~samwhited

Atlanta, GA

https://blog.samwhited.com

Trackers

~samwhited/prefetchpoc

Last active 4 years ago

~samwhited/draft-whited-kitten-cb

Last active 4 years ago

~samwhited/draft-whited-kitten-password-storage

Last active 4 years ago

~samwhited/blogsync

Last active 4 years ago

~samwhited/terraform-provider-sourcehut

Last active 5 years ago

#42 Gitea integration 3 years ago

Comment by ~samwhited on ~sircmpwn/dispatch.sr.ht


#314 Build manifest results in unhelpful error (possibly from python) 3 years ago

Ticket created by ~samwhited on ~sircmpwn/builds.sr.ht

When submitting the following build manifest (which I guess is invalid YAML):

image:freebsd/latest

I get the error: "'str' object has no attribute 'get'" which has no relation to YAML or what is wrong as far as I can tell. I'm not sure what this means, possibly it's a bug in Python land somewhere. It would be more helpful if it told me that the YAML was invalid (or whatever the problem with that manifest actually is).

#14 Only allow /logout if the referer is ourselves 4 years ago

Comment by ~samwhited on ~sircmpwn/sr.ht

It may not be a CSRF issue because you have SameSite set, but we don't have to trick users into clicking a link either. They could just visit a page with an embedded pre-load link or image, e.g. visiting this issue will log you out without any user input (note that the thing that logs you out is a comment which an attacker could put in any issue):

https://todo.sr.ht/~samwhited/prefetchpoc/1

The usual way to fix this is to make the logout link a form and a POST request.

—Sam

On Tue, Sep 1, 2020, at 17:21, ~sircmpwn wrote:

This isn't a CSRF issue, but rather just a problem of duping someone into clicking a link like this.

-- View on the web: https://todo.sr.ht/~sircmpwn/sr.ht/14#event-48317


-- Sam Whited
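An added example, not part of the ticket thread or of sr.ht's own code, illustrating the bug class the comment above describes: a /logout that fires on any GET, beside one that only accepts a POST form carrying a per-session token. The cookie name "session", the in-memory session store and the WSGI apps are all assumptions for the illustration; the apps are driven in-process with wsgiref rather than a real server, and the "attack" is the GET a browser issues for an <img src="/logout"> or <link rel="prefetch" href="/logout"> embedded in a comment on the same site. Because that request originates from the site itself, it is same-site and carries a same-origin Referer, so neither SameSite cookies nor the Referer check proposed in the ticket title distinguishes it from a real logout; requiring a POST with a token the attacker cannot read does.

```python
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Hypothetical in-memory session store: session id -> {"user", "csrf"}.
SESSIONS = {}


def new_session(user):
    """Create a logged-in session and return its id (the cookie value)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def _session_from(environ):
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "session" not in cookies:
        return None, None
    sid = cookies["session"].value
    return sid, SESSIONS.get(sid)


def _logout(sid, start_response):
    SESSIONS.pop(sid, None)
    start_response("302 Found", [("Location", "/")])
    return [b""]


def vulnerable_app(environ, start_response):
    """/logout works on any GET. A comment on the same site containing
    <img src="/logout"> or <link rel="prefetch" href="/logout"> makes the
    browser fetch it with the session cookie on page load: the request is
    same-site and same-origin, so SameSite and a Referer check both pass."""
    sid, sess = _session_from(environ)
    if environ["PATH_INFO"] == "/logout" and sess is not None:
        return _logout(sid, start_response)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def hardened_app(environ, start_response):
    """/logout is a POST carrying the session's token. An <img> or <link>
    prefetch can only issue a GET and cannot read the token anyway."""
    sid, sess = _session_from(environ)
    if environ["PATH_INFO"] == "/logout":
        if environ["REQUEST_METHOD"] != "POST":
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        token = form.get("csrf_token", [""])[0]
        if sess is None or not secrets.compare_digest(
            token.encode(), sess["csrf"].encode()
        ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"bad or missing csrf token"]
        return _logout(sid, start_response)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def request(app, method, path, sid, body=""):
    """Drive a WSGI app in-process the way the browser would and return the
    status line. `sid` is sent as the session cookie; `body` is form-encoded."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    environ["HTTP_COOKIE"] = f"session={sid}"
    raw = body.encode()
    environ["CONTENT_LENGTH"] = str(len(raw))
    environ["wsgi.input"] = io.BytesIO(raw)
    status = []
    app(environ, lambda s, h, exc_info=None: status.append(s))
    return status[0]


def demo():
    """Replay the prefetch-style GET against both apps, then the real form
    POST against the hardened one; returns what happened to each session."""
    results = {}

    sid = new_session("victim")
    request(vulnerable_app, "GET", "/logout", sid)  # what <img src="/logout"> does
    results["vulnerable_get_logged_out"] = sid not in SESSIONS

    sid = new_session("victim")
    results["hardened_get_status"] = request(hardened_app, "GET", "/logout", sid)
    results["hardened_get_logged_out"] = sid not in SESSIONS

    results["hardened_bad_token_status"] = request(
        hardened_app, "POST", "/logout", sid, "csrf_token=wrong")
    results["hardened_bad_token_logged_out"] = sid not in SESSIONS

    token = SESSIONS[sid]["csrf"]
    results["hardened_form_post_status"] = request(
        hardened_app, "POST", "/logout", sid, f"csrf_token={token}")
    results["hardened_form_post_logged_out"] = sid not in SESSIONS
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The logout control on the page then becomes a small form, <form method="post" action="/logout"> with a hidden csrf_token input, rather than an anchor. Responding 405 to GET is deliberate: a prefetch or image request is a GET by construction, so the method check alone defeats it, and the token check covers a script on another origin that could issue a POST but cannot read the page to learn the token.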

#1 An innocent issue 4 years ago

Comment by ~samwhited on ~samwhited/prefetchpoc

Something like:

test

#1 An innocent issue 4 years ago

Ticket created by ~samwhited on ~samwhited/prefetchpoc

This is an innocent issue that might log you out.

#2 Add an end-point based mechanism 4 years ago

Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb

We should consider adding a replacement for tls-server-end-point to this document as well. What would that look like?

#1 Issues with TLS Unique that need to be addressed 4 years ago

Ticket created by ~samwhited on ~samwhited/draft-whited-kitten-cb

  • Not long enough
  • Not unique enough without master-secret fix

Others?

#214 Updating ticket by status and resolution via API does not work 4 years ago

Comment by ~samwhited on ~sircmpwn/todo.sr.ht

I have not heard anything, but I think the author is working on a new version of the API so this may be low priority. That's just a guess though.

#212 Delete tracker listed twice in API docs 4 years ago

Status changed by ~samwhited on ~sircmpwn/todo.sr.ht

REPORTED → RESOLVED FIXED

#214 Updating ticket by status and resolution via API does not work 4 years ago

Comment by ~samwhited on ~sircmpwn/todo.sr.ht

Amusingly, that is exactly what I was doing when I found this issue :) https://git.sr.ht/~samwhited/sourcehut-go