Security

Token

There is no security token.

Firewall

main Name
Security enabled
Stateless

Configuration

Key Value
provider security.user.provider.concrete.app_user_provider
context main
entry_point App\Security\KbinAuthenticator
user_checker App\Security\UserChecker
access_denied_handler (none)
access_denied_url (none)
authenticators
[
  "two_factor"
  "remember_me"
  "App\Security\KbinAuthenticator"
  "App\Security\FacebookAuthenticator"
  "App\Security\GoogleAuthenticator"
  "App\Security\GithubAuthenticator"
  "App\Security\KeycloakAuthenticator"
]

Listeners

Listener Duration Response
Symfony\Component\Security\Http\Firewall\ChannelListener {#723
  -map: Symfony\Component\Security\Http\AccessMap {#722 …}
  -logger: Monolog\Logger {#783 …}
  -httpPort: 80
  -httpsPort: 443
}
0.00 ms (none)
Symfony\Component\Security\Http\Firewall\ContextListener {#706
  -tokenStorage: Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage {#1017 …}
  -sessionKey: "_security_main"
  -logger: Monolog\Logger {#783 …}
  -userProviders: Symfony\Component\DependencyInjection\Argument\RewindableGenerator {#705 …}
  -dispatcher: Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher {#747 …}
  -registered: false
  -trustResolver: Scheb\TwoFactorBundle\Security\Authentication\AuthenticationTrustResolver {#780 …}
  -sessionTrackerEnabler: Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage::enableUsageTracking(): void {#703 …}
}
2.54 ms (none)
Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener {#584
  -authenticatorManager: Symfony\Component\Security\Http\Authentication\AuthenticatorManager {#595 …}
}
0.00 ms (none)
Scheb\TwoFactorBundle\Security\Http\Firewall\TwoFactorAccessListener {#582
  -twoFactorFirewallConfig: Scheb\TwoFactorBundle\Security\TwoFactor\TwoFactorFirewallConfig {#842 …}
  -tokenStorage: Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage {#1018 …}
  -twoFactorAccessDecider: Scheb\TwoFactorBundle\Security\Authorization\TwoFactorAccessDecider {#581 …}
}
0.05 ms (none)
Symfony\Component\Security\Http\Firewall\AccessListener {#579
  -tokenStorage: Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage {#1018 …}
  -accessDecisionManager: Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager {#937 …}
  -map: Symfony\Component\Security\Http\AccessMap {#722 …}
}
0.00 ms (none)
Symfony\Component\Security\Http\Firewall\LogoutListener {#786
  -tokenStorage: Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage {#1018 …}
  -options: [
    "csrf_parameter" => "_csrf_token"
    "csrf_token_id" => "logout"
    "logout_path" => "app_logout"
  ]
  -httpUtils: Symfony\Component\Security\Http\HttpUtils {#841 …}
  -csrfTokenManager: Symfony\Component\Security\Csrf\CsrfTokenManager {#1015 …}
  -eventDispatcher: Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher {#747 …}
}
0.00 ms (none)

Authenticators

No authenticators have been recorded. Check previous profiles on your authentication endpoint.

Access Decision

affirmative Strategy
# Voter class
1
"Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter"
2
"Scheb\TwoFactorBundle\Security\Authorization\Voter\TwoFactorInProgressVoter"
3
"Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter"
4
"Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter"
5
"App\Security\Voter\EntryCommentVoter"
6
"App\Security\Voter\EntryVoter"
7
"App\Security\Voter\MagazineVoter"
8
"App\Security\Voter\MessageThreadVoter"
9
"App\Security\Voter\MessageVoter"
10
"App\Security\Voter\NotificationVoter"
11
"App\Security\Voter\OAuth2UserConsentVoter"
12
"App\Security\Voter\PostCommentVoter"
13
"App\Security\Voter\PostVoter"
14
"App\Security\Voter\UserVoter"

Access decision log

# Result Attributes Object
1 DENIED ROLE_USER
null
"Scheb\TwoFactorBundle\Security\Authorization\Voter\TwoFactorInProgressVoter"
ACCESS ABSTAIN
"Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter"
ACCESS DENIED
"App\Security\Voter\EntryCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryVoter"
ACCESS ABSTAIN
"App\Security\Voter\MagazineVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageThreadVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageVoter"
ACCESS ABSTAIN
"App\Security\Voter\NotificationVoter"
ACCESS ABSTAIN
"App\Security\Voter\OAuth2UserConsentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostVoter"
ACCESS ABSTAIN
"App\Security\Voter\UserVoter"
ACCESS ABSTAIN
2 DENIED moderate
App\Entity\Entry {#1846
  +user: Proxies\__CG__\App\Entity\User {#1899 …}
  +magazine: App\Entity\Magazine {#289
    +icon: Proxies\__CG__\App\Entity\Image {#270 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#299
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#261 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#257 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#246 …}
    +entries: Doctrine\ORM\PersistentCollection {#204 …}
    +posts: Doctrine\ORM\PersistentCollection {#162 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#224 …}
    +bans: Doctrine\ORM\PersistentCollection {#141 …}
    +reports: Doctrine\ORM\PersistentCollection {#127 …}
    +badges: Doctrine\ORM\PersistentCollection {#105 …}
    +logs: Doctrine\ORM\PersistentCollection {#95 …}
    +awards: Doctrine\ORM\PersistentCollection {#84 …}
    +categories: Doctrine\ORM\PersistentCollection {#71 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#293
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#292
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#1911 …}
  +slug: "With-Firefox-on-X11-any-page-can-pastejack-you-anytime"
  +title: "With Firefox on X11, any page can pastejack you anytime"
  +url: "https://www.openwall.com/lists/oss-security/2023/10/17/1"
  +body: """
    Date: Tue, 17 Oct 2023 03:17:36 +0300 From: turistu To: oss-security@…ts.openwall.com Subject: with firefox on X11, any page can pastejack you anytime\n
    \n
    Note to the moderator: I have already submitted this to the firefox people three weeks ago, and according to them, this is not a real security issue, or at least not worse than those pesky scripts which you cannot kill without killing firefox itself; if you think the same, just ignore this without replying.\n
    \n
    I would however appreciate if you let this through and so give it some visibility so that the other 2 or 3 people who may be affected by this could learn about it.\n
    \n
    Thank you very much.\n
    \n
    ====\n
    \n
    In firefox running on X11, any script from any page can freely write to the primary selection, and that can be easily exploited to run arbitrary code on the user’s machine.\n
    \n
    No user interaction is necessary – any page able to run javascript can do it, including e.g. a page from a background tab of a minimized window, an iframe inside such a window, an error page, a sandboxed iframe, a page that has reloaded itself via `meta http-equiv=refresh`, etc.\n
    \n
    This applies to all the versions of mozilla/firefox and their derivatives (seamonkey, etc) that I was able to test, including the latest nightly.\n
    \n
    ### Example\n
    \n
    The simplest example, which works in the default configurations of systems like OpenBSD or Alpine Linux (= any Unix/Linux system where Wayland is not the default and the default *shell* does not implement bracketed-paste), would go like this:\n
    \n
    Load the following snippet in firefox:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">\n
    </span><span style="color:#323232;">intentionally left blank\n
    </span>\n
    ```\n
    \n
    Then pretend to forget about it, and go about your work. Sooner or later, when trying to paste something in the terminal with shift-Insert or middle click, you will end up running the command `writeXPrimary()` has injected just between your copy and paste.\n
    \n
    live example of that snippet: [turistu.github.io/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)\n
    \n
    ### Short technical explanation\n
    \n
    Browsers like firefox have the concepts of “secure context” (e.g. `https://`) and “transient user activation”; the javascript from the page gets some temporary powers as soon as you have interacted *even so little* with the page, like clicked, touched, etc.\n
    \n
    For instance, writing with `Clipboard.writeText()` to the windows-style Ctrl-C Ctrl-V *clipboard* selection is only possible from secure contexts and only in the short while after the user has clicked a button, etc on the page. As this bug demonstrates, those prerequisites are not needed for writing to the *primary* selection, which on X11 is much more used and much more valuable.\n
    \n
    ### Workaround\n
    \n
    Without patching firefox, the only workaround I can think about is disabling the `Selection.selectAllChildren()` function from an addon’s content script, e.g. like this:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">let block = function(){ throw Error('blocked') };\n
    </span><span style="color:#323232;">exportFunction(block, Selection.prototype, { defineAs: 'selectAllChildren' });\n
    </span>\n
    ```\n
    \n
    Complete extension here at [github.com/turistu/odds-n-ends/raw/…/no-sel.xpi](https://github.com/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).\n
    \n
    I tried to submit it to addons.mozilla.org but they didn’t accept it. If you’re running firefox-esr, the development edition or nightly, you can just `set xpinstall.signatures.required` to true in `about:config` and install it with `firefox no-sel.xpi`.\n
    \n
    ### Firefox Patch\n
    \n
    ```\n
    \n
    <span style="color:#323232;">diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp\n
    </span><span style="color:#323232;">--- a/layout/generic/nsFrameSelection.cpp\tFri Oct 06 12:03:17 2023 +0000\n
    </span><span style="color:#323232;">+++ b/layout/generic/nsFrameSelection.cpp\tSun Oct 08 11:04:41 2023 +0300\n
    </span><span style="color:#323232;">@@ -3345,6 +3345,10 @@\n
    </span><span style="color:#323232;">     return;  // Don't care if we are still dragging.\n
    </span><span style="color:#323232;">   }\n
    </span><span style="color:#323232;"> \n
    </span><span style="color:#323232;">+  if (aReason &amp; nsISelectionListener::JS_REASON) {\n
    </span><span style="color:#323232;">+    return;\n
    </span><span style="color:#323232;">+  }\n
    </span><span style="color:#323232;">+\n
    </span><span style="color:#323232;">   if (!aDocument || aSelection.IsCollapsed()) {\n
    </span><span style="color:#323232;"> #ifdef DEBUG_CLIPBOARD\n
    </span><span style="color:#323232;">     fprintf(stderr, "CLIPBOARD: no selection/collapsed selectionn");\n
    </span>\n
    ```\n
    \n
    The idea of this patch was to *always* prevent javascript from indirectly messing with the primary selection via the Selection API. However, it turned out that the `JS_REASON` flag was not reliable; if javascript calls some function like `addRange()` or `selectAllChildren()` while the user has started dragging but hasn’t released the mouse button yet, that code will be called *without* that flag but with the text set by javascript, not the text selected by the user. However, I think that this patch is still enough to fill the glaring hole opened by `selectAllChildren()`.\n
    \n
    ### About the example and bracketed-paste\n
    \n
    The bracketed paste feature of bash/readline and zsh means that you cannot just append a CR or LF to the payload and be done, it’s the user who has to press ENTER for it to run.\n
    \n
    However, workarounds exist. For instance, some terminals like mlterm don’t filter out the pasted data, and you can terminate the pasting mode early by inserting a `e201~` in the payload.\n
    \n
    For bash, you can take advantage of some quirks in the readline library to turn off the highlighting and make the payload invisible to the user. E.g.:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">let payload = 'touch ~/LOL-' + Date.now() / 1000;\n
    </span><span style="color:#323232;">writeXPrimary('n' + payload + 'n'.repeat(100) + ' '.repeat(30)\n
    </span><span style="color:#323232;">\t+ 'n'.repeat(100))\n
    </span>\n
    ```\n
    \n
    which will confuse the user with the same screen as when some stray background job had written something to the terminal:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">user@...t:~$ : previous unrelated command\n
    </span><span style="color:#323232;">user@...t:~$\t&lt;-- paste here\n
    </span><span style="color:#323232;">#   &lt;-- cursor here, most users will just hit Enter to get a new prompt\n
    </span>\n
    ```\n
    \n
    live example of that snippet: [turistu.github.io/firefox/bash-pastejack.html\n
    \n
    Just to be clear, I don’t think that either mlterm, bash, or the shells that don’t have that bracketed-paste feature are at fault here in any way (and I personally always turn off that misfeature as it badly interferes with my workflow): It’s firefox which should get all the blame for letting random javascript evade its pretended “sandbox” in this way.\n
    \n
    ### About Wayland\n
    \n
    For firefox running in Wayland, `writeXPrimary()` will only succeed when the firefox window (the main window, not necessarily the tab the code runs in) has the focus. Otherwise the selection will be cleared. At first I assumed that this is something specific to the Wayland protocol, but that turned out to be utterly false; it’s just some quirk, bug or “feature” specific to either firefox itself or GTK.\n
    \n
    But I think that’s still bad enough, even if the page should take care to only set the selection when the main window has gained focus.\n
    \n
    And of course, all this doesn’t affect the situation where you’re copying and pasting in another firefox tab with a different context, origin, etc; and all the other situations where you don’t appreciate having random javascript you don’t even know about messing with your copy & paste.\n
    \n
    ===\n
    \n
    This is a slightly edited version of [github.com/turistu/odds-n-ends/…/pastejack.md](https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md).\n
    \n
    I will correct any errors or omissions and also add more info there.
    """
  +type: "link"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 8
  +favouriteCount: 0
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1725264437 {#1861
    date: 2024-09-02 10:07:17.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#1949 …}
  +votes: Doctrine\ORM\PersistentCollection {#1894 …}
  +reports: Doctrine\ORM\PersistentCollection {#2402 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1386 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1370 …}
  +badges: Doctrine\ORM\PersistentCollection {#1375 …}
  +children: []
  -id: 17198
  -titleTs: "'anytim':10 'firefox':2 'page':6 'pastejack':8 'x11':4"
  -bodyTs: "'+0000':538 '+0300':9,547 '+3345':550 '-3345':548 '/firefox/bash-pastejack.html':843 '/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)':326 '/lol-':779 '/no-sel.xpi':479 '/pastejack.md':1069 '/turistu/odds-n-ends/':1068 '/turistu/odds-n-ends/blob/main/firefox/pastejack.md).':1072 '/turistu/odds-n-ends/raw/':478 '/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).':482 '03':6,535 '04':544 '06':533 '08':542 '10':551 '100':787,792 '1000':781 '11':543 '12':534 '17':3,7,536 '2':101 '2023':5,537,546 '3':103 '30':789 '36':8 '41':545 '6':549 '9b362770f30b':528 'a/layout/generic/nsframeselection.cpp':530 'abl':158,218 'accept':494 'accord':45 'activ':343 'add':1082 'addon':454 'addons.mozilla.org':489 'addrang':618 'adocu':568 'advantag':754 'affect':108,1016 'ago':43 'alpin':240 'alreadi':34 'also':1081 'alway':586,879 'anoth':1026 'anytim':27 'api':599 'append':694 'appli':203 'appreci':85,1044 'arbitrari':144 'areason':562 'aselection.iscollapsed':569 'assum':949 'b/layout/generic/nsframeselection.cpp':539 'background':171,806 'bad':886,988 'bash':750,855 'bash/readline':686 'blame':899 'blank':273 'block':462,466,468 'bracket':259,679,682,866 'bracketed-past':258,678,865 'browser':330 'bug':412,972 'button':405,633 'c':381 'call':614,639 'cannot':66,692 'care':555,996 'clear':847,945 'click':302,366,403 'clipboard':385,572,575 'clipboard.selectallchildren':450 'clipboard.writetext':373 'code':145,636,934 'command':309,818 'complet':472 'concept':335 'config':517 'configur':234 'confus':795 'content':456 'context':338,392,1032 'copi':316,1022,1057 'correct':1075 'could':111 'cours':1011 'cr':696 'ctrl':380,383 'ctrl-c':379 'ctrl-v':382 'cursor':823 'data':733 'date':1 'date.now':780 'debug':571 'default':233,250,253 'definea':470 'demonstr':413 'deriv':212 'develop':504 'didn':492 'diff':526 'differ':1031 'disabl':448 'doesn':1014 'done':704 'drag':560,626 'e.g':166,339,458,775 'e201':745 'earli':741 'easili':140 'edit':505,1063 
'either':853,977 'end':305 'enough':665,989 'enter':713,830 'equiv':199 'error':184,465,1077 'esr':502 'etc':201,214,368,406,1034 'evad':904 'even':359,990,1051 'exampl':225,228,320,676,837 'exist':720 'explan':329 'exploit':141 'exportfunct':467 'extens':473 'fals':966 'fault':871 'featur':684,868,974 'fill':667 'filter':729 'firefox':19,39,70,120,270,332,439,501,522,524,893,914,924,978,1027 'firefox-esr':500 'first':947 'flag':608,642 'focus':939,1008 'follow':267 'forget':277 'fprintf':573 'freeli':130 'fri':531 'function':451,463,616 'gain':1007 'get':349,832,896 'github.com':477,481,1067,1071 'github.com/turistu/odds-n-ends/':1066 'github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md).':1070 'github.com/turistu/odds-n-ends/raw/':476 'github.com/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).':480 'give':93 'glare':669 'go':262,281 'gtk':981 'hasn':628 'highlight':766 'hit':829 'hole':670 'howev':84,600,657,718 'http':198 'http-equiv':197 'idea':580 'ifdef':570 'ifram':178,188 'ignor':78 'implement':257 'includ':165,221 'indirect':590 'info':1084 'inject':312 'insert':299,743 'insid':179 'instal':519 'instanc':370,722 'intent':271 'interact':153,358 'interfer':887 'invis':771 'issu':54 'javascript':161,345,588,613,649,903,1047 'job':807 'js':564,606 'kill':67,69 'know':1052 'later':287 'latest':223 'layout/generic/nsframeselection.cpp':529 'learn':112 'least':57 'left':272 'let':88,461,776,901 'lf':698 'librari':761 'like':237,263,331,365,459,617,725 'linux':241 'littl':361 'live':319,836 'load':265 'machin':150 'main':927,1004 'make':768 'may':106 'mean':689 'mess':591,1054 'meta':196 'middl':301 'minim':175 'misfeatur':883 'mlterm':726,854 'mode':740 'moder':31 'mous':632 'mozilla/firefox':209 'much':118,429,433 'n':783,785,790 'necessari':155 'necessarili':930 'need':418 'new':834 'night':224,507 'no-sel.xpi':523 'note':28 'nsiselectionlisten':563 'oct':4,532,541 'omiss':1079 'open':671 'openbsd':238 'origin':1033 'oss':14 'oss-secur':13 
'otherwis':940 'page':23,128,157,168,185,190,348,364,409,993 'past':260,291,318,680,683,732,739,821,867,1024,1058 'pastejack':25 'patch':438,525,583,662 'payload':701,748,770,777,784 'peopl':40,104 'person':878 'peski':62 'possibl':389 'power':352 'prerequisit':415 'press':712 'pretend':275,906 'prevent':587 'previous':816 'primari':134,423,594 'prompt':835 'protocol':958 'quirk':757,971 'r':527 'random':902,1046 're':498,1021 'readlin':760 'real':52 'reason':565,607 'refresh':200 'releas':630 'reliabl':611 'reload':193 'repeat':786,788,791 'repli':81 'return':552,566 'run':121,143,160,307,499,717,915,935 'sandbox':187,907 'screen':801 'script':63,125,457 'seamonkey':213 'secur':15,53,337,391 'select':135,386,424,595,598,653,942,1001 'selectallchildren':471,620,673 'selection.prototype':469 'selection/collapsed':577 'selectionn':578 'set':511,647,999 'shell':254,858 'shift':298 'shift-insert':297 'short':327,397 'simplest':227 'situat':1018,1039 'slight':1062 'snippet':268,323,840 'someth':292,810,953 'soon':354 'sooner':285 'specif':954,975 'start':625 'stderr':574 'still':559,664,987 'stray':805 'style':378 'subject':17 'submit':35,486 'succeed':921 'sun':540 'system':236,244 'tab':172,932,1028 'take':753,995 'technic':328 'temporari':351 'termin':295,724,737,813 'test':220 'text':646,652 'thank':115 'think':74,445,659,851,984 'three':41 'throw':464 'touch':367,778 'transient':341 'tri':289,484 'true':514 'ts.openwall.com':16 'tue':2 'turistu':11 'turistu.github.io':325,842 'turistu.github.io/firefox/bash-pastejack.html':841 'turistu.github.io/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)':324 'turn':602,763,880,961 'unix/linux':243 'unrel':817 'use':431 'user':148,152,342,401,623,656,708,774,797,814,819,826 'utter':965 'v':384 'valuabl':435 'version':207,1064 'via':195,596 'visibl':96 'way':875,910 'wayland':246,912,917,957 'week':42 'window':176,182,377,925,928,1005 'windows-styl':376 'without':68,80,437,640 'work':230,284 
'workaround':436,442,719 'workflow':890 'wors':59 'would':83,261 'write':131,371,420 'writexprimari':310,782,918 'written':809 'x11':21,123,427 'xpinstall.signatures.required':512 'yet':634 'zsh':688"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1697959616
  +visibility: "visible             "
  +apId: "https://lemmy.world/post/7123900"
  +editedAt: null
  +createdAt: DateTimeImmutable @1697907616 {#75
    date: 2023-10-21 19:00:16.0 +02:00
  }
}
"Scheb\TwoFactorBundle\Security\Authorization\Voter\TwoFactorInProgressVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryVoter"
ACCESS DENIED
"App\Security\Voter\MagazineVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageThreadVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageVoter"
ACCESS ABSTAIN
"App\Security\Voter\NotificationVoter"
ACCESS ABSTAIN
"App\Security\Voter\OAuth2UserConsentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostVoter"
ACCESS ABSTAIN
"App\Security\Voter\UserVoter"
ACCESS ABSTAIN
3 DENIED edit
App\Entity\Entry {#1846
  +user: Proxies\__CG__\App\Entity\User {#1899 …}
  +magazine: App\Entity\Magazine {#289
    +icon: Proxies\__CG__\App\Entity\Image {#270 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#299
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#261 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#257 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#246 …}
    +entries: Doctrine\ORM\PersistentCollection {#204 …}
    +posts: Doctrine\ORM\PersistentCollection {#162 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#224 …}
    +bans: Doctrine\ORM\PersistentCollection {#141 …}
    +reports: Doctrine\ORM\PersistentCollection {#127 …}
    +badges: Doctrine\ORM\PersistentCollection {#105 …}
    +logs: Doctrine\ORM\PersistentCollection {#95 …}
    +awards: Doctrine\ORM\PersistentCollection {#84 …}
    +categories: Doctrine\ORM\PersistentCollection {#71 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#293
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#292
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#1911 …}
  +slug: "With-Firefox-on-X11-any-page-can-pastejack-you-anytime"
  +title: "With Firefox on X11, any page can pastejack you anytime"
  +url: "https://www.openwall.com/lists/oss-security/2023/10/17/1"
  +body: """
    Date: Tue, 17 Oct 2023 03:17:36 +0300 From: turistu To: oss-security@…ts.openwall.com Subject: with firefox on X11, any page can pastejack you anytime\n
    \n
    Note to the moderator: I have already submitted this to the firefox people three weeks ago, and according to them, this is not a real security issue, or at least not worse than those pesky scripts which you cannot kill without killing firefox itself; if you think the same, just ignore this without replying.\n
    \n
    I would however appreciate if you let this through and so give it some visibility so that the other 2 or 3 people who may be affected by this could learn about it.\n
    \n
    Thank you very much.\n
    \n
    ====\n
    \n
    In firefox running on X11, any script from any page can freely write to the primary selection, and that can be easily exploited to run arbitrary code on the user’s machine.\n
    \n
    No user interaction is necessary – any page able to run javascript can do it, including e.g. a page from a background tab of a minimized window, an iframe inside such a window, an error page, a sandboxed iframe, a page that has reloaded itself via `meta http-equiv=refresh`, etc.\n
    \n
    This applies to all the versions of mozilla/firefox and their derivatives (seamonkey, etc) that I was able to test, including the latest nightly.\n
    \n
    ### Example\n
    \n
    The simplest example, which works in the default configurations of systems like OpenBSD or Alpine Linux (= any Unix/Linux system where Wayland is not the default and the default *shell* does not implement bracketed-paste), would go like this:\n
    \n
    Load the following snippet in firefox:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">\n
    </span><span style="color:#323232;">intentionally left blank\n
    </span>\n
    ```\n
    \n
    Then pretend to forget about it, and go about your work. Sooner or later, when trying to paste something in the terminal with shift-Insert or middle click, you will end up running the command `writeXPrimary()` has injected just between your copy and paste.\n
    \n
    live example of that snippet: [turistu.github.io/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)\n
    \n
    ### Short technical explanation\n
    \n
    Browsers like firefox have the concepts of “secure context” (e.g. `https://`) and “transient user activation”; the javascript from the page gets some temporary powers as soon as you have interacted *even so little* with the page, like clicked, touched, etc.\n
    \n
    For instance, writing with `Clipboard.writeText()` to the windows-style Ctrl-C Ctrl-V *clipboard* selection is only possible from secure contexts and only in the short while after the user has clicked a button, etc on the page. As this bug demonstrates, those prerequisites are not needed for writing to the *primary* selection, which on X11 is much more used and much more valuable.\n
    \n
    ### Workaround\n
    \n
    Without patching firefox, the only workaround I can think about is disabling the `Selection.selectAllChildren()` function from an addon’s content script, e.g. like this:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">let block = function(){ throw Error('blocked') };\n
    </span><span style="color:#323232;">exportFunction(block, Selection.prototype, { defineAs: 'selectAllChildren' });\n
    </span>\n
    ```\n
    \n
    Complete extension here at [github.com/turistu/odds-n-ends/raw/…/no-sel.xpi](https://github.com/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).\n
    \n
    I tried to submit it to addons.mozilla.org but they didn’t accept it. If you’re running firefox-esr, the development edition or nightly, you can just `set xpinstall.signatures.required` to true in `about:config` and install it with `firefox no-sel.xpi`.\n
    \n
    ### Firefox Patch\n
    \n
    ```\n
    \n
    <span style="color:#323232;">diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp\n
    </span><span style="color:#323232;">--- a/layout/generic/nsFrameSelection.cpp\tFri Oct 06 12:03:17 2023 +0000\n
    </span><span style="color:#323232;">+++ b/layout/generic/nsFrameSelection.cpp\tSun Oct 08 11:04:41 2023 +0300\n
    </span><span style="color:#323232;">@@ -3345,6 +3345,10 @@\n
    </span><span style="color:#323232;">     return;  // Don't care if we are still dragging.\n
    </span><span style="color:#323232;">   }\n
    </span><span style="color:#323232;"> \n
    </span><span style="color:#323232;">+  if (aReason &amp; nsISelectionListener::JS_REASON) {\n
    </span><span style="color:#323232;">+    return;\n
    </span><span style="color:#323232;">+  }\n
    </span><span style="color:#323232;">+\n
    </span><span style="color:#323232;">   if (!aDocument || aSelection.IsCollapsed()) {\n
    </span><span style="color:#323232;"> #ifdef DEBUG_CLIPBOARD\n
    </span><span style="color:#323232;">     fprintf(stderr, "CLIPBOARD: no selection/collapsed selectionn");\n
    </span>\n
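Review bot: The added `JS_REASON` early return has no comment, unlike the dragging return just above it, so a later reader cannot tell that it exists to keep script-made selections out of the primary selection; I would add `// Selections made by script must never reach the primary selection.` above the `if`. The check also sits before the `!aDocument || aSelection.IsCollapsed()` branch, whose body is only partly visible here, so it is worth confirming that nothing in that branch still has to run when a script collapses the selection. The enclosing function starts and ends outside the hunk. Both points apply equally to the second copy of this hunk further down the page.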
    ```\n
    \n
    The idea of this patch was to *always* prevent javascript from indirectly messing with the primary selection via the Selection API. However, it turned out that the `JS_REASON` flag was not reliable; if javascript calls some function like `addRange()` or `selectAllChildren()` while the user has started dragging but hasn’t released the mouse button yet, that code will be called *without* that flag but with the text set by javascript, not the text selected by the user. However, I think that this patch is still enough to fill the glaring hole opened by `selectAllChildren()`.\n
    \n
    ### About the example and bracketed-paste\n
    \n
    The bracketed paste feature of bash/readline and zsh means that you cannot just append a CR or LF to the payload and be done, it’s the user who has to press ENTER for it to run.\n
    \n
    However, workarounds exist. For instance, some terminals like mlterm don’t filter out the pasted data, and you can terminate the pasting mode early by inserting a `e201~` in the payload.\n
    \n
    For bash, you can take advantage of some quirks in the readline library to turn off the highlighting and make the payload invisible to the user. E.g.:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">let payload = 'touch ~/LOL-' + Date.now() / 1000;\n
    </span><span style="color:#323232;">writeXPrimary('n' + payload + 'n'.repeat(100) + ' '.repeat(30)\n
    </span><span style="color:#323232;">\t+ 'n'.repeat(100))\n
    </span>\n
    ```\n
    \n
    which will confuse the user with the same screen as when some stray background job had written something to the terminal:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">user@...t:~$ : previous unrelated command\n
    </span><span style="color:#323232;">user@...t:~$\t&lt;-- paste here\n
    </span><span style="color:#323232;">#   &lt;-- cursor here, most users will just hit Enter to get a new prompt\n
    </span>\n
    ```\n
    \n
    live example of that snippet: turistu.github.io/firefox/bash-pastejack.html\n
    \n
    Just to be clear, I don’t think that mlterm, bash, or the shells that don’t have that bracketed-paste feature are at fault here in any way (and I personally always turn off that misfeature as it badly interferes with my workflow): It’s firefox which should get all the blame for letting random javascript evade its pretended “sandbox” in this way.\n
    \n
    ### About Wayland\n
    \n
    For firefox running in Wayland, `writeXPrimary()` will only succeed when the firefox window (the main window, not necessarily the tab the code runs in) has the focus. Otherwise the selection will be cleared. At first I assumed that this is something specific to the Wayland protocol, but that turned out to be utterly false; it’s just some quirk, bug or “feature” specific to either firefox itself or GTK.\n
    \n
    But I think that’s still bad enough, even if the page should take care to only set the selection when the main window has gained focus.\n
    \n
    And of course, all this doesn’t affect the situation where you’re copying and pasting in another firefox tab with a different context, origin, etc; and all the other situations where you don’t appreciate having random javascript you don’t even know about messing with your copy &amp; paste.\n
    \n
    ===\n
    \n
    This is a slightly edited version of [github.com/turistu/odds-n-ends/…/pastejack.md](https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md).\n
    \n
    I will correct any errors or omissions and also add more info there.
    """
  +type: "link"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 8
  +favouriteCount: 0
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1725264437 {#1861
    date: 2024-09-02 10:07:17.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#1949 …}
  +votes: Doctrine\ORM\PersistentCollection {#1894 …}
  +reports: Doctrine\ORM\PersistentCollection {#2402 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1386 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1370 …}
  +badges: Doctrine\ORM\PersistentCollection {#1375 …}
  +children: []
  -id: 17198
  -titleTs: "'anytim':10 'firefox':2 'page':6 'pastejack':8 'x11':4"
  -bodyTs: "'+0000':538 '+0300':9,547 '+3345':550 '-3345':548 '/firefox/bash-pastejack.html':843 '/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)':326 '/lol-':779 '/no-sel.xpi':479 '/pastejack.md':1069 '/turistu/odds-n-ends/':1068 '/turistu/odds-n-ends/blob/main/firefox/pastejack.md).':1072 '/turistu/odds-n-ends/raw/':478 '/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).':482 '03':6,535 '04':544 '06':533 '08':542 '10':551 '100':787,792 '1000':781 '11':543 '12':534 '17':3,7,536 '2':101 '2023':5,537,546 '3':103 '30':789 '36':8 '41':545 '6':549 '9b362770f30b':528 'a/layout/generic/nsframeselection.cpp':530 'abl':158,218 'accept':494 'accord':45 'activ':343 'add':1082 'addon':454 'addons.mozilla.org':489 'addrang':618 'adocu':568 'advantag':754 'affect':108,1016 'ago':43 'alpin':240 'alreadi':34 'also':1081 'alway':586,879 'anoth':1026 'anytim':27 'api':599 'append':694 'appli':203 'appreci':85,1044 'arbitrari':144 'areason':562 'aselection.iscollapsed':569 'assum':949 'b/layout/generic/nsframeselection.cpp':539 'background':171,806 'bad':886,988 'bash':750,855 'bash/readline':686 'blame':899 'blank':273 'block':462,466,468 'bracket':259,679,682,866 'bracketed-past':258,678,865 'browser':330 'bug':412,972 'button':405,633 'c':381 'call':614,639 'cannot':66,692 'care':555,996 'clear':847,945 'click':302,366,403 'clipboard':385,572,575 'clipboard.selectallchildren':450 'clipboard.writetext':373 'code':145,636,934 'command':309,818 'complet':472 'concept':335 'config':517 'configur':234 'confus':795 'content':456 'context':338,392,1032 'copi':316,1022,1057 'correct':1075 'could':111 'cours':1011 'cr':696 'ctrl':380,383 'ctrl-c':379 'ctrl-v':382 'cursor':823 'data':733 'date':1 'date.now':780 'debug':571 'default':233,250,253 'definea':470 'demonstr':413 'deriv':212 'develop':504 'didn':492 'diff':526 'differ':1031 'disabl':448 'doesn':1014 'done':704 'drag':560,626 'e.g':166,339,458,775 'e201':745 'earli':741 'easili':140 'edit':505,1063 
'either':853,977 'end':305 'enough':665,989 'enter':713,830 'equiv':199 'error':184,465,1077 'esr':502 'etc':201,214,368,406,1034 'evad':904 'even':359,990,1051 'exampl':225,228,320,676,837 'exist':720 'explan':329 'exploit':141 'exportfunct':467 'extens':473 'fals':966 'fault':871 'featur':684,868,974 'fill':667 'filter':729 'firefox':19,39,70,120,270,332,439,501,522,524,893,914,924,978,1027 'firefox-esr':500 'first':947 'flag':608,642 'focus':939,1008 'follow':267 'forget':277 'fprintf':573 'freeli':130 'fri':531 'function':451,463,616 'gain':1007 'get':349,832,896 'github.com':477,481,1067,1071 'github.com/turistu/odds-n-ends/':1066 'github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md).':1070 'github.com/turistu/odds-n-ends/raw/':476 'github.com/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).':480 'give':93 'glare':669 'go':262,281 'gtk':981 'hasn':628 'highlight':766 'hit':829 'hole':670 'howev':84,600,657,718 'http':198 'http-equiv':197 'idea':580 'ifdef':570 'ifram':178,188 'ignor':78 'implement':257 'includ':165,221 'indirect':590 'info':1084 'inject':312 'insert':299,743 'insid':179 'instal':519 'instanc':370,722 'intent':271 'interact':153,358 'interfer':887 'invis':771 'issu':54 'javascript':161,345,588,613,649,903,1047 'job':807 'js':564,606 'kill':67,69 'know':1052 'later':287 'latest':223 'layout/generic/nsframeselection.cpp':529 'learn':112 'least':57 'left':272 'let':88,461,776,901 'lf':698 'librari':761 'like':237,263,331,365,459,617,725 'linux':241 'littl':361 'live':319,836 'load':265 'machin':150 'main':927,1004 'make':768 'may':106 'mean':689 'mess':591,1054 'meta':196 'middl':301 'minim':175 'misfeatur':883 'mlterm':726,854 'mode':740 'moder':31 'mous':632 'mozilla/firefox':209 'much':118,429,433 'n':783,785,790 'necessari':155 'necessarili':930 'need':418 'new':834 'night':224,507 'no-sel.xpi':523 'note':28 'nsiselectionlisten':563 'oct':4,532,541 'omiss':1079 'open':671 'openbsd':238 'origin':1033 'oss':14 'oss-secur':13 
'otherwis':940 'page':23,128,157,168,185,190,348,364,409,993 'past':260,291,318,680,683,732,739,821,867,1024,1058 'pastejack':25 'patch':438,525,583,662 'payload':701,748,770,777,784 'peopl':40,104 'person':878 'peski':62 'possibl':389 'power':352 'prerequisit':415 'press':712 'pretend':275,906 'prevent':587 'previous':816 'primari':134,423,594 'prompt':835 'protocol':958 'quirk':757,971 'r':527 'random':902,1046 're':498,1021 'readlin':760 'real':52 'reason':565,607 'refresh':200 'releas':630 'reliabl':611 'reload':193 'repeat':786,788,791 'repli':81 'return':552,566 'run':121,143,160,307,499,717,915,935 'sandbox':187,907 'screen':801 'script':63,125,457 'seamonkey':213 'secur':15,53,337,391 'select':135,386,424,595,598,653,942,1001 'selectallchildren':471,620,673 'selection.prototype':469 'selection/collapsed':577 'selectionn':578 'set':511,647,999 'shell':254,858 'shift':298 'shift-insert':297 'short':327,397 'simplest':227 'situat':1018,1039 'slight':1062 'snippet':268,323,840 'someth':292,810,953 'soon':354 'sooner':285 'specif':954,975 'start':625 'stderr':574 'still':559,664,987 'stray':805 'style':378 'subject':17 'submit':35,486 'succeed':921 'sun':540 'system':236,244 'tab':172,932,1028 'take':753,995 'technic':328 'temporari':351 'termin':295,724,737,813 'test':220 'text':646,652 'thank':115 'think':74,445,659,851,984 'three':41 'throw':464 'touch':367,778 'transient':341 'tri':289,484 'true':514 'ts.openwall.com':16 'tue':2 'turistu':11 'turistu.github.io':325,842 'turistu.github.io/firefox/bash-pastejack.html':841 'turistu.github.io/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)':324 'turn':602,763,880,961 'unix/linux':243 'unrel':817 'use':431 'user':148,152,342,401,623,656,708,774,797,814,819,826 'utter':965 'v':384 'valuabl':435 'version':207,1064 'via':195,596 'visibl':96 'way':875,910 'wayland':246,912,917,957 'week':42 'window':176,182,377,925,928,1005 'windows-styl':376 'without':68,80,437,640 'work':230,284 
'workaround':436,442,719 'workflow':890 'wors':59 'would':83,261 'write':131,371,420 'writexprimari':310,782,918 'written':809 'x11':21,123,427 'xpinstall.signatures.required':512 'yet':634 'zsh':688"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1697959616
  +visibility: "visible             "
  +apId: "https://lemmy.world/post/7123900"
  +editedAt: null
  +createdAt: DateTimeImmutable @1697907616 {#75
    date: 2023-10-21 19:00:16.0 +02:00
  }
}
"Scheb\TwoFactorBundle\Security\Authorization\Voter\TwoFactorInProgressVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryVoter"
ACCESS DENIED
"App\Security\Voter\MagazineVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageThreadVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageVoter"
ACCESS ABSTAIN
"App\Security\Voter\NotificationVoter"
ACCESS ABSTAIN
"App\Security\Voter\OAuth2UserConsentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostVoter"
ACCESS ABSTAIN
"App\Security\Voter\UserVoter"
ACCESS ABSTAIN
4 DENIED moderate
App\Entity\Entry {#1846
  +user: Proxies\__CG__\App\Entity\User {#1899 …}
  +magazine: App\Entity\Magazine {#289
    +icon: Proxies\__CG__\App\Entity\Image {#270 …}
    +name: "linux@lemmy.ml"
    +title: "linux"
    +description: """
      From Wikipedia, the free encyclopedia\n
      \n
      Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
      \n
      Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
      \n
      ### Rules\n
      \n
      - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
      - No misinformation\n
      - No NSFW content\n
      - No hate speech, bigotry, etc\n
      \n
      ### Related Communities\n
      \n
      - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
      - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
      - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
      - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
      \n
      Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
      """
    +rules: null
    +subscriptionsCount: 1
    +entryCount: 1406
    +entryCommentCount: 28632
    +postCount: 6
    +postCommentCount: 214
    +isAdult: false
    +customCss: null
    +lastActive: DateTime @1729583542 {#299
      date: 2024-10-22 09:52:22.0 +02:00
    }
    +markedForDeletionAt: null
    +tags: null
    +moderators: Doctrine\ORM\PersistentCollection {#261 …}
    +ownershipRequests: Doctrine\ORM\PersistentCollection {#257 …}
    +moderatorRequests: Doctrine\ORM\PersistentCollection {#246 …}
    +entries: Doctrine\ORM\PersistentCollection {#204 …}
    +posts: Doctrine\ORM\PersistentCollection {#162 …}
    +subscriptions: Doctrine\ORM\PersistentCollection {#224 …}
    +bans: Doctrine\ORM\PersistentCollection {#141 …}
    +reports: Doctrine\ORM\PersistentCollection {#127 …}
    +badges: Doctrine\ORM\PersistentCollection {#105 …}
    +logs: Doctrine\ORM\PersistentCollection {#95 …}
    +awards: Doctrine\ORM\PersistentCollection {#84 …}
    +categories: Doctrine\ORM\PersistentCollection {#71 …}
    -id: 73
    +apId: "linux@lemmy.ml"
    +apProfileId: "https://lemmy.ml/c/linux"
    +apPublicUrl: "https://lemmy.ml/c/linux"
    +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
    +apInboxUrl: "https://lemmy.ml/inbox"
    +apDomain: "lemmy.ml"
    +apPreferredUsername: "linux"
    +apDiscoverable: true
    +apManuallyApprovesFollowers: null
    +privateKey: null
    +publicKey: null
    +apFetchedAt: DateTime @1729583596 {#293
      date: 2024-10-22 09:53:16.0 +02:00
    }
    +apDeletedAt: null
    +apTimeoutAt: null
    +visibility: "visible             "
    +createdAt: DateTimeImmutable @1698929468 {#292
      date: 2023-11-02 13:51:08.0 +01:00
    }
  }
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#1911 …}
  +slug: "With-Firefox-on-X11-any-page-can-pastejack-you-anytime"
  +title: "With Firefox on X11, any page can pastejack you anytime"
  +url: "https://www.openwall.com/lists/oss-security/2023/10/17/1"
  +body: """
    Date: Tue, 17 Oct 2023 03:17:36 +0300 From: turistu To: oss-security@…ts.openwall.com Subject: with firefox on X11, any page can pastejack you anytime\n
    \n
    Note to the moderator: I have already submitted this to the firefox people three weeks ago, and according to them, this is not a real security issue, or at least not worse than those pesky scripts which you cannot kill without killing firefox itself; if you think the same, just ignore this without replying.\n
    \n
    I would however appreciate if you let this through and so give it some visibility so that the other 2 or 3 people who may be affected by this could learn about it.\n
    \n
    Thank you very much.\n
    \n
    ====\n
    \n
    In firefox running on X11, any script from any page can freely write to the primary selection, and that can be easily exploited to run arbitrary code on the user’s machine.\n
    \n
    No user interaction is necessary – any page able to run javascript can do it, including e.g. a page from a background tab of a minimized window, an iframe inside such a window, an error page, a sandboxed iframe, a page that has reloaded itself via `meta http-equiv=refresh`, etc.\n
    \n
    This applies to all the versions of mozilla/firefox and their derivatives (seamonkey, etc) that I was able to test, including the latest nightly.\n
    \n
    ### Example\n
    \n
    The simplest example, which works in the default configurations of systems like OpenBSD or Alpine Linux (= any Unix/Linux system where Wayland is not the default and the default *shell* does not implement bracketed-paste), would go like this:\n
    \n
    Load the following snippet in firefox:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">\n
    </span><span style="color:#323232;">intentionally left blank\n
    </span>\n
    ```\n
    \n
    Then pretend to forget about it, and go about your work. Sooner or later, when trying to paste something in the terminal with shift-Insert or middle click, you will end up running the command `writeXPrimary()` has injected just between your copy and paste.\n
    \n
    live example of that snippet: [turistu.github.io/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)\n
    \n
    ### Short technical explanation\n
    \n
    Browsers like firefox have the concepts of “secure context” (e.g. `https://`) and “transient user activation”; the javascript from the page gets some temporary powers as soon as you have interacted *even so little* with the page, like clicked, touched, etc.\n
    \n
    For instance, writing with `Clipboard.writeText()` to the windows-style Ctrl-C Ctrl-V *clipboard* selection is only possible from secure contexts and only in the short while after the user has clicked a button, etc on the page. As this bug demonstrates, those prerequisites are not needed for writing to the *primary* selection, which on X11 is much more used and much more valuable.\n
    \n
    ### Workaround\n
    \n
    Without patching firefox, the only workaround I can think of is disabling the `Selection.selectAllChildren()` function from an addon’s content script, e.g. like this:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">let block = function(){ throw Error('blocked') };\n
    </span><span style="color:#323232;">exportFunction(block, Selection.prototype, { defineAs: 'selectAllChildren' });\n
    </span>\n
    ```\n
    \n
    Complete extension here at [github.com/turistu/odds-n-ends/raw/…/no-sel.xpi](https://github.com/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).\n
    \n
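    I tried to submit it to addons.mozilla.org but they didn’t accept it. If you’re running firefox-esr, the development edition or nightly, you can just set xpinstall.signatures.required to true in about:config and install it with firefox no-sel.xpi. (Reviewer’s note: Firefox installs unsigned add-ons only while this preference is false, and that turns off signature checks for every add-on, so read the extension’s source first and restore the default afterwards.)\n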
    \n
    ### Firefox Patch\n
    \n
    ```\n
    \n
    <span style="color:#323232;">diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp\n
    </span><span style="color:#323232;">--- a/layout/generic/nsFrameSelection.cpp\tFri Oct 06 12:03:17 2023 +0000\n
    </span><span style="color:#323232;">+++ b/layout/generic/nsFrameSelection.cpp\tSun Oct 08 11:04:41 2023 +0300\n
    </span><span style="color:#323232;">@@ -3345,6 +3345,10 @@\n
    </span><span style="color:#323232;">     return;  // Don't care if we are still dragging.\n
    </span><span style="color:#323232;">   }\n
    </span><span style="color:#323232;"> \n
    </span><span style="color:#323232;">+  if (aReason &amp; nsISelectionListener::JS_REASON) {\n
    </span><span style="color:#323232;">+    return;\n
    </span><span style="color:#323232;">+  }\n
    </span><span style="color:#323232;">+\n
    </span><span style="color:#323232;">   if (!aDocument || aSelection.IsCollapsed()) {\n
    </span><span style="color:#323232;"> #ifdef DEBUG_CLIPBOARD\n
    </span><span style="color:#323232;">     fprintf(stderr, "CLIPBOARD: no selection/collapsed selectionn");\n
    </span>\n
    ```\n
    \n
    The idea of this patch was to *always* prevent javascript from indirectly messing with the primary selection via the Selection API. However, it turned out that the `JS_REASON` flag was not reliable; if javascript calls some function like `addRange()` or `selectAllChildren()` while the user has started dragging but hasn’t released the mouse button yet, that code will be called *without* that flag but with the text set by javascript, not the text selected by the user. However, I think that this patch is still enough to fill the glaring hole opened by `selectAllChildren()`.\n
    \n
    ### About the example and bracketed-paste\n
    \n
    The bracketed paste feature of bash/readline and zsh means that you cannot just append a CR or LF to the payload and be done, it’s the user who has to press ENTER for it to run.\n
    \n
    However, workarounds exist. For instance, some terminals like mlterm don’t filter out the pasted data, and you can terminate the pasting mode early by inserting a `e201~` in the payload.\n
    \n
    For bash, you can take advantage of some quirks in the readline library to turn off the highlighting and make the payload invisible to the user. E.g.:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">let payload = 'touch ~/LOL-' + Date.now() / 1000;\n
    </span><span style="color:#323232;">writeXPrimary('n' + payload + 'n'.repeat(100) + ' '.repeat(30)\n
    </span><span style="color:#323232;">\t+ 'n'.repeat(100))\n
    </span>\n
    ```\n
    \n
    which will confuse the user with the same screen as when some stray background job had written something to the terminal:\n
    \n
    ```\n
    \n
    <span style="color:#323232;">user@...t:~$ : previous unrelated command\n
    </span><span style="color:#323232;">user@...t:~$\t&lt;-- paste here\n
    </span><span style="color:#323232;">#   &lt;-- cursor here, most users will just hit Enter to get a new prompt\n
    </span>\n
    ```\n
    \n
    live example of that snippet: turistu.github.io/firefox/bash-pastejack.html\n
    \n
    Just to be clear, I don’t think that mlterm, bash, or the shells that don’t have that bracketed-paste feature are at fault here in any way (and I personally always turn off that misfeature as it badly interferes with my workflow): It’s firefox which should get all the blame for letting random javascript evade its pretended “sandbox” in this way.\n
    \n
    ### About Wayland\n
    \n
    For firefox running in Wayland, `writeXPrimary()` will only succeed when the firefox window (the main window, not necessarily the tab the code runs in) has the focus. Otherwise the selection will be cleared. At first I assumed that this is something specific to the Wayland protocol, but that turned out to be utterly false; it’s just some quirk, bug or “feature” specific to either firefox itself or GTK.\n
    \n
    But I think that’s still bad enough, even if the page should take care to only set the selection when the main window has gained focus.\n
    \n
    And of course, all this doesn’t affect the situation where you’re copying and pasting in another firefox tab with a different context, origin, etc; and all the other situations where you don’t appreciate having random javascript you don’t even know about messing with your copy &amp; paste.\n
    \n
    ===\n
    \n
    This is a slightly edited version of [github.com/turistu/odds-n-ends/…/pastejack.md](https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md).\n
    \n
    I will correct any errors or omissions and also add more info there.
    """
  +type: "link"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 8
  +favouriteCount: 0
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1725264437 {#1861
    date: 2024-09-02 10:07:17.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#1949 …}
  +votes: Doctrine\ORM\PersistentCollection {#1894 …}
  +reports: Doctrine\ORM\PersistentCollection {#2402 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1386 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1370 …}
  +badges: Doctrine\ORM\PersistentCollection {#1375 …}
  +children: []
  -id: 17198
  -titleTs: "'anytim':10 'firefox':2 'page':6 'pastejack':8 'x11':4"
  -bodyTs: "'+0000':538 '+0300':9,547 '+3345':550 '-3345':548 '/firefox/bash-pastejack.html':843 '/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)':326 '/lol-':779 '/no-sel.xpi':479 '/pastejack.md':1069 '/turistu/odds-n-ends/':1068 '/turistu/odds-n-ends/blob/main/firefox/pastejack.md).':1072 '/turistu/odds-n-ends/raw/':478 '/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).':482 '03':6,535 '04':544 '06':533 '08':542 '10':551 '100':787,792 '1000':781 '11':543 '12':534 '17':3,7,536 '2':101 '2023':5,537,546 '3':103 '30':789 '36':8 '41':545 '6':549 '9b362770f30b':528 'a/layout/generic/nsframeselection.cpp':530 'abl':158,218 'accept':494 'accord':45 'activ':343 'add':1082 'addon':454 'addons.mozilla.org':489 'addrang':618 'adocu':568 'advantag':754 'affect':108,1016 'ago':43 'alpin':240 'alreadi':34 'also':1081 'alway':586,879 'anoth':1026 'anytim':27 'api':599 'append':694 'appli':203 'appreci':85,1044 'arbitrari':144 'areason':562 'aselection.iscollapsed':569 'assum':949 'b/layout/generic/nsframeselection.cpp':539 'background':171,806 'bad':886,988 'bash':750,855 'bash/readline':686 'blame':899 'blank':273 'block':462,466,468 'bracket':259,679,682,866 'bracketed-past':258,678,865 'browser':330 'bug':412,972 'button':405,633 'c':381 'call':614,639 'cannot':66,692 'care':555,996 'clear':847,945 'click':302,366,403 'clipboard':385,572,575 'clipboard.selectallchildren':450 'clipboard.writetext':373 'code':145,636,934 'command':309,818 'complet':472 'concept':335 'config':517 'configur':234 'confus':795 'content':456 'context':338,392,1032 'copi':316,1022,1057 'correct':1075 'could':111 'cours':1011 'cr':696 'ctrl':380,383 'ctrl-c':379 'ctrl-v':382 'cursor':823 'data':733 'date':1 'date.now':780 'debug':571 'default':233,250,253 'definea':470 'demonstr':413 'deriv':212 'develop':504 'didn':492 'diff':526 'differ':1031 'disabl':448 'doesn':1014 'done':704 'drag':560,626 'e.g':166,339,458,775 'e201':745 'earli':741 'easili':140 'edit':505,1063 
'either':853,977 'end':305 'enough':665,989 'enter':713,830 'equiv':199 'error':184,465,1077 'esr':502 'etc':201,214,368,406,1034 'evad':904 'even':359,990,1051 'exampl':225,228,320,676,837 'exist':720 'explan':329 'exploit':141 'exportfunct':467 'extens':473 'fals':966 'fault':871 'featur':684,868,974 'fill':667 'filter':729 'firefox':19,39,70,120,270,332,439,501,522,524,893,914,924,978,1027 'firefox-esr':500 'first':947 'flag':608,642 'focus':939,1008 'follow':267 'forget':277 'fprintf':573 'freeli':130 'fri':531 'function':451,463,616 'gain':1007 'get':349,832,896 'github.com':477,481,1067,1071 'github.com/turistu/odds-n-ends/':1066 'github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md).':1070 'github.com/turistu/odds-n-ends/raw/':476 'github.com/turistu/odds-n-ends/raw/main/firefox/no-sel.xpi).':480 'give':93 'glare':669 'go':262,281 'gtk':981 'hasn':628 'highlight':766 'hit':829 'hole':670 'howev':84,600,657,718 'http':198 'http-equiv':197 'idea':580 'ifdef':570 'ifram':178,188 'ignor':78 'implement':257 'includ':165,221 'indirect':590 'info':1084 'inject':312 'insert':299,743 'insid':179 'instal':519 'instanc':370,722 'intent':271 'interact':153,358 'interfer':887 'invis':771 'issu':54 'javascript':161,345,588,613,649,903,1047 'job':807 'js':564,606 'kill':67,69 'know':1052 'later':287 'latest':223 'layout/generic/nsframeselection.cpp':529 'learn':112 'least':57 'left':272 'let':88,461,776,901 'lf':698 'librari':761 'like':237,263,331,365,459,617,725 'linux':241 'littl':361 'live':319,836 'load':265 'machin':150 'main':927,1004 'make':768 'may':106 'mean':689 'mess':591,1054 'meta':196 'middl':301 'minim':175 'misfeatur':883 'mlterm':726,854 'mode':740 'moder':31 'mous':632 'mozilla/firefox':209 'much':118,429,433 'n':783,785,790 'necessari':155 'necessarili':930 'need':418 'new':834 'night':224,507 'no-sel.xpi':523 'note':28 'nsiselectionlisten':563 'oct':4,532,541 'omiss':1079 'open':671 'openbsd':238 'origin':1033 'oss':14 'oss-secur':13 
'otherwis':940 'page':23,128,157,168,185,190,348,364,409,993 'past':260,291,318,680,683,732,739,821,867,1024,1058 'pastejack':25 'patch':438,525,583,662 'payload':701,748,770,777,784 'peopl':40,104 'person':878 'peski':62 'possibl':389 'power':352 'prerequisit':415 'press':712 'pretend':275,906 'prevent':587 'previous':816 'primari':134,423,594 'prompt':835 'protocol':958 'quirk':757,971 'r':527 'random':902,1046 're':498,1021 'readlin':760 'real':52 'reason':565,607 'refresh':200 'releas':630 'reliabl':611 'reload':193 'repeat':786,788,791 'repli':81 'return':552,566 'run':121,143,160,307,499,717,915,935 'sandbox':187,907 'screen':801 'script':63,125,457 'seamonkey':213 'secur':15,53,337,391 'select':135,386,424,595,598,653,942,1001 'selectallchildren':471,620,673 'selection.prototype':469 'selection/collapsed':577 'selectionn':578 'set':511,647,999 'shell':254,858 'shift':298 'shift-insert':297 'short':327,397 'simplest':227 'situat':1018,1039 'slight':1062 'snippet':268,323,840 'someth':292,810,953 'soon':354 'sooner':285 'specif':954,975 'start':625 'stderr':574 'still':559,664,987 'stray':805 'style':378 'subject':17 'submit':35,486 'succeed':921 'sun':540 'system':236,244 'tab':172,932,1028 'take':753,995 'technic':328 'temporari':351 'termin':295,724,737,813 'test':220 'text':646,652 'thank':115 'think':74,445,659,851,984 'three':41 'throw':464 'touch':367,778 'transient':341 'tri':289,484 'true':514 'ts.openwall.com':16 'tue':2 'turistu':11 'turistu.github.io':325,842 'turistu.github.io/firefox/bash-pastejack.html':841 'turistu.github.io/firefox/pastejack.html](https://turistu.github.io/firefox/pastejack.html)':324 'turn':602,763,880,961 'unix/linux':243 'unrel':817 'use':431 'user':148,152,342,401,623,656,708,774,797,814,819,826 'utter':965 'v':384 'valuabl':435 'version':207,1064 'via':195,596 'visibl':96 'way':875,910 'wayland':246,912,917,957 'week':42 'window':176,182,377,925,928,1005 'windows-styl':376 'without':68,80,437,640 'work':230,284 
'workaround':436,442,719 'workflow':890 'wors':59 'would':83,261 'write':131,371,420 'writexprimari':310,782,918 'written':809 'x11':21,123,427 'xpinstall.signatures.required':512 'yet':634 'zsh':688"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1697959616
  +visibility: "visible             "
  +apId: "https://lemmy.world/post/7123900"
  +editedAt: null
  +createdAt: DateTimeImmutable @1697907616 {#75
    date: 2023-10-21 19:00:16.0 +02:00
  }
}
"Scheb\TwoFactorBundle\Security\Authorization\Voter\TwoFactorInProgressVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryVoter"
ACCESS DENIED
"App\Security\Voter\MagazineVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageThreadVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageVoter"
ACCESS ABSTAIN
"App\Security\Voter\NotificationVoter"
ACCESS ABSTAIN
"App\Security\Voter\OAuth2UserConsentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostVoter"
ACCESS ABSTAIN
"App\Security\Voter\UserVoter"
ACCESS ABSTAIN
5 DENIED edit
App\Entity\Magazine {#289
  +icon: Proxies\__CG__\App\Entity\Image {#270 …}
  +name: "linux@lemmy.ml"
  +title: "linux"
  +description: """
    From Wikipedia, the free encyclopedia\n
    \n
    Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
    \n
    Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
    \n
    ### Rules\n
    \n
    - Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
    - No misinformation\n
    - No NSFW content\n
    - No hate speech, bigotry, etc\n
    \n
    ### Related Communities\n
    \n
    - [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
    - [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
    - [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
    - [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
    \n
    Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
    """
  +rules: null
  +subscriptionsCount: 1
  +entryCount: 1406
  +entryCommentCount: 28632
  +postCount: 6
  +postCommentCount: 214
  +isAdult: false
  +customCss: null
  +lastActive: DateTime @1729583542 {#299
    date: 2024-10-22 09:52:22.0 +02:00
  }
  +markedForDeletionAt: null
  +tags: null
  +moderators: Doctrine\ORM\PersistentCollection {#261 …}
  +ownershipRequests: Doctrine\ORM\PersistentCollection {#257 …}
  +moderatorRequests: Doctrine\ORM\PersistentCollection {#246 …}
  +entries: Doctrine\ORM\PersistentCollection {#204 …}
  +posts: Doctrine\ORM\PersistentCollection {#162 …}
  +subscriptions: Doctrine\ORM\PersistentCollection {#224 …}
  +bans: Doctrine\ORM\PersistentCollection {#141 …}
  +reports: Doctrine\ORM\PersistentCollection {#127 …}
  +badges: Doctrine\ORM\PersistentCollection {#105 …}
  +logs: Doctrine\ORM\PersistentCollection {#95 …}
  +awards: Doctrine\ORM\PersistentCollection {#84 …}
  +categories: Doctrine\ORM\PersistentCollection {#71 …}
  -id: 73
  +apId: "linux@lemmy.ml"
  +apProfileId: "https://lemmy.ml/c/linux"
  +apPublicUrl: "https://lemmy.ml/c/linux"
  +apFollowersUrl: "https://lemmy.ml/c/linux/followers"
  +apInboxUrl: "https://lemmy.ml/inbox"
  +apDomain: "lemmy.ml"
  +apPreferredUsername: "linux"
  +apDiscoverable: true
  +apManuallyApprovesFollowers: null
  +privateKey: null
  +publicKey: null
  +apFetchedAt: DateTime @1729583596 {#293
    date: 2024-10-22 09:53:16.0 +02:00
  }
  +apDeletedAt: null
  +apTimeoutAt: null
  +visibility: "visible             "
  +createdAt: DateTimeImmutable @1698929468 {#292
    date: 2023-11-02 13:51:08.0 +01:00
  }
}
"Scheb\TwoFactorBundle\Security\Authorization\Voter\TwoFactorInProgressVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\EntryVoter"
ACCESS ABSTAIN
"App\Security\Voter\MagazineVoter"
ACCESS DENIED
"App\Security\Voter\MessageThreadVoter"
ACCESS ABSTAIN
"App\Security\Voter\MessageVoter"
ACCESS ABSTAIN
"App\Security\Voter\NotificationVoter"
ACCESS ABSTAIN
"App\Security\Voter\OAuth2UserConsentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostCommentVoter"
ACCESS ABSTAIN
"App\Security\Voter\PostVoter"
ACCESS ABSTAIN
"App\Security\Voter\UserVoter"
ACCESS ABSTAIN