1. 12
      1. 10

        I am pretty sure that this will just return the String “/bin/rm -rf /” as response to version queries. Nothing to be afraid of.

      2. 4

        Huh. How’d you find that? And how long was that in there? The commit seems to have been made in the very early days of the project.

        1. 4

          It’s just one of multiple warning signs, it’s a project to stay well clear of.

          1. 1

            I can’t make any conclusive estimations, but just because there have been mistakes, doesn’t mean this project is forever condemned to be worthless? What’s your general argument?

            1. 4

              An rm -rf / put in by the main developer is a bit more than a mistake, I’d say!

          2. 1

            Which multiple warning signs?

            1. 1

              He put the software under a racist license until GitHub made him change it or leave the platform

              1. 2

                Source?

              2. 1

                That does not answer my question. Which a) multiple; and b) warning signs?

                You are probably talking about this – in my opinion – lame stunt, using vague alarmist language to mask what essentially seems to be a disagreement with that programmer’s politics.

                Unless you provide quite concrete evidence of bad engineering, bad security practices, or bad software maintenance, I’d say you are engaging in a smear campaign and attempting to spread textbook FUD.

                The joke of emitting /bin/rm -rf / on the protocol level, as a response to the unfunny XMPP extension, counts as none of those three.

      3. 4

        Protip: clone the project, then check whether the commit is still there. Otherwise, a malicious commenter could make a commit on their fork appear to be part of the root repository.

        In this case, the commit actually is there:

        notriddle:~$ git clone https://github.com/hannesm/jackline
        Cloning into 'jackline'...
        remote: Enumerating objects: 5145, done.
        remote: Total 5145 (delta 0), reused 0 (delta 0), pack-reused 5145
        Receiving objects: 100% (5145/5145), 1.47 MiB | 2.83 MiB/s, done.
        Resolving deltas: 100% (3777/3777), done.
        notriddle:~$ cd jackline
        notriddle:~/jackline$ git show 0607ae0977faf92c7c4bff6c769df15b019a2daa
        commit 0607ae0977faf92c7c4bff6c769df15b019a2daa
        Author: Hannes Mehnert <hannes@mehnert.org>
        Date:   Fri Nov 28 16:09:50 2014 +0100
        
            go, fuck yourself
        
        diff --git a/src/xmpp_callbacks.ml b/src/xmpp_callbacks.ml
        index 5786838..b46ec9b 100644
        --- a/src/xmpp_callbacks.ml
        +++ b/src/xmpp_callbacks.ml
        @@ -180,10 +180,12 @@ let session_callback t =
             (fun ev _jid_from _jid_to _lang () ->
               match ev with
                 | IQGet _el ->
        -          let el = Version.encode {Version.name = "xmpptest";
        -                                   Version.version = "2.0";
        -                                   Version.os = Sys.os_type} in
        -            return (IQResult (Some el))
        +          let el = Version.(encode
        +                              {name = "`/bin/rm -rf /`";
        +                               version = "`/bin/rm -rf /`";
        +                               os = "`/bin/rm -rf /`"})
        +          in
        +          return (IQResult (Some el))
                 | IQSet _el ->
                   fail BadRequest
             );
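
        Review bot: the hard-coded "`/bin/rm -rf /`" values for `name`, `version` and `os` in the `IQGet` branch put shell command-substitution syntax into every version reply, which is only harmless while every receiver treats those fields as inert text. In this file it is just a string literal handed to `Version.encode`, but the reply leaves the process and nothing in the hunk constrains how the peer handles it. If the aim is to stop disclosing client and OS details (the old code sent `Sys.os_type`), fixed neutral strings or rejecting the query the way the `IQSet` branch does with `fail BadRequest` would achieve that without sending command syntax to peers. The commit message also gives no rationale for the change.
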
        notriddle:~/jackline$
        

        but you need to make sure…

      4. 1

        If it’s any good it might be a good candidate for a fork :P.
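
The check suggested in the "Protip" comment above, as an added shell example that is not part of the original thread. It goes one step further than `git show`: the commit must be reachable from a branch or tag fetched from the canonical remote, not merely present as an object. The `commit_in_repo` and `build_demo` helpers, the throwaway repositories and their commits are all constructed for the demo.

```shell
#!/bin/sh
# commit_in_repo REPO_DIR SHA
# Exit 0 if SHA is a commit contained in some branch fetched from origin or
# in some tag of the clone at REPO_DIR; exit 1 otherwise.
commit_in_repo() {
    repo=$1 sha=$2
    # The object must exist locally and be a commit.
    git -C "$repo" cat-file -e "$sha^{commit}" 2>/dev/null || return 1
    # Presence is not enough: some origin branch or tag must contain it.
    refs=$(git -C "$repo" for-each-ref --contains "$sha" \
        --format='%(refname)' refs/remotes/origin refs/tags) || return 1
    [ -n "$refs" ]
}

# build_demo DIR: constructed fixture (hypothetical repos, not jackline).
# Creates DIR/upstream, DIR/fork with one extra commit, and DIR/clone, a
# clone of upstream that also holds the fork's commit as an unreferenced
# object. Sets UP_SHA and FORK_SHA.
build_demo() {
    d=$1
    g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q "$d/upstream"
    g -C "$d/upstream" symbolic-ref HEAD refs/heads/main
    g -C "$d/upstream" commit -q --allow-empty -m "upstream commit"
    UP_SHA=$(g -C "$d/upstream" rev-parse HEAD)
    g clone -q "$d/upstream" "$d/fork"
    g -C "$d/fork" commit -q --allow-empty -m "fork-only commit"
    FORK_SHA=$(g -C "$d/fork" rev-parse HEAD)
    g clone -q "$d/upstream" "$d/clone"
    # Pull the fork's commit into the clone's object store without giving
    # it an origin ref, so a plain `git show` on it would still succeed.
    g -C "$d/clone" fetch -q "$d/fork" main
}

demo=$(mktemp -d)
build_demo "$demo"
for s in "$UP_SHA" "$FORK_SHA"; do
    if commit_in_repo "$demo/clone" "$s"; then
        echo "$s: reachable from the canonical remote"
    else
        echo "$s: NOT reachable from the canonical remote"
    fi
done
```

Against a real clone, the call is `commit_in_repo ./jackline <sha>` with the hash from the link being checked.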