the new copy button is super-convenient for building the white-list! :) ✏
Ge0rG
lovetox_: 🤖 will disagree with you.
jonas’
https://search.jabbercat.org/search?q=xmpp-de the second hit is amusing
Ge0rG
lovetox_: from the stacktrace it seems that it's a JID in my roster, ♥@ツ.op-co.de - so that Gajim will never properly connect to my account again
lovetox_
are you saying this is a valid localpart?
lovetox_
don't think it's the roster to be honest, it's a stanza where the from attr has an invalid jid
lovetox_
roster pushes are from your server, not from contacts
Ge0rG
Maybe it's presence unavailable then?
lovetox_
maybe, i will fix that later if i have time
Ge0rG
lovetox_: I'm not saying that it's a valid JID (I don't know), but I'm saying that it's accepted by my server, and thus shouldn't crash my client.
lovetox_
but server should really get going with precis
Ge0rG
Because it's a cheap DoS otherwise.
Ge0rG
lovetox_: we've had that recently. It should be enforced by the server that's authoritative for the JID.
lovetox_
that's not an argument, the RFC says JIDs MUST be validated by the server
Ge0rG
If it doesn't, you are rather out of luck
Ge0rG
lovetox_: okay, but there are different unicode versions and different xmpp versions. And now everybody can crash your client by sending something from an illegal JID
lovetox_
this local part was allowed once? they really updated the RFC so that already existing accounts became invalid?
Ge0rG
Where "illegal" depends on your python version, your server version and the position of the moon.
lovetox_
sounds weird
Ge0rG
NodePrep and PRECIS aren't an exact match, so you are guaranteed to end up with illegal JIDs _somewhere_
lovetox_
yeah, I will try to fix that 🙂
Zash
It's likely that U2665 is undefined in Unicode 3.2 which NodePrep uses.
Zash
libidn defaults to allowing undefined characters, and thus Prosody does too.
lovetox_
Ge0rG keep that JID, when I have a fix then you can test if it's working 🙂
Ge0rG
lovetox_: feel free to add it to your roster
lovetox_
would need a client that allows that, Gajim does not 😃
jonas’
lovetox_, https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI for an idea of how deep the mess is we’re in
lovetox_
no, I'll write a test for the XMPP lib 🙂
lovetox_
genius, all undefined characters are allowed 😃
flow
lovetox_, not by the relevant PRECIS profile. I would suggest removing the faulty stanza from the stream as a first course of action
pep.
https://github.com/xsf/xeps/pull/827 is this some kind of joke? :x
sonny
yes, sorry I couldn't resist
Zash
pep.: Read the rest of the XEP
pep.
Zash: I know the xep, I implement it in my rot13 and b64 plugins for poezio.
sonny
and it still wasn't clear my comment was a joke? I should be more careful 🙂
Link Mauve
“07:45:33 flow> Link Mauve, that C&C Renegage remake?”, yes, they are using XMPP for their lobby thing now.
Link Mauve
Not for the actual game (yet?).
Link Mauve
“18:47:16 Zash> Are there clients that still fail if you stop advertising <session/>?”, IIRC libpurple did.
Link Mauve
That’s second-hand experience from IIRC Maranda.
jonas’
excellent, so if we ever want to move past pidgin, that’s how.
Zash
Confirmed. "Error initializing session" it says.
Zash
It's sending the session thing even if it's not advertised.
MattJ
When we added <optional> there were definitely other clients that failed too
MattJ
I think one was Psi/Gajim, and probably some other that is extinct these days
MattJ
and clients couldn't just drop it, because ejabberd had weird behaviour if you didn't do it
MattJ
even though it is, and always was, a no-op in Prosody
jonas’
yeah, weeiiiird behaviour
MattJ
iirc it would let you log in, but timeout your session after some time
MattJ
even though you were using it fine
jonas’
I’m pretty sure I was unable to send stanzas
jonas’
otherwise I would probably not have noticed when developing aioxmpp
jonas’
unfortunately, that was back in 2015 where I wasn’t as good at commit message writing as I’m now, so the error behaviour is lost in history
Daniel
I vaguely remember not being able to send or receive messages or something
Daniel
more than a subtle 'will log you out at some point'
Link Mauve
jonas’, could you also whitelist SVGs from chat.jabberfr.org on muclumbus?
jonas’
Link Mauve, SVGs are not supported
jonas’
Link Mauve, and I generally only white-list single rooms where I trust the owners or domains where only admins can create rooms (and I trust the admins to a certain extent)
Ge0rG
jonas’: but then again, you trust *me*
Daniel
jonas’: are the avatars going to be exposed over the api as well?
