It has always been vulnerable to MITM attacks when it is not used with DNSSEC,
and has been removed from XEP-0156 because of that. We have been issued
CVE-2022-26491 for this issue.
More discussion can be found at
https://mail.jabber.org/pipermail/standards/2022-February/038759.html.
Testing Done:
Compiled
Reviewed at https://reviews.imfreedom.org/r/1357/
/*
* @file util.h Utility Functions
* @ingroup core
*/
/* Purple is the legal property of its developers, whose names are too numerous
* to list here. Please refer to the COPYRIGHT file distributed with this
* source distribution.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
*/
#include"internal.h"
#include"cipher.h"
#include"conversation.h"
#include"core.h"
#include"debug.h"
#include"glibcompat.h"
#include"notify.h"
#include"ntlm.h"
#include"prpl.h"
#include"prefs.h"
#include"util.h"
/* 512KiB Default value for maximum HTTP download size (when the client hasn't
specified a length) */
#define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
struct_PurpleUtilFetchUrlData
{
PurpleUtilFetchUrlCallbackcallback;
void*user_data;
struct
{
char*user;
char*passwd;
char*address;
intport;
char*page;
}website;
char*url;
intnum_times_redirected;
gbooleanfull;
char*user_agent;
gbooleanhttp11;
char*request;
gsizerequest_len;
gsizerequest_written;
gbooleaninclude_headers;
gbooleanis_ssl;
PurpleSslConnection*ssl_connection;
PurpleProxyConnectData*connect_data;
intfd;
guintinpa;
gbooleangot_headers;
gbooleanhas_explicit_data_len;
char*webdata;
gsizelen;
unsignedlongdata_len;
gsizemax_len;
gbooleanchunked;
PurpleAccount*account;
};
staticchar*custom_user_dir=NULL;
staticchar*user_dir=NULL;
staticGRegex*str_to_time_regex=NULL;
staticconstgchar*str_to_time_pattern=
"^\\s*"
"(?P<year>\\d{4})? # look for a leading year\n"
"(?:[-\\/]?) # an optional separator of - or /\n"
"(?P<month>\\d{2}) # the two digit month\n"
"(?:[-\\/]?) # another optional separator of - or /\n"
"(?P<day>\\d{2}) # the two digit day\n"
"# we now have an optional trailing year or seconds\n"
"(?:\n"
" (?:[-\\/]?(?P<trailingyear>\\d{4})) # the trailing year may have a - or / separator\n"
"|\n"
" [T.] # T signifies that this is an iso8601 time\n"