[Hackz/2019/39]

[Hackz/2019/39/1]


you only do client-side validation of the maximum length of a post, which is easy to get around
if it's greater than 5000 characters, the post should be discarded

also, there is a directory traversal issue, for example: https://ralee.org/view/Anime/2019/16/../../../..

I'm not a malicious hacker, just figuring out bugs so you can fix them

please don't take this the wrong way, I'm just trying to help

[Hackz/2019/39/2]


I'm not seeing the vector you're pointing out with the directory traversal attack: requests to that URI only result in fetching the index page, which does not seem to be a problem; the only thing I notice is that, semantically, the request should return "301 Moved Permanently" as opposed to "200 Found".
And for your first point, I just patched that in the commit (f70c63) this morning, thanks for pointing it out; it looks like I forgot to reintroduce CONFIG_RAL_POSTMAXLEN which has been in the source tree since 2017.

If you find a vulnerability and sincerely don't want me to "take this the wrong way" then please follow a responsible disclosure policy and notify me by e-mail rather than announcing it publicly in a GitHub issue or via the BBS itself.

[Hackz/2019/39/3]


ok my bad, I will email you in the future
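
Added example, not part of the thread and not RAL's own code: the two server-side checks discussed above, written in Python. It enforces the 5000-character limit regardless of what the client sent, and resolves dot segments so that a request like the one in the first post is answered with a 301 to its canonical path. POST_MAX_LEN (standing in for CONFIG_RAL_POSTMAXLEN), accept_post and route are hypothetical names, and the sample inputs are constructed.

```python
from urllib.parse import quote, unquote

# Limit quoted in the thread; stands in for CONFIG_RAL_POSTMAXLEN (assumed value).
POST_MAX_LEN = 5000


def accept_post(body: str, max_len: int = POST_MAX_LEN) -> bool:
    """Server-side length check; a client-side limit can simply be skipped."""
    # Forms submit line breaks as CRLF. Counting each as one character is a
    # design choice made here so the server agrees with a client-side counter.
    normalized = body.replace("\r\n", "\n")
    return len(normalized) <= max_len


def route(raw_path: str) -> tuple:
    """Return (status, path): 200 if raw_path is canonical, else 301 to it."""
    # Decode first so %2e%2e is handled exactly like a literal "..".
    # An encoded slash (%2F) therefore also acts as a separator here.
    decoded = unquote(raw_path)
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                  # empty and "." segments carry no meaning
        if seg == "..":
            if segments:
                segments.pop()        # step up one level, never above the root
            continue
        segments.append(seg)
    canonical = "/" + "/".join(quote(s, safe="") for s in segments)
    if raw_path == canonical:
        return (200, canonical)
    return (301, canonical)           # Location header would carry `canonical`


if __name__ == "__main__":
    # Constructed inputs, modelled on the request path quoted in the thread.
    for p in ("/view/Anime/2019/16",
              "/view/Anime/2019/16/../../../..",
              "/view/Anime/%2e%2e/%2e%2e/%2e%2e/etc"):
        print(p, "->", route(p))
    print(accept_post("a" * 5000), accept_post("a" * 5001))
```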