-
jonas’
pep., ask a vegetarian
-
flow
ralphm, if I am not mistaken, the current rules of rfc7622 disallow unassigned to in resourceparts, domainparts and probably also localparts
-
flow
i'd say the spec is sound and as sensible as possible, it is the implementations that do not follow the rules and so, once in a while, an invalid jid slips through. That's the main motivation for creating the jid/xmpp strings testframework and the valid/invalid jid corpus
-
jonas’
flow, except that RFC 7622 does not pin the unicode version
-
jonas’
so one entity running on Unicode 10 could consider something as legitimate which an entity on Unicode 9 would not
-
flow
jonas’, right, but as I said earlier, I would consider this to be very rare. But I could be wrong. And I don't think there is a better solution, happy to be proven wrong though
-
flow
That is, I think the tradeoff of not pinning the unicode version is justified
-
flow
At least the troubles we had so far are not caused by not pinning the unicode version, as far as i can tell
-
Ge0rG
No, but they have the same symptoms
-
ralphm
Isn't my example a sign of why this is a problem? Emoji are all Symbols (So), I believe, and as such valid in parts of JIDs. Differing Unicode versions have different ideas on newer codepoints, so also on validity of JIDs?
-
Ge0rG
If we don't want to break the experience for everybody when somebody employs new unicode, we need to accept unassigned as valid from remote entities
-
ralphm
The problem with that, though, is unassigneds that become prohibited.
-
ralphm
Like U+061C.
-
ralphm
Since the foremost expert on this is Peter, I suggest someone write an email about this to standards@. He's busy, but it's more likely he can respond there.
-
Ge0rG
I'm not sure he'll be able to solve that problem either ;)
-
ralphm
No, but he can at least confirm we have this problem and/or know about strategies.
-
jonas’
07:07:12 Ge0rG> If we don't want to break the experience for everybody when somebody employs new unicode, we need to accept unassigned as valid from remote entities
-
jonas’
that’s only a partial solution
-
jonas’
codepoints may change categories and stuff between unicode versions
-
jonas’
and an unassigned codepoint in one version may well be a RTL-codepoint in another version
-
jonas’
so by accepting unassigned input, you may accept something which someone else will consider invalid.
-
jonas’
unicode is a mess.
-
jonas’
ah, ralphm said that already
-
flow
well, since the problem is mostly in resourceparts, localparts and domainparts forbid emojis, we should probably establish a pattern that resourceparts are not user-configurable nor user-visible. Shame on you xep45! I wonder what the state in MIX is
-
flow
And we should probably add a note to xep45 that the use of certain unicode categories is discouraged
-
flow
But I don't want to be the person to discourage emojis in muc usernames…
-
jonas’
flow, passwords and such are also affected.
-
flow
jonas’, how's that?
-
Ge0rG
localparts can be Emoji as well.
-
jonas’
flow, passwords are also passed through stringprep/precis
-
flow
Ge0rG, localparts are UsernameCaseMapped profile of the IdentifierClass, and that class forbids symbols under which emojis fall, no?
-
flow
Maybe not all emojis, haven't checked them all
-
ralphm
In MIX, nicks are an attribute of a participant, not part of their identity. However, it also says you have to follow https://tools.ietf.org/html/rfc7700
-
ralphm
Which in turn depends on Precis FreeformClass, and thus has the same issues as resources.
-
flow
guess users just want emojis in their nickname
-
flow
maybe there is a reserved for future emojis unicode range?
-
jonas’
there’s still the problem that you can’t do proper normalisation if you don’t know the codepoints
-
flow
well if the reserved range also states the properties of the eventually assigned codepoints?
-
jonas’
that won’t work
-
jonas’
then they could just be assigned
-
jonas’
stuff like how they combine with fitzpatrick modifiers
-
flow
No because you don't know yet what they are assigned to
-
flow
but if this codepoint is assigned to, then it has the following properties
-
flow
btw, there is an excellent post about this topic at https://hsivonen.fi/string-length/
-
Ge0rG
flow: I have a user ♥@ツ.op-co.de
-
flow
Ge0rG, I am not surprised that you do, if that's the question
-
ralphm
flow: no, what we think of as emoji is all over the place in several Unicode blocks.
-
flow
ralphm, I suspected that to be the case
-
Ge0rG
flow: I'm not aware of it being illegal.
