@New_scientist@feeds.twtxt.net Make sense–if a clown murders the child they don’t need to go to the hospital.
@quark@ferengi.one wow everybody loves @prologic@twtxt.net
@quark@ferengi.one Check out this thread if you haven’t already: https://mastodon.social/@sundogplanets/112464533481477428
I think we already know It’s likely to be a disaster.
@New_scientist@feeds.twtxt.net It’s great that US regulators have approved launching 40,000 satellites with a 5-year lifespan before we had this kind of information about what’s likely to happen when they start falling out of orbit at a rate of several per hour.
@prologic@twtxt.net My pod, which is running the same commit you are, does not return an error like that. It returns the same HTML it always has. Try it. I nuked my cache before restarting.
Edit: Oh wait, the plot thickens. I do get an error if I use curl or if I use a web browser that isn’t logged in. That’s good!
@prologic@twtxt.net I’m not sure what this update does, but
https://twtxt.net/external?uri=https://google.com&nick=lovetocode999
still exhibits the same problem, on your pod and on mine, after the latest update.
@prologic@twtxt.net OK, I just updated to commit 77d527
, which looks to be the same one you’re running right now. I forgot to blow away my cache before restarting, so I just deleted the cache
file and restarted.
Had to disable support functions because I’ve received three spammy support emails today. Thanks for that feature @prologic@twtxt.net
@bender@twtxt.net Hey, want to go in halfsies on one?
@bender@twtxt.net Oh look at that, the same problem is still happening on twtxt.net
too. I tested a different link but that one gave an error. Maybe that means my pod isn’t behaving different from twtxt.net
after all.
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
A stopgap setting that would let me stop all calls to /external
matching a particular pattern (like this damn lovetocode999
nick) would do the job. Given the potential for abuse of that endpoint, having more moderation control over what it can do is probably a good idea.
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net I deleted a file named cache
in my yarn data and restarted. Problem persists.
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net “Refresh cache in Poderator Settings”
Is there some other way to do that?
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net What? I compiled, updated, and restarted. If you check what my pod reports, it gives that 7a… SHA. I don’t know what that other screenshot is showing but it seems to be out of date. That was the SHA I was running before this update.
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net Here’s a log entry:
Aug 27 15:59:43 buc yarnd[1200580]: [yarnd] 2024/08/27 15:59:43 (IP_REDACTED) "GET /external?nick=lovetocode999&uri=https://URL_REDACTED HTTP/1.1" 200 35442 14.554763ms
HTTP 200 status, not 404.
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net This does not seem to fix the problem for me, or I’ve done something wrong. I did the following:
- Pull the latest version from
git
(I have commit7ad848
, same as ontwtxt.net
I believe).
make build
andmake install
- Restart
yarnd
- Refresh cache in Poderator Settings
Yet I still see these bogus /external
things on my pod when I hit URLs like the one I sent you recently. When I hit such a URL with curl
I think it’s giving an error? But in a web browser, the (buggy) response is the same as it was before I updated.
So, this problem is not fixed for me.
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net Aha, now it gives an error. OK I’m updating to this to see if it fixes the issue on my pod! Thank you.
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net I believe you are not seeing the problem I am describing.
Hit this URL in your web browser:
https://twtxt.net/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin
That’s your pod. I assume you don’t have a user named lovetocode999
on your pod. Yet that URL returns HTTP status 200, and generates HTML, complete with a link to https://socialmphl.com/story19510368/doujin
, which is not a twtxt feed (that’s where the twtxt.txt
link goes if you click it). That link could be to anything, including porn, criminal stuff, etc, and it will appear to be coming from your twtxt.net domain.
What I am saying is that this is a bug. If there is no user lovetocode999
on the pod, hitting this URL should not return HTTP 200 status, and it should definitely not be generating valid HTML with links in it.
Edit: Oops, I misunderstood the purpose of this /external
endpoint. Still, since the uri
is not a yarn
pod, let alone one with a user named lovetocode999
on it, I stand by the belief that URLs like this should be be generating valid HTML with links to unknown sites. Shouldn’t it be possible to construct a valid target URL from the nick
and uri
instead of using the pod’s /external
endpoint?
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net @bender@twtxt.net I partially agree with bender on this one I think. The way this person is abusing the /external
endpoint on my pod seems to be to generate legitimate-looking HTML content for external sites, using a username that does not exist on my pod. One “semantically correct” thing to do would be to error out if that username does not exist on the pod. It’s not unlike having a mail server configured as an open relay at this point.
It would also be very helpful to give the pod administrator control over what’s being fetched this way. I don’t want people using my pod to redirect porn sites or whatever. If I could have something as simple as the ability to blacklist URLs that’d already help.
@lyse@lyse.isobeef.org Interesting. The yarnd --help
currently says (for me):
-R, --open-registrations whether or not to have open user registgration
meaning it doesn’t give the default setting or warn you that you need to use -R=false
and not -R false
. It also leaves unclear whether --open-registrations false
would work or if you need to do --open-registrations=false
. It’s also unclear whether the setting change in the user interface is overridden by the command line arguments, overrides the command line arguments, is persisted across restarts.
Maybe all this is worth posting an issue for additional documentation on the git repo if there isn’t one already.
“registgration” is misspelled that way in the help by the way.
@lyse@lyse.isobeef.org Ha, sweet thanks for this! For some reason I thought you had to do this with an environmental variable or command-line option and I didn’t think to check the settings. 🤦♂
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net Ah nice, thank you! Do you think this fix is ready for me to test it or do you think I should wait til you poke at it?
yarnd
that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
For some reason this nick lovetocode999
is frequently present in my log entries.
👋 Hello @testtest@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod’s Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow
button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗
There is a bug in yarnd
that’s been around for awhile and is still present in the current version I’m running that lets a person hit a constructed URL like
YOUR_POD/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin
and see a legitimate-looking page on YOUR_POD, with an HTTP code 200 (success). From that fake page you can even follow an external feed. Try it yourself, replacing “YOUR_POD” with the URL of any yarnd
pod you know. Try following the feed.
I think URLs like this should return errors. They should not render HTML, nor produce legitimate-looking pages. This mechanism is ripe for DDoS attacks. My pod gets roughly 70,000 hits per day to URLs like this. Many are porn or other types of content I do not want. At this point, if it’s not fixed soon I am going to have to shut down my pod. @prologic@twtxt.net please have a look.
⨁ Follow
button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗
@mckinley@twtxt.net He’s signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don’t technically want open registrations on my pod but up till now I’ve been too lazy to figure out how to turn them off and actually do that, and there hasn’t been a pressing need. I may have to now.
👋 Hello @nigergibe@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod’s Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow
button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗
👋 Hello @nigergibe@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod’s Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow
button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗
👋 Hello @nigergibe@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod’s Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow
button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