Search Amazon.com:
Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«638 »
  • Post
  • Reply
The Gripper
Sep 14, 2004
i am winner


Jabor posted:

I like how the Rails guys are all "but insecure-by-default is a feature!"
The "well it's not our fault developers used an insecure feature!" argument is pretty great, considering the majority of tutorials result in code that could be vulnerable, and it isn't mentioned at all that there are security implications to it. They've created a framework that is touted as being the solution for developers who just want to get the job done without worrying about the *magic* behind it, but with this issue their solution is "well you should have understood that magic before you started".

Is this much different to PHP's Register Global Variables? The implications are similar though with RGV the attacker would need to know the name of a vulnerable variable ($is_logged_in etc.) and the developer would need to ignore all the "GOOD GOD DON'T USE THIS FEATURE" warnings (back before it was completely removed); with this Rails issue the attacker would have a good idea of what to use from the output of the default generators, and developers likely wouldn't even stumble across an at-your-own-risk warning before deployment.

Is this a +1 for PHP for making Register Globals off-by-default, then eventually completely removing it? This might just be a first!

Adbot
ADBOT LOVES YOU

Suspicious Dish
Sep 24, 2011



I don't understand how register_globals is a security bug at all. It's a terrible idea, sure, but not a security risk. The biggest argument that I've heard is that apparently arguments from $_GET get filled in before arguments from $_POST, so the user can add &admin=1 to the query string to get admin privileges or something. Do people really expect valid and correct information in $_POST or $_COOKIE or any of the other globals? Of course $_POST['admin'] is much more secure!

gibbed
Apr 10, 2006



Suspicious Dish posted:

I don't understand how register_globals is a security bug at all. It's a terrible idea, sure, but not a security risk. The biggest argument that I've heard is that apparently arguments from $_GET get filled in before arguments from $_POST, so the user can add &admin=1 to the query string to get admin privileges or something. Do people really expect valid and correct information in $_POST or $_COOKIE or any of the other globals? Of course $_POST['admin'] is much more secure!
No, nothing related to the different sources, people are just stupid.

php:
<?php
if (user_authenticated()) {
  $admin 1;
}

if ($admin) {
 ...
}
?>

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Suspicious Dish posted:

I don't understand how register_globals is a security bug at all. It's a terrible idea, sure, but not a security risk. The biggest argument that I've heard is that apparently arguments from $_GET get filled in before arguments from $_POST, so the user can add &admin=1 to the query string to get admin privileges or something. Do people really expect valid and correct information in $_POST or $_COOKIE or any of the other globals? Of course $_POST['admin'] is much more secure!

The real security vulnerability comes in when you're not explicitly initializing values.

For example:

php:
<?php
if(user_is_admin()) {
  $is_admin true;
}

if($is_admin) {
  
}?>

With register_globals, an attacker can just append ?is_admin=true to subvert the above code.

Suspicious Dish
Sep 24, 2011



Wouldn't that already cause an "unset variable" error in PHP? Or do people really just Google for "php unset variable" and go "oh OK disable_errors(); should fix it".

ToxicFrog
Apr 26, 2008


Suspicious Dish posted:

Wouldn't that already cause an "unset variable" error in PHP? Or do people really just Google for "php unset variable" and go "oh OK disable_errors(); should fix it".

Even without disable_errors(), unset variables in PHP are boolean false in an if context - no error is raised.

Steampunk Hitler
Sep 19, 2011

I can tell you how to bottle fame, brew glory, and even put a stopper in death.


Janin posted:

https://github.com/rails/rails/issues/5228

Russian programmer discovers massive security vulnerability in Rails. He reports it to the issue tracker, then the issue gets closed by Rails devs.

He uses it to re-open the issue, as a proof-of-concept.

Rails devs close it again.

He files Issue #5239: I'm Bender from Future. from the year 3012, and re-opens the original issue.

Rails devs close it again.

He submits a new file, "hacked", to the main Rails repository and re-opens the original issue.



The best part about this is how this has been known for like 4 years, and time and time again Rails Core has basically said it's not their problem, end developers should know this etc etc. The very same day that Github gets exploited using it they commit a change to Rails so that new projects by default have a whitelist instead of a blacklist.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.

ToxicFrog posted:

Even without disable_errors(), unset variables in PHP are boolean false in an if context - no error is raised.

No error with the default error reporting level, although it does produce a "notice" (below the default level at which errors are shown). PHP does provide the ability to pick up on mistakes like this although it goes out of its way to hide it.

npe
Oct 15, 2004


Found this ticket lurking in an old pile of tickets opened by an ex-employee (that she had created and then assigned to herself). They are all great, but this one may be the best.

quote:

Ticket #7111 (new Enhancement (Functional))
Opened 9 months ago

Use Hexdecimal To Store Global Integer Constants

Description

This will utlizes java's GC better and faster. Additionally this will use a little less memory.

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar!
Rigoddamndicuλous.

Look Around You posted:

Also is PHP supposed to be case sensitive?

