My GPG key fingerprint: CBC7 7876 BF7C 9637 B6AE 77BA 7D49 834B 0416 CFA3
Fixed a simple security hole in #taproot, uncovered unintentionally by an attack mounted ≈5hrs ago — intent appeared to be to create new user accounts, unintended result was the creation of a new, empty article.
Hundreds of requests were made against URLs similar to these:
Presumably these URLs are compromised on other systems — needless to say they are far too ugly to exist in #taproot! I’m unsure exactly why /articles was used as the base URL for the attack in all cases apart from two.
As these URLs don’t exist, and will never exist, it should be safe enough to add server- or application-level filters immediately closing any requests which include them.
Prepping an old machine for demoing crypto tech at the cryptoparty tonight, windows being a complete pain. I have a feeling I’m going to be spending most of the evening apologising for other people’s bad UI decisions.
@_minego links with the rel semantic can be used both in human-visible markup for improved back-compatibility and quick error-spotting (as well as layering on top of existing solutions) and also in HTTP headers for machine-only use
@_minego which existing clients would be broken by adding a classname or rel value to the HTML page someone downloads something from, or a Link header to the download itself?
Of course the more significant thing is UI considerations: how to offer this info to the downloader, how to explain what the various possible outcomes mean and what action the user should take as a result of them
#idea: a microformat for download signatures/checksums, allowing browsers to automatically verify files without people having to go into the terminal and use
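As an added example (not code from these posts or from any project they mention), here is what the client side of this idea could look like. It reads a hypothetical microformat from a download page (the class names h-download, u-url and p-sha256 are assumed here; the post proposes the format but does not name one), falls back to an equally hypothetical rel="checksum" Link header on the download itself, and separates the three outcomes a browser UI would have to explain to the user: digest matches, digest mismatches, and no digest published. The sample page, headers and file bytes are all constructed so the script runs offline.

```python
import hashlib
import hmac
import re
from html.parser import HTMLParser

# Constructed sample "server": path -> (response headers, body). Sample data only.
GOOD_BODY = b"release archive bytes (constructed sample)\n"
GOOD_SHA256 = hashlib.sha256(GOOD_BODY).hexdigest()

SERVER = {
    # Human-visible markup: a hypothetical microformat; the class names are assumed.
    "/downloads.html": ({"Content-Type": "text/html"}, f"""
<ul>
  <li class="h-download">
    <a class="u-url" href="/dl/tool-0.9.tar.gz">tool-0.9.tar.gz</a>
    SHA-256: <code class="p-sha256">{GOOD_SHA256}</code>
  </li>
</ul>""".encode()),
    # Machine-only: the download response points at its checksum via a Link header.
    "/dl/tool-1.0.tar.gz": ({"Link": '</dl/tool-1.0.tar.gz.sha256>; rel="checksum"'}, GOOD_BODY),
    "/dl/tool-1.0.tar.gz.sha256": ({}, f"{GOOD_SHA256}  tool-1.0.tar.gz\n".encode()),
    # The page advertises a digest for 0.9, but the served bytes differ (stale or tampered).
    "/dl/tool-0.9.tar.gz": ({}, GOOD_BODY + b"trailing garbage"),
}


def fetch(path):
    """Stand-in for an HTTP GET against the constructed server."""
    return SERVER[path]


class HDownloadParser(HTMLParser):
    """Collect {url: sha256} from h-download items (hypothetical microformat).
    Assumes well-nested tags with no void elements inside an item."""

    def __init__(self):
        super().__init__()
        self.items = {}
        self._cur = None        # item being built, or None
        self._depth = 0         # nesting depth inside the current item
        self._sha_depth = None  # depth at which the p-sha256 element opened

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        if self._cur is None:
            if "h-download" in classes:
                self._cur, self._depth = {"url": None, "sha256": ""}, 1
            return
        self._depth += 1
        if "u-url" in classes and a.get("href"):
            self._cur["url"] = a["href"]
        if "p-sha256" in classes:
            self._sha_depth = self._depth

    def handle_data(self, data):
        if self._cur is not None and self._sha_depth is not None:
            self._cur["sha256"] += data

    def handle_endtag(self, tag):
        if self._cur is None:
            return
        if self._sha_depth == self._depth:
            self._sha_depth = None
        self._depth -= 1
        if self._depth == 0:
            if self._cur["url"]:
                self.items[self._cur["url"]] = self._cur["sha256"].strip().lower()
            self._cur = None


LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^,;]+)*)')


def parse_link_header(value):
    """Map rel -> target for an RFC 8288 Link header (simplified: no quoted commas)."""
    rels = {}
    for target, params in LINK_RE.findall(value or ""):
        m = re.search(r'rel\s*=\s*"?([^";]+)"?', params)
        for rel in (m.group(1).split() if m else []):
            rels[rel] = target
    return rels


def published_digest(path, page_items):
    """Return (hex digest, source) from the page markup or the Link header, else (None, None)."""
    if path in page_items:
        return page_items[path], "html"
    headers, _ = fetch(path)
    checksum_url = parse_link_header(headers.get("Link")).get("checksum")
    if checksum_url:
        _, body = fetch(checksum_url)
        return body.decode().split()[0].lower(), "link-header"  # sha256sum-style line
    return None, None


def verify_download(path, page_items):
    """Outcome a browser would surface: 'ok', 'mismatch' or 'unverified', plus the digest's source."""
    expected, source = published_digest(path, page_items)
    if expected is None:
        return "unverified", None
    _, body = fetch(path)
    actual = hashlib.sha256(body).hexdigest()
    # compare_digest avoids leaking where the two strings diverge via timing
    return ("ok" if hmac.compare_digest(actual, expected) else "mismatch"), source


def run():
    """Verify every path on the constructed server that a user might click."""
    parser = HDownloadParser()
    parser.feed(fetch("/downloads.html")[1].decode())
    parser.close()
    return {p: verify_download(p, parser.items)
            for p in ("/dl/tool-1.0.tar.gz", "/dl/tool-0.9.tar.gz", "/dl/tool-1.0.tar.gz.sha256")}


if __name__ == "__main__":
    for path, (outcome, source) in run().items():
        print(f"{path}: {outcome}" + (f" (digest from {source})" if source else ""))
```

The "unverified" outcome is the one worth designing the UI around: a file with no published digest is not suspicious in itself, so the client should say so plainly rather than alarm the user, while a mismatch should block the save by default.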
Amazed to see that “send[ing] your password file to the server” is one of the examples in the curl manpage. wat. curl.haxx.se/docs/manpage.html#-F