~samwhited

Atlanta, GA

https://blog.samwhited.com

Trackers

~samwhited/prefetchpoc

Last active 16 days ago

~samwhited/draft-whited-kitten-cb

Last active 3 months ago

~samwhited/soquee

Last active 4 months ago

~samwhited/draft-whited-kitten-password-storage

Last active 4 months ago

~samwhited/blogsync

Last active 8 months ago

~samwhited/terraform-provider-sourcehut

Last active 1 year, 6 months ago

#14 Only allow /logout if the referer is ourselves 16 days ago

Comment by ~samwhited on ~sircmpwn/sr.ht

It may not be a CSRF issue because you have SameSite set, but we don't have to trick users into clicking a link either. They could just visit a page with an embedded pre-load link or image, e.g. visiting this issue will log you out without any user input (note that the thing that logs you out is a comment which an attacker could put in any issue):

https://todo.sr.ht/~samwhited/prefetchpoc/1

The usual way to fix this is to make the logout link a form and a POST request.

—Sam

On Tue, Sep 1, 2020, at 17:21, ~sircmpwn wrote:

This isn't a CSRF issue, but rather just a problem of duping someone into clicking a link like this.

-- View on the web: https://todo.sr.ht/~sircmpwn/sr.ht/14#event-48317


-- Sam Whited
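As an added illustration of the point in the comment above (this is not sr.ht's own code, and the in-memory session store, request shapes and handler names are constructed for the example), the following Python contrasts a logout endpoint that acts on any GET with one that requires a POST carrying a per-session token. A prefetch hint or image tag embedded in an issue comment can only issue a GET, and because that page is on the same site the victim's SameSite cookie is still sent, so the GET version logs the victim out with no click; the form-plus-POST version stops at the method check, and a forged POST still fails without the token.

```python
"""Logout endpoint: the GET pattern that a prefetch link can trigger, beside
a POST-plus-token version. Added illustration; not sr.ht's own code.
Sessions and request shapes are constructed here so it runs offline."""
import hmac
import secrets
from http import HTTPStatus


def new_session_store():
    # Constructed in-memory session store: session id -> session data.
    # A per-session CSRF token is minted at login time.
    return {"sess-alice": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}


def logout_via_get(sessions, method, cookies):
    """Weak pattern: a bare GET to /logout ends the session.

    Any page the victim views can carry <link rel="prefetch" href="/logout">
    or <img src="/logout">; the browser fetches it with the victim's cookies
    (SameSite does not help when that page is on the same site), so the
    session is destroyed without any click.
    """
    sid = cookies.get("session")
    if method == "GET" and sid in sessions:
        del sessions[sid]
        return HTTPStatus.FOUND          # 302 back to the login page
    return HTTPStatus.METHOD_NOT_ALLOWED


def logout_form_html(sessions, cookies):
    """Render the logout control as a form instead of a link.

    The hidden field carries the session's CSRF token, so only a page that
    the server itself rendered for this session can produce a valid submit.
    """
    sid = cookies.get("session")
    session = sessions.get(sid)
    if session is None:
        return ""
    return (
        '<form method="post" action="/logout">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf"]}">'
        '<button type="submit">Log out</button>'
        "</form>"
    )


def logout_via_post(sessions, method, cookies, form):
    """Hardened pattern: POST only, with a token bound to the session.

    Prefetch hints and <img> tags can only issue GETs, so they stop at the
    method check. A forged POST from elsewhere still fails because it cannot
    know the per-session token.
    """
    if method != "POST":
        return HTTPStatus.METHOD_NOT_ALLOWED
    sid = cookies.get("session")
    session = sessions.get(sid)
    if session is None:
        return HTTPStatus.FORBIDDEN
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so token bytes cannot be guessed one at a time.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return HTTPStatus.FORBIDDEN
    del sessions[sid]
    return HTTPStatus.FOUND


def demo():
    """Replay the prefetch scenario against both handlers and report results."""
    cookies = {"session": "sess-alice"}   # what the browser attaches automatically

    weak = new_session_store()
    # A prefetch of /logout is a plain GET with cookies and no body.
    logout_via_get(weak, "GET", cookies)
    prefetch_logged_out_weak = "sess-alice" not in weak

    hard = new_session_store()
    status_prefetch = logout_via_post(hard, "GET", cookies, {})
    prefetch_logged_out_hard = "sess-alice" not in hard

    # The legitimate path: the user submits the server-rendered form.
    token = hard["sess-alice"]["csrf"]
    status_forged = logout_via_post(hard, "POST", cookies, {"csrf_token": "guess"})
    status_real = logout_via_post(hard, "POST", cookies, {"csrf_token": token})

    return {
        "weak_prefetch_logged_out": prefetch_logged_out_weak,
        "hard_prefetch_status": status_prefetch,
        "hard_prefetch_logged_out": prefetch_logged_out_hard,
        "forged_post_status": status_forged,
        "real_post_status": status_real,
        "hard_logged_out_after_real_post": "sess-alice" not in hard,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the GET handler losing the session to the simulated prefetch, while the POST handler answers 405 to the prefetch, 403 to a POST with a guessed token, and 302 only to the form the server rendered for that session.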

#1 An innocent issue 16 days ago

Comment by ~samwhited on ~samwhited/prefetchpoc

Something like:

test

#1 An innocent issue 16 days ago

Ticket created by ~samwhited on ~samwhited/prefetchpoc

This is an innocent issue that might log you out.

#2 Add an end-point based mechanism 3 months ago

Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb

We should consider adding a replacement for tls-server-end-point to this document as well. What would that look like?

#1 Issues with TLS Unique that need to be addressed 3 months ago

Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb

  • Not long enough
  • Not unique enough without master-secret fix

Others?

#214 Updating ticket by status and resolution via API does not work 3 months ago

Comment by ~samwhited on ~sircmpwn/todo.sr.ht

I have not heard anything, but I think the author is working on a new version of the API so this may be low priority. That's just a guess though.

#212 Delete tracker listed twice in API docs 4 months ago

on ~sircmpwn/todo.sr.ht

REPORTED RESOLVED FIXED

#214 Updating ticket by status and resolution via API does not work 4 months ago

Comment by ~samwhited on ~sircmpwn/todo.sr.ht

Amusingly, that is exactly what I was doing when I found this issue :) https://git.sr.ht/~samwhited/sourcehut-go

#280 Request: add title or build file name to build page 4 months ago

Comment by ~samwhited on ~sircmpwn/builds.sr.ht

I don't do python, sorry. Just wanted to make the suggestion, and I hope to see it one day. Thanks for your consideration!

#280 Request: add title or build file name to build page 4 months ago

Ticket created by ~samwhited on ~sircmpwn/builds.sr.ht

Hi,

I have two builds that get run when I push, a set of unit tests and a set of integration tests. Right now when I push the SSH output comes up, I sometimes click both links, then tab over to my browser. However, I can't tell at a glance which tab is the unit tests and which the integration tests without waiting for output and trying to remember which of the tests that are running were one type or the other.

This is a request to add some sort of information to the build pages that identifies what file and repo they were created from (the project is visible only as a hash that you have to click through to make sense of). This might be the repo name / build file path, or a new title attribute in the build that lets me set a name for the pipeline like "MyProject Integration Tests", etc.

Thanks for your time!