Matt Hamilton [Maryland]
8757127d57629a9a1b7c04bd443049db086850d1d33bc1964e6485992cde22af
Tip of the spear Gen Z. With my right hand, I create. With my left, I destroy. Alignment: Chaotic good.

Me trying to fix a bug in a random 6-year-old project on GitHub after having read the entirety of the two paragraphs in developer_docs.md

https://static.noagendasocial.com/media_attachments/files/110/929/687/335/647/259/original/6a900b26f253d785.mp4

nostr:npub1h6zx48mues94cvpgnklhg0h9j4t29y248a285pppyxpvqmxnd5aqqgmvn7 nostr:npub1hywuy6pv8fctjnppge8cl7ft6gr8qnfhr64c7y3y552ls6v84s5qynke8d Eventually we'll get solid implementations of cryptographic accumulators and this won't be an issue. It is right now for sure though.

nostr:npub1a0qxpztc73n47hp37wxfqt6thaakt97seu7satuv7uz65mnlq37sxu3tmr also, just mute me or add the words to your account’s filter list? I get it if I was like kicking puppies or some shit, but damn that’s all it takes to get super buttmad?

This type of person is the type to cry for Muh hate speech laws.

Also they live in DC and probably work for the government so idk why I expected any different.

nostr:npub1ks4j70qusuv7hnaqcrr3azks95fxjpz4sx29sy9h35z3vltwaunsmdx88p No, in that case I expect that police officers at the enforcement level will like drinking beer and not being shot, so they'll tell the legislature to go fuck themselves.

In the event that some psychos manage to convince the population to surrender their guns willingly, many won't and would be sued by the government, in which case jurors should nullify.

You seem to not understand the implications of Marbury v Madison and "the law of the land", which is the resulting propaganda.

I have surpassed 1k followers.

I'm cool now, right?

Who do I contact to get my silver Mastodon "Toot" button?

nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 Yeah, sorry I missed the message earlier in the RT'd thread a post or two up the chain where you mentioned setting it in Nginx.

To redeem myself a bit, I'll recommend checking out this tool to evaluate CSPs: https://csp-evaluator.withgoogle.com/

And for building a CSP from scratch (for those who haven't done it by hand a dozen or so times already), I recommend this Firefox extension: https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/

I still have hope for America, but I don't anticipate any meaningful improvement for at least another decade or two.

The sitting supreme court is the only thing going for us federally, and it's hard to support a branch of government unaccountable to their actions with zero capacity to be checked by other branches.

I refuse to become a porn-sick doomer like the generation that preceded mine, but damned if it isn't hard to stay positive.

"From a quarter to half of Earth’s vegetated lands has shown significant greening over the last 35 years largely due to rising levels of atmospheric carbon dioxide, according to a new study published in the journal Nature Climate Change on April 25."

This information is based on an observational study, not theoretical modeling.

Published April 26th, 2016

Source: https://www.nasa.gov/feature/goddard/2016/carbon-dioxide-fertilization-greening-earth

Steve of Gamer's Nexus is a gigachad who managed to save LTT despite Linus' cringe sad sack response.

For years Gamer's Nexus has been the only consistently high-quality technical review channel I know of.

Linus was, and remains, a cringe money-hungry shitlord dressed up as a tankie.

The only real repentance I would accept as genuine from Linus is if he cut a fat check to Steve for saving his ass. This meme is the only thing I could think of while watching LTT's executive apology tour video.

nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1d0npefkxtfkcptjdawvwkfu58japhjfaljt4hqtpq2xqn8pt2nwqdjahqw this might be true for localhost but probably won’t save you from SSRF to other RFC1918 addresses + aws metadata ip.

nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1d0npefkxtfkcptjdawvwkfu58japhjfaljt4hqtpq2xqn8pt2nwqdjahqw check if you can GET aws+gcp metadata api by IP, check if you can do the same with A/AAAA records and CNAMEs (using records from a domain you control). Same for 127.0.0.1 using whatever port the software’s server listens on, but you may just have to accept the risk for that one because idk how you fix that without resolving and testing every FQDN resolution result anyway.

My suggestion is to use the content-type whitelist strategy I mentioned.

nostr:npub1d0npefkxtfkcptjdawvwkfu58japhjfaljt4hqtpq2xqn8pt2nwqdjahqw nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 this is correct (and what I would recommend to a client/org) but this is a hard sell for FOSS projects where you don’t control the OS or network layer. Best OSS projects can do is include a bunch of init runtime checks for the vulns and warn that external (to the software) config changes need to be made for security.

Then you get 9,999 GitHub tickets asking “how do I enable DNS rebind protection for

Replying to Alex Gleason

nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m question, how TF do I prevent SSRF without setting up an outbound proxy server? Doing DNS lookup I assume will destroy performance, and caching the lookup makes it vulnerable to timing attacks. The internet is broken

nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 like you mentioned, resolving DNS and inspecting the records is the only foolproof way. You’d want to disable the aws/gcp metadata endpoints, 127.0.0.1/localhost, and maybe even all RFC1918 addresses.

The cheating way is to not do any of that and allow arbitrary GETs, BUT fix the issue elsewhere. Disable metadata api (and put a check at program startup), don’t run unauthenticated local services, make the result blind (so the ssrf can’t be used as an intranet port scanner)
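The thread above settles on "resolve the hostname, inspect every record, refuse loopback, RFC1918 and the metadata range" as the only complete server-side SSRF defence, and notes that a cached lookup can be rebound between the check and the fetch. Below is an added example of that resolve-then-check filter, written by the editor and not code from anyone in this thread or from any project it mentions. It returns the checked IP so the caller can connect to that address directly (with the original hostname in the Host header / SNI) rather than letting the HTTP client resolve again, which is what closes the rebinding window. The DNS answers in `CONSTRUCTED_DNS` are constructed so the example runs offline; `validate_fetch_target`, `is_blocked_ip` and the other names are the editor's own.

```python
"""Resolve-then-check SSRF destination filter (added example, not from the thread)."""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Ranges a server-side fetcher should never reach on a user's behalf: loopback,
# RFC1918 private space, link-local (which contains 169.254.169.254, the AWS/GCP
# metadata address), shared address space, and their IPv6 counterparts.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(net)
    for net in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::/128", "::1/128", "fc00::/7", "fe80::/10",
    )
]


def is_blocked_ip(ip_str: str) -> bool:
    """True if the address (v4, v6 or IPv4-mapped v6) falls in a blocked range."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 is still loopback: judge mapped addresses by their IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Every A and AAAA answer for host, so one bad record in a mixed answer is caught."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(url: str, resolver: Resolver = system_resolver) -> str:
    """Return the IP to connect to, or raise ValueError if any destination is blocked.

    The caller must connect to the returned IP and send the original hostname in
    the Host header / SNI. Re-resolving in the HTTP client would reopen the
    rebinding window, because the record checked would no longer be the record used.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing {url}: scheme {parts.scheme!r} not allowed")
    host = parts.hostname  # lowercased, IPv6 brackets already stripped
    if not host:
        raise ValueError(f"refusing {url}: no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolver(host)  # hostname: resolve and check every record
    if not addrs:
        raise ValueError(f"refusing {url}: {host} did not resolve")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise ValueError(f"refusing {url}: {host} -> {addr} is in a blocked range")
    return addrs[0]


def is_allowed(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_fetch_target."""
    try:
        validate_fetch_target(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers so the example runs offline; these are not real records.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "cdn.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.20", "127.0.0.1"],  # one public, one loopback
    "meta.example.com": ["169.254.169.254"],
    "mapped.example.com": ["::ffff:10.0.0.5"],
}


def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example.com/image.png",
        "https://rebind.example.com/image.png",
        "http://meta.example.com/",
        "http://mapped.example.com/",
        "http://[::1]:8080/",
        "file:///etc/passwd",
    ):
        try:
            print(f"ALLOW {candidate} -> {validate_fetch_target(candidate, constructed_resolver)}")
        except ValueError as exc:
            print(f"DENY  {exc}")
```

Two details matter in practice. First, the filter rejects a hostname if any returned record is blocked, not just the first, since an attacker-controlled zone can mix one public and one internal address. Second, the returned IP is meant to be pinned for the connection; a check that validates and then hands the hostname back to a library that resolves it again has verified nothing, which is the "caching makes it vulnerable to timing attacks" problem raised above.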