-
jonas’
Daniel, fixed the 500
-
Daniel
jonas’, thanks. i'm getting a 400 when trying to search
-
jonas’
Daniel, can you extract the error?
-
jonas’
because search works for me via curl
-
jonas’
and in the web ui via browser
-
jonas’
Daniel, the search API returns a JSON on 400, with a single "error" key
-
Daniel
it says key keywords is required. but i'm 80% sure i'm setting that. also i haven’t changed the code since it was last working
-
jonas’
Daniel, I’m not sure how that error can be caused except if "keywords" is actually missing
-
jonas’
I haven’t touched that code since it was last working either, and it works fine locally with curl
-
jonas’
$ curl -s \
    --data '{"keywords": ["xsf"]}' \
    -H 'Content-Type: application/json; charset=utf-8' \
    https://search.jabbercat.org/api/1.0/search | jq -C .
-
jonas’
lovetox_, > jonas the black banner looks a bit boring
I agree, do you have ideas on how to fix that? :)
-
lovetox_
no i hate webdesign
-
jonas’
lovetox_, let me rephrase: If you have a visual idea, I may be able to put it in css/html :)
-
Ge0rG
*cough* https://github.com/horazont/muchopper/issues/15 *cough*
-
pep.
Ge0rG: I'd make that search button same height as the input field
-
jonas’
Ge0rG, I think it might be easy to overlook when integrated in the banner
-
Ge0rG
jonas’: that's possible.
-
Ge0rG
OTOH, having two search boxes is slight overkill
-
jonas’
but only slight!
-
Ge0rG
most of the vertical space is taken up by meta.
-
jonas’
the copy to clipboard will be the first piece of JS on the room list page, Ge0rG, I hope you feel guilty.
-
Daniel
jonas’, ok never mind. classic heisenbug. if i log the query before sending it, it works
-
Daniel
so it's not you
-
Ge0rG
https://upload.yax.im/upload/kmJi9wW3ylSzcV0P/Screenshot_20190918-100107_Firefox.jpg
-
Ge0rG
I wanted to paste that screenshot earlier, but yaxim was crashing due to my incorrect use of some StringUtils API
-
lovetox_
jonas’ how to whitelist an avatar?
-
jonas’
lovetox_, ask me
-
jonas’
it’s documented in the For Owners documentation section
-
lovetox_
ok thanks i see you already whitelisted gajim
-
jonas’
lovetox_, I had it whitelisted yesterday on launch already, it just took the bot a while to re-scan the gajim muc :)
-
Ge0rG
damn, so now I need to load the prosody module after all.
-
Ge0rG
And also set the ~horny pe~ yak logo
-
Ge0rG
jonas’: great work!
-
jonas’
Ge0rG, reload the page
-
jonas’
and hover over an entry
-
lovetox_
link styling looks a bit weird
-
Ge0rG
jonas’: nothing happens?
-
lovetox_
i would remove these dots
-
Ge0rG
"hover" is not an option on mobile, but then you should probably have a handler for xmpp: there
-
jonas’
Ge0rG, yeah, that was my line of thought
-
jonas’
oh, I forgot to confirm the pull on the live instance. Ge0rG retry
-
Ge0rG
jonas’: awesome! I'd just add a space before the clipboard character.
-
jonas’
there is a space there?
-
jonas’
maybe hard-reload your things
-
jonas’
(it’s a margin-left: 0.5em)
-
lovetox_
would it not be better to copy the xmpp:xx?join link?
-
jonas’
lovetox_, you can right-click -> copy link address for that one
-
Ge0rG
lovetox_: no
-
Ge0rG
jonas’: ah, I had some intermediate version
-
Ge0rG
jonas’: after clicking the clipboard, it remains visible and marked until you click somewhere
-
jonas’
intentional
-
jonas’
to a certain extent
-
jonas’
I want it to be visible while focused so that it can be reached and used with tab
-
jonas’
that’s the price to pay for that, I guess
-
Ge0rG
so what do I need on prosody 0.11 for MUC avatars?
-
jonas’
Ge0rG, also, reload and retry that click thing
-
Zash
Ge0rG: There's a community module of course.
