jdev - 2021-12-27

  1. me9 has left

  2. marc0s has left

  3. marc0s has joined

  4. debacle has left

  5. moparisthebest has left

  6. moparisthebest has joined

  7. emus has left

  8. pasdesushi has left

  9. jgart has joined

  10. 9lakes has left

  11. dezant has left

  12. 9lakes has joined

  13. sonny has left

  14. sonny has joined

  15. Alex has left

  16. wurstsalat has left

  17. marc0s has left

  18. marc0s has joined

  19. dezant has joined

  20. atomicwatch has left

  21. atomicwatch has joined

  22. moparisthebest has left

  23. atomicwatch has left

  24. atomicwatch has joined

  25. moparisthebest has joined

  26. marc0s has left

  27. marc0s has joined

  28. mac has joined

  29. mac has left

  30. moparisthebest has left

  31. moparisthebest has joined

  32. atomicwatch has left

  33. marc0s has left

  34. marc0s has joined

  35. Yagizа has joined

  36. dezant has left

  37. atomicwatch has joined

  38. sonny has left

  39. atomicwatch has left

  40. mac has joined

  41. atomicwatch has joined

  42. msavoritias has joined

  43. atomicwatch has left

  44. dezant has joined

  45. COM8 has joined

  46. atomicwatch has joined

  47. COM8 has left

  48. COM8 has joined

  49. COM8 has left

  50. atomicwatch has left

  51. rafasaurus has left

  52. Yagizа has left

  53. Yagizа has joined

  54. atomicwatch has joined

  55. rafasaurus has joined

  56. Alacer has left

  57. alacer has joined

  58. drops has left

  59. moparisthebest has left

  60. moparisthebest has joined

  61. drops has joined

  62. COM8 has joined

  63. COM8 has left

  64. atomicwatch has left

  65. jgart has left

  66. drops has left

  67. drops has joined

  68. Alex has joined

  69. atomicwatch has joined

  70. dezant has left

  71. dezant has joined

  72. drops has left

  73. jgart has joined

  74. emus has joined

  75. drops has joined

  76. goffi has joined

  77. wurstsalat has joined

  78. bung has left

  79. mac has left

  80. Martin has left

  81. Martin has joined

  82. marmistrz has left

  83. debacle has joined

  84. flow has left

  85. marmistrz has joined

  86. flow has joined

  87. raghavgururajan has left

  88. pasdesushi has joined

  89. marmistrz has left

  90. mac has joined

  91. marc0s has left

  92. marc0s has joined

  93. pulkomandy has left

  94. pulkomandy has joined

  95. marmistrz has joined

  96. atomicwatch has left

  97. atomicwatch has joined

  98. alacer has left

  99. bung has joined

  100. alacer has joined

  101. kikuchiyo has joined

  102. al has joined

  103. COM8 has joined

  104. COM8 has left

  105. COM8 has joined

  106. COM8 has left

  107. goffi has left

  108. COM8 has joined

  109. COM8 has left

  110. goffi has joined

  111. pep.

    https://xmpp.org/extensions/xep-0363.html#request What's the rationale for limiting headers to these 3 only?

  112. bung has left

  113. pep.

    (Authorization, Cookie, Expires)

  114. al has left

  115. marc0s has left

  116. marc0s has joined

  117. pulkomandy has left

  118. pulkomandy has joined

  119. MattJ

    pep.: to limit the evil that can be done by a server

  120. MattJ

    The server can return any address for the upload, including things like LAN addresses. Some HTTP security flaws can be performed through header manipulation.

  121. MattJ

    The server can return any address for the upload, including things like LAN addresses. Some HTTP implementation security flaws can be exploited through header manipulation.

  122. mac has left

  123. mac has joined

  124. Zash

    A server running on a LAN would return a LAN address...

  125. 9lakes has left

  126. 9lakes has joined

  127. pulkomandy has left

  128. pulkomandy has joined

  129. pasdesushi has left

  130. pasdesushi has joined

  131. Vaulor has left

  132. Vaulor has joined

  133. pep.

    evil server doing evil things via their client, through a quite small attack surface

  134. marmistrz has left

  135. pep.

    So if tomorrow I need to pass Foo: bar because my server requires it, @#$% me?

  136. debacle has left

  137. jonas’

    yes.

  138. pep.

    "640K is enough for everyone" ish

  139. jonas’

    the alternative would've been to depend '363 on CORS

  140. jonas’

    which nobody wanted

  141. jonas’

    because you need to get consent from the receiving domain that the "sending" domain (your XMPP server) is allowed to formulate a request (via the client) to that domain

  142. jonas’

    which is what CORS is all about

  143. jonas’

    nobody wants CORS in XMPP

  144. jonas’

    hence, keep it simple

  145. lovetox- has joined

  146. Zash

    Just use the standard solution to all HTTP problems: Add another reverse proxy.

  147. lovetox- has left

  148. jonas’

    how would that help?

  149. jonas’

    oh, the xmppd being one, yes

  150. bung has joined

  151. Zash

    The proxy can add that header.

  152. Zash

    > So if tomorrow I need to pass Foo: bar

  153. jonas’

    or it could transform Cookie/Authorization to that header, indeed

  154. Zash

    or ?query stuff

  155. jonas’

    sure

  156. jonas’

    pep., also, given the number of stupid plastic routers and stuff like log4shell, I wouldn't consider the attack surface small.

