z0x/anubis
Code Activity

cmd/anubis: delete example RSS reader rule (#67)

Browse source 
The example/default bot policy document had a rule to allow RSS readers
through based on paths that end with ".rss", ".xml", ".atom", or
".json". Frameworks like Rails will treat these specially, meaning that
going to /things/12345-whateverhaha.json could bypass Anubis.

I checked the history of this rule and it was present in the original
example policy file in Xe/x. This rule is likely a mistake and it has
been removed. I think it was for making my blog still work with RSS
readers.

Thanks to Graham Sutherland for reporting this over email.

Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
Xe Iaso 2025-03-21 17:20:17 -04:00 committed by GitHub
parent 869e46a4cc
commit 5f7942faca
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
docs/docs/CHANGELOG.md
View file

@ -11,6 +11,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## v1.14.2
Livia sas Junius: Echo 2
- Remove default RSS reader rule as it may allow for a targeted attack against rails apps
[#67](https://github.com/TecharoHQ/anubis/pull/67)
- Whitelist MojeekBot in botPolicies [#47](https://github.com/TecharoHQ/anubis/issues/47)
## v1.14.1