Holger
MattJ, Daniel, jonas': FWIW yes back then you got no error from ejabberd when sending random stanzas while it was waiting for `<session/>`, but you'd neither be able to send nor receive anything. You also shouldn't time out though as long as you do send random crap :-)
Link Mauve
jonas’, why do you limit it to ¬SVG?
Link Mauve
jonas’, once you start supporting SVG, you can whitelist the first 12 entries here: https://search.jabbercat.org/search?q=chat.jabberfr.org
Link Mauve
And also the first four here: https://search.jabbercat.org/search?q=chat.khaganat.net
Zash
Hm, why don't we have 157 for individual rooms?
Ge0rG
Why don't we have 157 for individual users?
jonas’
Link Mauve, I limit it to PNG and JPEG to be precise
Link Mauve
Any reason for that?
jonas’
Link Mauve, rescaling
MattJ
I heard SVG has trouble with that
Link Mauve
It’s free to do in the browser with SVG.
jonas’
and embedding SVG would require a separate domain to prevent any funny javascript attacks in SVG
jonas’
or at least a CSP
Link Mauve
jonas’, use <img/> instead of embedding it.
jonas’
all things I don’t know about
jonas’
Link Mauve, will that stop it from executing scripts?
Link Mauve
Yes.
jonas’
are you sure? if so, why?
Link Mauve
Yes I am; because images are expected since about forever to not contain scripts.
jonas’
yeah well, I expect the web to be sane since forever and it isn’t
Link Mauve
And browsers would be very cautious to not open such a huge hole that can even do cross-site things.
jonas’
they have traditionally done that, I don’t trust browsers
moparisthebest
I was fairly confident SVGs even with image could execute javascript
Link Mauve
For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL.
jonas’
Link Mauve, am I still safe when I use the SVG as background-image?
Link Mauve
jonas’, yes, it also is in an image context.
Link Mauve
moparisthebest, do you have a link to an attack description?
Link Mauve
jonas’, what isn’t would be to use <object/> or <embed/> or <iframe/>.
MattJ
jonas’, https://www.w3.org/wiki/SVG_Security
jonas’
MattJ, thanks
moparisthebest
yea if browsers actually implement it like that it should be safe, neat
Seve
>For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL.
Haven't you said earlier to use <img/>?
Link Mauve
Seve, yes.
Seve
Ah you mean nothing would happen if that is the case
Link Mauve
Yes, this story is about as obvious as it could be, and the reason why browsers took so long to accept SVG in image contexts.
moparisthebest
jonas’ is still right though, in that if someone links to https://somedomain.com/evil.svg that'll still execute javascript and be able to steal cookies and XSS from somedomain.com, so if you allow SVG uploads, you need a different domain or CSP or similar
MattJ
Right-click->View Image
Link Mauve
Or a data: URI.
Link Mauve
Or a Blob.
Link Mauve
Or any of the various mechanisms that aren’t tied to the domain.
Link Mauve
(CSP is very good.)
jonas’
moparisthebest, thanks, good point
jonas’
a CSP it is
jonas’
the sane thing would be to disable all script things for the avatar endpoint?
Link Mauve
Probably also all external CSS.
jonas’
everything
jonas’
how do I do that?
Ge0rG
Just burn the web. With napalm
Link Mauve
At JabberFR, for our HTTP File Upload domain, we use:
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'; img-src 'self'; media-src 'self'; report-uri /report-csp-violation
Link Mauve
I should add style-src 'self'.
Ge0rG
Link Mauve: do you have a CSP violation listener at /?
for a site like yours, jonas’, I'd probably just disable everything with CSP, then enable as you need
jonas’
yeah
Link Mauve
That’s default-src 'none'.
Ge0rG
Link Mauve: what's the implementation you are using?
Ge0rG is asking for a friend
jonas’
default-src 'none'; seems to still allow SVG to be rendered
Link Mauve
Ge0rG, the one which uses a ton of memory.
Zash
It's funny when you disable the CSS in SVG.
Ge0rG
Link Mauve: ejabberd?
Link Mauve
Zash, yes, which is why you should also have style-src 'unsafe-inline'.
Link Mauve
Ge0rG, ah no, Prosody.
Link Mauve
With the mod_http_upload community module.
Ge0rG
Link Mauve: prosody is a csp violation reporting tool?
jonas’
Link Mauve,
> frame-ancestors 'none'; default-src 'none'; style-src 'unsafe-inline';
jonas’
does that sound good?