-
Ge0rG
lovetox_: http://paste.debian.net/1101390/ :(
-
Zash
Tho technically possible to only use the included mod_vcard, but then it's read-only and you'd have to manually add the data.
-
Ge0rG
jonas’: much better now
-
Ge0rG
Zash: | /usr/lib/prosody/modules/mod_a community module.lua: No such file or directory
-
lovetox_
yeah Ge0rG i really don't have a solution for that yet
-
lovetox_
i want to parse and validate jids in the xmpp lib
-
lovetox_
but on encountering invalid ones, i'm not sure what to do
-
Ge0rG
lovetox_: don't crash the xml stream.
-
jonas’
Ge0rG, wanna tell me what you want to have whitelisted?
-
Ge0rG
jonas’: chat.yax.im
-
jonas’
no
-
jonas’
yaxim@chat.yax.im?
-
Ge0rG
jonas’: the first four of https://search.jabbercat.org/search?q=chat.yax.im
-
Ge0rG
maybe also test@chat.yax.im - if you dare
-
lovetox_
yeah Ge0rG but that's not so easy, on the other side, the server should not send messages from invalid jids
-
lovetox_
🙂
-
jonas’
the new copy button is super-convenient for building the white-list! :)
-
Ge0rG
lovetox_: 🤖 will disagree with you.
-
jonas’
https://search.jabbercat.org/search?q=xmpp-de the second hit is amusing
-
Ge0rG
lovetox_: from the stacktrace it seems that it's a JID in my roster, ♥@ツ.op-co.de - so that Gajim will never properly connect to my account again
-
lovetox_
are you saying this is a valid localpart?
-
lovetox_
don't think it's the roster to be honest, it's a stanza where the from attr has an invalid jid
-
lovetox_
roster pushes are from your server, not from contacts
-
Ge0rG
Maybe it's presence unavailable then?
-
lovetox_
maybe, i will fix that later if i have time
-
Ge0rG
lovetox_: I'm not saying that it's a valid JID (I don't know), but I'm saying that it's accepted by my server, and thus shouldn't crash my client.
-
lovetox_
but server should really get going with precis
-
Ge0rG
Because it's a cheap DoS otherwise.
-
Ge0rG
lovetox_: we've had that recently. It should be enforced by the server that's authoritative for the JID.
-
lovetox_
that's not an argument, rfc says jids MUST be validated by server
-
Ge0rG
If it doesn't, you are rather out of luck
-
Ge0rG
lovetox_: okay, but there are different unicode versions and different xmpp versions. And now everybody can crash your client by sending something from an illegal JID
-
lovetox_
this local part was allowed once? they really updated the rfc so that already existing accounts became invalid?
-
Ge0rG
Where "illegal" depends on your python version, your server version and the position of the moon.
-
lovetox_
sounds weird
-
Ge0rG
NodePrep and PRECIS aren't an exact match, so you are guaranteed to end up with illegal JIDs _somewhere_
-
lovetox_
yeah, i will try to fix that 🙂
-
Zash
It's likely that U2665 is undefined in Unicode 3.2 which NodePrep uses.
-
Zash
libidn defaults to allowing undefined characters, and thus Prosody does too.
-
lovetox_
Ge0rG keep that jid, when i have a fix then you can test if it's working 🙂
-
Ge0rG
lovetox_: feel free to add it to your roster
-
lovetox_
would need a client that allows that, Gajim does not 😃
-
jonas’
lovetox_, https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI for an idea of how deep the mess is we’re in
- Ge0rG &
-
lovetox_
no i write a test for the xmpp lib 🙂
-
lovetox_
genius, all undefined characters are allowed 😃
-
flow
lovetox_, not by the relevant PRECIS profile. I would suggest to remove the faulty stanza from the stream as first course of action
-
pep.
https://github.com/xsf/xeps/pull/827 is this some kind of joke? :x
-
sonny
yes, sorry I couldn't resist
-
Zash
pep.: Read the rest of the XEP
-
pep.
Zash: I know the xep, I implement it in my rot13 and b64 plugins for poezio.
