2022-09-19 UTC
# vikanezrimaya the novel thing I did in Kittybox for the token storage is actually sanitizing filenames, since an attack to read or delete some files would otherwise be trivial -- just try to access the authorization endpoint with a code like ../../../../../../../etc/passwd (of course Kittybox doesn't run as root and cannot read or delete that file, but it could've attempted to if not for me only allowing alphanumeric characters in codes and tokens!)