00:09:24 Larsenv quits [Excess Flood]
00:09:46 Larsenv (Larsenv) joins
00:20:19 etnguyen03 (etnguyen03) joins
00:35:33 nepeat quits [Ping timeout: 272 seconds]
00:35:41 BlueMaxima quits [Read error: Connection reset by peer]
00:41:32 nepeat (nepeat) joins
02:12:44 etnguyen03 quits [Client Quit]
02:14:42 etnguyen03 (etnguyen03) joins
02:16:51 etnguyen03 quits [Client Quit]
03:31:48 Specular joins
03:46:17 @dxrt quits [Read error: Connection reset by peer]
03:46:22 DogsRNice_ quits [Read error: Connection reset by peer]
04:06:49 qw3rty__ quits [Ping timeout: 255 seconds]
04:09:36 qw3rty__ joins
04:10:47 dxrt joins
04:10:49 dxrt quits [Changing host]
04:10:49 dxrt (dxrt) joins
04:10:49 @ChanServ sets mode: +o dxrt
04:34:16 xarph quits [Quit: ZNC 1.8.2+deb2build5 - https://znc.in]
04:40:26 xarph joins
05:17:15 icedice quits [Client Quit]
06:17:09 Specular quits [Read error: Connection reset by peer]
06:25:42 Specular joins
07:05:41 Chris50100 (Chris5010) joins
07:05:51 Specular_ joins
07:08:13 Chris5010 quits [Ping timeout: 272 seconds]
07:08:13 Chris50100 is now known as Chris5010
07:10:07 Specular quits [Ping timeout: 272 seconds]
07:15:30 icedice (icedice) joins
08:14:07 lizardexile_ joins
08:17:28 lizardexile quits [Ping timeout: 255 seconds]
08:49:14 <fireonlive> https://x.com/veh0rny/status/1812295241707266330
08:49:14 <eggdrop> nitter: https://nitter.privacydev.net/veh0rny/status/1812295241707266330
08:49:15 <fireonlive> hmmmmm
08:55:30 yarrow quits [Client Quit]
09:00:02 Bleo1826007227196 quits [Client Quit]
09:01:20 yarrow (yarrow) joins
09:01:27 Bleo1826007227196 joins
09:08:07 benjinsm joins
09:11:43 benjins quits [Ping timeout: 272 seconds]
09:51:58 Specular_ quits [Ping timeout: 255 seconds]
10:04:17 pabs quits [Ping timeout: 272 seconds]
10:30:53 nulldata quits [Ping timeout: 272 seconds]
10:49:39 yarrow quits [Read error: Connection reset by peer]
10:49:59 nulldata (nulldata) joins
10:51:51 yarrow (yarrow) joins
10:56:25 icedice2 (icedice) joins
11:00:01 icedice quits [Ping timeout: 272 seconds]
11:02:52 Ruthalas59 quits [Remote host closed the connection]
11:11:37 midou quits [Ping timeout: 255 seconds]
11:13:17 pabs (pabs) joins
11:20:19 sludge_ joins
11:22:19 sludge__ joins
11:22:52 sludge quits [Ping timeout: 255 seconds]
11:25:07 sludge_ quits [Ping timeout: 255 seconds]
13:13:01 qw3rty__ quits [Ping timeout: 272 seconds]
13:15:05 qw3rty__ joins
14:29:39 katocala quits [Ping timeout: 272 seconds]
14:29:56 katocala joins
14:42:05 icedice2 quits [Client Quit]
14:45:49 katocala quits [Ping timeout: 255 seconds]
14:46:02 katocala joins
15:58:57 DogsRNice joins
16:00:42 DogsRNice_ joins
16:04:34 DogsRNice quits [Ping timeout: 255 seconds]
16:29:38 DogsRNice_ quits [Client Quit]
16:29:40 DogsRNice_ joins
16:30:06 DogsRNice_ quits [Read error: Connection reset by peer]
16:33:42 DogsRNice joins
16:40:52 midou joins
16:49:37 qw3rty__ quits [Ping timeout: 272 seconds]
16:50:08 qw3rty__ joins
17:16:25 HackMii quits [Remote host closed the connection]
17:20:48 icedice (icedice) joins
17:31:05 HackMii (hacktheplanet) joins
17:39:34 <pabs> http://blog.sesse.net/blog/tech/2024-07-15-13-04_pull_requests_via_git_push.html
18:04:26 HackMii quits [Remote host closed the connection]
18:12:18 HackMii (hacktheplanet) joins
18:19:41 Shjosan quits [Quit: Am sleepy (-, – )…zzzZZZ]
18:20:33 Shjosan (Shjosan) joins
18:22:33 HackMii quits [Remote host closed the connection]
18:25:27 HackMii (hacktheplanet) joins
18:38:58 PredatorIWD quits [Read error: Connection reset by peer]
18:44:28 PredatorIWD joins
19:25:12 <fireonlive> modern web developers: fuck you
19:25:14 <fireonlive> thanks
19:30:42 pabs quits [Read error: Connection reset by peer]
19:31:21 pabs (pabs) joins
20:03:57 DogsRNice_ joins
20:06:40 DogsRNice quits [Ping timeout: 255 seconds]
20:07:06 <pabs> same to modern browser developers: fuck you too :)
20:19:11 <pabs> https://www.ow2.org/view/Events/The_European_Union_must_keep_funding_free_software_open_letter https://news.ycombinator.com/item?id=40970985
20:26:51 Irene quits [Read error: Connection reset by peer]
20:31:07 Irenes (ireneista) joins
20:44:31 AlsoHP_Archivist joins
20:48:23 HP_Archivist quits [Ping timeout: 272 seconds]
21:00:31 ThetaDev quits [Client Quit]
21:00:49 ThetaDev joins
21:02:44 <fireonlive> hello where did i leave my beats headphones
21:02:48 <fireonlive> thanks xoxo
21:03:35 nic8693102 quits [Ping timeout: 272 seconds]
21:08:36 <nulldata> !8ball Will fireonlive find his Beats?