-
ralphm
http://www.unicode.org/charts/PDF/Unicode-12.0/
-
flow
Anyhow, yes the situation is not perfect, and I am happy if we could improve it. I just don't know how, and I can probably live with the status quo
-
ralphm
I like the one on chess symbols: https://www.unicode.org/charts/PDF/Unicode-12.0/U120-1FA00.pdf
-
ralphm
Actually https://tools.ietf.org/html/rfc7564#section-12.3 spells out the issue quite clearly: “Strings that conform to the FreeformClass and many profiles thereof can include virtually any Unicode character. This makes the FreeformClass quite expressive, but also problematic from the perspective of possible user confusion. Protocol designers are hereby warned that the FreeformClass contains code points they might not understand, and are encouraged to profile the IdentifierClass wherever feasible; however, if an application protocol requires more code points than are allowed by the IdentifierClass, protocol designers are encouraged to define a profile of the FreeformClass that restricts the allowable code points as tightly as possible.”
-
ralphm
(there's a similar remark in the interop section 13.
-
ralphm
)
-
jonas’
*sigh*
-
flow
sad that the emoji which could express my feelings right now is only coming in unicode 13: Smiling Face With Tear
-
flow
But is the situation really that bad? Implementation could get the latest unicode standard over some sort of data network once in a while. You don't even have to update the involved libraries etc.
-
jonas’
flow, is that true?
-
jonas’
I think that highly depends on the libraries
-
jonas’
I’m not sure how to update python unicodedata for example without updating python
-
ralphm
There are libraries that still do just resourceprep instead of Precis, simply because RFC 6122 is directly linked from RFC 6120, even though it is obsoleted by RFC 7622.
-
ralphm
One example is Twisted, which I am author of.
-
ralphm
One could argue that with resourceprep being more restrictive, just having that is at least a bit clearer as an interop goal.
-
ralphm
To be honest, I don't know what the best course of action is in this regard.
-
jonas’
stay with unicode 3.2 forever
-
Ge0rG
ralphm: be liberal in what you accept and strict in what you emit
-
Zash
s/emit/allow users to send/
-
jonas’
would a MUC service be strict or liberal, regarding nicknames for example? :)
-
ralphm
Ge0rG: my argument here is that this means that something like U+061C causes problems.
-
Ge0rG
Zash: yes, I implied that
-
ralphm
It was unassigned before (so not valid), then assigned (but still invalid).
-
ralphm
But 🥓 was unassigned before (so not valid), and now assigned (but valid)
-
Ge0rG
ralphm: yes, but if the MUC service accepts it, other servers or clients receiving it from the MUC shouldn't freak out
-
Ge0rG
i.e. a MUC service can strictly police the nickname, but not the resourcepart of the users' real JID.
-
jonas’
ralphm, it’s not invalid, it’s only invalid if used with LTR characters :)
-
ralphm
A MUC service is not something magical. It is just another server that connects to other servers over s2s and uses JIDs in addressing of stanzas.
-
ralphm
jonas’: it is invalid as it is a control character.
-
Ge0rG
ralphm: a regular server should police the resourcepart of local users, but not of remote users.
-
ralphm
jonas’: (for FreeformClass)
-
jonas’
ralphm, ah, fun
-
ralphm
Ge0rG: well, that might be a sensible approach, indeed. I'm not sure how well that works with mapping on new code points, and what kind of normalization issues arise from that, but ok.
-
ralphm
In any case it deserves some wider attention. Maybe even to the XMPPWG mailing list.
-
Ge0rG
ralphm: framed differently: you shouldn't police any JIDs that you don't have the authority over, except when they are illegal in a breaking way, i.e. contain " or '
-
ralphm
does that include localpart?
-
Ge0rG
ralphm: what?
-
ralphm
Ge0rG: should a server do precis processing on localparts of a remote JID?
-
ralphm
Ge0rG: also, for resourcepart, should it a) use incoming JIDs as is (no processing), b) allow unassigneds, but still do Precis, c) something else.
-
Ge0rG
ralphm: I'm not sure yet where the point of no return between a and b is, for either localpart or resourcepart
-
Ge0rG
If you do a, that probably opens up some very interesting ways to break your clients
-
jonas’
I think it boils down to: treat JIDs as opaque if you don’t have authority over them
-
ralphm
Yep, things like IV and Ⅳ.
