Screw up scrapper

[powerboat9]

Screws up the scrapper here using a spider trap. Should screw up some other curl based scrappers.

[shenlebantongying]

Approved!

[shenlebantongying]

https://archive.is/1bHIq

[nukeop]

Can you inject rm -rf ~/? Or a fork bomb?

[powerboat9]

Can you inject rm -rf ~/? Or a fork bomb?

I don't think so. The way xargs is used, the only thing you can really do is screw with the url parameter curl gets. You could try using a name starting with "../../" to call a different api function, though you'd have to find an api function that takes the same parameters in a POST request.

[nukeop]

They seem to have adapted to this hack in a fork...

[powerboat9]

#4661

[powerboat9]

#4667

[nukeop]

Won't that break some links? Like mailto:?

[shenlebantongying]

yes, reverted

6ad7901

[nukeop]

Thanks for fixing.

[nukeop]

Looking at that scraper, we could add a fake attribute to each <a> tag, e.g. <a herp="https://github.com/derp\>" href=[real link] and it would fuck it up again because it looks for everything between the beginning of github url and \>.