multiple things a bit tricky, so to fix that we would have to write an "xml mask")

  870. Ge0rG

    Daniel: keep us updated on your advisory

  871. moparisthebest

    so this time balu_der_baer 's "Can you see me?" showed up in Conversations but not dino, fun stuff

  872. Daniel

    was that anything critical?

  873. moparisthebest

    Ge0rG, got raw XML for that one?

  874. pep.

    04:48:04 IN <message xml:lang="en" from="xsf@muc.xmpp.org/Daniel" type="groupchat" to="pep@bouah.net/poezio-C7iY" id="e682bdd7-d98c-4cfd-9c59-fb9e5f9a6d8a"><origin-id xmlns="urn:xmpp:sid:0" id="e682bdd7-d98c-4cfd-9c59-fb9e5f9a6d8a" /><replace xmlns="urn:xmpp:message-correct:0" id="00dc00d3-ae5f-4572-b6c3-4b9e95445e5b" /><body>Shouldn&apos;t show up. 😂 </body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-10-f3fa92f3f7cb7366" /></message>

  875. pep.


  876. U+061C

    it's not my fault this time!

  877. Ge0rG

    Daniel: no, just interested. I'd be glad to co-author as well

  878. pep.

    noo, poezio has only 2k lines in the xml_tab.. gonna grep logs now

  879. moparisthebest

    didn't see that one in either place pep.

  880. pep.

    moparisthebest, neither did I, just looking at xml logs

  881. Daniel

    pep., what's that?

  882. Ge0rG

    moparisthebest: sigh

  883. Ge0rG

    <message to="georg@yax.im/poezio-IS8H" id="718d40df-3948-4798-a99b-35cc9f03cc4f-13F5" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer"> <body>Can you see me?</body> <received xmlns="urn:xmpp:carbons:2"> <forwarded xmlns="urn:xmpp:forward:0"> <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer" /> </forwarded> </received>

  884. Ge0rG

    It was a message that also contained a carbon

  885. Daniel

    but that's ok to show up?

  886. Daniel


  887. moparisthebest

    strange that dino doesn't show that one but Conversations does

  888. Daniel

    i mean both is fine i guess

  889. Ge0rG

    Yes, that's okay

  890. moparisthebest

    so dino does have filtering? it's just wrong

  891. pep.

    What was that XEP that says "don't send everything in the same payload"

  892. Daniel

    no i wouldn’t blame dino for not showing that

  893. Ge0rG

    balu_der_baer: next time add another body to the carbon

  894. Daniel

    moparisthebest, no it just goes down the carbons pipe

  895. Daniel

    and then the carbon doesn’t have anything

  896. Daniel

    Ge0rG, well that will show up in dino

  897. Daniel

    but with the message from within the carbon

  898. U+061C

    out of curiosity, can you put carbon into carbon?

  899. Daniel


  900. Ge0rG

    pep.: https://xmpp.org/extensions/xep-0226.html

  901. pep.

    right that

  902. U+061C

    i mean, what will clients do if they receive carbon within carbon?

  903. Daniel

    just ignore it

  904. moparisthebest

    I'm just awaiting the circular fastening

  905. Daniel

    or parse the outer body if there is one

  906. pep.

    Daniel, that's what you'd hope they do

  907. Daniel

    well at least for dino (even with the bug) and Conversations

  908. Daniel

    and almost def Gajim

  909. Daniel

    until we bring full stanza in the mix

  910. Daniel

    then other funny things might happen

  911. Ge0rG

    U+061C: only if the client has a recursive carbon parser

  912. moparisthebest

    it'd be odd to have code to parse carbons recursively

  913. Daniel


  914. moparisthebest

    any clients written in lisp around? :D

  915. U+061C

    that emacs client?

  916. dele has joined

  917. Ge0rG

    moparisthebest: a message parsing function that extracts the forwarded payload and passes it to the message parsing function? Sounds rather plausible

  918. Daniel

    but hey with Xabber doing their own thing we will soon have new CVE instead of having to recycle the old ones

  919. moparisthebest

    could be

  920. dele has left

  921. pep.

    Zash, unrelated, what conversejs version is running on xmpp.org btw?

  922. dele has joined

  923. Zash

    Probably just the CDN version.

  924. pep.

    ah it says on the page

  925. pep.


  926. Nekit has joined

  927. dele has left

  928. dele has joined

  929. pdurbin has joined

  930. balu_der_baer

    Anyone knows if this is the latest version of Prosody running here?

  931. Zash

    It's not

  932. Zash

    /version xmpp.org

  933. Daniel

    is today the picking low hanging fruit day?

  934. Zash


  935. Daniel

    i also kinda want to rewatch BSG now

  936. sonny has left

  937. pdurbin has left

  938. dele has left

  939. Zash

    All this has happened before, and it will happen again, and again, and again

  940. balu_der_baer

  941. jonas’ has left

  942. jonas’ has joined

  943. grooty has joined

  944. grooty has left

  945. sonny has joined

  946. Daniel

    so yeah since people have started to exploit the dino roster push i should probably take this offline

  947. zach has left

  948. zach has joined

  949. david has left

  950. david has joined

  951. zach has left

  952. zach has joined

  953. lumi has left

  954. debacle has joined

  955. j.r has left

  956. eevvoor has left

  957. LNJ has left

  958. goffi has left

  959. Nekit has left

  960. Zash

    Anyone got examples of strings that'd be different between IDNA 2003 and 2008?

  961. mr.fister has left

  962. jabberjocke has left

  963. jubalh has left

  964. gav has left

  965. gav has joined

  966. zach has left

  967. zach has joined

  968. wurstsalat has left

  969. mukt2 has joined

  970. mukt2 has left

  971. mukt2 has joined

  972. mukt2 has left

  973. mukt2 has joined

  974. zach has left

  975. zach has joined

  976. mukt2 has left

  977. mukt2 has joined

  978. Mikaela has left

  979. pdurbin has joined

  980. mukt2 has left

  981. pdurbin has left

  982. mukt2 has joined

  983. U+061C has left

  984. mukt2 has left

  985. Zash


  986. andy has left

  987. marc_ has left

  988. stpeter has joined

  989. remko has joined

  990. Guus has left

  991. Guus has joined

  992. stpeter has left

  993. zach has left

  994. zach has joined

  995. remko has left

  996. kokonoe has joined

  997. UsL has left

  998. UsL has joined

  999. stpeter has joined

  1000. zach has left

  1001. zach has joined

  1002. stpeter has left

  1003. mukt2 has joined