      Movim 0.27 Lovas

      Timothée Jaussoin · pubsub.movim.eu / Movim · Thursday, 22 August - 20:03 · 3 minutes

    What was planned to be a minor #release after last month turned out to be a major release regarding the number of changes, new features and fixes that were made in the meantime. Let's have a look!

    Important security fix: remote code execution through unsafe unserialize

    An important security issue was discovered just before this release, and it was decided to fix it and release the fix directly. We strongly encourage you to upgrade your instance to this version.

    Context

    For more than ten years now Movim has saved its user configuration in a dedicated PubSub node on the user XMPP profile. This allows users to keep their Movim instances synchronized and get their configuration back if they choose to migrate to a new instance.

    Back then, it was decided to simply save the PHP configuration as a serialized string in a PubSub node item.

    A malicious person could then inject a malicious serialized string into their own XMPP profile, which Movim would try to parse when connecting, making Movim vulnerable to a remote code execution attack. This related blog post explains it quite well.

    Security fix

    The serialize and unserialize related code has been completely replaced and rewritten. Movim now publishes its configuration as a standard XEP-0004: Data Forms, which is also cleaner and easier to handle.
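
    As an added illustration (not Movim's code), this PHP example reads a configuration item published as a XEP-0004 data form: only allow-listed fields are accepted and each value is validated as a plain string, so nothing from the PubSub item ever reaches unserialize(). The field names and both sample items are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Movim's code. Field names and sample items are constructed.
const FORM_NS = 'jabber:x:data';

/** Allow-list of accepted fields; each validator returns a typed scalar or throws. */
function configSchema(): array
{
    $bool = fn(string $v): bool => match ($v) {
        '1', 'true'  => true,
        '0', 'false' => false,
        default      => throw new InvalidArgumentException('invalid boolean'),
    };
    $language = fn(string $v): string => preg_match('/^[a-z]{2,3}(-[a-z]{2})?$/i', $v) === 1
        ? strtolower($v)
        : throw new InvalidArgumentException('invalid language tag');

    return ['language' => $language, 'nightmode' => $bool, 'notifications' => $bool];
}

/** Turn an untrusted <x xmlns='jabber:x:data'/> item into a typed config array. */
function parseConfigForm(string $xml): array
{
    libxml_use_internal_errors(true); // parse errors become a false return, not warnings
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access; XMPP stanzas never carry a DTD, so reject one.
    if ($xml === '' || !$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        throw new InvalidArgumentException('expected well-formed XML without a DTD');
    }
    $form = $doc->documentElement;
    if ($form->localName !== 'x' || $form->namespaceURI !== FORM_NS) {
        throw new InvalidArgumentException('not a XEP-0004 data form');
    }

    $schema = configSchema();
    $config = [];
    foreach ($form->childNodes as $field) {
        if (!$field instanceof DOMElement || $field->localName !== 'field') {
            continue;
        }
        $var = $field->getAttribute('var');
        if (!isset($schema[$var])) {
            continue; // unknown fields are dropped, never interpreted
        }
        $values = $field->getElementsByTagNameNS(FORM_NS, 'value');
        if ($values->length !== 1) {
            throw new InvalidArgumentException("field $var needs exactly one value");
        }
        // The value is only ever a string handed to a validator: no object is built from it.
        $config[$var] = $schema[$var]($values->item(0)->textContent);
    }
    return $config;
}

// Constructed item, shaped like a submitted data form.
$item = <<<'XML'
<x xmlns="jabber:x:data" type="submit">
  <field var="language"><value>EN</value></field>
  <field var="nightmode"><value>true</value></field>
  <field var="unexpected"><value>dropped</value></field>
</x>
XML;
var_dump(parseConfigForm($item));

// Constructed item carrying a serialized-object string (a harmless stdClass) as a value.
$hostile = '<x xmlns="jabber:x:data" type="submit">'
    . '<field var="language"><value>O:8:"stdClass":0:{}</value></field></x>';
try {
    parseConfigForm($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```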

    What's new?

    First steps of the Movim Live video-conferencing project

    Last month we announced that NLNet was funding a large set of features around video-conferencing in Movim.

    The NLNet logo

    This release brings the first important changes live 🎉

    Moving the pop-up back to the main tab

    When video-conferencing was first added to Movim the platform was not yet a full Progressive Web App and the pages were reloading the Javascript environment completely each time the user clicked on a new link. The video-conferences were then moved to a dedicated pop-up to ensure that the connection was not accidentally reloaded during the call.

    A lot of work has been done over the past few releases to keep the Javascript session alive and load the content dynamically when navigating on the platform.

    This release not only brings back the video-conference window in the main tab but also integrates it dynamically into the discussions.

    Introducing the floating, chat-integrated, and full-screen modes

    When making a call you will now be able to switch dynamically between the different modes.

    The chat and floating mode

    When chatting with the person the video and audio call are integrated directly on top of the discussion. It automatically switches to floating mode on the other pages. Some more work regarding those modes and their integrations will be planned in the future.

    It is also possible to quickly switch to full-screen mode anytime if you want to really focus on the call with your friend.

    Current call status

    With the reintegration of the popup a lot of work was also done in the backend to keep track of all the events of the call. A specific CurrentCall object was created allowing the interface to be aware in real time of the call status.

    The call status

    The chats list and header now display a blinking "In call" status.

    Modernization of the XMPP Jingle stack

    The related pull request also brings a huge refactoring of the video-conferencing Javascript code and a modernization of the Jingle stack, fixing a few bugs along the way.

    This is just the beginning

    Those are just the first few steps. In the upcoming months we are planning to integrate multi-participant calls as well as server-side handled video-calls. Stay tuned, the Movim Live project will really bring a lot of awesome surprises!

    Database refactorings, cleanups and UI fixes

    Movim was storing a few pieces of data as serialized objects in the Cache table, including the status of incoming invitations and notifications, open chats and the last article read. The related caches table was completely removed and the related data is now stored properly in dedicated tables.

    Along the way, some broken migrations were also fixed and the related database libraries were updated.

    A lot of small UI bugs were also fixed in this version.

    What's next?

    The Movim Live project will be the main priority in the upcoming months.

    We are expecting some surprises and difficulties along the way, so no promise can be made regarding the deadlines and the features to come in the upcoming release.

    Don't forget to share this release around and support us if you like what we're doing 😊

    That's all folks!

    #nlnet #security #videoconference #database

      Movim 0.26 Borrelly

      Timothée Jaussoin · pubsub.movim.eu / Movim · Monday, 29 July - 16:52 · 2 minutes

    Another month, another release! We are happy to introduce Movim 0.26, codename Borrelly.

    What's new?

    Custom Emojis (yay 🎉)!

    Movim implemented the Stickers feature a while ago already but always lacked the ability for users to send some custom #emojis to their friends.

    This is now implemented thanks to the complete integration of the #XMPP extension XEP-0231: Bits of Binary which was already used partially by the Stickers.

    The available emoji packs are imported by the administrator using a new console command that is compatible with Mastodon or Pleroma emoji packs.

    For example you can import the neofox pack by Volpeon using the following command:

    web-user$ php daemon.php importEmojisPack https://volpeon.ink/emojis/neofox/manifest.json
    

    You'll need to run this command as your web server user. The script takes care of downloading the ZIP file, copying the pictures and seeding the database to make them available to all the #Movim instance users.

    Each user will then be able to pick their favorites in the Configuration panel and insert them while chatting.

    Picking your favorite emojis

    When adding a new favorite emoji the user will be able to add a custom :trigger-word: to insert the emoji in their message.

    This feature is compatible with a few other XMPP clients such as Pidgin (!) and Cheogram.

    Codeblock support in messages

    By using the codeblock syntax it is now possible to insert sourcecode extracts in your messages.

    A codeblock example

    Better handling of spam messages

    Some users were experiencing issues with unsolicited and #spam messages. This new release doesn't send desktop and push notifications if the message is not from a contact.

    The 1-to-1 discussions can also be filtered to only display the ones you had with your contacts.

    Filtering 1-to-1 discussions

    Updated message moderation and retraction

    Movim now supports the latest version of Message Retraction and Message Moderation and therefore integrates better with the newest client and server implementations.

    ... but also some fixes

    As always some issues were also fixed in this release.

    The internal code was refactored to comply with the PSR-4 PHP standard. This should remove a lot of warnings when installing and upgrading.

    Some shared image URLs were not handled properly in the chat and the preview was broken; this was fixed in ticket #1314. The sharing of URLs and some embedding features were also greatly improved when writing a new article.

    What's next?

    We are happy to announce that Movim was selected by NLNet to fund a large set of exciting features around video-conferencing on the platform 🥳, including one-to-many audio and video calls. This will be the biggest project done until now and should keep us busy until next year.

    The NLNet logo

    More specific and technical blog posts will be published soon to explain in more detail what all those changes will be about and which exciting features you will see in the upcoming releases.

    Thanks a lot to them and don't forget to follow us to get all the latest details about this.

    That's all folks!

    #nlnet #funding #videoconferencing

      This post is public

      mov.im /node/pubsub.movim.eu/Movim/f619c49c-ccd3-4487-8c2e-20b6d3555da2

    • 1 Comments

      2 August yahyabaluti

      What's going on with the docker container? It's horribly outdated. Both the Github repo and the Dockerhub master branch (which was updated a few days ago). They only seem to have Movim 0.22 in them from a year ago. Is there some reason why these haven't been updated? What about documenting your own setup for full ejabberd deployment with it, since you published a post a while back about switching over to ejabberd for your own servers?

      Movim 0.25.1

      Timothée Jaussoin · pubsub.movim.eu / Movim · Monday, 24 June - 11:41

    A few days after Movim 0.25 Nagata here is a small bugfix release.

    In this release you'll find a fix for an issue that prevented Firefox to Firefox audio-video calls from happening, a fix for a route parsing issue that was preventing articles from being attached properly in a new publication and a related one that was preventing articles from being shared with chat users.

    One small improvement: the one-to-one chat list now includes previews of sent and received images and links.

    Image and link preview in the chats list

    That's all folks!

    #movim #xmpp #bugfix #release

      This post is public

      mov.im /node/pubsub.movim.eu/Movim/c0f66f93-9c2c-452c-97cc-bd36ebe19858

    • 1 Comments

      24 June mremond

      Very nice to see Movim getting polished so fast !

      Movim 0.25 Nagata

      Timothée Jaussoin · pubsub.movim.eu / Movim · Friday, 21 June - 09:57 · 2 minutes

    Only a few months after #Movim 0.24 here comes Movim 0.25 Nagata!

    Let's have a look at all the new features and fixes that you can find in this exciting #release.

    What's new?

    Message files refactoring

    The metadata of files attached to a #message are now moved to the Movim SQL database. This allows much more flexibility in handling them, including the upcoming work on the multi-files per message feature.

    Along with this change comes support for thumbhash. The general idea is to build a small blurred version of the image that can be transferred and stored inside the message metadata, and then rendered as a placeholder for the image before it gets downloaded.

    A thumbhash example

    Internal file upload proxy, bye bye CORS!

    When you upload a file on Movim, it is not stored in Movim itself but directly on your #XMPP server File Upload Service.

    This feature, defined in XEP-0363: HTTP File Upload, is pretty useful and widely implemented in the XMPP ecosystem. However, XMPP web clients such as Movim have to deal with browser-related limitations called #CORS (Cross-origin resource sharing), which require additional configuration on the XMPP servers to allow file uploads from domains other than that of the XMPP file #upload service.

    This new version comes with an internal file upload proxy: your file is first uploaded to a temporary script in Movim, which then takes care of uploading it to your XMPP File Upload Service. This change makes all that configuration obsolete and greatly simplifies Movim deployment and configuration.

    One small detail: please ensure that your PHP upload_max_filesize setting is large enough to handle the files that will be uploaded to the XMPP servers; some allow maximum file sizes of up to a few hundred megabytes.

    Automatic Nightmode 🌙

    Movim has had a Nightmode toggle for a while already. A few internal changes now allow Movim to simply follow your browser or operating system directives.

    XEP-0410: MUC Self-Ping (Schrödinger's Chat)

    As defined in the introduction of the XEP:

    The Multi-User Chat (XEP-0045) [1] protocol was not designed to handle s2s interruptions or message loss well. Rather often, the restart of a server or a component causes a client to believe that it is still joined to a given chatroom, while the chatroom service does not know of this occupant.

    Movim now implements the basic features of this XMPP extension and therefore automatically disconnects you from a chatroom if no activity was detected for a few minutes and the ping doesn't come back positively. It was reported in the issue 1164.

    Various other fixes

    This version also fixes a few issues such as a bug that sometimes prevented Movim from resynchronizing the conversation history for one-to-one discussions, a SRV record certificate validation misconfiguration, and a wrong priority of XEP-0319: Last User Interaction over XEP-0203: Delayed Delivery presences that was giving wrong information regarding your contact's "last activity".

    What's next?

    This release should be the last one before an exciting, huge set of features, supported by the NLNet Foundation, is integrated in Movim in the upcoming months. It seems that it should improve a few things regarding audio and video calls, stay tuned! 👀

    Hope that you'll enjoy all those changes 😊

    That's all folks!

      This post is public

      mov.im /node/pubsub.movim.eu/Movim/195d732f-a7b7-44ba-b0cc-caa68b6b4426

    • 1 Comments

      21 June mremond

      Great job! Looking forward to upgrading to the new release 😊

      Movim 0.24 Mueller

      Timothée Jaussoin · pubsub.movim.eu / Movim · Tuesday, 23 April - 20:51 · 2 minutes

    Movim 0.24, codename Mueller, is out. Let's dive into all the new exciting things that you can find in this new release!

    What's new?

    XEP-0386: Bind 2, XEP-0388: Extensible SASL Profile and XEP-0474: SASL SCRAM Downgrade Protection

    Movim was definitely not the first to integrate those XMPP extensions, but their implementation finally brings a much more modern authentication stack to the project.

    Bind 2 and Extensible SASL Profile greatly simplify the authentication flow, allowing Movim to connect (and reconnect) even faster. Don't worry, the older method is still there and will allow you to connect to #XMPP servers that don't yet support this new mechanism.

    SASL SCRAM Downgrade Protection is a small security layer that sits on top of SASL (the authentication framework used by XMPP) to prevent channel-binding downgrade attacks during the handshake. It is starting to be enforced by several servers nowadays, such as ejabberd.

    We would like to thank fabiang, who did awesome work on the #PHP #SASL library to add the SCRAM Downgrade Protection to it and allow a proper integration of the feature in Movim. Thanks!

    Complete page navigation loading refactoring

    You may not have seen it but a big #refactoring work was done under the hood to greatly simplify the navigation system in Movim.

    This allows you to have a working and reliable "back-button" experience across the user interface. It is actually especially noticeable on mobile where the back button is used a lot to switch between the different UI elements (drawers, pages, sliders...).

    This refactoring also fixed a few important bugs regarding the user interface internal events that were creating weird behaviors. For example, in some cases, when you loaded the same page several times in a row, the same event was attached several times to some buttons, creating a mess when clicking on them.

    And finally, the browser-server connection (which relies on a WebSocket) was also refactored and simplified, fixing numerous connectivity bugs that we had until now.

    Changes when publishing an article

    A new post publish form

    The post publication form was slightly reorganized. The post privacy toggle was more clearly defined and another one, to disable comments and likes, was added next to it.

    Interface improvements

    Since its big rewrite in 2014 Movim has relied on the Google #Material Design system. This version continues the integration of Material 3 with the redesign of the search and chat boxes as well as small form and button details.

    A new placeholder was also added when starting a new chat, allowing you to quickly add the user to your contact list or block them.

    New chat placeholder

    Other fixes and improvements

    A few #OMEMO bugs were also fixed, especially the bug #1261 that was preventing Movim users from decrypting their own messages in chatrooms.

    Movim <3 Linphone

    We also fixed an annoying video-conferencing bug (#1274) that was preventing Movim from accepting some specific audio and video calls. This allows Movim to properly process calls coming from #SIP bridges and to connect with SIP clients like Linphone!

    We would especially like to thank toastal for his several contributions to the project, including internal image size picture management, a big refactoring of the internal language management system and some more minor interface and performance fixes.

    What's next?

    This version prepared the last important bricks required to introduce the early steps of the big audio and video-conferencing refactoring, especially with all the navigation and interface internal events management that was done the past few releases.

    We will tell you more about it soon, stay tuned!

    In the meantime, please share the good news around you and don't forget to update your server if you're an admin!

    That's all folks!

      Movim 0.23 Kojima

      Timothée Jaussoin · pubsub.movim.eu / Movim · Thursday, 1 February, 2024 - 09:17 · 2 minutes

    Movim 0.23, codename Kojima is finally out.

    This version brings a lot of fixes, refactoring and a few new exciting features, let's have a look!

    What's new?

    Improved message bubbles and navigation

    A big refactoring of the chat message bubbles internal structure and display was done. This fixes a few old issues regarding the dates separation and their status (received, read, encrypted..).

    The messages statuses are now also displayed for the non-textual messages (pictures and audio) and the message menu can be triggered when previewing its attached picture.

    XEP-0191: Blocking Command

    Movim had its own internal system to allow its users to block specific accounts. While keeping exactly the same flows and behaviors, the blocked list now relies on XEP-0191, which allows it to be synchronized at the XMPP account level. The incoming messages are also now blocked directly on the XMPP server and not in Movim anymore.

    Messages history retrieval via MAM

    Message Archive Management, or MAM, is one of the core XMPP XEPs that allows clients to retrieve and manage messages from the XMPP server archives.

    Movim had a quite basic implementation of MAM until now. Version 0.23 allows users to scroll back in any discussion (one-to-one and chatrooms) and progressively retrieve the complete chat history. The messages are then cached in the Movim database to ensure good performance.

    UI improvements and other small features

    Kojima is bringing a complete new pack of icons and a few related UI changes to integrate them properly during the navigation and in some specific user flows.

    The Tenor integration was fixed and upgraded to v2.0 of their API, allowing you to send and receive funny GIFs again while chatting!

    On the other hand, the Twitter integration was completely dropped due to their recent political changes and API limitations. Bye bye Elon!

    Progressive Web App integration

    As you may have noticed, Movim is a Progressive Web App! This means that you don't need a specific store to get it: you can install it directly from your preferred browser (Chrome, Firefox, Safari...) and your operating system will take care of building a "native" application out of it.

    A few small improvements were added in 0.23, allowing an even better integration. Movim is now aware of your system network connectivity and automatically disconnects and reconnects/refreshes when you get back online, which is very practical when you're using it on your phone in an area where the network is not that great.

    What's next?

    This version is a stepping stone before jumping into the big project that will occupy me the whole rest of the year.

    The next version(s) will bring a complete refactoring and redesign of the audio-video calls as well as the support of multi-participant calls. I will work closely with a few other XMPP client and server teams to ensure that the integration is properly standardized and fully compatible.

    I'll give you some more information about that soon.

    In the meantime, enjoy the new release!

    That's all folks :)

      This post is public

      mov.im /node/pubsub.movim.eu/Movim/fb738779-4067-47b2-bf34-09231e954e20

      Movim 0.22.3 is out

      Miho · pubsub.movim.eu / Movim · Thursday, 3 August, 2023 - 21:15

    Hi everyone!

    I'm happy to announce that #Movim 0.22.3 has been released. In this small #release, among some bug fixes you will find:

    XEP-0425: Message Moderation

    Movim is now supporting message moderation in chatrooms. This will allow admins to moderate bad messages in a few clicks.

    Movim is also now handling moderated and removed messages coming from bridged accounts. Deleted messages on Telegram bridged using Slidge will be properly handled and removed in Movim accordingly.

    Improved avatars

    Some small cleanups were done regarding avatar display. Newly uploaded avatars are now 512x512px!

    Fixes fixes fixes

    A dumb mistake that was preventing likes and comments from being published under articles has been fixed, as well as a Docker-related issue that was preventing some files from being served properly.

    Enjoy!

      This post is public

      mov.im /node/pubsub.movim.eu/Movim/36451474-203b-40e7-a201-345b6c03dc42

      Movim 0.22.2 is out 🎉

      Timothée Jaussoin · pubsub.movim.eu / Movim · Thursday, 20 July, 2023 - 19:14

    Hi everyone!

    Another small bugfix #release. Let's have a look!

    New design for the navigation bars

    This version introduces a new design for the navigation bars, both on desktop and mobile. Nothing big, but it should give some more feedback when navigating between the different Movim zones.

    Avatars refresh fixes

    Several bugs around the avatar refresh were also fixed. #Movim now properly checks that the #avatar is not already in cache before trying to refresh it again.

    The avatar refresh queries are also now spread in time using a super simple scheduler. This helps lower the network (and I/O) load when logging in.

    Some avatar placeholders were also not displayed in some chatrooms; this version fixes this small issue.

    Chatroom administration panel

    The previous version introduced a refactor that broke the #chatroom administration panel access. It's now fixed ☺️

    join.movim.eu fixes

    Not directly related with this release, but join.movim.eu was also updated to support the newest Movim versions. If you are a server admin, do not hesitate to register your instance there ☺️

    That's all folks!

      Movim 0.22.1 is out! 🥳

      Timothée Jaussoin · pubsub.movim.eu / Movim · Sunday, 9 July, 2023 - 13:08 · 1 minute

    A small #release but with a couple of performance improvements and bug fixes.

    Confidentiality settings 🔒

    The configuration page was reorganized and all the confidentiality settings are now grouped in one unique section.

    The new Confidentiality section

    Linked to that, if you choose to keep your profile private, Movim is now completely disabling your public page, blog and links to your profile.

    Fixes

    RatchetPHP

    Movim relies on Ratchet to manage its WebSockets. We moved to the fork maintained by Plesk, which upgraded and is now maintaining the project. See the related ticket. This upgrade also fixes the related code warnings under PHP 8.2.

    Bookmarks 2 🔖

    0.22 brought a refactor of the internal XMPP Pubsub related code. This change broke the #Bookmarks management. This version fixes it.

    Video-conferencing fixes 📹

    Movim now has some basic support for MSID in SDP (what does it mean?). This basically fixes video-conferencing between #Movim and Conversations.

    Performance improvements 🚀

    Maybe one of the most noticeable changes of this release is the pair of database-related fixes that bring important #performances boosts (under certain conditions):

    • Some large chatrooms, with plenty of messages, were taking many seconds to load. This was caused by Movim trying to find the current room subject in the #database before displaying the room panel. The related query was rewritten to considerably reduce its execution time.
    • The unread messages counter database query, which was known to be one of the slowest parts of Movim, was also rewritten to divide its execution time by 2. On top of that, a new index was added to boost its performance even more. This should greatly improve the chat conversations and page load time on large accounts.

    And finally, some pictures, avatars and icons are now loaded lazily. This means that your phone or browser will not load them before they are actively displayed on your screen. This greatly reduces the server load and page display time.

    Enjoy