|
Jabor posted:I like how the Rails guys are all "but insecure-by-default is a feature!" Is this much different to PHP's Register Global Variables? The implications are similar though with RGV the attacker would need to know the name of a vulnerable variable ($is_logged_in etc.) and the developer would need to ignore all the "GOOD GOD DON'T USE THIS FEATURE" warnings (back before it was completely removed); with this Rails issue the attacker would have a good idea of what to use from the output of the default generators, and developers likely wouldn't even stumble across an at-your-own-risk warning before deployment. Is this a +1 for PHP for making Register Globals off-by-default, then eventually completely removing it? This might just be a first!
|
#
?
Mar 5, 2012 06:39
|
|
|
|
| # ? Apr 25, 2024 17:50 |
|
|
I don't understand how register_globals is a security bug at all. It's a terrible idea, sure, but not a security risk. The biggest argument that I've heard is that apparently arguments from $_GET get filled in before arguments from $_POST, so the user can add &admin=1 to the query string to get admin privileges or something. Do people really expect valid and correct information in $_POST or $_COOKIE or any of the other globals? Of course $_POST['admin'] is much more secure!
|
|
#
?
Mar 5, 2012 07:05
|
|
|
Suspicious Dish posted:I don't understand how register_globals is a security bug at all. It's a terrible idea, sure, but not a security risk. The biggest argument that I've heard is that apparently arguments from $_GET get filled in before arguments from $_POST, so the user can add &admin=1 to the query string to get admin privileges or something. Do people really expect valid and correct information in $_POST or $_COOKIE or any of the other globals? Of course $_POST['admin'] is much more secure! php:<?php if (user_authenticated()) { $admin = 1; } if ($admin) { ... } ?>
|
|
#
?
Mar 5, 2012 07:07
|
|
|
Suspicious Dish posted:I don't understand how register_globals is a security bug at all. It's a terrible idea, sure, but not a security risk. The biggest argument that I've heard is that apparently arguments from $_GET get filled in before arguments from $_POST, so the user can add &admin=1 to the query string to get admin privileges or something. Do people really expect valid and correct information in $_POST or $_COOKIE or any of the other globals? Of course $_POST['admin'] is much more secure! The real security vulnerability comes in when you're not explicitly initializing values. For example: php:<?php if(user_is_admin()) { $is_admin = true; } if($is_admin) { }?>
|
|
#
?
Mar 5, 2012 07:10
|
|
|
Wouldn't that already cause an "unset variable" error in PHP? Or do people really just Google for "php unset variable" and go "oh OK disable_errors(); should fix it".
|
|
#
?
Mar 5, 2012 07:13
|
|
|
Suspicious Dish posted:Wouldn't that already cause an "unset variable" error in PHP? Or do people really just Google for "php unset variable" and go "oh OK disable_errors(); should fix it". Even without disable_errors(), unset variables in PHP are boolean false in an if context - no error is raised.
|
|
#
?
Mar 5, 2012 07:17
|
|
|
Janin posted:https://github.com/rails/rails/issues/5228 The best part about this is how this has been known for like 4 years, and time and time again Rails Core has basically said it's not their problem, end developers should know this etc etc. The very same day that Github gets exploited using it they commit a change to Rails so that new projects by default have a whitelist instead of a blacklist.
|
|
#
?
Mar 5, 2012 12:40
|
|
|
ToxicFrog posted:Even without disable_errors(), unset variables in PHP are boolean false in an if context - no error is raised. No error with the default error reporting level, although it does produce a "notice" (below the default level at which errors are shown). PHP does provide the ability to pick up on mistakes like this although it goes out of its way to hide it.
|
|
#
?
Mar 5, 2012 12:47
|
|
|
Found this ticket lurking in an old pile of tickets opened by an ex-employee (that she had created and then assigned to herself). They are all great, but this one may be the best.quote:Ticket #7111 (new Enhancement (Functional))
|
|
#
?
