Nick | Message | Time |
---|---|---|
tomreyn | hmm, is it a known bug that launchpadlibrarian.net would return user uploaded plain text content as text/html content-type? https://launchpadlibrarian.net/461085327/syslog | 02:35 |
alkisg | Hello, my builds at https://code.launchpad.net/~epoptes/+recipe/epoptes-stable fail with "You are in 'detached HEAD' state." | 04:58 |
alkisg | Is this a launchpad issue, should I just retry later, or is it something on my side? | 04:58 |
alkisg | Hmm I wonder if it's related to tagging... "error: Entry 'debian/changelog' overlaps with 'debian/changelog'. Cannot bind." | 05:00 |
alkisg | Oh sorry my bad, I forgot to update the epoptes-stable recipe after merging debian into master, I only updated the epoptes-proposed recipe | 05:03 |
wgrant | tomreyn: It will return the content type specified in the upload. That's why it's on its own domain, with only public content. | 18:27 |
tomreyn | a separate domain certainly breaks most attack vectors there. phishing remains possible. | 18:53 |
tomreyn | i.e. think forged sso login page. | 18:55 |
tomreyn | actually this reminds me of bug 1835964 (which i admit is really quite irrelevant nowadays) | 18:58 |
ubot5 | bug 1835964 in Launchpad itself "Prevent XSS due to MIME Type Sniffing bugs in old Internet Explorer" [Low,Triaged] https://launchpad.net/bugs/1835964 | 18:58 |
wgrant | tomreyn: We don't consider phishing on an alternate domain like that to be an interesting attack vector. | 19:19 |
wgrant | It's a compromise, like services like GitHub Pages, for example. | 19:19 |
wgrant | Alternate 2LD | 19:19 |
tomreyn | wgrant: i see where you're coming from there. github pages is limited in what you can push to it, though, and i assume it would not be easy to host a forged github login page there. | 19:21 |
tomreyn | i.e. you can only push to it through their trimmed down jekyll fork. | 19:23 |
wgrant | I don't think those restrictions manage to prevent any meaningful class of attacks. | 19:25 |
wgrant | But I haven't looked in a while. | 19:25 |
tomreyn | i haven't tried to find out. it's also probably outside the scope of their bug bounty for the same reasons you provided. | 19:26 |
tomreyn | would you consider it abusive if i uploaded an (intentionally broken) proof of concept to show it to you or to link to it in a bug report? | 19:26 |
wgrant | No. It's been done before. But we would be very unlikely to consider it a valid bug. | 19:26 |
wgrant | We are entirely aware of this attack vector, so demonstrating it isn't useful, but also not forbidden. | 19:27 |
wgrant | Anyway, I need to get on a plane. | 19:27 |
tomreyn | okay, then there's no use in posting it other than increasing the risk of those who shouldn't becoming aware of it. have a good flight. | 19:28 |
wgrant | (slow boarding is slow. Looks to me like you can still push arbitrary content to GitHub Pages. Doesn't even have to run through Jekyll) | 19:39 |
tomreyn | oh, really, i wasn't aware, never tried. | 19:49 |
tomreyn | and apparently it's "we don't care what you put there" mode in github.io's case: https://securityheaders.com/?q=https%3A%2F%2Fsha-mbles.github.io | 19:54 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!