In-reply-to » Falling satellite will give clues to how objects burn up on re-entry A chance to observe the high-speed re-entry of a falling satellite will give researchers important insights on how debris burns up in our atmosphere ⌘ Read more

@quark@ferengi.one Check out this thread if you haven’t already: https://mastodon.social/@sundogplanets/112464533481477428

I think we already know It’s likely to be a disaster.

⤋ Read More
In-reply-to » Falling satellite will give clues to how objects burn up on re-entry A chance to observe the high-speed re-entry of a falling satellite will give researchers important insights on how debris burns up in our atmosphere ⌘ Read more

@New_scientist@feeds.twtxt.net It’s great that US regulators have approved launching 40,000 satellites with a 5-year lifespan before we had this kind of information about what’s likely to happen when they start falling out of orbit at a rate of several per hour.

⤋ Read More
In-reply-to » @abucci appreciate it if you find the time to update again 🙏

@prologic@twtxt.net My pod, which is running the same commit you are, does not return an error like that. It returns the same HTML it always has. Try it. I nuked my cache before restarting.

Edit: Oh wait, the plot thickens. I do get an error if I use curl or if I use a web browser that isn’t logged in. That’s good!

⤋ Read More
In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

A stopgap setting that would let me stop all calls to /external matching a particular pattern (like this damn lovetocode999 nick) would do the job. Given the potential for abuse of that endpoint, having more moderation control over what it can do is probably a good idea.

⤋ Read More
In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

@prologic@twtxt.net What? I compiled, updated, and restarted. If you check what my pod reports, it gives that 7a… SHA. I don’t know what that other screenshot is showing but it seems to be out of date. That was the SHA I was running before this update.

⤋ Read More
In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

@prologic@twtxt.net Here’s a log entry:

Aug 27 15:59:43 buc yarnd[1200580]: [yarnd] 2024/08/27 15:59:43 (IP_REDACTED) "GET /external?nick=lovetocode999&uri=https://URL_REDACTED HTTP/1.1" 200 35442 14.554763ms

HTTP 200 status, not 404.

⤋ Read More
In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

@prologic@twtxt.net This does not seem to fix the problem for me, or I’ve done something wrong. I did the following:

  1. Pull the latest version from git (I have commit 7ad848, same as on twtxt.net I believe).
  2. make build and make install
  3. Restart yarnd
  4. Refresh cache in Poderator Settings

Yet I still see these bogus /external things on my pod when I hit URLs like the one I sent you recently. When I hit such a URL with curl I think it’s giving an error? But in a web browser, the (buggy) response is the same as it was before I updated.

So, this problem is not fixed for me.

⤋ Read More
In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

@prologic@twtxt.net I believe you are not seeing the problem I am describing.

Hit this URL in your web browser:

https://twtxt.net/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin

That’s your pod. I assume you don’t have a user named lovetocode999 on your pod. Yet that URL returns HTTP status 200, and generates HTML, complete with a link to https://socialmphl.com/story19510368/doujin, which is not a twtxt feed (that’s where the twtxt.txt link goes if you click it). That link could be to anything, including porn, criminal stuff, etc, and it will appear to be coming from your twtxt.net domain.

What I am saying is that this is a bug. If there is no user lovetocode999 on the pod, hitting this URL should not return HTTP 200 status, and it should definitely not be generating valid HTML with links in it.

Edit: Oops, I misunderstood the purpose of this /external endpoint. Still, since the uri is not a yarn pod, let alone one with a user named lovetocode999 on it, I stand by the belief that URLs like this should be be generating valid HTML with links to unknown sites. Shouldn’t it be possible to construct a valid target URL from the nick and uri instead of using the pod’s /external endpoint?

⤋ Read More
In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

@prologic@twtxt.net @bender@twtxt.net I partially agree with bender on this one I think. The way this person is abusing the /external endpoint on my pod seems to be to generate legitimate-looking HTML content for external sites, using a username that does not exist on my pod. One “semantically correct” thing to do would be to error out if that username does not exist on the pod. It’s not unlike having a mail server configured as an open relay at this point.

It would also be very helpful to give the pod administrator control over what’s being fetched this way. I don’t want people using my pod to redirect porn sites or whatever. If I could have something as simple as the ability to blacklist URLs that’d already help.

⤋ Read More
In-reply-to » @mckinley He's signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don't technically want open registrations on my pod but up till now I've been too lazy to figure out how to turn them off and actually do that, and there hasn't been a pressing need. I may have to now.

@lyse@lyse.isobeef.org Interesting. The yarnd --help currently says (for me):

  -R, --open-registrations            whether or not to have open user registgration

meaning it doesn’t give the default setting or warn you that you need to use -R=false and not -R false. It also leaves unclear whether --open-registrations false would work or if you need to do --open-registrations=false. It’s also unclear whether the setting change in the user interface is overridden by the command line arguments, overrides the command line arguments, is persisted across restarts.

Maybe all this is worth posting an issue for additional documentation on the git repo if there isn’t one already.

“registgration” is misspelled that way in the help by the way.

⤋ Read More
In-reply-to » @mckinley He's signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don't technically want open registrations on my pod but up till now I've been too lazy to figure out how to turn them off and actually do that, and there hasn't been a pressing need. I may have to now.

@lyse@lyse.isobeef.org Ha, sweet thanks for this! For some reason I thought you had to do this with an environmental variable or command-line option and I didn’t think to check the settings. 🤦‍♂

⤋ Read More
In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

For some reason this nick lovetocode999 is frequently present in my log entries.

⤋ Read More

There is a bug in yarnd that’s been around for awhile and is still present in the current version I’m running that lets a person hit a constructed URL like

YOUR_POD/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin

and see a legitimate-looking page on YOUR_POD, with an HTTP code 200 (success). From that fake page you can even follow an external feed. Try it yourself, replacing “YOUR_POD” with the URL of any yarnd pod you know. Try following the feed.

I think URLs like this should return errors. They should not render HTML, nor produce legitimate-looking pages. This mechanism is ripe for DDoS attacks. My pod gets roughly 70,000 hits per day to URLs like this. Many are porn or other types of content I do not want. At this point, if it’s not fixed soon I am going to have to shut down my pod. @prologic@twtxt.net please have a look.

⤋ Read More
In-reply-to » 👋 Hello @nigergibe, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod's Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗

@mckinley@twtxt.net He’s signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don’t technically want open registrations on my pod but up till now I’ve been too lazy to figure out how to turn them off and actually do that, and there hasn’t been a pressing need. I may have to now.

⤋ Read More