  157. mac has left

  158. dezant has left

  159. pulkomandy has left

  160. Martin has left

  161. mac has joined

  162. Martin has joined

  163. Martin has left

  164. Martin has joined

  165. pep.

    Right so considering the server evil is now a norm I guess?

  166. Zash

    Meh

  167. goffi has left

  168. jgart has left

  169. goffi has joined

  170. pulkomandy has joined

  171. goffi has left

  172. goffi has joined

  173. marmistrz has joined

  174. goffi has left

  175. dezant has joined

  176. goffi has joined

  177. atomicwatch has left

  178. lovetox- has joined

  179. lovetox- has left

  180. goffi has left

  181. goffi has joined

  182. goffi has left

  183. atomicwatch has joined

  184. marmistrz has left

  185. dezant has left

  186. COM8 has joined

  187. COM8 has left

  188. COM8 has joined

  189. COM8 has left

  190. Wojtek has joined

  191. lovetox- has joined

  192. huhn has joined

  193. Wojtek has left

  194. nephele has joined

  195. lovetox- has left

  196. marmistrz has joined

  197. Pete has left

  198. Pete has joined

  199. goffi has joined

  200. COM8 has joined

  201. COM8 has left

  202. marc0s has left

  203. marc0s has joined

  204. alacer has left

  205. raghavgururajan has joined

  206. alacer has joined

  207. COM8 has joined

  208. COM8 has left

  209. COM8 has joined

  210. COM8 has left

  211. COM8 has joined

  212. COM8 has left

  213. nephele has left

  214. COM8 has joined

  215. COM8 has left

  216. COM8 has joined

  217. COM8 has left

  218. serge90 has joined

  219. atomicwatch has left

  220. atomicwatch has joined

  221. PapaTutuWawa has joined

  222. mac has left

  223. debacle has joined

  224. marc0s has left

  225. marc0s has joined

  226. marc0s has left

  227. marc0s has joined

  228. marc0s has left

  229. marc0s has joined

  230. marc0s has left

  231. marc0s has joined

  232. nephele has joined

  233. debacle has left

  234. larma has joined

  235. jgart has joined

  236. debacle has joined

  237. marc0s has left

  238. marc0s has joined

  239. pep.

    HTTP Upload again, multiple times the same header seems to be unspecified?

  240. serge90 has left

  241. debacle has left

  242. jonas’

    in which way?

  243. pep.

    <put><header name="Authorization">Foo</header><header name="Authorization">Bar</header></put

  244. jonas’

    in which way does this need extra specification?

  245. jonas’

    forwarding both is perfectly valid in HTTP

  246. Zash

    Thanks to the wonders of HTTP, that is equivalent to `Authorization: Foo, Bar` except when it isn't

  247. jonas’

    including both is perfectly valid in HTTP

  248. pep.

    I just realized it's written nowhere that one must forward headers to the put url, I think. It's written that one must ignore other headers and must not include them in the http request

  249. pep.

    Maybe it could also be hinted that http handles multiple headers just fine

  250. pep.

    "just fine" (I hear)

  251. jonas’

    "the server providing the headers will know what it's doing, eh"

  252. Zash

    If you control both the client and server, you can of course use forbidden headers all you want

  253. Yagizа has left

  254. Yagizа has joined

  255. marmistrz has left

  256. marmistrz has joined

  257. COM8 has joined

  258. mac has joined

  259. kikuchiyo has left

  260. kikuchiyo has joined

  261. COM8 has left

  262. COM8 has joined

  263. larma has left

  264. larma has joined

  265. COM8 has left

  266. COM8 has joined

  267. COM8 has left

  268. jgart has left

  269. jgart has joined

  270. 9lakes has left

  271. debacle has joined

  272. larma has left

  273. lovetox- has joined

  274. larma has joined

  275. lovetox- has left

  276. lovetox- has joined

  277. lovetox- has left

  278. marc0s has left

  279. marc0s has joined

  280. marc0s has left

  281. marc0s has joined

  282. marc0s has left

  283. marc0s has joined

  284. mac has left

  285. mac has joined

  286. Yagizа has left

  287. pasdesushi has left

  288. marc0s has left

  289. marc0s has joined

  290. marc0s has left

  291. marc0s has joined

  292. dezant has joined

  293. pasdesushi has joined

  294. marc0s has left

  295. marc0s has joined

  296. lovetox- has joined

  297. larma has left

  298. lovetox- has left

  299. pulkomandy has left

  300. pulkomandy has joined

  301. lovetox- has joined

  302. pulkomandy has left

  303. pulkomandy has joined

  304. lovetox- has left

  305. 9lakes has joined

  306. nephele has left

  307. PapaTutuWawa has left

  308. SouL has left

  309. atomicwatch has left

  310. msavoritias has left

  311. marc0s has left

  312. marc0s has joined

  313. atomicwatch has joined

  314. marc0s has left

  315. marc0s has joined

  316. sonny has joined

  317. dezant has left

  318. moparisthebest has left

  319. moparisthebest has joined

  320. sonny has left

  321. sonny has joined

  322. sonny has left

  323. sonny has joined

  324. marc0s has left

  325. marc0s has joined

  326. pasdesushi has left

  327. goffi has left

  328. atomicwatch has left

  329. kikuchiyo has left

  330. sonny has left

  331. sonny has joined

  332. emus has left