Bug#1033401: unblock: src:dino-im/0.4.2-1
Control: tags -1 moreinfo
On 2023-03-24 12:45:41 +0000, Martin wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Dear release team,
>
> I like to get clearance for uploading dino-im 0.4.2 to unstable, to get
> it into bookworm.
Please go ahead and let us know once the package is available in
unstable.
Cheers
>
> Upstream release text:
>
> > Maintenance release with fix for CVE-2023-28686 and bug fixes.
>
> There are eight commits, from which five should definitively go into
> bookworm (1, 2, 6, 7, 8). Two commits are not related to a bug report,
> but solve relevant problems (3, 4). Only one is not relevant at all, but
> it does not touch file we care about anyway (5).
>
> There are no new features nor unnecessary changes, so I would very much
> prefer to get the new version in instead of adding five to seven
> patches.
>
> Here is a description of the commits between 0.4.1 (now in testing) and
> 0.4.2 (to be uploaded):
>
> 1. acf9c694 * Fix C binding for gst_video_frame_get_data
> Fix for: GTK4 - crash when answering video call #1267
> > Fix C binding for gst_video_frame_get_data
> https://github.com/dino/dino/issues/1267
>
> 2. 89b9110f * Improve history sync
> Fix for: MUC MAM (0313) doesn't work #1386
> > - Ensure we fully fetch desired history if possible (previously, duplicates
> > from offline message queue could hinder MAM sync)
> > - Early drop illegal MAM messages so they don't pile up in the pending queue
> > waiting for their query to end (which it never will if they were not
> > requested in first place).
> https://github.com/dino/dino/issues/1386
>
> 3. 481a68fd * Improve database performance while reconnecting and syncing
> > Improve database performance while reconnecting and syncing
> > Also move some tasks to low priority idle queue so they won't block UI updates
> No bug report, but solves startup time issues some users reported.
>
> 4. 1738bf8d * data: Set StartupNotify to true in .desktop file
> > data: Set StartupNotify to true in .desktop file
> > GTK handles startup notifications, so advertise it in desktop
> > file. This allows splash screens and other startup indications
> > in DEs to work.
> No bug report, but sounds like an issue worth solving.
>
> 5. b6f9b54d * Remove gspell
> (not relevant to Debian: unused cmake/FindGspell.cmake removed, change
> in github ci file)
>
> 6. 00482404 * Fix a crash if a message subnode is not found in a carbon
> Fix for: A carbon crashes Dino #1392
> > Fix a crash if a message subnode is not found in a carbon
> https://github.com/dino/dino/issues/1392
>
> 7. 179c766d * Bind soup session lifetime to File provider/sender lifetime
> Fix for: Dino crashes when sending or receiving files #1395
> > Bind soup session lifetime to File provider/sender lifetime
> > Required since libsoup 3.4. Fixes #1395
> https://github.com/dino/dino/issues/1395
>
> 8. baf96d9d * @ v0.4.2 origin/v0.4 Check sender of bookmark:1 updates
> Fix for: dino-im: Insufficient message sender validation in Dino CVE-2023-28686
> > Check sender of bookmark:1 updates
> https://bugs.debian.org/1033370
>
> Thanks in advance for your comments and decision!
