Julian Lam on Nostr: arcanicanis wild, but completely understandable how something like this could slip by ...
arcanicanis (npub1pmt…d4ts) wild, but completely understandable how something like this could slip by undetected; a one-liner slip-up.
Implementors may choose to trust the response from remote endpoints, but this clearly demonstrates that it is not always wise to do so.
What is the recommended mitigation here, is it as simple as a domain match check?
Dereferencing an object's id is rather important because URLs don't always tend to match their IDs, but we want to save the actual IDs into the database...
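An added example of the domain match check asked about above (this is illustrative code, not Julian Lam's, NodeBB's, or any project's implementation). It assumes a `fetchObject` stub backed by constructed sample responses in place of a real HTTP fetch, dereferences a URL, and only accepts the returned `id` for storage when it shares an origin (scheme, host and port) with the URL that was actually fetched. The third sample shows the legitimate case the post mentions: the canonical `id` differs from the URL but stays on the same origin, so it is kept.

```javascript
// Added example: origin check on a dereferenced ActivityPub object's `id`.
// Constructed sample responses keyed by the URL that would be fetched.
// The second entry is a hypothetical response whose `id` points at a
// different origin than the URL it came from; it must be rejected.
const SAMPLE_RESPONSES = {
  'https://example.org/users/alice/notes/1': {
    id: 'https://example.org/users/alice/notes/1', type: 'Note', content: 'hello',
  },
  'https://example.org/users/alice/notes/2': {
    id: 'https://other.example/users/bob/notes/99', type: 'Note', content: 'mismatch',
  },
  'https://example.org/objects/abc': {
    // canonical id differs from the fetch URL but is on the same origin
    id: 'https://example.org/users/alice/notes/7', type: 'Note', content: 'aliased',
  },
};

// Stand-in for an HTTP fetch of an ActivityPub object (assumed, not real I/O).
function fetchObject(url) {
  const obj = SAMPLE_RESPONSES[url];
  if (!obj) throw new Error(`no sample response for ${url}`);
  return obj;
}

// Two absolute URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Dereference `url` and decide whether the returned `id` may be stored.
// Returns { ok, id, reason } so callers can log rejections.
function dereference(url, fetchFn = fetchObject) {
  if (new URL(url).protocol !== 'https:') {
    return { ok: false, id: null, reason: 'only https URLs are dereferenced' };
  }
  const obj = fetchFn(url);
  if (!obj || typeof obj.id !== 'string') {
    return { ok: false, id: null, reason: 'response has no string id' };
  }
  let idIsAbsolute = true;
  try { new URL(obj.id); } catch (e) { idIsAbsolute = false; }
  if (!idIsAbsolute) {
    return { ok: false, id: obj.id, reason: 'id is not an absolute URL' };
  }
  if (!sameOrigin(url, obj.id)) {
    // The remote endpoint is asserting an id it does not control; do not
    // let this response define an object under another server's name.
    return { ok: false, id: obj.id, reason: `id origin differs from fetched origin` };
  }
  return { ok: true, id: obj.id, reason: null, object: obj };
}

module.exports = { dereference, sameOrigin, fetchObject };
```

Usage: `dereference('https://example.org/users/alice/notes/2')` returns `ok: false` with the mismatch reason, while the aliased third sample returns `ok: true` with the canonical id. An origin check is the cheap first gate; a stricter design re-fetches `obj.id` itself when it differs from the requested URL and only stores the object if that second fetch returns the same `id`, at the cost of an extra round-trip.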