21:08:37 <eggdrop> 🎱: nulldata, as i see it, yes
21:08:46 <nulldata> fireonlive - Good news!
21:08:55 <fireonlive> yay!
21:20:08 <kpcyrd> fireonlive: "I have backups, in case someone discovers some sort of evil security hole" - git, email, shell, $5 there's some kind of RCE issue in this setup
21:20:36 <fireonlive> oh for sure haha
21:22:08 <kpcyrd> it's creative, but I wish the "decentralize everything!!" people would eventually figure something out and normalize it
21:22:22 <kpcyrd> specifically for contributions
21:23:48 <fireonlive> hopefully forgejo... maybe?
21:24:46 <kpcyrd> the thing nobody can pronounce? :)
21:24:47 ymgve_ joins
21:24:58 f_ quits [Ping timeout: 255 seconds]
21:25:11 <fireonlive> 😅
21:26:26 f_ (funderscore) joins
21:26:33 etnguyen03 (etnguyen03) joins
21:26:50 <kpcyrd> http://ipa-reader.xyz/?text=for%CB%88d%CD%A1%CA%92e.jo apparently
21:28:55 ymgve quits [Ping timeout: 272 seconds]
21:31:25 <steering> Excluding an RCE in git/git-http-backend (whatever that is) it should be perfectly secure
21:32:16 <steering> tis a neat idea
21:38:02 <kpcyrd> I mean the good ol' CVE-2018-1000156 style unix exploits
21:39:33 <kpcyrd> "oh actually when processing this patch it invokes ed and pipes the input as editor instructions but the editor also supports `!<cmd>`" or something
21:40:24 <kpcyrd> bless if you memorized all /usr/bin/mail footguns
21:42:37 <steering> sure, but git is what's actually doing everything from patching to mailing, and has been pretty heavily scrutinized for this sort of workflow; half the issues in git historically have also been present in the various git frontends
21:43:38 <steering> I'm sure there are plenty more RCEs in git, I just wouldn't attribute them "in this setup" :)
21:49:22 <kpcyrd> it's difficult to reason about this because those are probably not reachable through git-http-backend, but for starters ` --quiet $oldsha..$newsha` -> ` --quiet "$oldsha..$newsha"` and `read -r`
21:56:39 <kpcyrd> the script is bugged in the way that it can't properly handle echo '--sendmail-cmd="touch\ /tmp/pwned"\ 1337 foo bar refname', and you rely on the other program to keep you secure and this bug unreachable
21:57:18 <kpcyrd> (I didn't test this, but something along these lines should work)
22:04:35 sec^nd quits [Ping timeout: 260 seconds]
22:09:58 sec^nd (second) joins
22:10:25 <kpcyrd> you could even go with `--quiet -- "$oldsha..$newsha"` if you want to be extra correct. the quotes prevent argument splitting, but they don't stop the argument parser from assigning special meaning to the 0x2C byte - you'd rely on the absence of a positional argument to not act on the flag that was passed instead
22:11:20 <steering> While I agree that it should at least be quoted, I also expect git to strictly define the format it sends to hooks because they're expected to receive untrusted data and the format is strictly defined (by git)
22:12:47 <kpcyrd> *0x2D
22:14:18 <kpcyrd> it's likely not exploitable, but the amount of stuff you need to learn/know to be able to reason about all this in the first place is quite something :)
22:15:19 <steering> true, but that's why I'd rather let the smart people writing git help ;)
22:16:37 <steering> https://github.com/git/git/blob/master/builtin/receive-pack.c#L882 yeah they're both explicitly converted into hex before getting fed to the hook
22:18:26 <steering> now with all that said -- yes, if he tries doing something more complex in the hook he's gonna get into trouble. thankfully no one says your git hooks have to be written in shell :)
22:22:45 <kpcyrd> or maybe the custom SSH-facing code was not that bad to begin with? ;)
22:27:51 <Harzilein> good evening kpcyrd
22:28:27 <Harzilein> (good (ugt) evening everyone)
22:34:28 <kpcyrd> hello
22:37:29 GNU_world quits [Quit: Konversation terminated!]
22:39:41 etnguyen03 quits [Client Quit]
22:40:04 benjins joins
22:40:34 benjinsm quits [Ping timeout: 255 seconds]
22:40:34 benjins2 quits [Ping timeout: 255 seconds]
22:43:19 sec^nd quits [Ping timeout: 260 seconds]
22:45:24 etnguyen03 (etnguyen03) joins
22:45:24 sec^nd (second) joins
22:48:30 BlueMaxima joins
22:52:35 GNU_world joins
23:01:18 yarrow quits [Read error: Connection reset by peer]
23:05:26 nic8693102 (nic) joins
23:17:51 sec^nd quits [Ping timeout: 260 seconds]
23:29:23 <fireonlive> !ig es96ihu6b0qmr01g366t04wdk ^https?://www\.millironcontracting\.com/
23:29:26 <fireonlive> .
23:30:44 <thuban> ((ugt?))
23:31:35 sec^nd (second) joins
23:44:15 etnguyen03 quits [Client Quit]
23:45:05 Medowar quits [Ping timeout: 272 seconds]
23:49:59 Medowar joins