>
> Cheers
>
> unblock src:dino-im/0.4.2-1
>
> diff -Nru dino-im-0.4.1/.github/workflows/build.yml dino-im-0.4.2/.github/workflows/build.yml
> --- dino-im-0.4.1/.github/workflows/build.yml 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/.github/workflows/build.yml 2023-03-23 18:00:00.000000000 +0000
> @@ -7,7 +7,7 @@
> - uses: actions/checkout@v2
> - run: sudo apt-get update
> - run: sudo apt-get remove libunwind-14-dev
> - - run: sudo apt-get install -y build-essential gettext cmake valac libgee-0.8-dev libsqlite3-dev libgtk-4-dev libnotify-dev libgpgme-dev libsoup2.4-dev libgcrypt20-dev libqrencode-dev libgspell-1-dev libnice-dev libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libsrtp2-dev libwebrtc-audio-processing-dev libadwaita-1-dev
> + - run: sudo apt-get install -y build-essential gettext cmake valac libgee-0.8-dev libsqlite3-dev libgtk-4-dev libnotify-dev libgpgme-dev libsoup2.4-dev libgcrypt20-dev libqrencode-dev libnice-dev libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libsrtp2-dev libwebrtc-audio-processing-dev libadwaita-1-dev
> - run: ./configure --with-tests --with-libsignal-in-tree
> - run: make
> - run: build/xmpp-vala-test
> diff -Nru dino-im-0.4.1/VERSION dino-im-0.4.2/VERSION
> --- dino-im-0.4.1/VERSION 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/VERSION 2023-03-23 18:00:00.000000000 +0000
> @@ -1 +1 @@
> -RELEASE 0.4.1
> +RELEASE 0.4.2
> diff -Nru dino-im-0.4.1/cmake/FindGspell.cmake dino-im-0.4.2/cmake/FindGspell.cmake
> --- dino-im-0.4.1/cmake/FindGspell.cmake 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/cmake/FindGspell.cmake 1970-01-01 00:00:00.000000000 +0000
> @@ -1,14 +0,0 @@
> -include(PkgConfigWithFallback)
> -find_pkg_config_with_fallback(Gspell
> - PKG_CONFIG_NAME gspell-1
> - LIB_NAMES gspell-1
> - INCLUDE_NAMES gspell.h
> - INCLUDE_DIR_SUFFIXES gspell-1 gspell-1/gspell
> - DEPENDS GTK3
> -)
> -
> -include(FindPackageHandleStandardArgs)
> -find_package_handle_standard_args(Gspell
> - REQUIRED_VARS Gspell_LIBRARY
> - VERSION_VAR Gspell_VERSION)
> -
> diff -Nru dino-im-0.4.1/debian/changelog dino-im-0.4.2/debian/changelog
> --- dino-im-0.4.1/debian/changelog 2023-03-02 07:17:50.000000000 +0000
> +++ dino-im-0.4.2/debian/changelog 2023-03-23 20:14:12.000000000 +0000
> @@ -1,3 +1,15 @@
> +dino-im (0.4.2-1) unstable; urgency=medium
> +
> + * Maintenance release with fix for CVE-2023-28686 and bug fixes
> +
> + -- Martin <debacle@debian.org> Thu, 23 Mar 2023 20:14:12 +0000
> +
> +dino-im (0.4.1+git20230307.47a0669-1) experimental; urgency=medium
> +
> + * Upstream snapshot
> +
> + -- Martin <debacle@debian.org> Sun, 12 Mar 2023 23:16:53 +0000
> +
> dino-im (0.4.1-1) unstable; urgency=medium
>
> * Bug fix and maintenance release, no new features
> diff -Nru dino-im-0.4.1/debian/patches/rename-to-dino-im.patch dino-im-0.4.2/debian/patches/rename-to-dino-im.patch
> --- dino-im-0.4.1/debian/patches/rename-to-dino-im.patch 2023-03-02 07:17:50.000000000 +0000
> +++ dino-im-0.4.2/debian/patches/rename-to-dino-im.patch 2023-03-23 20:14:12.000000000 +0000
> @@ -13,7 +13,7 @@
> -Exec=dino %U
> +Exec=dino-im %U
> Icon=im.dino.Dino
> - StartupNotify=false
> + StartupNotify=true
> Terminal=false
> --- a/main/data/im.dino.Dino.service
> +++ b/main/data/im.dino.Dino.service
> diff -Nru dino-im-0.4.1/libdino/src/service/database.vala dino-im-0.4.2/libdino/src/service/database.vala
> --- dino-im-0.4.1/libdino/src/service/database.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/libdino/src/service/database.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -7,7 +7,7 @@
> namespace Dino {
>
> public class Database : Qlite.Database {
> - private const int VERSION = 25;
> + private const int VERSION = 26;
>
> public class AccountTable : Table {
> public Column<int> id = new Column.Integer("id") { primary_key = true, auto_increment = true };
> @@ -93,6 +93,11 @@
>
> // deduplication
> index("message_account_counterpart_stanzaid_idx", {account_id, counterpart_id, stanza_id});
> + index("message_account_counterpart_serverid_idx", {account_id, counterpart_id, server_id});
> +
> + // message by marked
> + index("message_account_marked_idx", {account_id, marked});
> +
> fts({body});
> }
> }
> diff -Nru dino-im-0.4.1/libdino/src/service/history_sync.vala dino-im-0.4.2/libdino/src/service/history_sync.vala
> --- dino-im-0.4.1/libdino/src/service/history_sync.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/libdino/src/service/history_sync.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -163,7 +163,7 @@
> if (current_row[db.mam_catchup.from_end]) return;
>
> debug("[%s] Fetching between ranges %s - %s", mam_server.to_string(), previous_row[db.mam_catchup.to_time].to_string(), current_row[db.mam_catchup.from_time].to_string());
> - current_row = yield fetch_between_ranges(account, mam_server, previous_row, current_row);
> + current_row = yield fetch_between_ranges(account, mam_server, previous_row, current_row, cancellable);
> if (current_row == null) return;
>
> RowOption previous_row_opt = db.mam_catchup.select()
> @@ -214,13 +214,11 @@
> return null;
> }
>
> - // If we get PageResult.Duplicate, we still want to update the db row to the latest message.