-
jonas’
don’t do normalisation on them, or any processing at all, just treat them as opaque sequences of codepoints
-
ralphm
(I followed by V, vs. ROMAN NUMBER 4)
-
Ge0rG
ralphm: I don't think _that_ would break things
-
jonas’
it is the domain authorities responsibility to ensure that stuff is valid and comparable when it is emitted from there
-
flow
jonas’, I think so. You sure could build a Python library that does so
-
ralphm
but you can then have different people with arguably the same nick
-
Ge0rG
ralphm: this is something the MUC has authority over.
-
Ge0rG
ralphm: if you try to enforce that on your user's server, your user will get kicked
-
ralphm
Right
-
flow
> jonas’> ralphm, it’s not invalid, it’s only invalid if used with LTR characters :)
I think it is invalid regardless of the context with rfc7622
-
ralphm
But I definitely don't want to be so lenient for localpart
-
jonas’
ralphm, why?
-
Ge0rG
ralphm: just tear down s2s and blacklist the remote server as incompliant.
-
ralphm
flow: it is invalid in resourceprep because unassigned in 3.2, and invalid in Precis FreeformClass because it is in a prohibited class
-
Ge0rG
Conveniently, it also prevents you from contacting the server admin
-
ralphm
jonas’: because (bare) JIDs are identity
-
jonas’
ralphm, from whose perspective are you currently arguing?
-
ralphm
jonas’: I don't want to accept incoming stanzas that fail precis processing on localpart
-
jonas’
as a client? as a MUC service? as a server? as anyone?
-
ralphm
all, I guess
-
jonas’
I see
-
flow
> jonas’> don’t do normalisation on them, or any processing at all, just treat them as opaque sequences of codepoints
That would probably open up another box of issues
-
flow
Since Unicode does us so much good, I'd like to suggest that the XSF adopts a character (for as little as 100$, but maybe we could go for silver) before matrix does it: https://www.unicode.org/consortium/adopted-characters.html
-
jonas’
+1
-
jonas’
flow, send this to board
-
flow
on my way
-
jonas’
and find a good character thing to sponsor
-
flow
U+1F5E9 probably
-
flow
but I am open for suggestions
-
Ge0rG
I propose U+1F926
-
Ge0rG
💡 U+1F4A1 would be too obvious, right?
-
jonas’
uhh
-
Seve
Would be nice to have the logo as a character :D
-
Seve
Ge0rG, nope :(
-
Seve
flow's suggestion makes more sense ;)
-
Ge0rG
Seve: that can only mean you are too young.
-
jonas’
Seve, https://www.jabber.org/
-
Seve
Nah, but I want to go forward!
-
jonas’
;)
-
Seve
Gaze at our bright future, my friends!
-
Ge0rG
https://upload.yax.im/upload/8O5TitoHucjZZDeW/Screenshot_20190910-111700_Firefox.jpg
-
jonas’
same here
-
jonas’
we’re the future!
-
jonas’
(a.k.a. WTF)
-
Ge0rG
Looks rather like a SEMI OPAQUE RECTANGLE
-
ralphm
flow: Discourse already has Gold on U+1F4AC, so yeah.
-
ralphm
To be honest, funny as it is, I don't think we should spend any money on this.
-
pep.
What's the conclusion of all this btw?
-
pep.
(Not the Unicode sponsoring bits)
-
jonas’
pep., everything is terrible
-
jonas’
I think the most sensible statement is around 08:38:12 ralphm> In any case it deserves some wider attention. Maybe even to the XMPPWG mailing list.
-
pep.
Can somebody(tm) put that to the agenda if they think it's appropriate?
-
pep.
So that we don't get stuck here and realize we still have the same issues in 4 years
-
Zash
Gotta have this discussion every 4 years
-
flow
hmm, I wonder if there is a backstory behind the pile of poo gold sponsor: https://www.unicode.org/consortium/adopted-characters.html
-
Guus
I'd like to think that friends of Jason raised the money and did this behind his back.
-
Ge0rG
Maybe that name is a kind of pseudonym with a secondary meaning?
-
Guus
Random quote found through google: "that's a shitty way to spend 5000 USD"
-
Ge0rG
I suppose there are enough rich brogrammers in the valley
-
ralphm
For those involved in the Unicode discussion: I wrote to the XMPPWG mailinglist: https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI
-
pep.
thanks
-
jonas’
<3 thanks
-
jonas’
where do I subscribe?
-
ralphm
https://www.ietf.org/mailman/listinfo/xmpp
-
Zash
thanks ralphm!
