author: Runxi Yu <me@runxiyu.org> 2025-04-11 21:33:16 +0800
committer: Runxi Yu <me@runxiyu.org> 2025-04-11 21:33:16 +0800
commit: bae338623d587691b30047972247feba0f38ec8e
tree: e4626354e21058f1cf36882516c792dd2fd8ddc7
parent: Note on demo instance
README.md: Note possibility of length-extension attacks
-rw-r--r-- README.md | 3
1 file changed, 2 insertions, 1 deletion
diff --git a/README.md b/README.md
index a63ee96..10bde5f 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,6 @@ program provided near the HTML form, and submit their nonce manually.
- We should allow Git clients and RSS readers.
- If a user is attempting to submit a POST request but their powxy cookie is
invalid, powxy would redirect them to a challenge, and their POST data will
-
be lost.
- It does not work when duplex connections are needed, e.g. with Git's Smart
HTTP protocol.
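Review bot: the removed blank line (the lone `-` line between "will" and "be lost.") is a whitespace-only fix to an earlier bullet that has nothing to do with the length-extension note the commit message announces; either mention it in the commit message or split it into its own commit so the history stays searchable. The fix itself is correct: in rendered Markdown the stray blank line split one list item into a bullet plus a dangling paragraph reading just "be lost."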
@@ -63,6 +62,8 @@ program provided near the HTML form, and submit their nonce manually.
what be a good solution though, it'd be nice to have something that's more
memory-hard, but password-based key derivation functions are too heavy
on the server.
+- If we stay with SHA-256, an HMAC or prepending solutions should be used
+ instead of simply appending things; might have issues with length-extension.
- Safari on iOS and iPadOS seem to unpredictably make their requests from
different address families, which causes the challenge to fail.
- Unix domain sockets.
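Review bot: the added bullet is ambiguous about which argument order is the problem and hedges with "might have issues"; state it precisely so a future maintainer fixes the right thing. Length extension affects SHA-256 (a Merkle-Damgård hash) when a secret is hashed as a prefix of data the client can influence, H(secret || data): anyone who knows that digest and the length of secret can compute H(secret || data || padding || suffix) without ever learning secret. Putting the secret last, H(data || secret), does block that particular attack, so "prepending solutions" presumably means prepending the data to the secret; say so explicitly, or drop the alternative and just recommend HMAC-SHA256, which is the standard construction and needs no argument-order caveat. It would also help to name which powxy computation the bullet is about (the line does not say what is being appended to what) and, since the previous bullet is about choosing a different hash, to note that SHA-512/256, SHA-3 and BLAKE2 are not length-extendable, so the concern is specific to staying with SHA-256. Minor: the semicolon splices two fragments; "instead of simply appending things, which is vulnerable to length extension" reads better.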