> -
> // Catchup finished within first page. Update latest db entry.
> if (latest_row_id != -1 &&
> - page_result.page_result in new PageResult[] { PageResult.TargetReached, PageResult.NoMoreMessages, PageResult.Duplicate }) {
> + page_result.page_result in new PageResult[] { PageResult.TargetReached, PageResult.NoMoreMessages }) {
>
> - if (page_result.stanzas == null || page_result.stanzas.is_empty) return null;
> + if (page_result.stanzas == null) return null;
>
> string latest_mam_id = page_result.query_result.last;
> long latest_mam_time = (long) mam_times[account][latest_mam_id].to_unix();
> @@ -272,7 +270,7 @@
> ** Merges the `earlier_range` db row into the `later_range` db row.
> ** @return The resulting range comprising `earlier_range`, `later_rage`, and everything in between. null if fetching/merge failed.
> **/
> - private async Row? fetch_between_ranges(Account account, Jid mam_server, Row earlier_range, Row later_range) {
> + private async Row? fetch_between_ranges(Account account, Jid mam_server, Row earlier_range, Row later_range, Cancellable? cancellable = null) {
> int later_range_id = (int) later_range[db.mam_catchup.id];
> DateTime earliest_time = new DateTime.from_unix_utc(earlier_range[db.mam_catchup.to_time]);
> DateTime latest_time = new DateTime.from_unix_utc(later_range[db.mam_catchup.from_time]);
> @@ -282,9 +280,9 @@
> earliest_time, earlier_range[db.mam_catchup.to_id],
> latest_time, later_range[db.mam_catchup.from_id]);
>
> - PageRequestResult page_result = yield fetch_query(account, query_params, later_range_id);
> + PageRequestResult page_result = yield fetch_query(account, query_params, later_range_id, cancellable);
>
> - if (page_result.page_result == PageResult.TargetReached) {
> + if (page_result.page_result == PageResult.TargetReached || page_result.page_result == PageResult.NoMoreMessages) {
> debug("[%s | %s] Merging range %i into %i", account.bare_jid.to_string(), mam_server.to_string(), earlier_range[db.mam_catchup.id], later_range_id);
> // Merge earlier range into later one.
