centralized repo collection TWEET

lad1337 10 years ago · updated by Sami Haahtinen 10 years ago · 5
send a tweet with the url to XDM_APP that contains something like

@XDM_APP my fancy #repo https://github.com/lad1337/XDM-main-plugin-repo/

and XDM would check these tweets and collect the urls ... no central service (maintained by me) easy to use and more awareness

Let me object to this in the form of a tweet:

@XDM_APP Buy my fancy viagra now https://viagraburger.com/biggor-p3n1s/

Sure, it might be a nice and dynamic solution, but we need some kind of a way to control and remove harmful entries as well.
Same goes for the other idea with the form.

  1. your tweet is missing the #repo thing
  2. It could be restricted to urls ending with .json
  3. The response body must be json parseable
  4. The json must fit the schema (uhhh I could enforce a json schema!)
Only then XDM should use the URL

Well true, but anyone could forge a url with .json at the end and it would be quite dangerous to have N instances of XDM polling random addresses for json. This could easily be used as an attack against servers, the ultimate DDOS :)

Not to mention that you can quite easily forge a url that is valid but has nothing to do with json, but still looks like json: http://example.com/index.php/foobar.json or https://www.facebook.com/index.php/doodaa.json

The way that PHP works, that should be valid with pretty much all php files with the same logic.

Don't get me wrong, I like the idea of decentralized repository management, but I'm seeing a lot of potential for malicious behavior with the proposed solution.

Mhhh DDOS ... That is true and unavoidable if XDM has to get the content to verify the URL
so can this be vital by enforcing a bunch of rules on the URL schema?

maybe only allow "https://raw.github.com" ?

Yeah, that would be a sane assumption and would work without much trouble. It would also help deal with spam, since github has mechanisms to disable spam repositories etc.
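
The URL rules the thread converges on (https only, host fixed to raw.github.com, path ending in .json, #repo hashtag required), as an added example that is not part of the original thread or XDM's own code. The check runs on the URL string alone, so no instance contacts a host that fails it. The function names, the sample tweets and the repository path are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption: the single host proposed in the thread is the whole allowlist.
ALLOWED_HOSTS = {"raw.github.com"}


def check_repo_url(url):
    """Return (ok, reason) for a candidate repo URL without fetching it."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # https://raw.github.com@other.host/ puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if port not in (None, 443):
        return False, "non-default port"
    # Exact match on the parsed host; prefix or substring tests would
    # accept raw.github.com.other.host.
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if not parts.path.endswith(".json"):
        return False, "path does not end with .json"
    return True, "ok"


def repo_urls_from_tweet(text, hashtag="#repo"):
    """Return allowlisted URLs from a tweet, or [] if the hashtag is absent."""
    words = text.split()
    if hashtag not in words:
        return []
    return [w for w in words if check_repo_url(w)[0]]


if __name__ == "__main__":
    # Constructed sample tweets; the repository path is a placeholder.
    samples = [
        "@XDM_APP my fancy #repo https://raw.github.com/example-user/example-repo/master/meta.json",
        "@XDM_APP my fancy #repo https://www.facebook.com/index.php/doodaa.json",
        "@XDM_APP #repo https://raw.github.com.evil.example/meta.json",
    ]
    for tweet in samples:
        print(repo_urls_from_tweet(tweet), "<-", tweet)
```

The fetch that follows should refuse redirects or re-run `check_repo_url` on each redirect target, and the JSON-parse and schema steps from the thread still apply to the response body.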