turns out there's some zero-day bugs in that pie (thelemmy.club)

submitted 3 days ago by culpritus@hexbear.net to c/slop@hexbear.net

28 comments fedilink hide all child comments

most of the instances are offline or admin only login last I checked

you are viewing a single comment's thread
view the rest of the comments

[-] Goferking0@ttrpg.network 23 points 3 days ago

Even dealing with a security issue the code is shit. Why are they chaining multiple ors in a if single statements

|                                        |                                                                                                                        |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| `def is_invalid_get_request_uri(uri):` |                                                                                                                        |
|                                        | `if current_app.debug:`                                                                                                |
|                                        | `return False`                                                                                                         |
|                                        | `try:`                                                                                                                 |
|                                        | `ip = ipaddress.ip_address(furl(uri).host)`                                                                            |
|                                        | `except:`                                                                                                              |
|                                        | `ip = None`                                                                                                            |
|                                        | ``                                                                                                                     |
|                                        | `if ip:`                                                                                                               |
|                                        | `return ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_loopback or ip.is_multicast or ip.is_unspecified` |
|                                        | `return False`                                                                                                         |
|                                        | ``                                                                                                                     |
|                                        | ``                                                                                                                     |
|                                        | `def is_invalid_post_request_uri(uri):`                                                                                |
|                                        | `return is_inv`                                                                                                        |

https://codeberg.org/rimu/pyfedi/commit/ada8e2ea35ec687000b7e7c2343288d44a219c3a

[-] mathemachristian@hexbear.net 15 points 3 days ago

I mean they weren't given any heads up but had to instantly shut down their servers and figure out what was going on and come up with a solution on the spot. Not that I think piefed is well-made but just publicly posting critical security vulnerabilities is a dick move.