
Profanity doesn't prevent sending illegal sequences

Open mdosch opened this issue 3 years ago • 3 comments

It was reported to Debian that profanity disconnects after pressing some keys and sending a message. This is because illegal sequences are inserted by the key combos and the server replies with a "not well formed" error. Please see also yesterday's discussion in jdev@. This should probably be fixed in profanity, but libstrophe should also prevent sending those sequences (CC: @pasis).

Expected Behavior

Those sequences should not be sent over the wire.

Current Behavior

Those sequences are sent over the wire causing a "not well formed" error and a disconnect.

11/11/2020 11:56:19: prof: DBG: Input received: ^V    
11/11/2020 11:56:19: conn: DBG: SENT: <message id="YzhhMDE4YWMtMWNmYy00MDk2LWE5YmYtYjk3MWQ0NWNiZmVlNjdkZmMxYmU0YTM4MzcxNjdhZjBiMmVjYTU4NWI5ODEzOGIwNGNjMWFkMmM1MTg0MTBlMDk0MjEwNTZmNDRhOQ==" to="[email protected]" type="chat"><body>^V</body><active xmlns="http://jabber.org/protocol/chatstates"/><request xmlns="urn:xmpp:receipts"/></message>
11/11/2020 11:56:19: xmpp: DBG: RECV: <error xmlns="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></error>
11/11/2020 11:56:19: xmpp: DBG: RECV: </stream:stream>    
11/11/2020 11:56:19: xmpp: DBG: Closing socket.    
11/11/2020 11:56:19: prof: DBG: Connection handler: XMPP_CONN_DISCONNECT    
11/11/2020 11:56:19: prof: DBG: Connection handler: Lost connection for unknown reason

grep YzhhMDE4YWMtMWNmYy00MDk2LWE5YmYtYjk3MWQ0NWNiZmVlNjdkZmMxYmU0YTM4MzcxNjdhZjBiMmVjYTU4NWI5ODEzOGIwNGNjMWFkMmM1MTg0MTBlMDk0MjEwNTZmNDRhOQ== /var/log/prosody/prosody.debug                                     
Nov 11 11:56:19 mod_c2s debug   Received invalid XML (not well-formed (invalid token)) 300 bytes: "<message id=\"YzhhMDE4YWMtMWNmYy00MDk2LWE5YmYtYjk3MWQ0NWNiZmVlNjdkZmMxYmU0YTM4MzcxNjdhZjBiMmVjYTU4NWI5ODEzOGIwNGNjMWFkMmM1MTg0MTBlMDk0MjEwNTZmNDRhOQ==\" to=\"[email protected]\" type=\"chat\"><body>\022</body><active xmlns=\"http://jabber.org/protocol/chatstates\"/><request xmlns=\"urn:xmpp:receipts\"/></message>" 

Possible Solution

@horazont wrote

https://www.joelonsoftware.com/2003/10/08/the-absolute-minimum-every-software-developer-absolutely-positively-must-know-about-unicode-and-character-sets-no-excuses/

On input, you convert everything to Unicode (please see the link). You'll then have to filter out all codepoints between U+0000 and U+001F (incl.) except U+0009, U+000A and U+000D, then you pass that to the XML library for serialisation as XML.

Steps to Reproduce (for bugs)

Switch to console, run profanity, and try some escape sequence such as hitting CTRL+V twice, then enter. Disconnects from the server again.

Environment

Happens with 0.9.5 (see linked Debian bug report) as well as with latest master (sorry, I don't have a profanity accessible right now for --version output).

Nov 12 '20 10:11 mdosch

There is also https://github.com/profanity-im/profanity/issues/1220 and https://github.com/profanity-im/profanity/pull/1226 where we started to filter out some characters upon receipt.

Nov 12 '20 10:11 jubalh

depends-on-libstrophe: I think one should not solely rely on the lib to filter out those sequences, as the lib can't do this on encrypted messages, so profanity should also filter on user input (prior to encryption) and on incoming messages (after decryption).

Aug 02 '22 14:08 mdosch

Makes sense.

Aug 02 '22 16:08 jubalh
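
One way to implement the filter quoted under "Possible Solution", as an added example (not profanity's or libstrophe's code): it decodes the input as UTF-8 and, going beyond the quoted U+0000 to U+001F rule, also drops malformed byte sequences and every other code point outside the XML 1.0 `Char` production. The names `xml_sanitize`, `xml_char_ok` and `utf8_decode` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* XML 1.0 "Char" production: the only code points a document may contain. */
static int xml_char_ok(uint32_t cp)
{
    return cp == 0x9 || cp == 0xA || cp == 0xD || (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) || (cp >= 0x10000 && cp <= 0x10FFFF);
}

/* Decode one UTF-8 sequence; return its length, or 0 if malformed, truncated or overlong. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    static const uint32_t min[] = {0, 0, 0x80, 0x800, 0x10000};
    size_t i, len = s[0] < 0x80 ? 1 : (s[0] & 0xE0) == 0xC0 ? 2 :
                    (s[0] & 0xF0) == 0xE0 ? 3 : (s[0] & 0xF8) == 0xF0 ? 4 : 0;
    if (len == 0 || len > n) return 0;
    *cp = len == 1 ? s[0] : s[0] & (0xFF >> (len + 1)); /* payload bits of lead byte */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;            /* not a continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    return *cp >= min[len] ? len : 0;                   /* reject overlong encodings */
}

/* Return a malloc'd copy of `in` without malformed UTF-8 or non-XML code points. */
char *xml_sanitize(const char *in)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), i = 0, o = 0;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    while (i < n) {
        uint32_t cp;
        size_t len = utf8_decode(s + i, n - i, &cp);
        if (len && xml_char_ok(cp)) { memcpy(out + o, s + i, len); o += len; }
        i += len ? len : 1;   /* on a bad byte, skip it and resync */
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    char *clean = xml_sanitize("hi\x16 there"); /* constructed input: U+0016 is Ctrl+V */
    if (clean) { puts(clean); free(clean); }
    return 0;
}
```

As the thread notes, a filter like this belongs on user input before encryption and on incoming text after decryption, since a library below the encryption layer never sees the plaintext.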