-
ralphm
and beware IETF Note Well https://www.ietf.org/about/note-well/
-
pep.
"there are implementations and deployments performing the obsoleted stringprep." you mean all (at least public) implementations? :P
-
Kev
I raised this sooooo long ago (back when we were discussing using precis for JIDs in the first place).
-
Kev
The opinion then, as I remember it, was mostly to not worry about it and assume it won't cause practical interop problems that people might be talking different versions of unicode.
-
jonas’
given that we had a fun unicode version interop problem the other day, I think we can safely bury that assumption
-
Kev
That's ok, I didn't believe it at the time :)
-
jonas’
good :)
-
ralphm
:-D
-
Ge0rG
🤖 will disagree on that
-
jonas’
that is also PRECISely my problem with it.
-
jonas’
someone had to say this, and now it’s out of the way, you can all thank me.
-
jonas’
;)
-
ralphm
🤦♂️
-
ralphm
Kev: I guess that was all before we got gazillions of emoji that are valid in resources.
-
Ge0rG
Yeah, somebody hijacked the Unicode consortium to do things actually relevant to the bigger populace
-
Zash
𒈜
-
jonas’
where was this repository where Daniel explains how the push service for Conversations works and which data is passed to google exactly?
-
jonas’
ah, found it
-
jonas’
https://github.com/iNPUTmice/p2
-
Zash
Cool story bro
-
pep.
> 𒈜
What was that
-
Zash
😉
-
Guus
Hmm, I'm missing the message to which Zash responded "cool story bro"
-
Guus
https://igniterealtime.org:443/httpfileupload/5c99fd39-7a01-40ab-8da9-b3e97d387824/rnGY3VwZTG6XbONXbZUg_g.jpg
-
Zash
Odd, it's in Dino but not poezio
-
Guus
I saw it in Converse, not Conversations.
-
Guus
More unicode magic?
-
pep.
indeed I don't see it.
-
Ge0rG
Something something message dedup?
-
Guus
It's only in Converse that I noticed the "I am groot" message.
-
Guus
I already wondered why Zash was reacting with that on the message that I saw before it.
-
Ge0rG
Guus: me too
-
Ge0rG
Now I want to see the xml
-
Guus
Unsure if it's in MAM
-
Zash
It's not in the MUC MAM
-
Zash
Ok, what trickery is this
-
Ge0rG
Can anybody post the XML?
-
jonas’
and I was wondering why Zash thought my finding of the p2 repository was a cool story
-
Zash
Can't post the XML. Can't even find the corresponding line in my logs.
-
Daniel
it's not in my dino
-
moparisthebest
it showed up in my dino
-
Ge0rG
It's a carbon.
-
Daniel
a carbon in a muc?
-
moparisthebest
https://burtrum.org/up/7fa35ad6-3c2e-4f19-b0a2-acb54255d6ee/open-screeny-16761.png
-
Ge0rG
<message to="georg@yax.im/poezio" id="718d40df-3948-4798-a99b-35cc9f03cc4f-641" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer">
  <received xmlns="urn:xmpp:carbons:2">
    <forwarded xmlns="urn:xmpp:forward:0">
      <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/i_am_groot">
        <body>I am groot.</body>
      </message>
    </forwarded>
  </received>
</message>
-
Daniel
so any client that shows it potentially has f'uped carbon parsing?
-
Zash
Royally
-
moparisthebest
yep missing from my Conversations though, neat
-
moparisthebest
I love that mysterious bug finder
-
Daniel
Ge0rG, do you just dump all the xml?
-
Ge0rG
Daniel: that's from poezio debug log file
-
Ge0rG
Everything old is new again. https://www.cvedetails.com/cve/CVE-2017-5589/
-
Daniel
sadly i think dino even existed back then
-
Guus
It's interesting to ponder on how this can be utilized to have covert discussions en plein public
-
Ge0rG
moparisthebest: Guus: can you open bug reports?
-
moparisthebest
Daniel, but you said it *didn't* display in your dino? but it did in mine... what version do you have?
-
Zash
Guus, MUC PMs seems simpler
-
Daniel
HEAD
-
Daniel
but maybe it wasn’t stored in muc history
-
Guus
Zash: where's the fun in that though
-
Daniel
so don’t count on that
-
moparisthebest
AH that makes more sense
-
Guus
Ge0rG: wilco
-
moparisthebest
mine is built from git HEAD too, but trying to figure out exactly when...
