Ticket created by ~samwhited on ~sircmpwn/builds.sr.ht
When submitting the following build manifest (which I guess is invalid YAML):
image:freebsd/latest
I get the error: "'str' object has no attribute 'get'" which has no relation to YAML or what is wrong as far as I can tell. I'm not sure what this means, possibly it's a bug in Python land somewhere. It would be more helpful if it told me that the YAML was invalid (or whatever the problem with that manifest actually is).
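An added example (not builds.sr.ht's own code) of where an error like this comes from and how a manifest loader can report it usefully. The assumption is about YAML syntax: a colon is only a mapping indicator when it is followed by whitespace, so `image:freebsd/latest` loads as the single string `'image:freebsd/latest'` rather than a one-key mapping, and code that calls `.get()` on the loaded document then fails with exactly the Python error quoted above. The constants, function names and error wording below are constructed for illustration.

```python
"""Checking a build manifest's top-level shape before using it.

Added example, not builds.sr.ht's own code. Assumption: a YAML loader returns
the plain string 'image:freebsd/latest' for the text `image:freebsd/latest`
(no space after the colon), and {'image': 'freebsd/latest'} for
`image: freebsd/latest`.
"""
from typing import Any, Optional

# Constructed stand-ins for what a YAML loader returns for the two manifests.
BROKEN_MANIFEST = "image:freebsd/latest"    # no space after the colon -> one scalar
GOOD_MANIFEST = {"image": "freebsd/latest"}  # a proper one-key mapping


def image_unchecked(manifest: Any) -> Optional[str]:
    """Reproduces the reported behaviour: assumes a mapping and calls .get().

    On a str this raises AttributeError: 'str' object has no attribute 'get'.
    """
    return manifest.get("image")


def validate_manifest(manifest: Any) -> Optional[str]:
    """Return None if the manifest's shape is usable, else a readable error.

    The container type is checked before any key is touched, so a malformed
    user-supplied document never surfaces as an internal Python error.
    """
    if not isinstance(manifest, dict):
        return (
            "manifest must be a YAML mapping (key: value pairs), got "
            f"{type(manifest).__name__} {manifest!r}; note that 'key:value' "
            "without a space after the colon parses as a single string"
        )
    image = manifest.get("image")
    if image is None:
        return "manifest is missing the required 'image' key"
    if not isinstance(image, str) or not image.strip():
        return f"'image' must be a non-empty string, got {image!r}"
    return None


def image_or_error(manifest: Any) -> str:
    """Return the image name, or the validation error prefixed with 'error: '."""
    err = validate_manifest(manifest)
    if err:
        return "error: " + err
    return manifest["image"]


if __name__ == "__main__":
    try:
        image_unchecked(BROKEN_MANIFEST)
    except AttributeError as exc:
        print("unchecked:", exc)  # 'str' object has no attribute 'get'
    print("checked:", image_or_error(BROKEN_MANIFEST))
    print("checked:", image_or_error(GOOD_MANIFEST))
```

The same shape check belongs on every nested section a manifest may have (lists of packages, mappings of triggers and so on): each place the code would otherwise call `.get()` or index into user-controlled data is a place a wrong type turns into an opaque traceback.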
Comment by ~samwhited on ~sircmpwn/sr.ht
It may not be a CSRF issue because you have SameSite set, but we don't have to trick users into clicking a link either. They could just visit a page with an embedded pre-load link or image, e.g. visiting this issue will log you out without any user input (note that the thing that logs you out is a comment which an attacker could put in any issue):
https://todo.sr.ht/~samwhited/prefetchpoc/1
The usual way to fix this is to make the logout link a form and a POST request.
—Sam
On Tue, Sep 1, 2020, at 17:21, ~sircmpwn wrote:
This isn't a CSRF issue, but rather just a problem of duping someone into clicking a link like this.
-- View on the web: https://todo.sr.ht/~sircmpwn/sr.ht/14#event-48317
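The mechanism in the comment above and the fix it suggests, as an added example that is not sr.ht's own code. A browser issues a plain GET for every `<img src>` or `<link rel="prefetch">` on a page it renders, and that request carries the user's cookies; when the embedding page is on the same site as the logout endpoint, a SameSite attribute on the cookie does not withhold it either. A state-changing GET therefore fires with no click. Requiring POST refuses those fetches outright, and a per-session token in the form refuses forged POSTs too. The request/session classes, the in-memory store and the handler names are assumptions made for illustration.

```python
"""Logout endpoint: GET-triggered (prefetchable) versus POST-only with a CSRF token.

Added example, not sr.ht's own code. The Request/Session types, the session
store and the token format are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Request:
    """Minimal constructed request: method, cookies and form body."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed in-memory session store: cookie value -> Session
SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would hold."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def logged_in(sid: str) -> bool:
    return sid in SESSIONS


def logout_get(req: Request) -> int:
    """Vulnerable variant: any request carrying the session cookie ends the session.

    An <img src="/logout"> in attacker-controlled content makes the browser
    send exactly this request while the page loads.
    """
    sid = req.cookies.get("session")
    if sid in SESSIONS:
        del SESSIONS[sid]
    return 302  # redirect to the front page


def logout_post(req: Request) -> int:
    """Hardened variant: POST only, and the form must carry the session's token."""
    if req.method != "POST":
        return 405  # img/link/prefetch requests are GETs and are refused here
    sid = req.cookies.get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 302  # nothing to log out of
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403  # forged POST without the per-session token
    del SESSIONS[sid]
    return 302


def logout_form_html(sid: str) -> str:
    """The form a logged-in page renders instead of a bare <a href="/logout">."""
    token = SESSIONS[sid].csrf_token
    return (
        '<form method="post" action="/logout">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<button type="submit">Log out</button></form>'
    )


def prefetch_attack(sid: str, handler: Callable[[Request], int]) -> bool:
    """Simulate the browser fetching an embedded <img src="/logout">: a cookie-bearing GET.

    Returns True if the user is still logged in afterwards.
    """
    handler(Request(method="GET", cookies={"session": sid}))
    return logged_in(sid)


if __name__ == "__main__":
    sid = login("alice")
    print("still logged in after prefetch, GET logout: ", prefetch_attack(sid, logout_get))
    sid = login("alice")
    print("still logged in after prefetch, POST logout:", prefetch_attack(sid, logout_post))
    print(logout_form_html(sid))
```

The token check matters even once the endpoint is POST-only: a cross-site page can still submit a form with `method="post"` via script, and the cookie's SameSite setting decides whether that request is authenticated, so the token is what ties the request to a page the server actually rendered.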
Ticket created by ~samwhited on ~samwhited/prefetchpoc
This is an innocent issue that might log you out.
Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb
We should consider adding a replacement for tls-server-end-point to this document as well. What would that look like?
Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb
- Not long enough
- Not unique enough without master-secret fix
Others?
Comment by ~samwhited on ~sircmpwn/todo.sr.ht
I have not heard anything, but I think the author is working on a new version of the API so this may be low priority. That's just a guess though.
Comment by ~samwhited on ~sircmpwn/todo.sr.ht
Amusingly, that is exactly what I was doing when I found this issue :) https://git.sr.ht/~samwhited/sourcehut-go