IRC/#cemetech wrote:
Code:
[17:10] <saxjax> [#] <Cemetech> S/jr/W registered and activated a new account
[17:11] <saxjax> [#] <Cemetech> S/jr/W entered the room
[17:14] <saxjax> [D] <TuberPhD> The restrictions on usernames are so lax.
[17:22] <saxjax> [#] <Cemetech> S/jr/W reviewed file [Fractals]( http://ceme.tech/DL1709 )
[17:24] <notipa> uhh
[17:24] <notipa> why does that file give a 500 now
[17:25] <saxjax> [C] <> The Fractals?
[17:25] <notipa> yes
[17:25] <saxjax> [C] <> It started giving 500 since I tried to post the review.
[17:25] <saxjax> [C] <> It says I posted it, but it told me it didn't work.
[17:26] <notipa> sounds like someone didn't sanitize their inputs
[17:26] <saxjax> [C] <> Everything else works good.
[17:27] <saxjax> [C] <> *Well
Yes, their username is being displayed that way in IRC and in Discord, but properly in SAX.
This needs to be fixed, and pronto. It seems like somewhere along the line, in the username registration or in the review system, input isn't being sanitized, and it's breaking file uploads. I can't even put into words how egregious of a potential security risk this is.
I wouldn't characterize this as a security risk; it's just a bug in how the archives system defined userinfo URLs that caused it to fail to generate the URL for a username containing slashes. The fix is being rolled out as I write this.
To be clear, there is no missing sanitization.
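The failure Tari describes, a username with slashes breaking URL generation, comes down to how a user-supplied value is placed into a URL path segment. The example below is added here and is not Cemetech's code; the base URL, function names and the regex allowlist are assumptions for illustration. It contrasts splicing the raw name into the path (which turns "S/jr/W" into three extra segments) with percent-encoding it as a single segment, and shows the optional stricter alternative of rejecting names that cannot be routed at all.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Placeholder base URL; Cemetech's real archive URL layout is not on the page.
BASE = "https://example.invalid/archives"

# Assumed allowlist for a "routable" username: letters, digits, underscore, dot, dash.
ROUTABLE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def naive_userinfo_url(username: str) -> str:
    """Failure mode from the thread: the raw name is spliced into the path,
    so any '/' in the username creates extra path segments."""
    return f"{BASE}/userinfo/{username}"


def safe_userinfo_url(username: str) -> str:
    """Encode the username as exactly one path segment.
    quote() leaves '/' alone by default; safe='' forces it to '%2F'."""
    return f"{BASE}/userinfo/{quote(username, safe='')}"


def path_segments(url: str) -> list[str]:
    """Split the URL path into its non-empty segments, as a router would see them."""
    return [s for s in urlsplit(url).path.split("/") if s]


def username_from_url(url: str) -> str:
    """Recover the username from the last segment, undoing the percent-encoding."""
    return unquote(path_segments(url)[-1])


def is_routable_username(username: str) -> bool:
    """Stricter alternative: reject at registration time any name that would
    need encoding to survive in a path segment."""
    return ROUTABLE.fullmatch(username) is not None


if __name__ == "__main__":
    name = "S/jr/W"  # constructed sample matching the username in the IRC log
    print("naive :", naive_userinfo_url(name), path_segments(naive_userinfo_url(name)))
    print("safe  :", safe_userinfo_url(name), path_segments(safe_userinfo_url(name)))
    print("round trip:", username_from_url(safe_userinfo_url(name)))
    print("routable?", is_routable_username(name))
```

The safe variant keeps the username inside one segment, so the route still matches and the original name round-trips through `unquote`; the allowlist check is the belt-and-braces option if the site would rather not have such names at all.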
Tari wrote:
I wouldn't characterize this as a security risk.
To be fair, anything that compromises either the confidentiality, integrity, or availability of a resource is technically a security risk. A user being able to (unintentionally, even) cause a 500 error on a resource is a compromise of "availability". Just saying :p
Technicalities (and partial troll-mode) aside, good that it's being fixed.