Conversation

Notices

1. Tadano ❄️🎅 (tadano@amala.schwartzwelt.xyz)'s status on Saturday, 27-May-2023 22:45:59 JST Tadano ❄️🎅
   Good morning
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 22:45:58 JST 

     in reply to
     @Tadano The morning is, in fact, not that good.
     Screenshot_20230527_162615.png
     Screenshot_20230527_162713.png
   • :blank: (i@declin.eu)'s status on Saturday, 27-May-2023 22:50:08 JST :blank:

     in reply to

     • 
     @mint @Tadano the show finally closes out it's last season, not with a bang, but with a whisper
      likes this.
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 22:50:17 JST 

     in reply to

     • :blank:
     @i @Tadano And the objective evil reigns on despite the fatal blow to its morale.
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 22:52:11 JST 

     in reply to

     • Vivi Nella Verita :Debian_logo:
     • Some Purple Cat
     @PurpCat @Tadano @verita84 ran Misskey on pooper.social for a while and I had an alt there, it skipped fetching like 50% posts of people I subscribed to before getting shut down.
   • Some Purple Cat (purpcat@boks.moe)'s status on Saturday, 27-May-2023 22:52:12 JST Some Purple Cat

     in reply to

     • 
     @mint @Tadano unironically gonna run pisskey for the multi user instance because it has people working on it and not developers writing essays about why Alex is a stupid transphobe
     Machismo repeated this.
   • Tadano ❄️🎅 (tadano@amala.schwartzwelt.xyz)'s status on Saturday, 27-May-2023 22:52:54 JST Tadano ❄️🎅

     in reply to

     • 
     • Some Purple Cat
     @PurpCat @mint would run it if it wasn't entirely fucking JavaScript
     Please tell me they have plans to correct this :LIVE:
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 22:53:11 JST 

     in reply to

     • Some Purple Cat
     @Tadano @PurpCat Revolver 2030, trust the plan. :burning_q:
   • Machismo (zerglingman@freespeechextremist.com)'s status on Saturday, 27-May-2023 22:54:18 JST Machismo

     in reply to

     • 
     • Some Purple Cat
     @Tadano @mint @PurpCat Most masto clients also support misskey. Just pick one that's not a javashit? lol
   • Some Purple Cat (purpcat@boks.moe)'s status on Saturday, 27-May-2023 22:55:42 JST Some Purple Cat

     in reply to

     • 
     • Machismo
     @Zerglingman @Tadano @mint it's misskey being written in node
     Machismo likes this.
   • Machismo (zerglingman@freespeechextremist.com)'s status on Saturday, 27-May-2023 22:55:55 JST Machismo

     in reply to

     • 
     • Some Purple Cat
     @PurpCat @mint @Tadano lmao
   • Tadano ❄️🎅 (tadano@amala.schwartzwelt.xyz)'s status on Saturday, 27-May-2023 23:07:36 JST Tadano ❄️🎅

     in reply to

     • 
     • Some Purple Cat
     @PurpCat @mint Hopefully the security issue gets patched up soon. No fucking way I have the resources atm to run MK and no fucking way am I touching Mastodong.
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 23:07:36 JST 

     in reply to

     • Some Purple Cat
     @Tadano @PurpCat It is, both the CSP header for /media/ and the rich media exploit.
     https://git.pleroma.social/pleroma/pleroma/-/commit/0d68804aa7efc4f3212e02218804755da93d03f0
     https://git.pleroma.social/pleroma/pleroma/-/commit/38bcf6b19e3d83cb6c4e6c82d237a26edcab167a
     Moving the media to subdomain might or might not be worth it depending on who you ask. You might also block access to js/html/svg uploads, that's what I did at least before more info dropped.
   • Some Purple Cat (purpcat@boks.moe)'s status on Saturday, 27-May-2023 23:07:37 JST Some Purple Cat

     in reply to

     • 
     @Tadano @mint why is all Fedi software shit it's picking between JavaShit, bugged software with security holes, and eugens autism paradise
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 23:08:47 JST 

     in reply to

     • 
     • Some Purple Cat
     @Tadano @PurpCat Also then-hidden issue is now in the open.
     https://git.pleroma.social/pleroma/pleroma/-/issues/3126
   • Tadano ❄️🎅 (tadano@amala.schwartzwelt.xyz)'s status on Saturday, 27-May-2023 23:10:00 JST Tadano ❄️🎅

     in reply to

     • 
     • Some Purple Cat
     @mint @PurpCat Given I'm using a janky boringproxy setup I don't particularly feel like fucking around with subdomains, I think I'll just block JS/HTML/SVG uploads if my friends on this instance don't mind.
      likes this.
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 23:19:13 JST 

     in reply to

     • Alex Gleason
     • Some Purple Cat
     @alex @Tadano @PurpCat Alrighty then, explain how the second vulnerability can be exploited if all unsafe HTML tags are stripped from the oembed cards.
   • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 23:19:14 JST Alex Gleason