-
sonny
and it still wasn't clear my comment was a joke? I should be more careful 🙂
-
Link Mauve
“07:45:33 flow> Link Mauve, that C&C Renegade remake?”, yes, they are using XMPP for their lobby thing now.
-
Link Mauve
Not for the actual game (yet?).
-
Link Mauve
“18:47:16 Zash> Are there clients that still fail if you stop advertising <session/>?”, IIRC libpurple did.
-
Link Mauve
That’s second-hand experience from IIRC Maranda.
-
jonas’
excellent, so if we ever want to move past pidgin, that’s how.
-
Zash
Confirmed. "Error initializing session" it says.
-
Zash
It's sending the session thing even if it's not advertised.
-
MattJ
When we added <optional> there were definitely other clients that failed too
-
MattJ
I think one was Psi/Gajim, and probably some other that is extinct these days
-
MattJ
and clients couldn't just drop it, because ejabberd had weird behaviour if you didn't do it
-
MattJ
even though it is, and always was, a no-op in Prosody
-
jonas’
yeah, weeiiiird behaviour
-
MattJ
iirc it would let you log in, but timeout your session after some time
-
MattJ
even though you were using it fine
-
jonas’
I’m pretty sure I was unable to send stanzas
-
jonas’
otherwise I would probably not have noticed when developing aioxmpp
-
jonas’
unfortunately, that was back in 2015 when I wasn’t as good at commit message writing as I am now, so the error behaviour is lost in history
-
Daniel
i vaguely remember not being able to send and receive messages or something
-
Daniel
more than a subtle 'will log you out at some point'
-
Link Mauve
jonas’, could you also whitelist SVGs from chat.jabberfr.org on muclumbus?
-
jonas’
Link Mauve, SVGs are not supported
-
jonas’
Link Mauve, and I generally only white-list single rooms where I trust the owners or domains where only admins can create rooms (and I trust the admins to a certain extent)
-
Ge0rG
jonas’: but then again, you trust *me*
-
Daniel
jonas’: are the avatars going to be exposed over the api as well?
-
Holger
MattJ, Daniel, jonas': FWIW yes back then you got no error from ejabberd when sending random stanzas while it was waiting for `<session/>`, but you'd neither be able to send nor receive anything. You also shouldn't time out though as long as you do send random crap :-)
-
Link Mauve
jonas’, why do you limit it to ¬SVG?
-
Link Mauve
jonas’, once you start supporting SVG, you can whitelist the first 12 entries here: https://search.jabbercat.org/search?q=chat.jabberfr.org
-
Link Mauve
And also the first four here: https://search.jabbercat.org/search?q=chat.khaganat.net
-
Zash
Hm, why don't we have 157 for individual rooms?
-
Ge0rG
Why don't we have 157 for individual users?
-
jonas’
Link Mauve, I limit it to PNG and JPEG to be precise
-
Link Mauve
Any reason for that?
-
jonas’
Link Mauve, rescaling
-
MattJ
I heard SVG has trouble with that
-
Link Mauve
It’s free to do in the browser with SVG.
-
jonas’
and embedding SVG would require a separate domain to prevent any funny javascript attacks in SVG
-
jonas’
or at least a CSP
-
Link Mauve
jonas’, use <img/> instead of embedding it.
-
jonas’
all things I don’t know about
-
jonas’
Link Mauve, will that stop it from executing scripts?
-
Link Mauve
Yes.
-
jonas’
are you sure? if so, why?
-
Link Mauve
Yes I am; because images are expected since about forever to not contain scripts.
-
jonas’
yeah well, I expect the web to be sane since forever and it isn’t
-
Link Mauve
And browsers would be very cautious to not open such a huge hole that can even do cross-site things.
-
jonas’
they have traditionally done that, I don’t trust browsers
-
moparisthebest
I was fairly confident SVGs even with image could execute javascript
-
Link Mauve
For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL.
-
jonas’
Link Mauve, am I still safe when I use the SVG as background-image?
-
Link Mauve
jonas’, yes, it also is in an image context.
-
Link Mauve
moparisthebest, do you have a link to an attack description?
-
Link Mauve
jonas’, what isn’t would be to use <object/> or <embed/> or <iframe/>.
