There is a bug in yarnd that’s been around for a while and is still present in the current version I’m running that lets a person hit a constructed URL like

YOUR_POD/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin

and see a legitimate-looking page on YOUR_POD, with an HTTP code 200 (success). From that fake page you can even follow an external feed. Try it yourself, replacing “YOUR_POD” with the URL of any yarnd pod you know. Try following the feed.

I think URLs like this should return errors. They should not render HTML, nor produce legitimate-looking pages. This mechanism is ripe for DDoS attacks. My pod gets roughly 70,000 hits per day to URLs like this. Many are porn or other types of content I do not want. At this point, if it’s not fixed soon I am going to have to shut down my pod. @prologic@twtxt.net please have a look.

I’ve pushed a slightly improved version of this that will return an HTTP 404 Not Found if the UserAgent is determined to NOT be a Browser.

@prologic@twtxt.net hmm… I think we should do better than this. It is an improvement though. Ideally we check that URI to make sure it is a twtxt.txt (contents, or otherwise). If it isn’t, don’t link, don’t follow, don’t “create” an empty page. If it is not twtxt, it shouldn’t be on twtxt. :-)

@bender@twtxt.net The problem with this is we just don’t know until we try. That’s why if the external feed you’re looking for isn’t found in the cache, it’ll try to fetch it in the background. It’s a bit of a sucky UX really, but it’s better than the experience of “waiting, waiting, waiting and then timeout”.

I’m happy with the current implementation though, because the only reason you should be hitting the external profile endpoint at all is a) you’re logged in and happen to click on someone’s profile that is external to the pod or b) you’re anonymous and just clicking through the frontpage (see a).

@abucci@anthony.buc.ci This is already in place. It will error, return 404 Feed Not Found for non-browsers and external feeds are never fetched (unless you are an authenticated/valid user of the pod) – I patched that hole a while ago, because I already picked up it was being abused by bots 🤖

A stopgap setting that would let me stop all calls to /external matching a particular pattern (like this damn lovetocode999 nick) would do the job. Given the potential for abuse of that endpoint, having more moderation control over what it can do is probably a good idea.
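The policy the thread converges on (404 for anonymous non-browser callers, no background fetch for anonymous callers, a moderator block pattern on the nick, a sanity check on the uri, and bender's idea of checking that the fetched body is actually twtxt) sketched as one decision function. This is an added example in Go, not yarnd's own code; the function names, the `cached` flag and the block pattern are assumptions.

```go
package main

import (
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical policy for a /external handler; not yarnd's own code.
// Moderator block pattern (constructed entry for the nick named in the thread).
var blockedNick = regexp.MustCompile(`(?i)^lovetocode\d+$`)

// A twt is "<RFC 3339 timestamp><TAB><text>".
var twtLine = regexp.MustCompile(`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(?::\d{2})?(?:Z|[+-]\d{2}:\d{2})\t\S`)

func isBrowser(ua string) bool {
	ua = strings.ToLower(ua)
	return strings.Contains(ua, "mozilla/") || strings.Contains(ua, "safari/")
}

// validURI: only absolute http(s) URLs with a host may reach the fetcher.
func validURI(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// looksLikeTwtxt: skip blank and "# ..." metadata lines; the first remaining line must be a twt.
func looksLikeTwtxt(body string) bool {
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimRight(line, "\r")
		if strings.TrimSpace(line) == "" || strings.HasPrefix(line, "#") {
			continue
		}
		return twtLine.MatchString(line)
	}
	return false
}

// externalStatus: 404 unless the caller is logged in or a browser, the nick is not blocked,
// the uri is sane, and (for anonymous callers) the feed is already cached, so anonymous
// traffic can never trigger a background fetch or a rendered page.
func externalStatus(authenticated, cached bool, ua, nick, uri string) int {
	if (!authenticated && !isBrowser(ua)) || blockedNick.MatchString(nick) || !validURI(uri) {
		return http.StatusNotFound
	}
	if !authenticated && !cached {
		return http.StatusNotFound
	}
	return http.StatusOK
}
```

A handler would call `externalStatus` before rendering anything and run `looksLikeTwtxt` on the fetched body before linking or following the feed.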
