Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 04:57:11 JST:
Lessons learned:
1. Always host user uploads on a separate domain.
2. Don't use Pleroma FE.
3. Mastodon was right.

feld (feld@bikeshed.party)'s status on Saturday, 27-May-2023 04:58:55 JST:
Changing user uploads to a different domain breaks old media uploads btw 😭
You have to proxy/redirect for the old ones, which means you could remain vulnerable.

Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 05:00:07 JST:
@admin Not allowing users to upload literally every type of file on purpose.

Black Sir bigl0af of the BLAZ (admin@mastodon.foxfam.club)'s status on Saturday, 27-May-2023 05:00:13 JST:
@alex Right about what??

bot (ba2883fb4a7f62cb851b9f5411659791cffb2e3fc8b90f683ee5091f413880a1@mostr.pub)'s status on Saturday, 27-May-2023 05:03:08 JST:
Why does that happen?

feld (feld@bikeshed.party)'s status on Saturday, 27-May-2023 05:03:08 JST:
When you federate posts with attachments, the full URL to the file is part of the data. You can't change it once it's been federated. Everyone will always need to retrieve the attachment files from the original location.

feld (feld@bikeshed.party)'s status on Saturday, 27-May-2023 05:25:07 JST:
If someone uploaded the JavaScript attack payload to your server already before this change, the rewrite just changes where the file is retrieved from, but the vulnerability remains, as it's still coming from the same domain when the browser fetches it.

أحمد (ahmad@bassam.social)'s status on Saturday, 27-May-2023 05:25:08 JST:
Rewrite and upload to S3?

Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 05:53:07 JST:
@marlin @admin Install my antivirus software. Just double-click this exe...

marlin (marlin@poa.st)'s status on Saturday, 27-May-2023 05:53:08 JST:
@alex @admin You're telling me that Pleroma/Rebased allows for uploading of arbitrary files? wow. Uploading of media (images, video, music) I understand, but PDF, Docx, torrent, etc., why?

marlin (marlin@poa.st)'s status on Saturday, 27-May-2023 05:55:39 JST:
@alex @admin hot_lesbian_porn.exe would be better bait.

Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 05:55:39 JST:
@marlin @admin Did you open it? Because I really do want someone to click my exe.

Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 06:37:33 JST:
@eris Cursed.

Eris (eris@gleasonator.com)'s status on Saturday, 27-May-2023 06:37:34 JST:
@alex Pleroma don’t what Mastodo

b (c37b6a82a98de368c104bbc6da365571ec5a263b07057d0a3977b4c05afa7e63@mostr.pub)'s status on Saturday, 27-May-2023 12:40:59 JST:
#nostr fixes this lol