Conversation
(mint@ryona.agency)'s status on Friday, 10-May-2024 18:46:58 JST
@NEETzsche @rees @crunklord420 @NEETzsche @p @LukeAlmighty @caekislove @lain @jeffcliff @sun
> Unfortunately, Soapbox and Pleroma seem to drop the balormo object in federation
Yeah, Pleroma strips all unknown fields from received objects. Having a separate field for arbitrary data that could be extended with anything at the frontend's discretion sounds like a good idea to me, though I'd question local experts (@feld, @i) about possible security implications.
-
:blank: (i@declin.eu)'s status on Friday, 10-May-2024 19:51:06 JST
@mint @feld @rees @crunklord420 @NEETzsche @p @LukeAlmighty @caekislove @NEETzsche @lain @jeffcliff @sun
probably better as an MRF, like the one i did in 2021: https://pastebin.com/JCLeeMCP
-
munir (munir@fedi.munir.tokyo)'s status on Friday, 10-May-2024 23:17:31 JST
@mint @feld @rees @crunklord420 @i @NEETzsche @p @LukeAlmighty @caekislove @NEETzsche @lain @jeffcliff @sun
> Having a separate field for arbitrary data that could be extended with anything to frontend's discretion sounds like a good idea to me
it's not, mint, it's a good security hole :02_learn:
-
(mint@ryona.agency)'s status on Friday, 10-May-2024 23:18:06 JST
@munir I'm fine.
-
munir (munir@fedi.munir.tokyo)'s status on Friday, 10-May-2024 23:18:07 JST
@mint also how are you :02_hi: :02_heart:
-
(mint@ryona.agency)'s status on Friday, 10-May-2024 23:18:37 JST
@munir @feld @rees @crunklord420 @i @NEETzsche @p @LukeAlmighty @caekislove @NEETzsche @lain @jeffcliff @sun
It doesn't touch any other fields, so as long as it has a limit for amount and size of its own fields, I think it should be fine.
-
munir (munir@fedi.munir.tokyo)'s status on Friday, 10-May-2024 23:39:59 JST
@mint @feld @rees @crunklord420 @i @NEETzsche @p @LukeAlmighty @caekislove @NEETzsche @lain @jeffcliff @sun
yeah but what if a frontend tries to evaluate it the wrong way? I'm no cybersec god but it sounds like a gateway for an exploit, almost like eval() in python iykwim
-
(mint@ryona.agency)'s status on Friday, 10-May-2024 23:40:40 JST
@munir @feld @rees @crunklord420 @i @NEETzsche @p @LukeAlmighty @caekislove @NEETzsche @lain @jeffcliff @sun
Not a backend problem.
Attachments: not my problem.png
-
:blank: (i@declin.eu)'s status on Friday, 10-May-2024 23:41:57 JST
@munir @feld @rees @crunklord420 @NEETzsche @p @LukeAlmighty @caekislove @NEETzsche @lain @mint @jeffcliff @sun
we've already had XSS multiple times in pleroma-fe from fields being scrubbed in some versions and not in others, making people ship their own sanitizers
-
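An added example, not code from the thread nor from Pleroma, pleroma-fe or Soapbox, of the frontend-side guard the last few posts argue about: the extension object is accepted only within a count and size limit (the "amount and size" point) and its values are rendered as text, never as markup (the XSS point). The field name `balormo` comes from the thread; the limit values, function names and sample Note are assumptions.

```javascript
// Added example, not pleroma-fe or Soapbox code. Field name "balormo" comes from
// the thread; the limits below are assumed values, not anything a project ships.
const EXT_FIELD = "balormo";
const MAX_FIELDS = 16;     // cap on number of keys (the "amount" limit)
const MAX_KEY_LEN = 64;    // cap on key length
const MAX_VALUE_LEN = 512; // cap on value length (the "size" limit)

// Returns a flat copy of the extension object holding only short string values,
// or null when the field is absent, malformed or exceeds a limit.
function sanitizeExtension(activityObject) {
  if (activityObject === null || typeof activityObject !== "object") return null;
  const ext = activityObject[EXT_FIELD];
  if (ext === null || typeof ext !== "object" || Array.isArray(ext)) return null;
  const keys = Object.keys(ext);
  if (keys.length > MAX_FIELDS) return null;
  // Null prototype: a remote key such as "__proto__" becomes a plain own property.
  const out = Object.create(null);
  for (const key of keys) {
    const value = ext[key];
    if (key.length > MAX_KEY_LEN) return null;
    if (typeof value !== "string" || value.length > MAX_VALUE_LEN) return null;
    out[key] = value;
  }
  return out;
}

// Escape for use inside an HTML text node or attribute; the value stays text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the sanitized fields as a definition list; remote markup is escaped,
// so a frontend that inserts this string shows it literally instead of parsing it.
function renderExtension(ext) {
  if (ext === null) return "";
  return Object.keys(ext)
    .map((k) => `<dt>${escapeHtml(k)}</dt><dd>${escapeHtml(ext[k])}</dd>`)
    .join("");
}

// Constructed sample of a remote Note carrying the extension field.
const sampleNote = {
  type: "Note",
  content: "<p>hello</p>",
  balormo: { mood: "happy", note: "<b>not bold</b>" },
};

console.log(renderExtension(sanitizeExtension(sampleNote)));
```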
(mint@ryona.agency)'s status on Friday, 10-May-2024 23:42:35 JST
@i @feld @rees @crunklord420 @NEETzsche @munir @p @LukeAlmighty @caekislove @NEETzsche @lain @jeffcliff @sun
Remember what they took from you.
Attachments: Screenshot_20221126_192923.png, Screenshot_20221126_204615.png, Screenshot_20221126_210605.png, Screenshot_20221126_210151.png, Screenshot_20221126_210341.png
-
NEETzsche (neetzsche@iddqd.social)'s status on Sunday, 12-May-2024 15:28:32 JST
Right now my only intention is to put information that's intended to be visible to anybody who can see the object/activity in the first place. Hopefully that limits the security implications quite a bit, but we'll see.
-
NEETzsche (neetzsche@iddqd.social)'s status on Sunday, 12-May-2024 15:30:04 JST
@munir no offense, but "what if the FE misinterprets this?", if taken to its logical conclusion, applies to all backend output
@feld @rees @crunklord420 @i @NEETzsche @p @LukeAlmighty @caekislove @lain @mint @jeffcliff @sun