The reasons to not use environment variables weren't super compelling. I'm coding ground-up support for envvars in Ditto, because it caused nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs a lot of pain trying to deploy Rebased in k8s as-is.
Another thing we do that isn't perfectly secure is store oauth tokens in localStorage
Nah, a totally different parser (Floki + fast_html) is used for that. HTML5 is not compatible with XML.
I'm using sqlite. The table structure is almost exactly like nostr-rs-relay. I don't think I can use LMDB without a powerful query language. It will probably work fine.
Ditto so far is a client. But after working through it last night I decided it needs to be a relay. There's no way around it. This will solve multiple critical problems (especially with loading the home feed) at the cost of flexibility. It will simplify everything. Let's just hope I can handle creating a database.
nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 yeah, XXE. Means anything that can submit an XML document that the server parses can read arbitrary files on the server, same as the other issue. Actually worse if this doesn't require auth. XXE is fixed by not using shit and brain-damaged parsers, which nobody should be using. This is straight outta 2004.
Abandon hope, all ye who enter. Pleroma is fucked and was made by retards.
Can you explain the actual attack surface tho
Webfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.
]>
Statements dreamed up by the utterly deranged.
This is what happens when you let a bunch of academics and nerds run the W3C. The W3C needs to be fired for this.
I wonder if GNU Social still uses it, since there are like 2 GNU Social servers still online. Even they have managed to modernize things.
Akkoma patched it first.
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 Lotta gay vulnerability shit going on recently
That's one way to put it.
New Pleroma vuln dropped: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/264/diffs
Yes, this is a new one that isn't the same as the one from yesterday.
I don't completely understand the impact of this one, but you need to upgrade your server again. It seems bad but I'm not sure exactly how to exploit it.
Side-note: I don't think an XML parser is even needed on the Fediverse anymore. Everything is in JSON. This is unfortunate.
Yes you do.
I was just looking at nostrdb again. I'm thinking about doing something like this.

SQLite is so cool.
Centralized platforms.
nostr:note1xrh3ch2rv95mal0jd3gx9fum64xqudvkult0mgz6cgmuakd37nasxdvj52
It's nothing against you. This is about Lain. Lain created Pleroma and attracted a bunch of people to it, then abandoned it and put 2 mentally ill people in charge.
I am frustrated by the constant security vulnerabilities my people are finding while Lain makes public announcements like this intentionally excluding us. I want him to fucking congratulate us every single time we find a security vulnerability. To not do so is to not really take it seriously.
You know what Lain could do? Put poa.st on the homepage of pleroma.social under "Featured Instances". Make it the top one. What is the rationale not to? And next time, tag me, tag graf, and tag niggy.
Lain doesn't write a single line of code on Pleroma anymore. Maybe you should be the one making the Pleroma announcements from now on, feld, since you're the one who actually does the right thing in these scenarios.
This is not something I dwell on. But if every week we find a new security vulnerability and Lain makes a post like this again, I'm going to call it out. Until this either stops or I finish building my new backend, I'm going to expect Lain to step up and justify the situation he created by being the best possible person. I WANT Lain to be good.
Things are always difficult in the beginning. Once you get the ball rolling, it becomes easy.
Lol Deno would completely avoid the directory traversal attack from Pleroma this morning with this sandboxing configured
