From 81c8f1cf6dd5bf3460479428b30313f7e9574671 Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Sat, 14 May 2022 01:25:19 -0400 Subject: [PATCH] Tweak latest --- content/httppppppppppp-upload.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/httppppppppppp-upload.md b/content/httppppppppppp-upload.md index 6bd869d..4a590ac 100644 --- a/content/httppppppppppp-upload.md +++ b/content/httppppppppppp-upload.md @@ -34,8 +34,8 @@ Solution(s) 1. Conversations has a [handful](https://github.com/iNPUTmice/Conversations/commit/7e762eb799abe0d4f172d04eb714b97e838a8b1f) [of](https://github.com/iNPUTmice/Conversations/commit/eadb1e127b81005b8d83a86197e6c71ce0115fcc) [commits](https://github.com/iNPUTmice/Conversations/commit/95e3a6769d6cdc08ff86d70fb8cb561974346501) to: a. request uncompressed file size b. only download up to that size -2. Dino [allows file transfers to be cancelled](https://github.com/dino/dino/commit/193bf38a790b2a124493c3b7ad591f826e0f773d) -3. Gajim [allows file tranfers to be cancelled](https://dev.gajim.org/gajim/gajim/-/commit/57924ca86061d60634bfa3ff0253b9d481f0f906) +2. Dino [allows file transfers to be canceled](https://github.com/dino/dino/commit/193bf38a790b2a124493c3b7ad591f826e0f773d) +3. Gajim [allows file transfers to be canceled](https://dev.gajim.org/gajim/gajim/-/commit/57924ca86061d60634bfa3ff0253b9d481f0f906) 4. Siskin [only downloads the number of bytes returned in HEAD request](https://github.com/tigase/siskin-im/commit/2a9adecbbdccee880e1d587d65ed2d2be899ccca) (Impossibility of) Coordinated Disclosure @@ -48,8 +48,10 @@ Advice for HTTP-using devs 1. You have no guarantee headers will end, limit these to something sane, maybe 16k of headers or something 2. You have no guarantee data returned by the HEAD request will match that returned by the GET request. -3. Beware transer-chunked encoding. +3. Beware transfer-chunked encoding. 4. Always have a way to cancel or a sane limit. +5. Make sure your "sane limit" is *after* decompression is applied, not before (ie [zip-bomb](https://en.wikipedia.org/wiki/Zip_bomb) ) +6. Beware old attacks like [slow loris](https://en.wikipedia.org/wiki/Slowloris_(computer_security)) so require a minimum speed For XMPP client devs specifically, this advice applies to downloading HTTP Uploaded files, POSH files, host-meta files, and anything else you might grab over HTTP. Honestly just beware [any stream that may be unlimited](https://www.moparisthebest.com/eatxmempp-cve-2021-32918/).