Well, yes and no. Literally

TOO SCSI FOR MY CAT
Oct 12, 2008

this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"


code:
foreign import ccall unsafe "opendir"
	c_opendir :: CString -> IO (Ptr ())

foreign import ccall unsafe "opendir"
	c_closedir :: Ptr () -> IO CInt
I wonder why my directory traversal is leaking FDs

Plorkyeran
Mar 21, 2007

Plorky Pig, let's get that Maria+Holic typesetting done yeah? You're starting to develop the requtation of lazy and slow, so ammend that for your own sake


Munkeymon posted:

Well, yes and no. Literally
At least it's consistent between built-in and user defined things.

Opinion Haver
Apr 9, 2007



Janin posted:

code:
foreign import ccall unsafe "opendir"
	c_opendir :: CString -> IO (Ptr ())

foreign import ccall unsafe "opendir"
	c_closedir :: Ptr () -> IO CInt
I wonder why my directory traversal is leaking FDs

I've never used the Haskell FFI; explain?

TOO SCSI FOR MY CAT
Oct 12, 2008

this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"


yaoi prophet posted:

I've never used the Haskell FFI; explain?
There's nothing haskell-specific here. Just read the names.

given
code:
-- defines a Haskell function named "c_opendir" which calls the C procedure prototype:
--
--   void *opendir(char *)
--
foreign import ccall unsafe "opendir"
    c_opendir :: CString -> IO (Ptr ())

-- defines a Haskell function named "c_closedir" which calls the C procedure protoype:
--
--   int opendir(void *)
--
foreign import ccall unsafe "opendir"
    c_closedir :: Ptr () -> IO CInt
what do you think happens when they're used in this function?

code:
dirptr <- c_opendir cPathToFile
-- do stuff with dirptr
checkNotFail (c_closedir dirptr)

TOO SCSI FOR MY CAT fucked around with this message at Mar 5, 2012 around 18:36

Opinion Haver
Apr 9, 2007



Ohh, now I get it. Nice.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.

Plorkyeran posted:

At least it's consistent between built-in and user defined things.

Is it? Variables are case-sensitive but functions, even user-defined functions, are case-insensitive.

code:
function butt () {
    echo 'fart';
}

BUTT();

Plorkyeran
Mar 21, 2007

Plorky Pig, let's get that Maria+Holic typesetting done yeah? You're starting to develop the requtation of lazy and slow, so ammend that for your own sake


Er, yes? Both built-in functions and user-defined functions are case-insensitive, and I was amused by the fact that the page actually had to say that.

Scaevolus
Apr 16, 2007



Munkeymon posted:

Well, yes and no. Literally
Awesome, if I ever have to use PHP again I'm going to write all my keywords in caps and say that I thought it was BASIC.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.

Plorkyeran posted:

Er, yes? Both built-in functions and user-defined functions are case-insensitive, and I was amused by the fact that the page actually had to say that.

Oh, right. I misinterpreted your post as meaning "at least all built-in things are a specific one of the two, and also all user-defined things are a specific one of the two".

Strong Sauce
Jul 2, 2003

You know I am not really your father.

Janin posted:

https://github.com/rails/rails/issues/5228

Russian programmer discovers massive security vulnerability in Rails. He reports it to the issue tracker, then the issue gets closed by Rails devs.

He uses it to re-open the issue, as a proof-of-concept.

Rails devs close it again.

He files Issue #5239: I'm Bender from Future. from the year 3012, and re-opens the original issue.

Rails devs close it again.

He submits a new file, "hacked", to the main Rails repository and re-opens the original issue.



Note that there are two distinct portions of this. One was that he posted this as a rails issue and when it was closed because the main rails committers said it was up to developers to implement checks, he exploited the rails app on GitHub (one of the larger rails running apps) to prove a point.

There has been tons of argument over what the default in rails should be, a lot of the main rail committers were opposed to the idea (I am not really sure the exact reason but it probably has something to do with having to be right all the time). This pretty much forced their hand in implementing a whitelist rather than the blacklist

tef
May 30, 2004

Avoid Symmetry, Allow Complexity, Introduce Terror


Scaevolus posted:

Awesome, if I ever have to use PHP again I'm going to write all my keywords in caps and say that I thought it was BASIC.

also use WHILE .. ENDWHILE etc http://php.net/manual/en/control-st...tive-syntax.php

pokeyman
Nov 26, 2006

Fix this shit pokeyman!


loving hell how is there always more?

Huragok
Sep 14, 2011


code:
Thread Executor { get; set; }

...

public string Interpret(string js)
{
    object result;
    lock(Thread.CurrentThread)
    {
          this.Executor = Thread.CurrentThread;
          result = SomeotherLibrary.Evaluate(js)
    }

    ...
}

chmods please
Apr 28, 2009

The machine is a piece of shit!


tef posted:

also use WHILE .. ENDWHILE etc http://php.net/manual/en/control-st...tive-syntax.php

PHP is designed for use as a templating language. Ergo, it is useful to cut down on the number of braces in views where possible, as they add unnecessary clutter. A Good Feature.