     in reply to

     • 
     • Some Purple Cat
     @mint @Tadano @PurpCat None of these things actually fix the problem. 🤦♂️ Are they really gonna make me fix it?
   • m0xEE (m0xee@breloma.m0xee.net)'s status on Saturday, 27-May-2023 23:22:58 JST m0xEE

     in reply to

     • 
     @mint @Tadano
     I had to take my cats to the vet at noon today to get them vaccinated, but I woke up earlier and was like "Okay, I'll check out what's up on Fedi and go back to bad",— and literally the first thing I see is this vulnerability being discussed and I was: "Damn! Do I really have to fix it now?" :marseytabletired:
      likes this.
   • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 23:25:05 JST Alex Gleason

     in reply to

     • 
     • Some Purple Cat
     @PurpCat @Tadano @mint
     niuulianov likes this.
   • Some Purple Cat (purpcat@boks.moe)'s status on Saturday, 27-May-2023 23:25:06 JST Some Purple Cat

     in reply to

     • Alex Gleason
     • 
     @alex @Tadano @mint pleroma devs trying to fix a security hole
     Machismo repeated this.
   • Vivi Nella Verita :Debian_logo: (verita84@poster.place)'s status on Saturday, 27-May-2023 23:29:12 JST Vivi Nella Verita :Debian_logo:

     in reply to

     • 
     • Some Purple Cat
     @mint @Tadano @PurpCat
     
     Is MK better now? If people are this soy about security fixes, they should not use computers because this happens all the time to software we use
      likes this.
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 23:29:39 JST 

     in reply to

     • Vivi Nella Verita :Debian_logo:
     • Some Purple Cat
     @verita84 @Tadano @PurpCat No idea, that was the only time I used it, left a sour taste.
   • Tadano ❄️🎅 (tadano@amala.schwartzwelt.xyz)'s status on Saturday, 27-May-2023 23:57:38 JST Tadano ❄️🎅

     in reply to

     • 
     • Vivi Nella Verita :Debian_logo:
     • Some Purple Cat
     @mint @PurpCat @verita84 according to MK's roadmap rewriting the entire the entire codebase in rust or something for better scalability is a long term goal :marisa:
      likes this.
   • Some Purple Cat (purpcat@boks.moe)'s status on Sunday, 28-May-2023 00:01:17 JST Some Purple Cat

     in reply to

     • 
     • Vivi Nella Verita :Debian_logo:
     @Tadano @verita84 @mint had a friend look at misskey
     It has no csp 🤣
      likes this.
   • feld (feld@bikeshed.party)'s status on Sunday, 28-May-2023 00:22:44 JST feld

     in reply to

     • Alex Gleason
     • 
     • Some Purple Cat
     Explain the problem ??
   • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 28-May-2023 00:22:44 JST Alex Gleason

     in reply to

     • 
     • feld
     • Some Purple Cat

     @feld @Tadano @PurpCat @mint It’s twofold:

     1. We need a new upload filter called MimeFilter that lets you specify a whitelist of mime types with wildcard support, defaulting to audio/*, video/*, image/*
     2. We need a plug at the end of /media and /proxy which blacklists a specific set of known harmful mimes including application/javascript and svg. Those should be rewritten to text/plain.

     Bonus points: sanitizing the oembed html is good, but Pleroma FE actually needs to be patched to put the HTML into a sandboxed iframe. Soapbox doesn’t have this problem because it doesn’t blindly inject the oembed onto the page.

      likes this.
   • feld (feld@bikeshed.party)'s status on Sunday, 28-May-2023 00:26:06 JST feld

     in reply to

     • Alex Gleason
     • 
     • Some Purple Cat
     Yeah we tried building a good mime filter but there's no good way to do it with Elixir right now. Mime/magic database has backwards incompatible changes every update which makes targeting it a nightmare for releases. Jordan/href spent months working and researching this
      likes this.
   • Some Purple Cat (purpcat@boks.moe)'s status on Sunday, 28-May-2023 08:35:35 JST Some Purple Cat

     in reply to

     • 
     • CrunkLord420
     @crunklord420 @Tadano @mint I found out MK wasn't much better when it comes to CORS from a friend though to some degree and even worse the cross origin policy is very relaxed on it.
   • CrunkLord420 (crunklord420@rdrama.cc)'s status on Sunday, 28-May-2023 08:35:35 JST CrunkLord420

     in reply to

     • 
     • Some Purple Cat
     @PurpCat @Tadano @mint WEBSHITTERS WHO MAKE WAR-CRIME-TIER SOFTWARE THAT CONSUME GIGABYTES OF MEMORY TO DISPLAY TEXT CANT EVEN DO THE ONE THING THAT IS ACTUALLY IMPORTANT
     
     Many such cases.
      likes this.
   • CrunkLord420 (crunklord420@rdrama.cc)'s status on Sunday, 28-May-2023 08:35:36 JST CrunkLord420

     in reply to

     • 
     • Some Purple Cat
     @PurpCat @Tadano @mint OHOOOOOHOOHOHOHOHH SICK BURN 🔥🔥🔥🔥🔥 😭😭😭😭