this post was submitted on 15 May 2026
most of the instances are offline or admin only login last I checked

https://lemmy.ml/modlog/14815

[–] Goferking0@ttrpg.network 13 points 1 week ago (2 children)

Even dealing with a security issue the code is shit. Why are they chaining multiple ors in a single if statement?

```python
import ipaddress

from flask import current_app  # import assumed; not shown in the quoted snippet
from furl import furl          # import assumed; not shown in the quoted snippet


def is_invalid_get_request_uri(uri):
    if current_app.debug:
        return False
    try:
        ip = ipaddress.ip_address(furl(uri).host)
    except:
        ip = None

    if ip:
        return ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_loopback or ip.is_multicast or ip.is_unspecified
    return False


def is_invalid_post_request_uri(uri):
    return is_inv  # quoted snippet is cut off here
```

https://codeberg.org/rimu/pyfedi/commit/ada8e2ea35ec687000b7e7c2343288d44a219c3a
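A hardened rewrite of the quoted check, added here as an example (not PieFed's code): `urllib.parse` instead of `furl`, an explicit `ValueError` instead of the bare except, the six address attributes in one tuple instead of a chained `or`, IPv4-mapped IPv6 unwrapped, and a hostname resolved through an injectable `resolve` callable (assumed name; the default uses the OS resolver) rather than being silently accepted. The `debug` parameter stands in for `current_app.debug`.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# The six attributes the original chained with `or`, kept as data so the
# check reads as one `any()` and can be extended without editing the if.
NON_PUBLIC_FLAGS = ("is_private", "is_link_local", "is_reserved",
                    "is_loopback", "is_multicast", "is_unspecified")


def is_non_public(ip):
    """True if `ip` falls in any of the non-public ranges above."""
    # ::ffff:127.0.0.1 is an IPv6 object; apply the IPv4 rules to its payload.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(getattr(ip, flag) for flag in NON_PUBLIC_FLAGS)


def resolve_host(host):
    """Default resolver: every address the OS resolver returns for `host`."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_invalid_get_request_uri(uri, debug=False, resolve=resolve_host):
    """Reject a URI whose host is, or resolves to, a non-public address."""
    if debug:
        return False
    try:
        host = urlparse(uri).hostname   # strips the [] around IPv6 literals
    except ValueError:                  # malformed netloc such as "http://[::1"
        return True
    if not host:
        return True                     # no host at all: fail closed
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                  # not an IP literal, so a hostname
        addrs = resolve(host)
        # Unresolvable names fail closed; any non-public answer rejects.
        return not addrs or any(is_non_public(a) for a in addrs)
    return is_non_public(ip)
```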

[–] MoonMelon@lemmy.ml 9 points 1 week ago

Bare except, too. Not ideal.

[–] mathemachristian@hexbear.net 9 points 1 week ago (1 children)

I mean they weren't given any heads up but had to instantly shut down their servers and figure out what was going on and come up with a solution on the spot. Not that I think piefed is well-made but just publicly posting critical security vulnerabilities is a dick move.

[–] Goferking0@ttrpg.network 1 points 1 week ago (1 children)
[–] mathemachristian@hexbear.net 0 points 1 week ago (1 children)

Yeah, piefed is rather small and apparently no one even thought to as much as prompt an LLM for the code. It was an unknown vulnerability.

[–] Goferking0@ttrpg.network 2 points 1 week ago (1 children)

https://lemmy.ml/post/47379574 - I think this is at least one of them?

Will be an interesting read when not weekend.

Mostly wasn't sure if something big in python or just the implementation. Been so many announcements on big vulnerabilities lately.

[–] mathemachristian@hexbear.net 2 points 1 week ago

If it's the one from yogthos then yeah