Beef
Jul 26, 2004


Huragok posted:

code:
Thread Executor { get; set; }

...

public string Interpret(string js)
{
    object result;
    lock(Thread.CurrentThread)
    {
          this.Executor = Thread.CurrentThread;
          result = SomeotherLibrary.Evaluate(js)
    }

    ...
}


Wait, why would he even want to switch ... to the current running thread? What?

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Just went through fixing 404s on that php site I'm helping someone out on. After looking at the logs it turns out about 25% of all requests 404 in some way. This is because 1)previous implementors put LightBox calls on all pages even though it's only used on one page, and then incompletely took out LightBox without removing those references 2)previous implementors would wrap flash calls (on every page) in swfobject_modified.js despite the fact it's not installed 3)previous implementors assumed every object would have an image attribute and didn't do any sanity checking to maybe see if (empty($image_name)). 130,000 404s fixed in about an hour. This whole thing is like a seedy frankenstein lurching from one side of the room to another. It might not be clear but I'm losing a lot of respect for the previous implementors.

Huragok
Sep 14, 2011


Beef posted:

Wait, why would he even want to switch ... to the current running thread? What?

The script interpreter will run away if an infinite loop happens. To kill the thread (elsewhere) Abort() on Executor is called. He wanted to make sure the thread executing the Interpret method was the right thread to kill.

Yup.

Mogomra
Nov 5, 2005

simply having a wonderful time


i barely GNU her! posted:

PHP is designed for use as a templating language. Ergo, it is useful to cut down on the number of braces in views where possible, as they add unnecessary clutter. A Good Feature.

While there's a lot of justified hate for PHP in this thread, I have to say that the alternative syntax is really helpful with templates/views. I'm also going to say that it's a good feature that really isn't used enough.

I'm all for the PHP hate, but at least hate where hate is due.

tef
May 30, 2004

Avoid Symmetry, Allow Complexity, Introduce Terror


Mogomra posted:

While there's a lot of justified hate for PHP in this thread, I have to say that the alternative syntax is really helpful with templates/views. I'm also going to say that it's a good feature that really isn't used enough.

I'm all for the PHP hate, but at least hate where hate is due.

I didn't mention it for any other reason than to make scaveolus' next php code look more like basic


edit: you guys have seen reddit.com/r/lolphp/ right?

hobofood
Jun 15, 2007



A method. pHouseNumber is passed as a string that is the first "word" of the first line of the address. This error was being caught then re-thrown without the call stack about 4 times. One of those bugs that broke a lot of things. About an hour to finally hunt it down and then another hour of glaring at it wishing death on the previous developer.

If Not String.IsNullOrEmpty(pHouseNumber) AndAlso CInt(pHouseNumber) > 0 Then

(For non VB.NET devs: CInt casts as int, AndAlso is a short-circuit AND evaluation)

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.


hobofood posted:

CInt casts as int

I haven't used VB.NET, only VBscript -- does cint still clamp the value to a 16-bit signed integer (i.e. -32768 to 32767)?

hobofood
Jun 15, 2007



Lysidas posted:

I haven't used VB.NET, only VBscript -- does cint still clamp the value to a 16-bit signed integer (i.e. -32768 to 32767)?

Fortunately we now have real ints (thank gently caress for the .NET framework, saviour of business developers everywhere)

Zamujasa
Oct 27, 2010

Link, some day you will leave this island...
I just know it in my heart...
Please, just don't ever forget this song... or me...


On the topic of register_globals in PHP, one thing to keep in mind is that the order globals are actually registered is variable and based on some obscure INI setting somewhere.

This comes into play pretty badly if you end up relying on something like $REMOTE_ADDR (from $_SERVER['REMOTE_ADDR']) and... oops, someone used index.php?REMOTE_ADDR=FuckYou and now your PHP application is recording weird IPs. (And god forbid you rely on something like DOCUMENT_ROOT. )


This is a real issue I've had to fix from really old legacy code circa 2001 when nobody knew better. Always a blast.

Goat Bastard
Oct 20, 2004



Java:

code:
package sandbox;

class A {
	public int i = 1;
}

class B extends A {
	public int i = 2;
}

public class Sandbox {
	public static void main(String[] args) {
		B b = new B();
		A a = b;
		
		System.out.println(a == b);
		System.out.println(a.getClass() == b.getClass());
		System.out.println(a.i == b.i);
	}
}

Mesothelioma
Jan 6, 2009

Your favorite mineral related cancer!


There is so much wrong with that chunk of code I don't even know where to begin. Who wrote that?

Goat Bastard
Oct 20, 2004



It's not production code, the horror is the concept.

Vanadium
Jan 8, 2005



It's almost as if member variables weren't virtual.

Goat Bastard
Oct 20, 2004



Maybe I am the horror for expecting two references to the same thing to behave in the same way.

Vanadium
Jan 8, 2005



Shouldn't have declared a second int then.

Adbot
ADBOT LOVES YOU

Aleksei Vasiliev
May 7, 2007

Fuck the cowboys. Unf. Fuck em hard.

Goat Bastard posted:

Maybe I am the horror for expecting two references to the same thing to behave in the same way.
a.i and b.i are different ints, b.i is shadowing a.i, not overriding it.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«638 »