-
MattJ
jonas’, https://www.w3.org/wiki/SVG_Security
-
jonas’
MattJ, thanks
-
moparisthebest
yea if browsers actually implement it like that it should be safe, neat
-
Seve
> For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL.
Haven't you said earlier to use <img/>?
-
Link Mauve
Seve, yes.
-
Seve
Ah you mean nothing would happen if that is the case
-
Link Mauve
Yes, this story is about as obvious as it could be, and the reason why browsers took so long to accept SVG in image contexts.
-
moparisthebest
jonas’ is still right though in that if someone links to https://somedomain.com/evil.svg that'll still execute javascript and be able to steal cookies and XSS from somedomain.com, so if you allow SVG uploads, you need different domain or CSP or similar
-
MattJ
Right-click->View Image
-
Link Mauve
Or a data: URI.
-
Link Mauve
Or a Blob.
-
Link Mauve
Or any of the various mechanisms that aren’t tied to the domain.
-
Link Mauve
(CSP is very good.)
-
jonas’
moparisthebest, thanks, good point
-
jonas’
a CSP it is
-
jonas’
the sane thing would be to disable all script things for the avatar endpoint?
-
Link Mauve
Probably also all external CSS.
-
jonas’
everything
-
jonas’
how do I do that?
-
Ge0rG
Just burn the web. With napalm
-
Link Mauve
At JabberFR, for our HTTP File Upload domain, we use: Content-Security-Policy: frame-ancestors 'none'; default-src 'none'; img-src 'self'; media-src 'self'; report-uri /report-csp-violation
-
Link Mauve
I should add style-src 'self'.
-
Ge0rG
Link Mauve: do you have a csp violation listener at /?
-
Zash
```
~$ ssh snikket2
~$ more /etc/nginx/snippets/csp-strict.conf
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'";
```
-
Link Mauve
Ge0rG, yes.
-
Link Mauve
For every domain.
-
moparisthebest
for a site like yours jonas’ I'd probably just disable everything with CSP, then enable as you need
-
jonas’
yeah
-
Link Mauve
That’s default-src 'none'.
-
Ge0rG
Link Mauve: what's the implementation you are using?
- Ge0rG is asking for a friend
-
jonas’
default-src 'none'; seems to still allow SVG to be rendered
-
Link Mauve
Ge0rG, the one which uses a ton of memory.
-
Zash
It's funny when you disable the CSS in SVG.
-
Ge0rG
Link Mauve: ejabberd?
-
Link Mauve
Zash, yes, which is why you should also have style-src 'unsafe-inline'.
-
Link Mauve
Ge0rG, ah no, Prosody.
-
Link Mauve
With the mod_http_upload community module.
-
Ge0rG
Link Mauve: prosody is a csp violation reporting tool?
-
jonas’
Link Mauve, > frame-ancestors 'none'; default-src 'none'; style-src 'unsafe-inline';
-
jonas’
does that sound good?
-
Link Mauve
jonas’, sounds nice yeah.
-
Link Mauve
You may want to add a listener so that you know what your users are being prevented from fetching, at least for a short while.
-
jonas’
... nah :)
-
jonas’
I only set it on the avatar endpoint
-
jonas’
people will complain when their avatars aren’t working
-
Link Mauve
Ge0rG, ah no, I’m using one which sends them to my JID.
-
Link Mauve
Let me figure it out.
-
Link Mauve
pep., do you remember where I put it?
-
jonas’
Link Mauve, https://search.jabbercat.org/search?q=jabberfr
-
jonas’
the others will be updated when the scanner gets to them
-
Link Mauve
\o/
-
Link Mauve
I should add the new muc#roominfo_webchat_url thing we are going to accept shortly. ^^
-
Link Mauve
Since we also have that.
-
Link Mauve
https://chat.jabberfr.org/ could use an emoji instead of a SVG now, for the join bubble.
-
jonas’
indeed
-
jonas’
thinking of directly embedding small avatars as data URIs for faster loading
-
jonas’
not sure how to write the query so that it only fetches the avatar from the database for the result list if it’s small enough
-
Link Mauve
Indeed, on just chat.jabberfr.org it takes about 700ms for me to download every SVG.
