@joeyh posted about two security vulnerabilities he uncovered http://joeyh.name/blog/entry/two_security_holes_and_a_new_library/
Notably the ActivityPub appendix warns about these kinds of security vulnerabilities: don't fetch from URI schemes you don't know (be sure your http lib doesn't accept file://) and don't fetch from localhost (though sadly it's hard not to do this one... "localhost-only" is mostly doomed).
But Joey's post also points out that even if you filter out the scheme and localhost yourself, redirects may bite you.
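A defender-side illustration of the three checks discussed above (scheme allowlist, no localhost or internal addresses, and re-checking every redirect hop instead of letting the HTTP library follow it), added here as an example and not code from either post or from ActivityPub. `fetch` and `resolve` are hypothetical injectable stand-ins for an HTTP client that does not auto-follow redirects and for DNS, filled with constructed data so the block runs offline.

```python
import ipaddress
from urllib.parse import urlparse, urljoin
ALLOWED_SCHEMES = {"http", "https"}  # never file://, gopher://, ftp:// ...

def address_is_internal(ip):
    """True for loopback, RFC 1918, link-local and other non-public addresses."""
    addr = ipaddress.ip_address(ip)
    addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:127.0.0.1 and friends
    return addr.is_loopback or addr.is_private or addr.is_link_local or not addr.is_global

def check_url(url, resolve):
    """Raise ValueError unless the scheme is allowed and every address of the host is public."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        raise ValueError(f"host not allowed: {host!r}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup needed
    except ValueError:
        addresses = resolve(host)  # resolve() maps a hostname to a list of IP strings
    # Reject if unresolvable or if ANY record is internal, not just the first one.
    if not addresses or any(address_is_internal(ip) for ip in addresses):
        raise ValueError(f"host is unresolvable or internal: {host!r}")

def safe_fetch(url, fetch, resolve, max_hops=5):
    """Follow redirects by hand, re-checking every hop; returns ("ok", url, status, body) or ("rejected", reason)."""
    try:
        for _ in range(max_hops + 1):
            check_url(url, resolve)
            status, headers, body = fetch(url)  # one request, redirects NOT auto-followed
            if status not in (301, 302, 303, 307, 308):
                return ("ok", url, status, body)
            # urljoin keeps a relative Location on the same host; a missing one just repeats until max_hops
            url = urljoin(url, headers.get("Location", ""))
        raise ValueError("too many redirects")
    except ValueError as err:
        return ("rejected", str(err))

# Constructed stand-ins for DNS and HTTP so the example runs offline (addresses are made up).
FAKE_DNS = {"example.com": ["1.2.3.4"], "redirector.example": ["5.6.7.8"], "intranet.corp": ["10.0.0.5"]}
FAKE_HTTP = {
    "https://example.com/start": (302, {"Location": "/page"}, b""),
    "https://example.com/page": (200, {}, b"hello"),
    "https://redirector.example/loop": (302, {"Location": "http://127.0.0.1:8080/"}, b""),
    "https://redirector.example/file": (302, {"Location": "file:///etc/passwd"}, b""),
}
fake_resolve = lambda host: FAKE_DNS.get(host, [])
fake_fetch = lambda url: FAKE_HTTP[url]  # (status, headers, body)
```

Checking the resolved addresses before the request still leaves a gap if the real HTTP client resolves the name again on its own (the record may have changed by then); a client that lets you pin the connection to the address you checked closes it.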
@joeyh oh really? Was it the one about bumping into Racket's http lib grabbing stuff from file:// by default? I was wondering if maybe you saw that and it influenced this but figured it was unlikely!
@cwebber yes those