Link Mauve
jonas’, sounds nice yeah.
Link Mauve
You may want to add a listener so that you know what your users are being prevented from fetching, at least for a short while.
jonas’
... nah :)
jonas’
I only set it on the avatar endpoint
jonas’
people will complain when their avatars aren’t working
Link Mauve
Ge0rG, ah no, I’m using one which sends them to my JID.
Link Mauve
Let me figure it out.
Link Mauve
pep., do you remember where I put it?
jonas’
Link Mauve, https://search.jabbercat.org/search?q=jabberfr
jonas’
the others will be updated when the scanner gets to them
Link Mauve
\o/
Link Mauve
I should add the new muc#roominfo_webchat_url thing we are going to accept shortly. ^^
Link Mauve
Since we also have that.
Link Mauve
https://chat.jabberfr.org/ could use an emoji instead of a SVG now, for the join bubble.
jonas’
indeed
jonas’
thinking of directly embedding small avatars as data URLs for faster loading✎
jonas’
thinking of directly embedding small avatars as data URIs for faster loading ✏
jonas’
not sure how to write the query so that it only fetches the avatar from the database for the result list if it’s small enough
Link Mauve
Indeed, on just chat.jabberfr.org it takes about 700ms for me to download every SVG.
jonas’
to the SQL console!
jonas’
ugh, the only standard-SQL-way of doing it might be with a self-join
jonas’
hm, however, doing that would break caching
moparisthebest
another column that's only non-null if small enough? :/
jonas’
in postgres, I can do: select mime_type, case when length(data) < 16384 then data else null end from avatar;
jonas’
but locally I’m testing with sqlite, soo....
jonas’
oh, sqlite also has case
moparisthebest
was going to say I feel like that should work in sqlite
jonas’
and sqlalchemy supports it, too
jonas’
now the question is, does it even make sense to embed the avatars?
jonas’
right now, we send a 304 for avatars if they’re still cached on the client
jonas’
we can’t do that for the result page
jonas’
so we’d send all avatars of a page to the client, inefficiently base64-encoded
jonas’
every time, since they can’t benefit from caching
moparisthebest
you'd probably get more benefit from supporting http/2
jonas’
tell that to apache
moparisthebest
because then browser could request all the images over one connection at the same time etc
moparisthebest
apache surely supports http/2 by now?
jonas’
dunno
jonas’
if it isn’t on by default, I don’t bother
Link Mauve
moparisthebest, they already can with HTTP/1.1.
moparisthebest
not in parallel though?
jonas’
SVG support brought a few new avatars to the listing
jonas’
HTTP/2 seems to be a clusterfuck regarding the parallelism anyways. no idea why they thought it’d be a good idea to re-implement multiplexing which we already have with TCP
Zash
jonas’, itym SCTP
Link Mauve
moparisthebest, how does HTTP/2 do that?
moparisthebest
maybe, I mean http/3 is coming, but regardless it's still way faster for browsers
jonas’
or that
Zash
But we can't have SCTP because broken middleboxes
Zash
And NAT, and all the other things that ruin all nice things
Zash
Is MPTCP still alive?
moparisthebest
Link Mauve, like jonas’ said they reinvented multiplexing etc etc
Link Mauve
So instead we have WebRTC, which is like SCTP over RTP.
Link Mauve
moparisthebest, but in parallel you mean over multiple TCP connections, or…?
moparisthebest
http/3 over quic sounds pretty sweet though
moparisthebest
no just one
moparisthebest
it's probably just a config option to enable http2, jonas’, you should look at it
Link Mauve
moparisthebest, what is the difference between that and HTTP/1.1 pipelining then?
moparisthebest
I assume it's new enough because you support TLS 1.3 :) https://www.ssllabs.com/ssltest/analyze.html?d=search.jabbercat.org&s=2a01%3a4f9%3a2b%3a2c50%3a1010%3a1010%3a0%3a1&latest
jonas’
Link Mauve, HTTP/2 introduces its own framing on top of TCP
jonas’
so you’d be requesting resources A B C, and then receive chunks A1 B1 C1 A2 B2 C2 ...
jonas’
also the server may push you resources of which it expects you to need some
moparisthebest
https://stackoverflow.com/questions/34478967/what-is-the-difference-between-http-1-1-pipelining-and-http-2-multiplexing I guess, plenty of different search results
Link Mauve
jonas’, oh, I see.
moparisthebest
bottom line is, it's far far faster, so turn it on