I mean they weren’t given any heads up but had to instantly shut down their servers and figure out what was going on and come up with a solution on the spot. Not that I think piefed is well-made but just publicly posting critical security vulnerabilities is a dick move.
Even dealing with a security issue the code is shit. Why are they chaining multiple ors in a if single statements
| | | | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | | `def is_invalid_get_request_uri(uri):` | | | | `if current_app.debug:` | | | `return False` | | | `try:` | | | `ip = ipaddress.ip_address(furl(uri).host)` | | | `except:` | | | `ip = None` | | | `` | | | `if ip:` | | | `return ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_loopback or ip.is_multicast or ip.is_unspecified` | | | `return False` | | | `` | | | `` | | | `def is_invalid_post_request_uri(uri):` | | | `return is_inv` |https://codeberg.org/rimu/pyfedi/commit/ada8e2ea35ec687000b7e7c2343288d44a219c3a
I mean they weren’t given any heads up but had to instantly shut down their servers and figure out what was going on and come up with a solution on the spot. Not that I think piefed is well-made but just publicly posting critical security vulnerabilities is a dick move.
Was it a zero day? And fair.
Yeah, piefed is rather small and apparently no one even thought to as much as prompt an LLM for the code. It was an unknown vulnerability.
https://lemmy.ml/post/47379574 - - I think this is at least one of them?
Will be an interesting read when not weekend.
Mostly wasn’t sure if something big in python or just the implementation. Been so many announcements on big vulnerabilities lately
If it’s the one from yogthos then yeah
Bare except, too. Not ideal.