View Issue Details

ID: 0000185
Project: opensim-SC
Category: General
View Status: public
Last Update: 2024-02-17 00:04
Reporter: onefang
Assigned To: onefang
Priority: urgent
Severity: major
Reproducibility: N/A
Status: assigned
Resolution: open
Summary: 0000185: Various secure coding things.
Description: This is likely to be just a list of links to secure coding stuff.
Additional Information: https://forums.theregister.com/forum/all/2021/01/29/severe_libgcrypt_bug/

Interesting point about not having input buffers before function pointers in structs.
Tags: No tags attached.

Activities

onefang (administrator)   ~0000324   2021-04-26 17:24

Opt out of Google's FLoC thing.

Apparently I can tell the browser "don't do that". Whether or not Google will comply, at least I can try. https://spreadprivacy.com/block-floc-with-duckduckgo/

https://www.w3.org/TR/permissions-policy-1/#introduction
onefang (administrator)   ~0000520   2021-10-29 10:30   (last edited 2022-01-13 09:13)

BoringSSL might be useful to replace OpenSSL?

"LibTLS is basically a very thin wrapper which constrains how you hold an
SSL library, essentially making it very hard to hold it in the wrong way.
As a nice benefit it's become a common API for abstracting away an SSL
implementation (LibreSSL, OpenSSL, BearSSL, etc)
The OpenSSL implementation here is using all of the defaults, in other
words you are assuming OpenSSL is using sane defaults which has,
historically, not been the case. But for more recent versions of OpenSSL
(1.1.1b and higher) is reasonably safe. This is also using the BIO
abstraction which is the simplest "modern" way to hold OpenSSL correctly
that I know of."

Or libressl?

"The libressl team, in the wake of heartbleed which spawned the project, eliminated tens of thousands of lines of code in the first few weeks of the project existing. That code was never going to come back."
onefang (administrator)   ~0000532   2021-12-21 08:13

https://www.theregister.com/2021/03/08/post_spectre_programming/
onefang (administrator)   ~0000592   2022-11-22 06:48

Maybe -fsanitize=address,undefined
And it might have friends.
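Added example, not code from this issue or from opensim-SC: it puts the two points together, the libgcrypt lesson from the description (an input buffer sitting directly in front of a function pointer in a struct) and the sanitizer flags from this note. The handler record, its field names and the sixteen-byte name buffer are assumptions made up for the illustration. The two simulation functions clamp the write to the enclosing object so the program is defined behaviour as-is; the real, unclamped overflow is behind DEMO_OVERFLOW so that the sanitizer build in the comment has something to catch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*dispatch_fn)(const char *);

/* Layout A (hypothetical handler record, constructed for this example): a fixed
 * input buffer directly followed by a function pointer. One byte too many
 * written into name already corrupts dispatch. */
struct handler_a {
    char name[16];
    dispatch_fn dispatch;
};

/* Layout B: pointer first, buffer last. An overrun of name now runs off the end
 * of the object instead of into the pointer, which shrinks the blast radius but
 * is still a memory-safety bug; the real fix is the bounded setter below. */
struct handler_b {
    dispatch_fn dispatch;
    char name[16];
};

static void real_dispatch(const char *s) { (void)s; }

/* Bounded setter: refuses a name that does not fit together with its terminator. */
int set_name_b(struct handler_b *h, const char *name) {
    size_t n = strlen(name);
    if (n >= sizeof h->name) return -1;
    memcpy(h->name, name, n + 1);
    return 0;
}

/* Simulates an unchecked write of len bytes starting at the name field. The
 * write is clamped to the enclosing object so the simulation itself stays in
 * defined behaviour; returns 1 if the bytes of the dispatch pointer changed. */
static int simulate(void *obj, size_t objsize, size_t name_off, dispatch_fn *fp, size_t len) {
    unsigned char payload[64];
    dispatch_fn expected = real_dispatch;
    size_t room = objsize - name_off;
    memset(payload, 'A', sizeof payload);
    if (len > room) len = room;
    if (len > sizeof payload) len = sizeof payload;
    memcpy((unsigned char *)obj + name_off, payload, len);
    return memcmp(fp, &expected, sizeof expected) != 0;
}

int layout_a_clobbers_dispatch(size_t len) {
    struct handler_a h = { "", real_dispatch };
    return simulate(&h, sizeof h, offsetof(struct handler_a, name), &h.dispatch, len);
}

int layout_b_clobbers_dispatch(size_t len) {
    struct handler_b h = { real_dispatch, "" };
    return simulate(&h, sizeof h, offsetof(struct handler_b, name), &h.dispatch, len);
}

#ifdef DEMO_OVERFLOW
/* The real, unclamped bug. Build with
 *   cc -g -O1 -fsanitize=address,undefined -DDEMO_OVERFLOW layout.c && ./a.out
 * and AddressSanitizer stops at the memcpy with a stack-buffer-overflow report;
 * without the sanitizer you get the call through the smashed pointer instead. */
static void unchecked_copy(const char *input) {
    struct handler_a h = { "", real_dispatch };
    memcpy(h.name, input, strlen(input) + 1);   /* no bounds check */
    h.dispatch(h.name);
}
#endif

int main(void) {
    struct handler_b hb = { real_dispatch, "" };
    printf("layout A, write of sizeof(struct) bytes reaches dispatch: %d\n",
           layout_a_clobbers_dispatch(sizeof(struct handler_a)));
    printf("layout B, same write reaches dispatch: %d\n",
           layout_b_clobbers_dispatch(sizeof(struct handler_b)));
    printf("set_name_b rejects a 16-char name: %d\n", set_name_b(&hb, "0123456789abcdef"));
#ifdef DEMO_OVERFLOW
    unchecked_copy("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
#endif
    return 0;
}
```

Reordering fields is a mitigation, not a fix: it moves the pointer out of the overrun's reach but the overrun is still there, and under -fsanitize=address both layouts fault at the same memcpy. The "friends" of the address sanitizer worth knowing about are -fsanitize=undefined (already in the note), -fstack-protector-strong and _FORTIFY_SOURCE for release builds, and -fsanitize=cfi (clang) for calls through function pointers specifically.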
onefang (administrator)   ~0000593   2022-11-22 07:28

Spin might be useful, it's in the Devuan repos.
onefang (administrator)   ~0000601   2023-03-16 05:13

Instead of sending a URL to click on for email validation, send a code they have to copy to their account.

Or send both, and have the link tell them off for clicking email links. Muahahaha!
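Added example of the code-instead-of-link flow from this note; it is not code from opensim-SC. The code length, lifetime and attempt limit are assumptions chosen for the illustration, and the random bits are passed in by the caller (from getrandom(2) or similar in production) so the check can be exercised deterministically. The parts a practitioner tends to forget are the ones shown: constant-time comparison, an expiry, a guess counter that is charged before the comparison, and single use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Policy values are assumptions for this example, not anything opensim-SC ships. */
#define CODE_LEN 8          /* decimal digits the user has to type */
#define CODE_TTL 900        /* seconds a code stays valid */
#define CODE_MAX_TRIES 5    /* guesses allowed before the code is dead */

/* Server-side record for one outstanding verification, kept with the account. */
struct pending_verify {
    char code[CODE_LEN + 1];
    time_t issued;
    int tries;
    int used;
};

enum verify_result { VERIFY_OK = 0, VERIFY_BAD, VERIFY_EXPIRED, VERIFY_LOCKED, VERIFY_USED };

/* Derive the code to e-mail from 64 random bits the caller obtains from the OS
 * (getrandom(2), arc4random(3)); injecting the bits keeps this deterministic in
 * tests. The bias of 2^64 mod 10^8 is negligible. Issuing resets the counters. */
void issue_code(struct pending_verify *p, uint64_t random_bits, time_t now) {
    snprintf(p->code, sizeof p->code, "%08llu",
             (unsigned long long)(random_bits % 100000000ULL));
    p->issued = now;
    p->tries = 0;
    p->used = 0;
}

/* Constant-time equality so response timing does not reveal how many leading
 * digits of a guess were right. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Check a code the user pasted into their account page. */
enum verify_result verify_code(struct pending_verify *p, const char *submitted, time_t now) {
    if (p->used) return VERIFY_USED;
    if (now - p->issued > CODE_TTL) return VERIFY_EXPIRED;
    if (p->tries >= CODE_MAX_TRIES) return VERIFY_LOCKED;
    p->tries++;                                 /* every guess costs an attempt */
    if (strlen(submitted) != CODE_LEN || !ct_equal(submitted, p->code, CODE_LEN))
        return VERIFY_BAD;
    p->used = 1;                                /* one-shot */
    return VERIFY_OK;
}

int main(void) {
    struct pending_verify p;
    uint64_t bits = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&bits, sizeof bits, 1, f) != 1) return 1;
    fclose(f);
    issue_code(&p, bits, time(NULL));
    printf("mail this code, not a link: %s\n", p.code);
    /* Separate statements: verify_code has side effects, and argument
     * evaluation order inside one call is unspecified in C. */
    int wrong = verify_code(&p, "00000000", time(NULL));
    int right = verify_code(&p, p.code, time(NULL));
    int again = verify_code(&p, p.code, time(NULL));
    printf("wrong guess -> %d, right code -> %d, reuse -> %d\n", wrong, right, again);
    return 0;
}
```

With eight digits and five attempts an attacker gets a 5 in 10^8 chance per issued code, which is why the attempt counter matters more than the code length; if the site lets the user request a fresh code at will, rate-limit that too, otherwise the counter resets for free.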
onefang (administrator)   ~0000613   2023-07-29 06:43

Double check I'm doing this right https://www.theregister.com/2023/07/29/cisa_nsa_idor_australia/
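Added example of the IDOR check the linked advisory is about; it is not opensim-SC code, and the inventory table, the request and session structs and the account ids are all constructed for the illustration. The vulnerable lookup and the fixed one sit side by side: the difference is only which user id the ownership test is keyed on, and where that test lives.

```c
#include <stdio.h>
#include <string.h>

/* Constructed inventory table: item id -> owning account id. */
struct item { unsigned id; unsigned owner; const char *name; };
static const struct item inventory[] = {
    { 101, 1, "sky-texture" },
    { 102, 2, "private-notecard" },
    { 103, 1, "door-script" },
};
#define N_ITEMS (sizeof inventory / sizeof inventory[0])

/* What arrives over the wire. The client chooses both numbers. */
struct request { unsigned item_id; unsigned claimed_user; };

/* What authentication established. Filled in by the server, never by the client. */
struct session { unsigned user; };

/* Vulnerable: the ownership test uses the user id inside the request, so any
 * client can read any item by editing two numbers in the message. */
const struct item *fetch_item_idor(const struct request *r) {
    for (size_t i = 0; i < N_ITEMS; i++)
        if (inventory[i].id == r->item_id && inventory[i].owner == r->claimed_user)
            return &inventory[i];
    return NULL;
}

/* Fixed: the check is keyed on the authenticated principal and lives in the one
 * function that hands out items, so every caller inherits it. claimed_user is
 * ignored. "Not yours" and "does not exist" both come back as NULL so the
 * response does not confirm which ids exist. */
const struct item *fetch_item(const struct session *s, const struct request *r) {
    for (size_t i = 0; i < N_ITEMS; i++)
        if (inventory[i].id == r->item_id)
            return inventory[i].owner == s->user ? &inventory[i] : NULL;
    return NULL;
}

int main(void) {
    struct session alice = { 1 };
    /* Alice's client asks for Bob's item and claims to be Bob. */
    struct request forged = { 102, 2 };
    const struct item *leak = fetch_item_idor(&forged);
    const struct item *blocked = fetch_item(&alice, &forged);
    printf("vulnerable lookup returned: %s\n", leak ? leak->name : "(null)");
    printf("checked lookup returned:    %s\n", blocked ? blocked->name : "(null)");
    return 0;
}
```

The thing to double check in a real code base is that no code path reaches the table without going through fetch_item, and that nothing upstream copies a client-supplied user id into the session.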
onefang (administrator)   ~0000632   2024-02-17 00:03

I've seen someone fishing for what I think is a WordPress login page. So double check I'm dealing with shit like

/opt/opensim_SC/../../../../../../etc/passwd
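Added example of the check this note asks for; it is not code from opensim-SC. It resolves a requested path lexically against a base directory (the /opt/opensim_SC prefix is taken from the probe above; the other probes in main are constructed) and rejects anything that ends up outside the base. It assumes the request has already been percent-decoded exactly once and that a request whose declared length disagrees with strlen (an embedded NUL) was rejected earlier.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 4096
#define MAX_SEGS 256

/* Lexically resolve req against base (absolute, already normalised, no trailing
 * slash) and reject anything that does not stay inside base. Returns 0 and
 * writes the canonical absolute path to out, or -1 on rejection. Nothing here
 * touches the filesystem, so if base can contain symlinks, run realpath(3) on
 * the result and re-check the prefix before opening it. */
int resolve_under_base(const char *base, const char *req, char *out, size_t outlen) {
    char work[MAX_PATH_LEN];
    const char *segs[MAX_SEGS];
    size_t nsegs = 0, used = 0, baselen = strlen(base);
    int n;

    if (baselen == 0 || base[0] != '/' || req[0] == '\0') return -1;

    /* An absolute request is judged as-is; a relative one is joined to base. */
    n = req[0] == '/' ? snprintf(work, sizeof work, "%s", req)
                      : snprintf(work, sizeof work, "%s/%s", base, req);
    if (n < 0 || (size_t)n >= sizeof work) return -1;

    /* Normalise: drop empty and "." segments, pop on "..", and let ".." at the
     * root stay at the root (POSIX semantics). The prefix check at the end is
     * what actually decides; this just makes sure it cannot be dodged. */
    for (char *p = work; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        char *tok = p;
        while (*p && *p != '/') p++;
        if (*p) *p++ = '\0';
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (nsegs) nsegs--; continue; }
        if (nsegs == MAX_SEGS) return -1;
        segs[nsegs++] = tok;
    }

    if (nsegs == 0) {
        if (outlen < 2) return -1;
        strcpy(out, "/");
        used = 1;
    }
    for (size_t i = 0; i < nsegs; i++) {
        n = snprintf(out + used, outlen - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }

    /* Must be base itself or base followed by "/"; "/opt/opensim_SC2" must not pass. */
    if (strncmp(out, base, baselen) != 0) return -1;
    if (out[baselen] != '/' && out[baselen] != '\0') return -1;
    return 0;
}

int main(void) {
    /* The probe from the note above, plus a few constructed variants. */
    const char *base = "/opt/opensim_SC";
    const char *probes[] = {
        "/opt/opensim_SC/../../../../../../etc/passwd",
        "../../etc/passwd",
        "textures/../../etc/passwd",
        "textures/./sky.png",
        "/opt/opensim_SC2/x",
    };
    char out[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = resolve_under_base(base, probes[i], out, sizeof out);
        printf("%-46s -> %s\n", probes[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

A substring search for ".." is not enough on its own (it also rejects legitimate names like "v2..3") and a plain prefix compare on the raw string is what the probe above is designed to beat, since the raw string does start with /opt/opensim_SC. Canonicalise first, then compare.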

Issue History

Date Modified Username Field Change
2021-01-30 04:46 onefang New Issue
2021-01-30 04:46 onefang Status new => assigned
2021-01-30 04:46 onefang Assigned To => onefang
2021-04-26 17:24 onefang Note Added: 0000324
2021-05-28 06:41 onefang Priority normal => high
2021-10-29 10:30 onefang Note Added: 0000520
2021-10-29 10:34 onefang Note Edited: 0000520
2021-12-21 08:13 onefang Note Added: 0000532
2022-01-13 09:13 onefang Note Edited: 0000520
2022-11-22 06:48 onefang Note Added: 0000592
2022-11-22 07:28 onefang Note Added: 0000593
2023-03-16 05:13 onefang Note Added: 0000601
2023-07-29 06:43 onefang Note Added: 0000613
2024-02-17 00:03 onefang Note Added: 0000632
2024-02-17 00:04 onefang Priority high => urgent