> db.mam_catchup.update()
> @@ -330,9 +328,9 @@
> PageRequestResult? page_result = null;
> do {
> page_result = yield get_mam_page(account, query_params, page_result, cancellable);
> - debug("Page result %s %b", page_result.page_result.to_string(), page_result.stanzas == null);
> + debug("[%s | %s] Page result %s (got stanzas: %s)", account.bare_jid.to_string(), query_params.mam_server.to_string(), page_result.page_result.to_string(), (page_result.stanzas != null).to_string());
>
> - if (page_result.page_result == PageResult.Error || page_result.page_result == PageResult.Cancelled || page_result.stanzas == null) return page_result;
> + if (page_result.page_result == PageResult.Error || page_result.page_result == PageResult.Cancelled || page_result.query_result.first == null) return page_result;
>
> string earliest_mam_id = page_result.query_result.first;
> long earliest_mam_time = (long)mam_times[account][earliest_mam_id].to_unix();
> @@ -357,7 +355,6 @@
> MorePagesAvailable,
> TargetReached,
> NoMoreMessages,
> - Duplicate,
> Error,
> Cancelled
> }
> @@ -399,23 +396,25 @@
> string query_id = query_params.query_id;
> string? after_id = query_params.start_id;
>
> + var stanzas_for_query = stanzas.has_key(query_id) && !stanzas[query_id].is_empty ? stanzas[query_id] : null;
> if (cancellable != null && cancellable.is_cancelled()) {
> - return new PageRequestResult(PageResult.Cancelled, query_result, stanzas[query_id]);
> + stanzas.unset(query_id);
> + return new PageRequestResult(PageResult.Cancelled, query_result, stanzas_for_query);
> }
>
> - if (stanzas.has_key(query_id) && !stanzas[query_id].is_empty) {
> + if (stanzas_for_query != null) {
>
> // Check it we reached our target (from_id)
> - foreach (Xmpp.MessageStanza message in stanzas[query_id]) {
> + foreach (Xmpp.MessageStanza message in stanzas_for_query) {
> Xmpp.MessageArchiveManagement.MessageFlag? mam_message_flag = Xmpp.MessageArchiveManagement.MessageFlag.get_flag(message);
> if (mam_message_flag != null && mam_message_flag.mam_id != null) {
> if (after_id != null && mam_message_flag.mam_id == after_id) {
> // Successfully fetched the whole range
> yield send_messages_back_into_pipeline(account, query_id, cancellable);
> if (cancellable != null && cancellable.is_cancelled()) {
> - return new PageRequestResult(PageResult.Cancelled, query_result, stanzas[query_id]);
> + return new PageRequestResult(PageResult.Cancelled, query_result, stanzas_for_query);
> }
> - return new PageRequestResult(PageResult.TargetReached, query_result, stanzas[query_id]);
> + return new PageRequestResult(PageResult.TargetReached, query_result, stanzas_for_query);
> }
> }
> }
> @@ -423,37 +422,9 @@
> // Message got filtered out by xmpp-vala, but succesful range fetch nevertheless
> yield send_messages_back_into_pipeline(account, query_id);
> if (cancellable != null && cancellable.is_cancelled()) {
> - return new PageRequestResult(PageResult.Cancelled, query_result, stanzas[query_id]);
> + return new PageRequestResult(PageResult.Cancelled, query_result, stanzas_for_query);
> }
> - return new PageRequestResult(PageResult.TargetReached, query_result, stanzas[query_id]);
> - }
> -
> - // Check for duplicates. Go through all messages and build a db query.
> - foreach (Xmpp.MessageStanza message in stanzas[query_id]) {
> - Xmpp.MessageArchiveManagement.MessageFlag? mam_message_flag = Xmpp.MessageArchiveManagement.MessageFlag.get_flag(message);
> - if (mam_message_flag != null && mam_message_flag.mam_id != null) {
> - if (selection == null) {
> - selection = @"$(db.message.server_id) = ?";
> - } else {
> - selection += @" OR $(db.message.server_id) = ?";
> - }
> - selection_args += mam_message_flag.mam_id;
> - }
> - }
> - var duplicates_qry = db.message.select()
> - .with(db.message.account_id, "=", account.id)
> - .where(selection, selection_args);
> - // We don't want messages from different MAM servers to interfere with each other.
> - if (!query_params.mam_server.equals_bare(account.bare_jid)) {
> - duplicates_qry.with(db.message.counterpart_id, "=", db.get_jid_id(query_params.mam_server));
> - } else {
> - duplicates_qry.with(db.message.type_, "=", Message.Type.CHAT);
> - }
> - var duplicates_count = duplicates_qry.count();
> - if (duplicates_count > 0) {
> - // We got a duplicate although we thought we have to catch up.