Mar 5, 2012 16:43
|
|
|
Look Around You posted:Also is PHP supposed to be case sensitive? Well, yes and no. Literally
|
|
#
?
Mar 5, 2012 16:44
|
|
|
code:
|
|
#
?
Mar 5, 2012 18:44
|
|
|
Munkeymon posted:Well, yes and no. Literally
|
|
#
?
Mar 5, 2012 18:47
|
|
|
Janin posted:
I've never used the Haskell FFI; explain?
|
|
#
?
Mar 5, 2012 18:50
|
|
|
yaoi prophet posted:I've never used the Haskell FFI; explain? given code:code:TOO SCSI FOR MY CAT fucked around with this message at 19:36 on Mar 5, 2012 |
|
#
?
Mar 5, 2012 19:30
|
|
|
Ohh, now I get it. Nice.
|
|
#
?
Mar 5, 2012 19:36
|
|
|
Plorkyeran posted:At least it's consistent between built-in and user defined things. Is it? Variables are case-sensitive but functions, even user-defined functions, are case-insensitive. code:
|
|
#
?
Mar 5, 2012 20:26
|
|
|
Er, yes? Both built-in functions and user-defined functions are case-insensitive, and I was amused by the fact that the page actually had to say that.
|
|
#
?
Mar 5, 2012 20:41
|
|
|
Munkeymon posted:Well, yes and no. Literally
|
|
#
?
Mar 5, 2012 21:10
|
|
|
Plorkyeran posted:Er, yes? Both built-in functions and user-defined functions are case-insensitive, and I was amused by the fact that the page actually had to say that. Oh, right. I misinterpreted your post as meaning "at least all built-in things are a specific one of the two, and also all user-defined things are a specific one of the two".
|
|
#
?
Mar 5, 2012 23:44
|
|
|
Janin posted:https://github.com/rails/rails/issues/5228 Note that there are two distinct portions of this. One was that he posted this as a rails issue and when it was closed because the main rails committers said it was up to developers to implement checks, he exploited the rails app on GitHub (one of the larger rails running apps) to prove a point. There has been tons of argument over what the default in rails should be, a lot of the main rail committers were opposed to the idea (I am not really sure the exact reason but it probably has something to do with having to be right all the time). This pretty much forced their hand in implementing a whitelist rather than the blacklist
|
|
#
?
Mar 6, 2012 01:08
|
|
|
Scaevolus posted:Awesome, if I ever have to use PHP again I'm going to write all my keywords in caps and say that I thought it was BASIC. also use WHILE .. ENDWHILE etc http://php.net/manual/en/control-structures.alternative-syntax.php
|
|
#
?
Mar 6, 2012 06:30
|
|
|
loving hell how is there always more?
|
|
#
?
Mar 6, 2012 09:12
|
|
|
code:
|
|
#
?
Mar 6, 2012 12:47
|
|
|
tef posted:also use WHILE .. ENDWHILE etc http://php.net/manual/en/control-structures.alternative-syntax.php PHP is designed for use as a templating language. Ergo, it is useful to cut down on the number of braces in views where possible, as they add unnecessary clutter. A Good Feature.
|
|
#
?
Mar 6, 2012 12:49
|
|
|
Huragok posted:
Wait, why would he even want to switch ... to the current running thread? What?
|
|
#
?
Mar 6, 2012 13:30
|
|
|
Just went through fixing 404s on that php site I'm helping someone out on. After looking at the logs it turns out about 25% of all requests 404 in some way. This is because 1)previous implementors put LightBox calls on all pages even though it's only used on one page, and then incompletely took out LightBox without removing those references 2)previous implementors would wrap flash calls (on every page) in swfobject_modified.js despite the fact it's not installed 3)previous implementors assumed every object would have an image attribute and didn't do any sanity checking to maybe see if (empty($image_name)). 130,000 404s fixed in about an hour. This whole thing is like a seedy frankenstein lurching from one side of the room to another. It might not be clear but I'm losing a lot of respect for the previous implementors.
|
|
#
?
