#Sharkey's recent vulnerability and their handling of it is still miles better than #Lemmy's #XSS exploit which actually took down a big instance and is something even more elementary than what Sharkey experienced.
Like seriously, the first thing you do when #Markdown parsing is involved is to sanitize the hell out of it, both in the Markdown input and the HTML output. And you put up a strict #CSP for good measure. Lemmy spectacularly failed on both counts, despite existing as a project for years and a lot more instances (and therefore users, which rivals #Mastodon) using their software!
I can cut some slack for the Sharkey devs here because:
- they're relatively new (only months since the project started)
- it only affected note imports from #Twitter, which is already niche enough
- it was easy to mitigate (just disable note import)
- it didn't affect single-user instances IIUC
- I haven't seen any Sharkey instance get actually exploited by this
- they're taking steps to make sure this shit doesn't happen again (haven't seen this from Lemmy yet, and last I checked their CSP is still shit)
So this is not worth blowing over in the #fediverse. Your assessment is exaggerated, this energy could've been spent somewhere else, and you owe the Sharkey devs an apology.
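The two layers the post above calls for, as an added example that is not Lemmy's or Sharkey's code: an allowlist sanitizer run over the HTML a Markdown renderer emits (unknown tags, event-handler attributes and non-http(s) URLs are dropped), plus a check that the CSP backing it does not re-enable inline script. The sample HTML is constructed; the regex tokenizer keeps the example self-contained, and a real deployment should use a parser-based sanitizer library instead.

```javascript
// Allowlist sanitizer for Markdown-rendered HTML (added example, not Lemmy/Sharkey code).
// Regex tokenizer for illustration only; use a parser-based library in production.
const ALLOWED_TAGS = new Set(["p", "a", "strong", "em", "code", "pre", "ul", "ol", "li", "br", "img"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]), img: new Set(["src", "alt"]) };
const DROP_WITH_CONTENT = new Set(["script", "style"]); // element and its text both go
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;            // allowlist: javascript:, data: never match

const escapeAttr = (v) => v.replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

function sanitizeHtml(html) {
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|(<)/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "", skipUntil = null, m;
  while ((m = tokenRe.exec(html)) !== null) {
    const isTag = m[1] !== undefined;
    const name = isTag ? m[1].toLowerCase() : null;
    const isClose = isTag && m[0].startsWith("</");
    if (skipUntil) {                                   // inside <script>/<style>: drop all of it
      if (isClose && name === skipUntil) skipUntil = null;
      continue;
    }
    if (!isTag) { out += m[3] !== undefined ? m[3].replace(/>/g, "&gt;") : "&lt;"; continue; }
    if (DROP_WITH_CONTENT.has(name) && !isClose) { skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;             // unknown element dropped, its text kept
    if (isClose) { out += `</${name}>`; continue; }
    const attrs = [];
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attr = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      if (!ALLOWED_ATTRS[name]?.has(attr)) continue;   // drops on*, style, and anything unlisted
      if ((attr === "href" || attr === "src") && !SAFE_URL.test(value)) continue;
      attrs.push(` ${attr}="${escapeAttr(value)}"`);
    }
    if (name === "a") attrs.push(' rel="noopener nofollow"');
    out += `<${name}${attrs.join("")}>`;
  }
  return out;
}

// Second layer: a script-src without 'unsafe-inline' keeps injected inline script inert
// even if something gets past the sanitizer.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

function allowsInlineScript(csp) {
  const pick = (d) => { const r = new RegExp(`(?:^|;)\\s*${d}\\s+([^;]*)`).exec(csp); return r ? r[1] : null; };
  return /'unsafe-inline'/.test(pick("script-src") ?? pick("default-src") ?? "");
}

// Constructed sample of what a naive renderer might emit from hostile input.
const SAMPLE = '<p>Hi <strong>there</strong><script>alert(1)</script>' +
  '<a href="javascript:alert(1)" onclick="steal()">link</a><img src="/cat.png" onerror="steal()" alt="cat"></p>';
```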
So is this the same sort of "markdown" that all the young glowy-eyed tech bros were all hot-and-heavy about having their distro or their apps support, and who got all pissy and cranky against anyone who said maybe they didn't really *need* markdown just to post to the #Fediverse?