Restrict files used for profile image #3
Comments
|
If you are an attacker can't you just host your poisoned image elsewhere and use https://metadata.nostr.com/ to update your profile? |
|
Yes its possible however clients can still use some sanitization for user profile images. |
|
What is a poisoned image? Are we just talking about ip leakage and read receipts? If so, I'm not sure how you can have a full-featured UX without running afoul of that. The same vulnerability would apply to any clickable link too. In the future I might add a setting to turn off images/links, or proxy them through a server, but it's not a huge priority for coracle right now. |
ghost
mentioned this issue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Do not allow users to upload any file type, without any restrictions on file size or type. An attacker could potentially upload a malicious image file.
I tested by uploading QR code image, pdf etc. generated here: https://canarytokens.org/generate
The text was updated successfully, but these errors were encountered: