
Show HN: Browse my blog with netcat/plain TCP - anderspitman
https://anderspitman.net/19/#netcatable
======
timeattack
Hey Anders, there's vulnerability in your code. I've sent an email to you
describing it.

~~~
wandererx2a
Yep, sounds more like 'Browse my filesystem with netcat' in its current state.

~~~
jolmg
It's a bit funny how timeattack is trying to not disclose the nature of the
bug publicly and goes through the trouble of sending a private email and
notifying here, then you spill the beans publicly in a reply. :D

It might be obvious to many, but to many more it would not be. It just raises
the chances of someone exploiting it before anderspitman fixed it.

Window was pretty small though, so that's good.

~~~
wandererx2a
To the Hacker News crowd, I think that anybody that read the timeattack's
comment has thought: a server application that output files given a filepath?
Maybe we can forge some absolute path? And then, 5 minutes later, on Github,
you confirm your hypothesis by reading 62 lines of Go.

Nevertheless, I am respectful of responsible security disclosure. Maybe
timeattack will prefer to use an entirely private channel to communicate with
the server owner the next time?

In the end, the info was already out, the author fixed it real quick and I
hoped he has cleaned its server by now ;)

------
jolmg

      * This site is now browsable with netcat/plain TCP (2020-01-20)
        | curl https://anderspitman.net/txt/19
        | nc txt.anderspitman.net 3838 <<< /txt/19
    

That's neat, but if you remove the `|` then one can copy the whole line with
triple click instead of having to click and drag to carefully exclude the `|`.
Just a tip to improve the UX. :)

~~~
anderspitman
Great suggestion, thanks. Should be working now. FWIW, I find it fastest to
use the shell history and modify the last few characters.

~~~
jolmg
I don't think it would be. With the current setup you can almost completely
avoid using the keyboard. In bash, you just triple-click and middle-click to
follow a link. You don't even need to move the mouse between clicks. Selecting
a line with triple-click includes the newline needed to execute the command.
Zsh has protection against executing from a paste, so you would need to hit
the numpad enter key with you thumb after pasting with the middle-click. This
is assuming that your desktop environment doesn't prevent you from using
Xorg's PRIMARY selection clipboard.

If you haven't used PRIMARY before, you don't need to Ctrl-C/Ctrl-V (that's
the CLIPBOARD clipboard). Middle-clicking does the copy and paste at once from
the last selection.

I find it nice for mindless browsing. In contrast, changing the last few
characters means the action is different for each link. You need to pay
attention to the id of the post and write it. Also, you need to memorize the
number/path, because most terminals will scroll to the bottom when you start
typing.

~~~
anderspitman
Great points

------
alexellisuk
How do you filter out the CSS etc for plaintext viewers? /txt/feed is a new
one on me. Any docs on it?

~~~
anderspitman
I'm not currently doing any filtering. The content is in Markdown, and I'm
using a home grown static site generator to make the final output. For
everything under /txt/, I just append a simple header section. You can see the
really hacky code I'm using to generate it here:

[https://github.com/anderspitman/anderspitman.net/blob/master...](https://github.com/anderspitman/anderspitman.net/blob/master/curly-
jefferson)