Mar 6, 2012 13:43
|
|
|
Beef posted:Wait, why would he even want to switch ... to the current running thread? What? The script interpreter will run away if an infinite loop happens. To kill the thread (elsewhere) Abort() on Executor is called. He wanted to make sure the thread executing the Interpret method was the right thread to kill. Yup.
|
|
#
?
Mar 6, 2012 13:49
|
|
|
i barely GNU her! posted:PHP is designed for use as a templating language. Ergo, it is useful to cut down on the number of braces in views where possible, as they add unnecessary clutter. A Good Feature. While there's a lot of justified hate for PHP in this thread, I have to say that the alternative syntax is really helpful with templates/views. I'm also going to say that it's a good feature that really isn't used enough. I'm all for the PHP hate, but at least hate where hate is due.
|
|
#
?
Mar 6, 2012 14:49
|
|
|
Mogomra posted:While there's a lot of justified hate for PHP in this thread, I have to say that the alternative syntax is really helpful with templates/views. I'm also going to say that it's a good feature that really isn't used enough. I didn't mention it for any other reason than to make scaveolus' next php code look more like basic edit: you guys have seen reddit.com/r/lolphp/ right?
|
|
#
?
Mar 6, 2012 14:51
|
|
|
A method. pHouseNumber is passed as a string that is the first "word" of the first line of the address. This error was being caught then re-thrown without the call stack about 4 times. One of those bugs that broke a lot of things. About an hour to finally hunt it down and then another hour of glaring at it wishing death on the previous developer. If Not String.IsNullOrEmpty(pHouseNumber) AndAlso CInt(pHouseNumber) > 0 Then (For non VB.NET devs: CInt casts as int, AndAlso is a short-circuit AND evaluation)
|
|
#
?
Mar 7, 2012 20:54
|
|
|
hobofood posted:CInt casts as int I haven't used VB.NET, only VBscript -- does cint still clamp the value to a 16-bit signed integer (i.e. -32768 to 32767)? 
|
|
#
?
Mar 7, 2012 21:13
|
|
|
Lysidas posted:I haven't used VB.NET, only VBscript -- does cint still clamp the value to a 16-bit signed integer (i.e. -32768 to 32767)? Fortunately we now have real ints (thank gently caress for the .NET framework, saviour of business developers everywhere)
|
|
#
?
Mar 7, 2012 21:15
|
|
|
On the topic of register_globals in PHP, one thing to keep in mind is that the order globals are actually registered is variable and based on some obscure INI setting somewhere. This comes into play pretty badly if you end up relying on something like $REMOTE_ADDR (from $_SERVER['REMOTE_ADDR']) and... oops, someone used index.php?REMOTE_ADDR=FuckYou and now your PHP application is recording weird IPs. (And god forbid you rely on something like DOCUMENT_ROOT. )This is a real issue I've had to fix from really old legacy code circa 2001 when nobody knew better. Always a blast.
|
|
#
?
Mar 9, 2012 09:22
|
|
|
Java:code:
|
|
#
?
Mar 12, 2012 11:41
|
|
|
There is so much wrong with that chunk of code I don't even know where to begin. Who wrote that?
|
|
#
?
Mar 12, 2012 13:33
|
|
|
It's not production code, the horror is the concept.
|
|
#
?
Mar 12, 2012 13:52
|
|
|
It's almost as if member variables weren't virtual. 
|
|
#
?
Mar 12, 2012 14:03
|
|
|
Maybe I am the horror for expecting two references to the same thing to behave in the same way.
|
|
#
?
Mar 12, 2012 14:18
|
|
|
Shouldn't have declared a second int then. 
|
|
#
?
Mar 12, 2012 14:33
|
|
|
|
| # ? Apr 25, 2024 17:50 |
|
|
Goat Bastard posted:Maybe I am the horror for expecting two references to the same thing to behave in the same way.
|
|
#
?
Mar 12, 2012 14:49
|
|
