It seems to work, even though you would assume it shouldn't. Can I assume Sandstorm doesn't care about an app's own CSP or Frame Options requests?
samba_ has quit [Quit: WeeChat 2.1]
Zarutian_PI has quit [Read error: Connection reset by peer]
Zarutian_PI has joined #sandstorm
isd has quit [Quit: Leaving.]
digitalcircuit has quit [Quit: Signing off from Quassel - see ya!]
digitalcircuit has joined #sandstorm
jemc has joined #sandstorm
ogres has quit [Quit: Connection closed for inactivity]
pie_ has quit [Ping timeout: 260 seconds]
jemc has quit [Ping timeout: 264 seconds]
afuentes has joined #sandstorm
wolcen has quit [Ping timeout: 240 seconds]
wolcen has joined #sandstorm
catern has quit [Ping timeout: 240 seconds]
catern has joined #sandstorm
pie_ has joined #sandstorm
pie__ has joined #sandstorm
pie_ has quit [Ping timeout: 260 seconds]
Telesight has joined #sandstorm
kentonv: It's not the webserver that is "delivering" certificates. It's a completely separate tool. And now that that tool doesn't need to serve HTTP for validation, it can run without needing any special integration layer; just input the path to the periodically refreshed cert and you're done.
wolcen has quit [Ping timeout: 240 seconds]
wolcen has joined #sandstorm
xet7 has joined #sandstorm
pie__ has quit [Quit: Leaving]
pie_ has joined #sandstorm
test123 has joined #sandstorm
wolcen has quit [Ping timeout: 256 seconds]
Zarutian_PI has quit [Read error: Connection reset by peer]
nicoo has quit [Remote host closed the connection]
nicoo has joined #sandstorm
jemc has joined #sandstorm
ocdtrekkie, Sandstorm doesn't pass through those headers from the app. Instead, it sets its own values for the headers. I don't foresee any need for it to pay attention to what the app sets, so I think it's unlikely that it ever will.
jemc has quit [Ping timeout: 265 seconds]
ccx^xmpp, in order for Let's Encrypt to give you a wildcard cert, you have to prove that you control DNS by setting a DNS entry. All I'm saying is that Sandstorm can't automate this, but you can of course perform the process manually and then use those certs with Sandstorm.
sorry; misclick
But yeah. My point was that there's no point in making that as there are tools already that do just that.
First vuln is in newer version; second I think is irrelevant (uses sqlite?); third pre-empted by existing access control. Does that seem right?
kentonv: Fun fact: In Sandstorm's previous functionality, the last activity date didn't update when the API was accessed; now it does.
I actually think this is an improvement, but I figured I'd point it out.
TimMc: Sounds about right. And of course, the extent of damage one can do in an Etherpad grain is... that grain, so only really public Etherpad grains might have to be worried.
There aren't enough details there to evaluate the risk from a public-read Etherpad grain assuming the first two vulns *were* in play, though.
Hmm, yeah, it's possible you'd need edit access to exploit it, in which case it wouldn't matter at all.
Wekan 0.80 is approved on Sandstorm. (I approved Firefly III yesterday.)
WordPress is updated on the experimental market, but I haven't gotten the go-ahead yet to approve it.
RCE in Sandstorm grains is still an issue, despite the containerization.
Sure, if it is exploitable, it could serve malware to other users it's shared with, presumably.
Or get out of the container.
Container breakouts aren't unheard of, and an attacker may have some in their private stash.
pie__ has joined #sandstorm
pie_ has quit [Ping timeout: 276 seconds]
Telesight has quit [Remote host closed the connection]
jemc has quit [Ping timeout: 260 seconds]
afuentes has quit [Ping timeout: 240 seconds]
jemc has joined #sandstorm
AZero has joined #sandstorm
TimMc, based on the announcement it seems like Sandstorm is not affected by any of the three vulnerabilities, though I wish they'd give more detail on the bugs so that I could tell for sure.
While a fresh Etherpad build would be nice, it is probably worth waiting. The new build has gotten a lot of bugs reported, including data loss.
good to know
pie__ has quit [Ping timeout: 255 seconds]
pie_ has joined #sandstorm
jemc has quit [Ping timeout: 264 seconds]
ogres has quit [Quit: Connection closed for inactivity]
sandworm has joined #sandstorm
hello. I try to install Sandstorm on my container. Is there a way to turn that off? "Press enter to accept defaults. Type 'no' to customize. [yes]"
Well, he left and gave us no way to contact him.
But installing Sandstorm inside containers doesn't generally work.
I think he answered his question
by reading the script
comments in the script
I am just thinking that is not going to be his only problem.
jemc has joined #sandstorm
jemc has quit [Client Quit]
jemc has joined #sandstorm
jemc has quit [Ping timeout: 256 seconds]
jemc has joined #sandstorm
kentonv: Yeah, it didn't seem too concerning to me either, and a quick search of the diff since the last etherpad release didn't turn up any clues.