jdev - 2021-12-27


  1. me9 has left
  2. marc0s has left
  3. marc0s has joined
  4. debacle has left
  5. moparisthebest has left
  6. moparisthebest has joined
  7. emus has left
  8. pasdesushi has left
  9. jgart has joined
  10. 9lakes has left
  11. dezant has left
  12. 9lakes has joined
  13. sonny has left
  14. sonny has joined
  15. Alex has left
  16. wurstsalat has left
  17. marc0s has left
  18. marc0s has joined
  19. dezant has joined
  20. atomicwatch has left
  21. atomicwatch has joined
  22. moparisthebest has left
  23. atomicwatch has left
  24. atomicwatch has joined
  25. moparisthebest has joined
  26. marc0s has left
  27. marc0s has joined
  28. mac has joined
  29. mac has left
  30. moparisthebest has left
  31. moparisthebest has joined
  32. atomicwatch has left
  33. marc0s has left
  34. marc0s has joined
  35. Yagizа has joined
  36. dezant has left
  37. atomicwatch has joined
  38. sonny has left
  39. atomicwatch has left
  40. mac has joined
  41. atomicwatch has joined
  42. msavoritias has joined
  43. atomicwatch has left
  44. dezant has joined
  45. COM8 has joined
  46. atomicwatch has joined
  47. COM8 has left
  48. COM8 has joined
  49. COM8 has left
  50. atomicwatch has left
  51. rafasaurus has left
  52. Yagizа has left
  53. Yagizа has joined
  54. atomicwatch has joined
  55. rafasaurus has joined
  56. Alacer has left
  57. alacer has joined
  58. drops has left
  59. moparisthebest has left
  60. moparisthebest has joined
  61. drops has joined
  62. COM8 has joined
  63. COM8 has left
  64. atomicwatch has left
  65. jgart has left
  66. drops has left
  67. drops has joined
  68. Alex has joined
  69. atomicwatch has joined
  70. dezant has left
  71. dezant has joined
  72. drops has left
  73. jgart has joined
  74. emus has joined
  75. drops has joined
  76. goffi has joined
  77. wurstsalat has joined
  78. bung has left
  79. mac has left
  80. Martin has left
  81. Martin has joined
  82. marmistrz has left
  83. debacle has joined
  84. flow has left
  85. marmistrz has joined
  86. flow has joined
  87. raghavgururajan has left
  88. pasdesushi has joined
  89. marmistrz has left
  90. mac has joined
  91. marc0s has left
  92. marc0s has joined
  93. pulkomandy has left
  94. pulkomandy has joined
  95. marmistrz has joined
  96. atomicwatch has left
  97. atomicwatch has joined
  98. alacer has left
  99. bung has joined
  100. alacer has joined
  101. kikuchiyo has joined
  102. al has joined
  103. COM8 has joined
  104. COM8 has left
  105. COM8 has joined
  106. COM8 has left
  107. goffi has left
  108. COM8 has joined
  109. COM8 has left
  110. goffi has joined
  111. pep. https://xmpp.org/extensions/xep-0363.html#request What's the rationale for limiting headers to these 3 only?
  112. bung has left
  113. pep. (Authorization, Cookie, Expires)
  114. al has left
  115. marc0s has left
  116. marc0s has joined
  117. pulkomandy has left
  118. pulkomandy has joined
  119. MattJ pep.: to limit the evil that can be done by a server
  120. MattJ The server can return any address for the upload, including things like LAN addresses. Some HTTP security flaws can be performed through header manipulation.
  121. MattJ The server can return any address for the upload, including things like LAN addresses. Some HTTP implementation security flaws can be exploited through header manipulation.
  122. mac has left
  123. mac has joined
  124. Zash A server running on a LAN would return a LAN address...
  125. 9lakes has left
  126. 9lakes has joined
  127. pulkomandy has left
  128. pulkomandy has joined
  129. pasdesushi has left
  130. pasdesushi has joined
  131. Vaulor has left
  132. Vaulor has joined
  133. pep. evil server doing evil things via their client, through a quite small attack surface
  134. marmistrz has left
  135. pep. So if tomorrow I need to pass Foo: bar because my server requires it, @#$% me?
  136. debacle has left
  137. jonas’ yes.
  138. pep. "640K is enough for everyone" ish
  139. jonas’ the alternative would've been to depend '363 on CORS
  140. jonas’ which nobody wanted
  141. jonas’ because you need to get consent from the receiving domain that the "sending" domain (your XMPP server) is allowed to formulate a request (via the client) to that domain
  142. jonas’ which is what CORS is all about
  143. jonas’ nobody wants CORS in XMPP
  144. jonas’ hence, keep it simple
  145. lovetox- has joined
  146. Zash Just use the standard solution to all HTTP problems: Add another reverse proxy.
  147. lovetox- has left
  148. jonas’ how would that help?
  149. jonas’ oh, the xmppd being one, yes
  150. bung has joined
  151. Zash The proxy can add that header.
  152. Zash > So if tomorrow I need to pass Foo: bar
  153. jonas’ or it could transform Cookie/Authorization to that header, indeed
  154. Zash or ?query stuff
  155. jonas’ sure
  156. jonas’ pep., also, given the number of stupid plastic routers and stuff like log4shell, I wouldn't consider the attack surface small.
