Hacker News
Show HN: Browse my blog with netcat/plain TCP (anderspitman.net)
7 points by apitman on Jan 20, 2020 | 12 comments


Hey Anders, there's a vulnerability in your code. I've sent an email to you describing it.


Yep, sounds more like 'Browse my filesystem with netcat' in its current state.


It's a bit funny how timeattack is trying to not disclose the nature of the bug publicly and goes through the trouble of sending a private email and notifying here, then you spill the beans publicly in a reply. :D

It might be obvious to many, but to many more it would not be. It just raises the chances of someone exploiting it before anderspitman fixed it.

Window was pretty small though, so that's good.


To the Hacker News crowd, I think that anybody who read timeattack's comment has thought: a server application that outputs files given a filepath? Maybe we can forge some absolute path? And then, 5 minutes later, on GitHub, you confirm your hypothesis by reading 62 lines of Go.

Nevertheless, I am respectful of responsible security disclosure. Maybe timeattack will prefer to use an entirely private channel to communicate with the server owner the next time?

In the end, the info was already out, the author fixed it real quick and I hope he has cleaned his server by now ;)


Yeah, it was pretty bad.


Fixed, thank you!
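
The bug class discussed in the comments above (a TCP server that returns whatever file path the client sends) is closed by confining every request to the content root. This is an added example, not part of the thread and not the author's actual fix; the names `resolveUnderRoot` and `ErrOutsideRoot` and the temporary sample directory are assumptions, and a Unix-like filesystem is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot (hypothetical name) marks a request that would leave the content root.
var ErrOutsideRoot = errors.New("path escapes content root")

// resolveUnderRoot (hypothetical helper) maps a client-supplied request line
// such as "/txt/19" to a real file path that is guaranteed to sit under root.
func resolveUnderRoot(root, req string) (string, error) {
	req = strings.TrimSpace(req)
	if req == "" || strings.ContainsRune(req, 0) {
		return "", ErrOutsideRoot
	}
	// Rooting the request at "/" before cleaning collapses every ".." so it
	// cannot climb above the virtual root; absolute paths become relative.
	rel := path.Clean("/" + req)
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Resolve symlinks so a link inside the root cannot point outside it.
	full, err := filepath.EvalSymlinks(filepath.Join(realRoot, filepath.FromSlash(rel)))
	if err != nil {
		return "", err
	}
	if full != realRoot && !strings.HasPrefix(full, realRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root, _ := os.MkdirTemp("", "blogroot") // constructed sample content root
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "txt"), 0o755)
	os.WriteFile(filepath.Join(root, "txt", "19"), []byte("post 19\n"), 0o644)
	for _, req := range []string{"/txt/19", "/etc/passwd", "../../etc/passwd"} {
		p, err := resolveUnderRoot(root, req)
		fmt.Printf("%-20q -> %q err=%v\n", req, p, err)
	}
}
```

The check runs on the symlink-resolved path, so the file should be opened from the returned path rather than from the raw request.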


  * This site is now browsable with netcat/plain TCP (2020-01-20)
    | curl https://anderspitman.net/txt/19
    | nc txt.anderspitman.net 3838 <<< /txt/19

That's neat, but if you remove the `|` then one can copy the whole line with triple click instead of having to click and drag to carefully exclude the `|`. Just a tip to improve the UX. :)


Great suggestion, thanks. Should be working now. FWIW, I find it fastest to use the shell history and modify the last few characters.


I don't think it would be. With the current setup you can almost completely avoid using the keyboard. In bash, you just triple-click and middle-click to follow a link. You don't even need to move the mouse between clicks. Selecting a line with triple-click includes the newline needed to execute the command. Zsh has protection against executing from a paste, so you would need to hit the numpad enter key with your thumb after pasting with the middle-click. This is assuming that your desktop environment doesn't prevent you from using Xorg's PRIMARY selection clipboard.

If you haven't used PRIMARY before, you don't need to Ctrl-C/Ctrl-V (that's the CLIPBOARD clipboard). Middle-clicking does the copy and paste at once from the last selection.

I find it nice for mindless browsing. In contrast, changing the last few characters means the action is different for each link. You need to pay attention to the id of the post and write it. Also, you need to memorize the number/path, because most terminals will scroll to the bottom when you start typing.


Great points


How do you filter out the CSS etc for plaintext viewers? /txt/feed is a new one on me. Any docs on it?


I'm not currently doing any filtering. The content is in Markdown, and I'm using a home grown static site generator to make the final output. For everything under /txt/, I just append a simple header section. You can see the really hacky code I'm using to generate it here:

https://github.com/anderspitman/anderspitman.net/blob/master...



