Yeah? Couple people said it wasn’t worth it and it kinda just got by on shock value and hype and I used that to confirm my laziness 😂
Notices by Ademan (ademan@thebag.social), page 11
Ademan (ademan@thebag.social)'s status on Friday, 02-Jun-2023 00:23:22 JST Ademan
Ademan (ademan@thebag.social)'s status on Friday, 02-Jun-2023 00:23:15 JST Ademan damn that’s cold
Still haven’t watched goblin slayer tbh
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:44:02 JST Ademan By the existing script-src 'self' 'wasm-unsafe-eval' CSP? I assumed 'self' permitted inline scripts, but I guess that requires 'unsafe-inline'?
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:41:59 JST Ademan holy moly, is the everdrive doing anything fancy there? I know some of them use the FPGA to simulate enhancement chips, you could probably use it to accelerate in a way the original hardware couldn’t. (Think Super-FX and beyond)
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:35:31 JST Ademan So the embed injection can’t insert inline js?
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:30:36 JST Ademan Did you turn off the rich media option? It seems like that works regardless of mediaproxy.
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:30:35 JST Ademan Not sure if it’s cached at all, but from what I gather it’s a way the attacker can inject a script tag to execute some js, possibly inline, or definitely uploaded by a local user.
See https://lain.com/objects/9074544e-9edf-44d4-abff-94a80b95142a
If you’re using database config I have no idea, if you’re using plain text configuration:
config :pleroma, :rich_media, enabled: false
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:30:34 JST Ademan I’m also… pretty sure… that this defends even against such injection:
location / {
    ...
    add_header Content-Security-Policy "script-src https://thebag.social/packs/ https://thebag.social/sw.js;" always;
    ...
}

(I am currently belt-suspenders-ducttape-scotchtape-superglue-elmersglue-… though, nobody with the real know-how has even acknowledged this configuration option)
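Added example, not code from Ademan or from Pleroma: a small script-src evaluator in Python that models CSP source-expression matching for the two policies discussed in this thread, the instance's allow-list above and the stock `script-src 'self' 'wasm-unsafe-eval'`. It assumes a constructed page URL on the instance and constructed script URLs; it ignores ports, nonces and hashes, and shows that 'self' does not permit inline scripts (that needs 'unsafe-inline') while a path allow-list rejects scripts served from elsewhere on the same origin.

```python
from typing import Optional
from urllib.parse import urlsplit

def _directive_sources(policy: str, name: str) -> Optional[list]:
    for directive in policy.split(";"):     # "name src src ..." per directive
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None                              # directive absent from the policy

def _host_source_matches(expr: str, page, script) -> bool:
    """Match a host-source such as https://thebag.social/packs/ (ports ignored)."""
    src = urlsplit(expr if "://" in expr else "//" + expr, scheme=page.scheme)
    if script.scheme != src.scheme and not (src.scheme == "http" and script.scheme == "https"):
        return False
    host, shost = src.hostname or "", script.hostname or ""
    if not (shost.endswith(host[1:]) if host.startswith("*.") else shost == host):
        return False
    if src.path == "" or src.path.endswith("/"):   # no path, or a directory prefix
        return script.path.startswith(src.path)
    return script.path == src.path                  # exact file, e.g. /sw.js

def script_allowed(policy: str, page_url: str, script_url: Optional[str] = None) -> bool:
    """script_url=None means an inline <script> block on the page."""
    sources = _directive_sources(policy, "script-src")
    if sources is None:                  # script-src falls back to default-src
        sources = _directive_sources(policy, "default-src")
    if sources is None:
        return True                      # no applicable directive: nothing is restricted
    if sources == ["'none'"]:
        return False
    if script_url is None:               # inline script: only the keyword helps, 'self' does not
        return "'unsafe-inline'" in sources
    page, script = urlsplit(page_url), urlsplit(script_url)
    for expr in sources:
        if expr == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif expr.startswith("'"):
            continue                     # other keywords, nonces and hashes never match a URL
        elif expr.endswith(":") and "/" not in expr:   # scheme-source such as https:
            if script.scheme == expr[:-1].lower():
                return True
        elif _host_source_matches(expr, page, script):
            return True
    return False

THREAD_POLICY = "script-src https://thebag.social/packs/ https://thebag.social/sw.js;"  # from the post above
PAGE = "https://thebag.social/notice/example"  # constructed page URL on the instance
```

Under THREAD_POLICY an inline script and a script under /media/ are both rejected; under `script-src 'self' 'wasm-unsafe-eval'` the inline script is still rejected but any same-origin file, including one a local user uploaded, is allowed.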
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:30:33 JST Ademan @lain am I way off base or does the embed injection pose a (known) risk from remote users?
Probably safest to just disable it, but I’m curious if that’s a known vector.
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 06:30:33 JST Ademan It seems to me that the embed injection could possibly still work (if it could inject inline code, it would run in the current window context and bypass the other safeguards)
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 05:40:01 JST Ademan that is not at all how I remember armored armadillo…
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 05:14:40 JST Ademan wow claire good job speaking truth to power trying to stir up shit on an open source dev
Ademan (ademan@thebag.social)'s status on Thursday, 01-Jun-2023 03:38:28 JST Ademan booba bayonetta in a plugsuit
sounds like they’re doing better than ever!
Ademan (ademan@thebag.social)'s status on Wednesday, 31-May-2023 23:22:10 JST Ademan at least there’s no bean shapiro here
follows Robert Reich
Ademan (ademan@thebag.social)'s status on Wednesday, 31-May-2023 06:49:12 JST Ademan I have to constantly remind myself not to violate my own fedposting rule, for my own safety, when journos are mentioned.
Ademan (ademan@thebag.social)'s status on Wednesday, 31-May-2023 06:27:03 JST Ademan journos are the worst of the worst
Ademan (ademan@thebag.social)'s status on Wednesday, 31-May-2023 01:22:21 JST Ademan Serbs from Kosovo return fire, inflicting losses on NATO soldiers
Damn, I hadn’t even heard about any particular tensions. What’s the (recent) cause of this?
Ademan (ademan@thebag.social)'s status on Wednesday, 31-May-2023 00:33:24 JST Ademan pinkertons show up at your door
Ademan (ademan@thebag.social)'s status on Monday, 29-May-2023 01:38:43 JST Ademan my swiss chard seedlings shoot up then die, never had this problem before
Ademan (ademan@thebag.social)'s status on Saturday, 27-May-2023 06:42:58 JST Ademan wides lies and owns us all uploading the exploit fully operational