see shy jo is a user on octodon.social. You can follow them or interact with them if you have an account anywhere in the fediverse.
If you don't, you can sign up here.
@joeyh posted about two security vulnerabilities he uncovered http://joeyh.name/blog/entry/two_security_holes_and_a_new_library/
Notably the ActivityPub appendix warns about these kinds of security vulnerabilities: don't fetch from uri schemes you don't know (be sure your http lib doesn't accept file://) and don't fetch from localhost (though sadly it's hard not to do this one... "localhost-only" is mostly doomed).
But Joey's post also points out that even if you filter out the scheme and localhost yourself, redirects may bite you
@cwebber btw you had some late-nite toots a while ago that got me thinking about this again
@cwebber I was not sure how to really fit that credit in, but thanks for that