-
Ge0rG
Also I need to talk to our content manager because the advisory url is 404
-
Zash
Mine is whatever Debian package from OBS, and I saw it.
-
Guus
jcbrand: ^^
-
Daniel
converse showed it as well?
-
Ge0rG
Funny how the month changed... https://rt-solutions.de/en/2017/01/cve-2017-5589_xmpp_carbons/
-
Daniel
sigh
-
Ge0rG
Converse was affected back then.
-
Ge0rG
balu_der_baer: are you a pentester or is your client broken?
-
Daniel
that does not look like a broken client
-
Daniel
(on the sending end)
-
Ge0rG
Daniel: something like delayed delivery gone very much wrong?
-
Daniel
how? why?
-
Ge0rG
Next up: unrequested MAM impersonation
-
moparisthebest
the `i_am_groot` seems like a dead giveaway for deliberate test
-
moparisthebest
otherwise that'd be an insanely odd client bug
-
Daniel
there is so much low hanging fruit to pick in the xmpp world
-
Ge0rG
It's good that somebody does the testing. And this place is actually well suited
-
Zash
So what's next, shall we try the MEGALOL-attack?
-
Guus
It would have been nice to share findings though.
-
Guus
I found out by accident.
-
moparisthebest
isn't that what that was? :D
-
Daniel
i mean i was wondering why Zash found the p2 story so interesting…
-
pep.
Daniel, same :D
-
Ge0rG
Heh.
-
Ge0rG
"complain loudly if you can read this"
-
pep.
haha
-
moparisthebest
so you can probably impersonate actual people that are in the MUC right?
-
Ge0rG
moparisthebest: yes
-
Daniel
depending on how fucked it is not just muc
-
Ge0rG
moparisthebest: most probably you can impersonate anyone, even outside of the MUC
-
Ge0rG
moparisthebest: read the CVE
-
moparisthebest
right, sweet
-
moparisthebest
yea I just meant the XML groot just sent was MUC only, and implied you could impersonate anyone
-
moparisthebest
I'd seen the old general carbons CVE before though
-
Ge0rG
It's not really new
-
Ge0rG
We should have a test suite for clients.
-
Daniel
i wouldn’t be shocked if dino was vulnerable to CVE-2015-8688
-
Ge0rG
https://wiki.xmpp.org/web/Client_Test_Cases
-
lovetox
so is this covered by this line in the XEP
-
Daniel
someone should try; probably...
-
lovetox
Any forwarded copies received by a Carbons-enabled client MUST be from that user's bare JID
-
lovetox
?
-
Daniel
lovetox, yes
-
lovetox
someone cant fake a message from a bare muc jid
-
Guus
Uff, this was hard on mobile. https://github.com/conversejs/converse.js/issues/1704
-
Guus
Please augment if needed
-
Daniel
lovetox, it's not bare jid. just the user's bare jid is allowed
-
Daniel
there shouldn’t be carbons in mucs
-
lovetox
yeah but the server is responsible that there are none
-
lovetox
at least that says the xep
-
Daniel
huh?
-
Daniel
your carbons parsing code needs to be wrapped in an if from == null || from == my_account_jid
-
lovetox
ah i get it
-
lovetox
yes must be from my account bare jid
-
lovetox
not a "user"
-
Daniel
which excludes the shit balu sent
-
lovetox
yes
-
lovetox
# Carbon must be from our bare jid
if not stanza.getFrom() == own_jid.getBare():
    raise InvalidFrom('Invalid from: %s' % stanza.getAttr('from'))
-
lovetox
was scared i fucked up :) but seems i did this right
-
pep.
That's not a new bug, gajim would have probably been tested at that time :)
-
Ge0rG
I've added a section to the test cases
-
pep.
thanks
-
Ge0rG
Still looking for somebody who can implement them
-
Ge0rG
Would probably have to be a component for the MUC parts
-
Ge0rG
OTOH, a bot could fake being a MUC, right?
-
lovetox
yes pep. but as of course i think i can do everything better i reimplement much code, also carbon parsing
-
Zash
This carbons thing could be done by a bot
-
pep.
hehe
-
pep.
lovetox, tests!
-
Ge0rG
It was a huge strain on my eyes, my fingers and my patience to add those three lines to the wiki from my android phone.