  157. mac has left
  158. dezant has left
  159. pulkomandy has left
  160. Martin has left
  161. mac has joined
  162. Martin has joined
  163. Martin has left
  164. Martin has joined
  165. pep. Right so considering the server evil is now a norm I guess?
  166. Zash Meh
  167. goffi has left
  168. jgart has left
  169. goffi has joined
  170. pulkomandy has joined
  171. goffi has left
  172. goffi has joined
  173. marmistrz has joined
  174. goffi has left
  175. dezant has joined
  176. goffi has joined
  177. atomicwatch has left
  178. lovetox- has joined
  179. lovetox- has left
  180. goffi has left
  181. goffi has joined
  182. goffi has left
  183. atomicwatch has joined
  184. marmistrz has left
  185. dezant has left
  186. COM8 has joined
  187. COM8 has left
  188. COM8 has joined
  189. COM8 has left
  190. Wojtek has joined
  191. lovetox- has joined
  192. huhn has joined
  193. Wojtek has left
  194. nephele has joined
  195. lovetox- has left
  196. marmistrz has joined
  197. Pete has left
  198. Pete has joined
  199. goffi has joined
  200. COM8 has joined
  201. COM8 has left
  202. marc0s has left
  203. marc0s has joined
  204. alacer has left
  205. raghavgururajan has joined
  206. alacer has joined
  207. COM8 has joined
  208. COM8 has left
  209. COM8 has joined
  210. COM8 has left
  211. COM8 has joined
  212. COM8 has left
  213. nephele has left
  214. COM8 has joined
  215. COM8 has left
  216. COM8 has joined
  217. COM8 has left
  218. serge90 has joined
  219. atomicwatch has left
  220. atomicwatch has joined
  221. PapaTutuWawa has joined
  222. mac has left
  223. debacle has joined
  224. marc0s has left
  225. marc0s has joined
  226. marc0s has left
  227. marc0s has joined
  228. marc0s has left
  229. marc0s has joined
  230. marc0s has left
  231. marc0s has joined
  232. nephele has joined
  233. debacle has left
  234. larma has joined
  235. jgart has joined
  236. debacle has joined
  237. marc0s has left
  238. marc0s has joined
  239. pep. HTTP Upload again, multiple times the same header seems to be unspecified?
  240. serge90 has left
  241. debacle has left
  242. jonas’ in which way?
  243. pep. <put><header name="Authorization">Foo</header><header name="Authorization">Bar</header></put>
  244. jonas’ in which way does this need extra specification?
  245. jonas’ forwarding both is perfectly valid in HTTP
  246. Zash Thanks to the wonders of HTTP, that is equivalent to `Authorization: Foo, Bar` except when it isn't
  247. jonas’ including both is perfectly valid in HTTP
  248. pep. I just realized it's written nowhere that one must forward headers to the put url, I think. It's written that one must ignore other headers and must not include them in the http request
  249. pep. Maybe it could also be hinted that http handles multiple headers just fine
  250. pep. "just fine" (I hear)
  251. jonas’ "the server providing the headers will know what it's doing, eh"
  252. Zash If you control both the client and server, you can of course use forbidden headers all you want
  253. Yagizа has left
  254. Yagizа has joined
  255. marmistrz has left
  256. marmistrz has joined
  257. COM8 has joined
  258. mac has joined
  259. kikuchiyo has left
  260. kikuchiyo has joined
  261. COM8 has left
  262. COM8 has joined
  263. larma has left
  264. larma has joined
  265. COM8 has left
  266. COM8 has joined
  267. COM8 has left
  268. jgart has left
  269. jgart has joined
  270. 9lakes has left
  271. debacle has joined
  272. larma has left
  273. lovetox- has joined
  274. larma has joined
  275. lovetox- has left
  276. lovetox- has joined
  277. lovetox- has left
  278. marc0s has left
  279. marc0s has joined
  280. marc0s has left
  281. marc0s has joined
  282. marc0s has left
  283. marc0s has joined
  284. mac has left
  285. mac has joined
  286. Yagizа has left
  287. pasdesushi has left
  288. marc0s has left
  289. marc0s has joined
  290. marc0s has left
  291. marc0s has joined
  292. dezant has joined
  293. pasdesushi has joined
  294. marc0s has left
  295. marc0s has joined
  296. lovetox- has joined
  297. larma has left
  298. lovetox- has left
  299. pulkomandy has left
  300. pulkomandy has joined
  301. lovetox- has joined
  302. pulkomandy has left
  303. pulkomandy has joined
  304. lovetox- has left
  305. 9lakes has joined
  306. nephele has left
  307. PapaTutuWawa has left
  308. SouL has left
  309. atomicwatch has left
  310. msavoritias has left
  311. marc0s has left
  312. marc0s has joined
  313. atomicwatch has joined
  314. marc0s has left
  315. marc0s has joined
  316. sonny has joined
  317. dezant has left
  318. moparisthebest has left
  319. moparisthebest has joined
  320. sonny has left
  321. sonny has joined
  322. sonny has left
  323. sonny has joined
  324. marc0s has left
  325. marc0s has joined
  326. pasdesushi has left
  327. goffi has left
  328. atomicwatch has left
  329. kikuchiyo has left
  330. sonny has left
  331. sonny has joined
  332. emus has left