-
jonas’
to the SQL console!
-
jonas’
ugh, the only standard-SQL-way of doing it might be with a self-join
-
jonas’
hm, however, doing that would break caching
-
moparisthebest
another column that's only non-null if small enough? :/
-
jonas’
in postgres, I can do: select mime_type, case when length(data) < 16384 then data else null end from avatar;
-
jonas’
but locally I’m testing with sqlite, soo....
-
jonas’
oh, sqlite also has case
-
moparisthebest
was going to say I feel like that should work in sqlite
-
jonas’
and sqlalchemy supports it, too
-
jonas’
now the question is, does it even make sense to embed the avatars?
-
jonas’
right now, we send a 304 for avatars if they’re still cached on the client
-
jonas’
we can’t do that for the result page
-
jonas’
so we’d send all avatars of a page to the client, inefficiently base64-encoded
-
jonas’
every time, since they can’t benefit from caching
-
moparisthebest
you'd probably get more benefit from supporting http/2
-
jonas’
tell that to apache
-
moparisthebest
because then browser could request all the images over one connection at the same time etc
-
moparisthebest
apache surely supports http/2 by now?
-
jonas’
dunno
-
jonas’
if it isn’t on by default, I don’t bother
-
Link Mauve
moparisthebest, they already can with HTTP/1.1.
-
moparisthebest
not in parallel though?
-
jonas’
SVG support brought a few new avatars to the listing
-
jonas’
HTTP/2 seems to be a clusterfuck regarding the parallelism anyways. no idea why they thought it’d be a good idea to re-implement multiplexing which we already have with TCP
-
Zash
jonas’, itym SCTP
-
Link Mauve
moparisthebest, how does HTTP/2 do that?
-
moparisthebest
maybe, I mean http/3 is coming, but regardless it's still way faster for browsers
-
jonas’
or that
-
Zash
But we can't have SCTP because broken middleboxes
-
Zash
And NAT, and all the other things that ruin all nice things
-
Zash
Is MPTCP still alive?
-
moparisthebest
Link Mauve, like jonas’ said they reinvented multiplexing etc etc
-
Link Mauve
So instead we have WebRTC, which is like SCTP over RTP.
-
Link Mauve
moparisthebest, but in parallel you mean over multiple TCP connections, or…?
-
moparisthebest
http/3 over quic sounds pretty sweet though
-
moparisthebest
no just one
-
moparisthebest
it's probably just a config option to enable http2 jonas’ you should look at it
-
Link Mauve
moparisthebest, what is the difference between that and HTTP/1.1 pipelining then?
-
moparisthebest
I assume it's new enough because you support TLS 1.3 :) https://www.ssllabs.com/ssltest/analyze.html?d=search.jabbercat.org&s=2a01%3a4f9%3a2b%3a2c50%3a1010%3a1010%3a0%3a1&latest
-
jonas’
Link Mauve, HTTP/2 introduces its own framing on top of TCP
-
jonas’
so you’d be requesting resources A B C, and then receive chunks A1 B1 C1 A2 B2 C2 ...
-
jonas’
also the server may push you resources of which it expects you to need some
-
moparisthebest
https://stackoverflow.com/questions/34478967/what-is-the-difference-between-http-1-1-pipelining-and-http-2-multiplexing I guess, plenty of different search results
-
Link Mauve
jonas’, oh, I see.
-
moparisthebest
bottom line is, it's far far faster, so turn it on
-
jonas’
it’s also much more broken
-
jonas’
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
-
moparisthebest
than ?
-
jonas’
I’m going to wait until the HTTP/2 implementations settle down before deploying that and having yet another headache to deal with
-
moparisthebest
http 1.1 pipelining is pretty broken too iirc :) everything is broken
-
Link Mauve
The web especially.
-
jonas’
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md#attacks
-
jonas’
plenty of good stuff in there
-
Zash
jonas’, do the compromise I did on prosody.im, only do HTTP/2 over IPv6
-
Link Mauve
jonas’, do you have something set up for i18n for muclumbus yet?
-
jonas’
Link Mauve, not really