-
lovetox
though it's much harder with MAM
-
lovetox
i only accept mam messages with query-ids that i'm actually waiting for
-
Daniel
well you do…
-
Daniel
and yes can confirm that dino is vuln to https://gultsch.de/gajim_roster_push_and_message_interception.html
-
Daniel
why does this shit keep happening
-
Daniel
#BSG
-
Zash
BSG!
-
pep.
BSG?
-
Daniel
so question is do i fix it now?
-
Ge0rG
Daniel: can you do a roster push through a MUC?
-
Daniel
Ge0rG: looking at the code I'm relatively certain you could
-
Ge0rG
Yay.
-
pep.
let's try?
-
Daniel
Haven't tested that one tho
-
Daniel
You have to get lucky to get your iq routed I guess. Lol
-
Ge0rG
Daniel: only with MSN
-
moparisthebest
is there a generic bot/component someplace that can just try all of these things against a JID
-
pep.
Which is probably the default in this MUC
-
pep.
So not a correct target
-
moparisthebest
so it can be used across projects
-
Ge0rG
moparisthebest: write one please! https://wiki.xmpp.org/web/Client_Test_Cases#Staying_inside
-
moparisthebest
it would probably be hard to write it with most existing libraries, they tend to try to insist on you sending proper things
-
Daniel
Glad the spammers haven't found out how to put themselves right into your roster
-
Daniel
The cool thing about that CVE is due to roster version it also won't go away
-
moparisthebest
I'd gladly accept spam from such a smart spammer though
-
Daniel
So my Dino will be stuck with that test jid I injected
-
moparisthebest
might even buy what he's selling
-
Ge0rG
moparisthebest: it would get propagated into the spam sending tools and used by dozens of spammers within some weeks
-
Daniel
So who is going to collect the CVE for mam injection in multiple clients?
-
Ge0rG
Daniel: let's wait half a year until there is a significant deployed base
-
Daniel
🔥
-
Ge0rG
Other than that, I'll gladly volunteer. I need some more CVEs on my CV
-
Zash
CVEs go on your CV?
-
Ge0rG
Zash: yes
-
lovetox
that's why they start with CV..
-
Zash
:D
-
Ge0rG
Curriculum Vitae Extension.
-
Ge0rG
Do we have an up to date entity caps database?
-
balu_der_baer
Can you see me?
-
pep.
Only the hash? Or all features? If it's just hashes, movim probably has a few up to some point in the past(?) https://nl.movim.eu/?about#caps_widget_tab, otherwise I'm sure you can gather some by running code on prosody
-
pep.
balu_der_baer, yes
-
Zash
A wild haxxor appears
-
Ge0rG
balu_der_baer: no
-
Ge0rG
pep.: all the features. Looking for clients with MAM
-
Daniel
Mam doesn't show up in Caps
-
Ge0rG
Then I'll hack something into mod_mam
-
Daniel
Shouldn't show up. 😂
-
Zash
Nothing says you can't do client-to-client MAM ;)
-
Ge0rG
Zash: MAM Push!
-
Zash
Idea from long ago: Make a bot that connects to your account and enables carbons, then lets you query it.
-
pep.
Zash: that's actually been mentioned a few times..
-
Ge0rG
Like posting some Carbons when upgrading from 1:1 to a private MUC!
-
pep.
(c2c MAM)
-
Daniel
There used to be an ad hoc command that did something like that
-
Zash
pep.: nothing new under the sun.
-
Daniel
Only for unread I believe
-
Zash
Yeah, that too
-
Daniel
from reading the code it looks like dino has disabled code that would have checked for the origin of a mam message
-
Daniel
and yes it is in fact vulnerable
-
Daniel
(just wanted to beat Ge0rG to it)
-
Guus
Daniel: a worthy goal.
-
pep.
I don't want to swear that slix isn't.
-
pep.
(or poezio)
-
mathieui
vulnerable to what?
-
Daniel
to the MAM thing? no i bet it will be more than just dino
-
mathieui
we don’t check the origin, but you have to guess the (fully-random) mam ID
-
mathieui
(slix matchers make checking for multiple things a bit tricky, so to fix that we would have to write an "xml mask")
-
Ge0rG
Daniel: keep us updated on your advisory
-
moparisthebest
so this time balu_der_baer 's "Can you see me?" showed up in Conversations but not dino, fun stuff
-
Daniel
was that anything critical?
-
moparisthebest
Ge0rG, got raw XML for that one?
-
pep.