> - // There was a server bug where prosody would send all messages if it didn't know the after ID that was given
> - page_result = PageResult.Duplicate;
> + return new PageRequestResult(PageResult.TargetReached, query_result, stanzas_for_query);
> }
> }
>
> @@ -461,7 +432,7 @@
> if (cancellable != null && cancellable.is_cancelled()) {
> page_result = PageResult.Cancelled;
> }
> - return new PageRequestResult(page_result, query_result, stanzas.has_key(query_id) ? stanzas[query_id] : null);
> + return new PageRequestResult(page_result, query_result, stanzas_for_query);
> }
>
> private async void send_messages_back_into_pipeline(Account account, string query_id, Cancellable? cancellable = null) {
> diff -Nru dino-im-0.4.1/main/data/im.dino.Dino.desktop dino-im-0.4.2/main/data/im.dino.Dino.desktop
> --- dino-im-0.4.1/main/data/im.dino.Dino.desktop 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/main/data/im.dino.Dino.desktop 2023-03-23 18:00:00.000000000 +0000
> @@ -5,7 +5,7 @@
> Keywords=chat;talk;im;message;xmpp;jabber;
> Exec=dino %U
> Icon=im.dino.Dino
> -StartupNotify=false
> +StartupNotify=true
> Terminal=false
> Type=Application
> Categories=GTK;Network;Chat;InstantMessaging;
> diff -Nru dino-im-0.4.1/main/src/ui/conversation_selector/conversation_selector_row.vala dino-im-0.4.2/main/src/ui/conversation_selector/conversation_selector_row.vala
> --- dino-im-0.4.1/main/src/ui/conversation_selector/conversation_selector_row.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/main/src/ui/conversation_selector/conversation_selector_row.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -225,7 +225,21 @@
> label.attributes = copy;
> }
>
> + private bool update_read_pending = false;
> + private bool update_read_pending_force = false;
> protected void update_read(bool force_update = false) {
> + if (force_update) update_read_pending_force = true;
> + if (update_read_pending) return;
> + update_read_pending = true;
> + Idle.add(() => {
> + update_read_pending = false;
> + update_read_pending_force = false;
> + update_read_idle(update_read_pending_force);
> + return Source.REMOVE;
> + }, Priority.LOW);
> + }
> +
> + private void update_read_idle(bool force_update = false) {
> int current_num_unread = stream_interactor.get_module(ChatInteraction.IDENTITY).get_num_unread(conversation);
> if (num_unread == current_num_unread && !force_update) return;
> num_unread = current_num_unread;
> diff -Nru dino-im-0.4.1/plugins/http-files/src/file_provider.vala dino-im-0.4.2/plugins/http-files/src/file_provider.vala
> --- dino-im-0.4.1/plugins/http-files/src/file_provider.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/plugins/http-files/src/file_provider.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -10,13 +10,16 @@
>
> private StreamInteractor stream_interactor;
> private Dino.Database dino_db;
> + private Soup.Session session;
> private static Regex http_url_regex = /^https?:\/\/([^\s#]*)$/; // Spaces are invalid in URLs and we can't use fragments for downloads
> private static Regex omemo_url_regex = /^aesgcm:\/\/(.*)#(([A-Fa-f0-9]{2}){48}|([A-Fa-f0-9]{2}){44})$/;
>
> public FileProvider(StreamInteractor stream_interactor, Dino.Database dino_db) {
> this.stream_interactor = stream_interactor;
> this.dino_db = dino_db;
> + this.session = new Soup.Session();
>
> + session.user_agent = @"Dino/$(Dino.get_short_version()) ";
> stream_interactor.get_module(MessageProcessor.IDENTITY).received_pipeline.connect(new ReceivedMessageListener(this));
> }
>
> @@ -114,8 +117,6 @@
> HttpFileReceiveData? http_receive_data = receive_data as HttpFileReceiveData;
> if (http_receive_data == null) return file_meta;
>
> - var session = new Soup.Session();
> - session.user_agent = @"Dino/$(Dino.get_short_version()) ";
> var head_message = new Soup.Message("HEAD", http_receive_data.url);
> head_message.request_headers.append("Accept-Encoding", "identity");
>
> @@ -150,8 +151,6 @@
> HttpFileReceiveData? http_receive_data = receive_data as HttpFileReceiveData;
> if (http_receive_data == null) assert(false);
>
> - var session = new Soup.Session();
> - session.user_agent = @"Dino/$(Dino.get_short_version()) ";
