~samwhited

Atlanta, GA

https://blog.samwhited.com

Trackers

~samwhited/prefetchpoc

Last active 1 year, 1 month ago

~samwhited/draft-whited-kitten-cb

Last active 1 year, 4 months ago

~samwhited/soquee

Last active 1 year, 5 months ago

~samwhited/draft-whited-kitten-password-storage

Last active 1 year, 5 months ago

~samwhited/blogsync

Last active 1 year, 9 months ago

~samwhited/terraform-provider-sourcehut

Last active 2 years ago

#42 Gitea integration 3 months ago

Comment by ~samwhited on ~sircmpwn/dispatch.sr.ht

I've been wanting any cloud CI that I could use with Codeberg lately so I started experimenting with this. I couldn't get builds.sr.ht running locally so I stopped, but I do have a branch with a lot of the boilerplate done if anyone is interested in picking this up (no actual Gitea API code, just a copy/pasta of the GitHub integration with lots of structs renamed to "Gitea_whatever"). I'd be happy to send that along if anyone is interested in working on this and wants to avoid some of the tedious initial work.

Mine has a field where you'd enter your gitea instance, then it would try to auth against that one so in theory you could use it against several gitea instances at once and just make different tasks for each.

#314 Build manifest results in unhelpful error (possibly from python) 9 months ago

Ticket created by ~samwhited on ~sircmpwn/builds.sr.ht

When submitting the following build manifest (which I guess is invalid YAML):

image:freebsd/latest

I get the error: "'str' object has no attribute 'get'" which has no relation to YAML or what is wrong as far as I can tell. I'm not sure what this means, possibly it's a bug in Python land somewhere. It would be more helpful if it told me that the YAML was invalid (or whatever the problem with that manifest actually is).

#14 Only allow /logout if the referer is ourselves 1 year, 1 month ago

Comment by ~samwhited on ~sircmpwn/sr.ht

It may not be a CSRF issue because you have SameSite set, but we don't have to trick users into clicking a link either. They could just visit a page with an embedded pre-load link or image, e.g. visiting this issue will log you out without any user input (note that the thing that logs you out is a comment which an attacker could put in any issue):

https://todo.sr.ht/~samwhited/prefetchpoc/1

The usual way to fix this is to make the logout link a form and a POST request.

—Sam

On Tue, Sep 1, 2020, at 17:21, ~sircmpwn wrote:

This isn't a CSRF issue, but rather just a problem of duping someone into clicking a link like this.

-- View on the web: https://todo.sr.ht/~sircmpwn/sr.ht/14#event-48317


-- Sam Whited
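Added example to illustrate the fix proposed in the comment above (a logout endpoint that only works as a POST form). This is not sr.ht's code and not Sam's; the Request/Session classes, the handle_logout function and the OUR_ORIGIN value are assumptions made for the example. It shows why a GET triggered by a prefetched image or link can never clear the session, and why a same-origin check on its own is not enough when the attacker's content is rendered on our own site.

```python
"""Logout endpoint hardened against prefetch/image-triggered logout.

Assumptions (not from sr.ht): Request/Session are stand-ins for a web
framework's request and session objects; OUR_ORIGIN is the deployment origin.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

OUR_ORIGIN = "https://todo.example"  # assumed deployment origin


@dataclass
class Session:
    user: Optional[str] = None
    # Per-session secret that the logout form must echo back.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def logout_form(session: Session) -> str:
    """Render logout as a POST form instead of a plain link.

    Browsers only prefetch/fetch GETs for <img>, <link rel=prefetch> and
    similar, so a POST-only endpoint cannot be triggered by embedded content.
    """
    return (
        '<form method="post" action="/logout">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<button type="submit">Log out</button></form>'
    )


def _same_origin(headers: Dict[str, str]) -> bool:
    """Defence in depth: reject requests whose Origin/Referer is foreign.

    Note that this check alone would NOT stop the attack in the comment above,
    because the attacker's <img> lives in a comment served from our own origin.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == OUR_ORIGIN
    referer = headers.get("Referer", "")
    return referer == OUR_ORIGIN or referer.startswith(OUR_ORIGIN + "/")


def handle_logout(req: Request, session: Session) -> int:
    """Return an HTTP status; the session is cleared only on a valid POST."""
    if req.method != "POST":
        # A prefetched image/link always arrives as GET: refuse it.
        return 405
    if not _same_origin(req.headers):
        return 403
    token = req.form.get("csrf_token", "")
    # Constant-time comparison of the submitted token with the session's.
    if not hmac.compare_digest(token, session.csrf_token):
        return 403
    session.user = None
    session.csrf_token = secrets.token_urlsafe(32)  # rotate after use
    return 303  # redirect to the login page


if __name__ == "__main__":
    s = Session(user="sam")
    # Constructed request: what a prefetched <img src="/logout"> would send.
    print(handle_logout(Request("GET", {"Referer": OUR_ORIGIN + "/issue/1"}), s), s.user)
    print(handle_logout(Request("POST", {"Origin": OUR_ORIGIN},
                                {"csrf_token": s.csrf_token}), s), s.user)
```

The method check is what actually defeats the prefetch trick; the Referer/Origin check is only useful against other sites, which is why the comment above says the fix is a form and a POST rather than the referer check in the issue title.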

#1 An innocent issue 1 year, 1 month ago

Comment by ~samwhited on ~samwhited/prefetchpoc

Something like:

test

#1 An innocent issue 1 year, 1 month ago

Ticket created by ~samwhited on ~samwhited/prefetchpoc

This is an innocent issue that might log you out.

#2 Add an end-point based mechanism 1 year, 4 months ago

Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb

We should consider adding a replacement for tls-server-end-point to this document as well. What would that look like?

#1 Issues with TLS Unique that need to be addressed 1 year, 4 months ago

Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb

  • Not long enough
  • Not unique enough without master-secret fix

Others?

#214 Updating ticket by status and resolution via API does not work 1 year, 4 months ago

Comment by ~samwhited on ~sircmpwn/todo.sr.ht

I have not heard anything, but I think the author is working on a new version of the API so this may be low priority. That's just a guess though.

#212 Delete tracker listed twice in API docs 1 year, 5 months ago

on ~sircmpwn/todo.sr.ht

REPORTED RESOLVED FIXED

#214 Updating ticket by status and resolution via API does not work 1 year, 5 months ago

Comment by ~samwhited on ~sircmpwn/todo.sr.ht

Amusingly, that is exactly what I was doing when I found this issue :) https://git.sr.ht/~samwhited/sourcehut-go