Archived
1
0
Fork
You've already forked MDB
0
No description
This repository has been archived on 2025年07月29日. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
  • Python 83%
  • HTML 11.4%
  • CSS 4.4%
  • Shell 1.2%
Find a file
2015年06月07日 02:40:00 +01:00
scripts Initial Commit 2015年06月07日 02:19:45 +01:00
.gitignore Initial Commit 2015年06月07日 02:19:45 +01:00
favicon.png Initial Commit 2015年06月07日 02:19:45 +01:00
index-template.html Initial Commit 2015年06月07日 02:19:45 +01:00
login.html Initial Commit 2015年06月07日 02:19:45 +01:00
post-template.html Initial Commit 2015年06月07日 02:19:45 +01:00
README.md Make readme 2015年06月07日 02:40:00 +01:00
server.py Initial Commit 2015年06月07日 02:19:45 +01:00
singlepost-template.html Initial Commit 2015年06月07日 02:19:45 +01:00
stylesheet.css Initial Commit 2015年06月07日 02:19:45 +01:00

MDB

Some blog thing. Posts are written in markdown and put in posts/

Run sign.sh to generate PGP detached signatures which are linked to at the bottom of every post

The code tries to limit access to inside the website directory (hardcoded in the code at the moment). I'm confident there are no directory traversal attacks directly.

Users are not stored between runs, and the is no way to add new users, and users can't do anything at the moment. The code uses pbkdf2_hmac and sha256, a 32 byte salt from /dev/urandom and 1 000 000 iterations. This takes about a second on my machine.
There is no current protection against a DoS by just forcing the server to generate hashes continously. I've found it only takes 6 processes hitting the authenticate page to make the website completely unusable. This could be mitigated by a proof of work on the client machine (requires javascript), or locking the IP out after x amount of incorrect guesses(doesn't work well against people with access to many IP's)