> var get_message = new Soup.Message("GET", http_receive_data.url);
>
> try {
> diff -Nru dino-im-0.4.1/plugins/http-files/src/file_sender.vala dino-im-0.4.2/plugins/http-files/src/file_sender.vala
> --- dino-im-0.4.1/plugins/http-files/src/file_sender.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/plugins/http-files/src/file_sender.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -7,12 +7,15 @@
> public class HttpFileSender : FileSender, Object {
> private StreamInteractor stream_interactor;
> private Database db;
> + private Soup.Session session;
> private HashMap<Account, long> max_file_sizes = new HashMap<Account, long>(Account.hash_func, Account.equals_func);
>
> public HttpFileSender(StreamInteractor stream_interactor, Database db) {
> this.stream_interactor = stream_interactor;
> this.db = db;
> + this.session = new Soup.Session();
>
> + session.user_agent = @"Dino/$(Dino.get_short_version()) ";
> stream_interactor.stream_negotiated.connect(on_stream_negotiated);
> stream_interactor.get_module(MessageProcessor.IDENTITY).build_message_stanza.connect(check_add_oob);
> }
> @@ -90,8 +93,6 @@
> Xmpp.XmppStream? stream = stream_interactor.get_stream(file_transfer.account);
> if (stream == null) return;
>
> - var session = new Soup.Session();
> - session.user_agent = @"Dino/$(Dino.get_short_version()) ";
> var put_message = new Soup.Message("PUT", file_send_data.url_up);
> #if SOUP_3_0
> put_message.set_request_body(file_meta.mime_type, file_transfer.input_stream, (ssize_t) file_meta.size);
> diff -Nru dino-im-0.4.1/plugins/rtp/src/video_widget.vala dino-im-0.4.2/plugins/rtp/src/video_widget.vala
> --- dino-im-0.4.1/plugins/rtp/src/video_widget.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/plugins/rtp/src/video_widget.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -1,4 +1,5 @@
> private static extern unowned Gst.Video.Info gst_video_frame_get_video_info(Gst.Video.Frame frame);
> +[CCode (array_length_type = "size_t", type = "void*")]
> private static extern unowned uint8[] gst_video_frame_get_data(Gst.Video.Frame frame);
>
> public class Dino.Plugins.Rtp.Paintable : Gdk.Paintable, Object {
> diff -Nru dino-im-0.4.1/xmpp-vala/src/module/xep/0280_message_carbons.vala dino-im-0.4.2/xmpp-vala/src/module/xep/0280_message_carbons.vala
> --- dino-im-0.4.1/xmpp-vala/src/module/xep/0280_message_carbons.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/xmpp-vala/src/module/xep/0280_message_carbons.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -58,6 +58,10 @@
> warning("Received alleged carbon message from %s, ignoring", message.from.to_string());
> return true;
> }
> + if (message_node == null) {
> + warning("Received a carbon message with no message subnode in jabber:client namespace from %s, ignoring", message.from.to_string());
> + return true;
> + }
> if (received_node != null) {
> message.add_flag(new MessageFlag(MessageFlag.TYPE_RECEIVED));
> } else if (sent_node != null) {
> diff -Nru dino-im-0.4.1/xmpp-vala/src/module/xep/0313_message_archive_management.vala dino-im-0.4.2/xmpp-vala/src/module/xep/0313_message_archive_management.vala
> --- dino-im-0.4.1/xmpp-vala/src/module/xep/0313_message_archive_management.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/xmpp-vala/src/module/xep/0313_message_archive_management.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -11,8 +11,8 @@
> public bool error { get; set; default=false; }
> public bool malformed { get; set; default=false; }
> public bool complete { get; set; default=false; }
> - public string first { get; set; }
> - public string last { get; set; }
> + public string? first { get; set; }
> + public string? last { get; set; }
> }
>
> public class Module : XmppStreamModule {
> @@ -65,16 +65,17 @@
> }
>
> StanzaNode query_node = new StanzaNode.build("query", NS_VER(stream)).add_self_xmlns().put_node(data_form.get_submit_node());
> - if (queryid != null) {
> - query_node.put_attribute("queryid", queryid);
> - }
> + query_node.put_attribute("queryid", queryid);
> return query_node;
> }
>
> internal async QueryResult query_archive(XmppStream stream, string ns, Jid? mam_server, StanzaNode query_node, Cancellable? cancellable = null) {
