In other words, he wants everyone else in power to have just as much to lose as he does if the regime fails, so that they don't turn on him. It works like this in NK and Russia.
...or the mob, or street gangs whose initiation rituals usually involve committing a crime to bind you to the group, so you all have something to lose.
A potential customer could leave the site, spend time searching for a coupon code, not find anything and give up, and then not return to the site to complete the purchase. Honey could keep users on the site moving through the order flow even if it didn't find anything.
It is a tool used by developers to keep track of time spent in their editor as well as related metadata like which projects were worked on, which languages were used and so on.
Signal makes it very difficult to even tell what parties are talking to each other (though if you have nation-state-level internet tracking, you can probably tell.)
Signal doesn't know anything about you except your number or screenname, when you signed up, and when you were last active.
Zoom is none of those things and the grandparent commenter has no idea what they're talking about.
Signal may be E2E encrypted, but if I root your phone with a 0-click exploit, which most of the state-level actors we care about can and do do, then I can just read your Signal messages out of memory as soon as you open them. Period. End of.
Using a public smartphone to conduct discussions about classified information is straight crazy. E2E encrypted or not.
The middleware should fetch auth, not check it. Each page should check the auth provided by the middleware. Skipping middleware wouldn't bypass anything in this case.
If each page has different criteria, sure, but if not, why? Let's say I simply care if the user is a paying member. I don't see why I wouldn't just have that in the middleware.
That should be the server. Your Next.js app should have zero access to business data without at least an auth token. And if you're relying on middleware for auth, it'll be responsible for providing that auth token to the rest of the app. And if you bypass middleware, then there's no auth token, and no vulnerability.
This is only a vulnerability if you have pages you don't want to render for some people, regardless of upstream data it would need to fetch.
Not necessarily. There is no big difference whether the business logic resides in the same node process or another one. If the first process is unsafe on that level, then the token can also be extracted.
Middleware runs server-side, doesn't it? Tbh I haven't used Next.js middleware, but in many frameworks I have used middleware that provides overarching access control.
For example, having all routes under `/admin/*` automatically return an error if the user is not an admin, so that the individual routes don't need to be concerned with access control.
The issue is, everyone uses middleware because Next.js doesn't provide a primitive for a middleware like how it's done for any other framework. Just something to execute before your endpoint, that's it.
They haven't had one for years and everyone wrapped their endpoints, which was error-prone and also flat out annoying, so it's reasonable that people then jump to middleware.
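The two designs argued over above ("middleware gates, handlers trust it" versus "middleware only fetches identity, every handler checks it", plus the `/admin/*` prefix pattern) are easier to compare in code. The block below is an added example, not code from this thread or from Next.js: a tiny in-memory router where `SESSIONS` is a hypothetical session store and the `skipMiddleware` flag simulates a framework defect that delivers a request to a route handler without the middleware ever running.

```javascript
// Added example (not from the thread or from Next.js). Contrasts the two
// middleware designs discussed above using a minimal in-memory router.
// Assumptions (hypothetical): SESSIONS stands in for a real session store;
// the skipMiddleware flag models a framework bug that lets a request reach a
// handler without the middleware running.

const SESSIONS = {
  "tok-admin": { user: "alice", role: "admin", paying: true },
  "tok-free":  { user: "bob",   role: "user",  paying: false },
};

function lookupSession(req) {
  return SESSIONS[req.headers.authorization] || null;
}

// Design A ("gate in middleware"): middleware rejects non-admins on /admin/*
// and the handler trusts that it can only be reached after that check.
function gatingMiddleware(req) {
  if (!req.path.startsWith("/admin/")) return null; // not a protected prefix
  const session = lookupSession(req);
  if (!session || session.role !== "admin") return { status: 403, body: "forbidden" };
  req.session = session;
  return null; // fall through to the handler
}
function adminHandlerTrusting(req) {
  return { status: 200, body: "admin panel" };
}

// Design B ("middleware fetches, handler checks"): middleware only resolves
// identity and attaches it; every protected handler enforces the rule itself,
// and the backend it calls also refuses without a valid session.
function fetchingMiddleware(req) {
  req.session = lookupSession(req);
  return null;
}
function fetchAdminData(session) {
  // Hypothetical backend call: the data layer needs the session too.
  if (!session || session.role !== "admin") throw new Error("backend: unauthorized");
  return "admin panel";
}
function adminHandlerChecking(req) {
  if (!req.session || req.session.role !== "admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: fetchAdminData(req.session) };
}

// Runs middleware (unless bypassed), then the handler.
function dispatch(middleware, handler, req, { skipMiddleware = false } = {}) {
  if (!skipMiddleware) {
    const early = middleware(req);
    if (early) return early;
  }
  return handler(req);
}

function makeReq(token) {
  return { path: "/admin/users", headers: { authorization: token }, session: undefined };
}

// Status a request with the given token gets under each design, with the
// middleware running normally and with it bypassed.
function compare(token) {
  return {
    gating: {
      normal:   dispatch(gatingMiddleware, adminHandlerTrusting, makeReq(token)).status,
      bypassed: dispatch(gatingMiddleware, adminHandlerTrusting, makeReq(token), { skipMiddleware: true }).status,
    },
    fetching: {
      normal:   dispatch(fetchingMiddleware, adminHandlerChecking, makeReq(token)).status,
      bypassed: dispatch(fetchingMiddleware, adminHandlerChecking, makeReq(token), { skipMiddleware: true }).status,
    },
  };
}

console.log(JSON.stringify(compare("tok-free")));
// gating.bypassed is 200: skipping the middleware skipped the only check.
// fetching.bypassed is 403: no session was attached, so the handler refuses.
```

For the non-admin token, design A returns 403 only while the middleware runs and 200 the moment it is skipped; design B returns 403 either way, because the handler (and the backend behind it) never relied on the middleware having executed. That is the practical meaning of "fetch, don't check" in middleware: the middleware becomes a convenience, not the security boundary.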
It took them a week to respond to the initial report for v12.0.0; the exploit was so trivial and obvious that even that should have been a warning to go check newer versions themselves, even if they hadn't seen the follow-up message that had been sent a few days prior showing that the vulnerability was present in later versions.