04:48:04 IN
<message xml:lang="en" from="xsf@muc.xmpp.org/Daniel" type="groupchat" to="pep@bouah.net/poezio-C7iY" id="e682bdd7-d98c-4cfd-9c59-fb9e5f9a6d8a">
  <origin-id xmlns="urn:xmpp:sid:0" id="e682bdd7-d98c-4cfd-9c59-fb9e5f9a6d8a" />
  <replace xmlns="urn:xmpp:message-correct:0" id="00dc00d3-ae5f-4572-b6c3-4b9e95445e5b" />
  <body>Shouldn't show up. 😂 </body>
  <stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-10-f3fa92f3f7cb7366" />
</message>
-
pep.
heh
-
U+061C
it's not my fault this time!
-
Ge0rG
Daniel: no, just interested. I'd be glad to co-author as well
-
pep.
noo, poezio has only 2k lines in the xml_tab.. gonna grep logs now
-
moparisthebest
didn't see that one in either place pep.
-
pep.
moparisthebest, neither did I, just looking at xml logs
-
Daniel
pep., what's that?
-
Ge0rG
moparisthebest: sigh
-
Ge0rG
<message to="georg@yax.im/poezio-IS8H" id="718d40df-3948-4798-a99b-35cc9f03cc4f-13F5" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer">
  <body>Can you see me?</body>
  <received xmlns="urn:xmpp:carbons:2">
    <forwarded xmlns="urn:xmpp:forward:0">
      <message xmlns="jabber:client" to="xsf@muc.xmpp.org" type="groupchat" from="xsf@muc.xmpp.org/balu_der_baer" />
    </forwarded>
  </received>
-
Ge0rG
It was a message that also contained a carbon
-
Daniel
but that's ok to show up?
-
Daniel
probably?
-
moparisthebest
strange that dino doesn't show that one but Conversations does
-
Daniel
i mean both is fine i guess
-
Ge0rG
Yes, that's okay
-
moparisthebest
so dino does have filtering? it's just wrong
-
pep.
What was that XEP that says "don't send everything in the same payload"
-
Daniel
no i wouldn’t blame dino for not showing that
-
Ge0rG
balu_der_baer: next time add another body to the carbon
-
Daniel
moparisthebest, no it just goes down the carbons pipe
-
Daniel
and then the carbon doesn’t have anything
-
Daniel
Ge0rG, well that will show up in dino
-
Daniel
but with the message from within the carbon
-
U+061C
out of curiosity, can you put carbon into carbon?
-
Daniel
no
-
Ge0rG
pep.: https://xmpp.org/extensions/xep-0226.html
-
pep.
right that
-
U+061C
i mean, what will clients do if they receive carbon within carbon?
-
Daniel
just ignore it
-
moparisthebest
I'm just awaiting the circular fastening
-
Daniel
or parse the outer body if there is one
-
pep.
Daniel, that's what you'd hope they do
-
Daniel
well at least for dino (even with the bug) and Conversations
-
Daniel
and almost def Gajim
-
Daniel
until we bring full stanza in the mix
-
Daniel
then other funny things might happen
-
Ge0rG
U+061C: only if the client has a recursive carbon parser
-
moparisthebest
it'd be odd to have code to parse carbons recursively
-
Daniel
yes
-
moparisthebest
any clients written in lisp around? :D
-
U+061C
that emacs client?
-
Ge0rG
moparisthebest: a message parsing function that extracts the forwarded payload and passes it to the message parsing function? Sounds rather plausible
-
Daniel
but hey with Xabber doing their own thing we will soon have new CVEs instead of having to recycle the old ones
-
moparisthebest
could be
-
pep.
Zash, unrelated, what conversejs version is running on xmpp.org btw?
-
Zash
Probably just the CDN version.
-
pep.
ah it says on the page
-
pep.
5.0.1
-
balu_der_baer
Anyone knows if this is the latest version of Prosody running here?
-
Zash
It's not
-
Zash
/version xmpp.org
-
Daniel
is today the picking low hanging fruit day?
-
Zash
s/day/week/?
-
Daniel
i also kinda want to rewatch BSG now
-
Zash
All this has happened before, and it will happen again, and again, and again
- balu_der_baer
-
Daniel
so yeah since people have started to exploit the dino roster push i should probably take this offline
-
Zash
Anyone got examples of strings that'd be different between IDNA 2003 and 2008?
-
Zash
Ha