> - var res = new QueryResult();
>
> - if (stream.get_flag(Flag.IDENTITY) == null) { res.error = true; return res; }
> + var res = new QueryResult();
> + Flag? flag = stream.get_flag(Flag.IDENTITY);
> + string? query_id = query_node.get_attribute("queryid");
> + if (flag == null || query_id == null) { res.error = true; return res; }
> + flag.active_query_ids.add(query_id);
>
> // Build and send query
> Iq.Stanza iq = new Iq.Stanza.set(query_node) { to=mam_server };
> @@ -93,6 +94,11 @@
> if ((res.first == null) != (res.last == null)) { res.malformed = true; return res; }
> res.complete = fin_node.get_attribute_bool("complete", false, ns);
>
> + Idle.add(() => {
> + flag.active_query_ids.remove(query_id);
> + return Source.REMOVE;
> + }, Priority.LOW);
> +
> return res;
> }
>
> @@ -104,7 +110,8 @@
> public override string[] after_actions { get { return after_actions_const; } }
>
> public override async bool run(XmppStream stream, MessageStanza message) {
> - if (stream.get_flag(Flag.IDENTITY) == null) return false;
> + Flag? flag = stream.get_flag(Flag.IDENTITY);
> + if (flag == null) return false;
>
> StanzaNode? message_node = message.stanza.get_deep_subnode(NS_VER(stream) + ":result", StanzaForwarding.NS_URI + ":forwarded", Xmpp.NS_URI + ":message");
> if (message_node != null) {
> @@ -112,6 +119,28 @@
> DateTime? datetime = DelayedDelivery.get_time_for_node(forward_node);
> string? mam_id = message.stanza.get_deep_attribute(NS_VER(stream) + ":result", NS_VER(stream) + ":id");
> string? query_id = message.stanza.get_deep_attribute(NS_VER(stream) + ":result", NS_VER(stream) + ":queryid");
> +
> + if (query_id == null) {
> + warning("Received MAM message without queryid from %s, ignoring", message.from.to_string());
> + return true;
> + }
> +
> + if (!flag.active_query_ids.contains(query_id)) {
> + warning("Received MAM message from %s with unknown query id %s, ignoring", message.from.to_string(), query_id ?? "<none>");
> + return true;
> + }
> + Jid? inner_from = null;
> + try {
> + inner_from = new Jid(message_node.get_attribute("from"));
> + } catch (InvalidJidError e) {
> + warning("Received MAM message with invalid from attribute in forwarded message from %s, ignoring", message.from.to_string());
> + return true;
> + }
> + if (!message.from.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid) && !message.from.equals_bare(inner_from)) {
> + warning("Received MAM message from %s illegally impersonating %s, ignoring", message.from.to_string(), inner_from.to_string());
> + return true;
> + }
> +
> message.add_flag(new MessageFlag(message.from, datetime, mam_id, query_id));
>
> message.stanza = message_node;
> @@ -124,6 +153,7 @@
> public class Flag : XmppStreamFlag {
> public static FlagIdentity<Flag> IDENTITY = new FlagIdentity<Flag>(NS_URI, "message_archive_management");
> public bool cought_up { get; set; default=false; }
> + public Gee.Set<string> active_query_ids { get; set; default = new HashSet<string>(); }
> public string ns_ver;
>
> public Flag(string ns_ver) {
> diff -Nru dino-im-0.4.1/xmpp-vala/src/module/xep/0402_bookmarks2.vala dino-im-0.4.2/xmpp-vala/src/module/xep/0402_bookmarks2.vala
> --- dino-im-0.4.1/xmpp-vala/src/module/xep/0402_bookmarks2.vala 2023-03-01 23:30:00.000000000 +0000
> +++ dino-im-0.4.2/xmpp-vala/src/module/xep/0402_bookmarks2.vala 2023-03-23 18:00:00.000000000 +0000
> @@ -68,6 +68,11 @@
> }
>
> private void on_pupsub_item(XmppStream stream, Jid jid, string id, StanzaNode? node) {
> + if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
> + warning("Received alleged bookmarks:1 item from %s, ignoring", jid.to_string());
> + return;
> + }
> +
> Conference conference = parse_item_node(node, id);
> Flag? flag = stream.get_flag(Flag.IDENTITY);
> if (flag != null) {
> @@ -77,6 +82,11 @@
> }
>
> private void on_pupsub_retract(XmppStream stream, Jid jid, string id) {
> + if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
> + warning("Received alleged bookmarks:1 retract from %s, ignoring", jid.to_string());
> + return;
> + }
> +
> try {
> Jid jid_parsed = new Jid(id);
> Flag? flag = stream.get_flag(Flag.IDENTITY);
--
Sebastian Ramacher
Reply to: