dwazegek
Feb 11, 2005

WE CAN USE THIS


Ender.uNF posted:

I am seriously considering never opening another PDF file.

How safe is it to use an alternate PDF reader? I've been using SumatraPDF with the browser plugin disabled, but all this poo poo has me in -mode


Mr. Fish
Nov 4, 2009

small and orange


dwazegek posted:

How safe is it to use an alternate PDF reader? I've been using SumatraPDF with the browser plugin disabled, but all this poo poo has me in -mode

I think Sumatra is currently the best choice for people who just want a PDF reader without all the weird Adobe stuff, it also makes life easier for people who use LaTeX.

horse mans
May 11, 2011

voices in winter


I imagine OS X's built in PDF support is restricted enough not to have to worry about a majority of these cases, but I haven't watched the video yet. Feel free to indicate otherwise.

pokeyman
Nov 26, 2006

Fix this shit pokeyman!


At least one remote execution vulnerability has been found in iOS's PDF rendering, and I imagine it shares a ton of code with OS X's version.

MrMoo
Sep 14, 2000


I would hedge that Chrome's PDF viewer has more eyes on the security front.

jarito
Aug 26, 2003



MrMoo posted:

I would hedge that Chrome's PDF viewer has more eyes on the security front.

It's also sandboxed away from anything which provides some benefits, although I think the sandbox was breached recently in Pwn2Own or some other contest.

Ender.uNF
Sep 28, 2001
Lowtax giveth, and Lowtax taketh away.

The video is four parts and somewhat annoying to watch because the presenter is obviously an inexperienced public speaker but I suggest you watch it anyway. PDF is seriously a horror. At least as bad as PHP.

GrumpyDoctor
Jan 25, 2005

Trust me. I'm a doctor. An ANGRY doctor.

This guy isn't a programmer so I'm not so much lamenting his incompetence as making a face:
code:
public void DoNotPrint()
{
    bDoNotPrint = true;
}

public bool Print()
{
    return !bDoNotPrint;
}

Optimus Prime Ribs
Jul 25, 2007



Well I got tasked with figuring out how code (which was written by a guy who doesn't work here anymore) works.
This is what some of it looks like (formatting preserved):

code:
var slide_contents = param.split("&&");
		
			
			
			if(slide_contents[0].indexOf('/photo/') > -1){

			 if( slide_contents[0].indexOf('.php') == -1 && slide_contents[0].indexOf('.swf') == -1){
				  window.parent.document.getElementById('photoContainer').innerHTML = "<img src='" + slide_contents[0] + "'>";
			 }
			 else{
				  window.parent.document.getElementById('photoContainer').innerHTML = "<iframe frameborder='0' scrolling='auto' width='400' height='300' name='slideframe' id='slideframe' src='" + slide_contents[0] + "' marginheight='0' marginwidth='0'></iframe>";
			 }
			}
      else{
				if( slide_contents[0].indexOf('.php') == -1 && slide_contents[0].indexOf('.swf') == -1){
				  window.parent.document.getElementById('slidesContainer').innerHTML = "<img src='" + slide_contents[0] + "'>";
				  document.getElementById('checkpoints_div').innerHTML = "<iframe src='update_checkpoints.php?url=" + slide_contents[0] + "' width='0' height='0'></iframe>";			   
        }
			 else{
				window.parent.document.getElementById('slidesContainer').innerHTML = "<iframe frameborder='0' scrolling='auto' width='600' height='450' name='slideframe' id='slideframe' src='" + slide_contents[0] + "' marginheight='0' marginwidth='0'></iframe>";
			 }
			}
And yep, this is all running in an iframe, modifying HTML elements in its parent window.
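
The slide loader quoted above takes `slide_contents[0]` from a caller-supplied `param` and splices it straight into `innerHTML` (as an `<img>` or `<iframe>` attribute) and into the `update_checkpoints.php?url=` query string. The following is an added example, not code from the original post or its author: `renderSlideUnsafe` reproduces the string-building so the breakout can be seen, and `isSafeSlidePath`, `renderSlideSafe` and `checkpointUrl` are hypothetical hardened replacements. `fakeDocument` stands in for the browser's `document` so the file runs under Node; the payloads are constructed for the example.

```javascript
// Added example, not code from the original post. The slide loader quoted
// above concatenates slide_contents[0] (taken from a caller-supplied param)
// into innerHTML and into an iframe src, so whoever controls that param
// controls markup in the parent window. renderSlideUnsafe reproduces that
// string-building; isSafeSlidePath, renderSlideSafe and checkpointUrl are
// hypothetical hardened replacements. fakeDocument stands in for the
// browser's document so this runs under Node.

// The vulnerable pattern, reduced to a string builder (same .php/.swf test).
function renderSlideUnsafe(param) {
  const slide = String(param).split("&&")[0];
  if (slide.indexOf(".php") === -1 && slide.indexOf(".swf") === -1) {
    return "<img src='" + slide + "'>";
  }
  return "<iframe src='" + slide + "'></iframe>";
}

// Hardened input check: a relative, same-origin path with an image extension.
// No scheme (blocks javascript: and protocol-relative //host), no traversal,
// and no characters that could end an attribute or a tag.
const ALLOWED_EXT = /\.(png|jpe?g|gif)$/i;

function isSafeSlidePath(slide) {
  if (typeof slide !== "string" || slide.length === 0 || slide.length > 512) return false;
  if (!/^\/[A-Za-z0-9_\-./]+$/.test(slide)) return false;
  if (slide.includes("..") || slide.includes("//")) return false;
  return ALLOWED_EXT.test(slide);
}

// Hardened render: build a node and set src as an attribute value, so the
// input is never parsed as markup. Returns null (renders nothing) when the
// path fails validation.
function renderSlideSafe(param, doc) {
  const slide = String(param).split("&&")[0];
  if (!isSafeSlidePath(slide)) return null;
  const img = doc.createElement("img");
  img.setAttribute("src", slide);
  return img;
}

// The post also splices the raw path into a query string for
// update_checkpoints.php; encode it so '&', '#' or '?' in the value cannot
// add or clobber parameters.
function checkpointUrl(slide) {
  return "update_checkpoints.php?url=" + encodeURIComponent(slide);
}

// Minimal stand-in for document.createElement so the example runs in Node.
const fakeDocument = {
  createElement(tagName) {
    const attrs = {};
    return {
      tagName,
      setAttribute: (name, value) => { attrs[name] = String(value); },
      getAttribute: (name) => attrs[name],
    };
  },
};

// Constructed payloads. The first carries neither ".php" nor ".swf", so the
// original code treats it as an image path and the quote closes src; the
// second deliberately ends in ".swf" so it lands in the iframe branch as a
// javascript: URL.
const PAYLOADS = [
  "/photo/x' onerror='alert(1)",
  "javascript:alert(1)//.swf",
];

// Runs every payload through both versions; returns the results rather than
// printing them so the comparison can be checked programmatically.
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    unsafe: renderSlideUnsafe(p),
    safe: renderSlideSafe(p, fakeDocument),
  }));
}
```

In a real page `renderSlideSafe` would be handed `window.parent.document` and the returned node appended with `replaceChildren`; the point is that validation happens on the path and the value only ever travels through `setAttribute`, never through string concatenation into markup.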

Gazpacho
Jun 18, 2004



Yeah yeah, misindented code. Worked on some for four years, then later worked in a job where the offshore devs regularly sent misindented code for review and refused to correct it to standards. Cry me a river and go learn Python you baby.

Zamujasa
Oct 27, 2010

Link, some day you will leave this island...
I just know it in my heart...
Please, just don't ever forget this song... or me...


I just run all of that crap through a code formatter. If the formatter ends up breaking something it was honestly probably broken before, too.

I'm not sure if misindented code is worse than outright not indented code, though. One is just lame, the other is outright malicious sometimes.

hobbesmaster
Jan 28, 2008

We are Legion, a terminal of the Geth.


Gazpacho posted:

Yeah yeah, misindented code. Worked on some for four years, then later worked in a job where the offshore devs regularly sent misindented code for review and refused to correct it to standards. Cry me a river and go learn Python you baby.

I swear sometimes someone installed an indentation mangler as an svn hook on my server or something.

I once went to another coworker kinda annoyed at what he committed... looked perfect on his computer. Probably somehow set it to spaces instead of tabs or something but it was a real

Hmm... thinking about it... a whitespace mangler script as a svn hook would be one hell of a prank.

qntm
Jun 17, 2009


The real horror is that this is still an issue, anywhere. Every text editor should automatically format code the way you want to look at it. File comparison wossnames should use the formatting you want to see. It should be a solved problem by now.

Zombywuf
Mar 29, 2008



qntm posted:

The real horror is that this is still an issue, anywhere. Every text editor should automatically format code the way you want to look at it. File comparison wossnames should use the formatting you want to see. It should be a solved problem by now.

The hard part is what format do you save it as?

Sinestro
Oct 31, 2010

WOULD YOU LIKE TASTY
GELATIN INFANT?


Zombywuf posted:

The hard part is what format do you save it as?

It doesn't matter, as long as it's readable from cat. v v

Zombywuf
Mar 29, 2008



Sinestro posted:

It doesn't matter, as long as it's readable from cat. v v

And doesn't make every commit the size of your whole codebase.

SlightlyMadman
Jan 14, 2005



Gazpacho posted:

Yeah yeah, misindented code. Worked on some for four years, then later worked in a job where the offshore devs regularly sent misindented code for review and refused to correct it to standards. Cry me a river and go learn Python you baby.

At my last job, the CTO had the most horribly formatted code I'd ever seen in my life. I ended up using python for as much of my new development as I possibly could, just to avoid him going in and mangling my code. He tried to mess with it a few times but he could never get anything to compile so we just reverted his changes. He was also a terrible programmer, so this was quite a blessing.

What about an svn hook that runs a whitespace formatter, and if it passed some threshold of changes, rejected the commit. In my experience, anyone who can't think straight enough to format their whitespace has other problems too.

trex eaterofcadrs
Jun 17, 2005
My lack of understanding is only exceeded by my lack of concern.

Zombywuf posted:

The hard part is what format do you save it as?

There's always Victor's "save it as an AST... somehow" solution.

Plorkyeran
Mar 21, 2007

Plorky Pig, let's get that Maria+Holic typesetting done yeah? You're starting to develop the reputation of lazy and slow, so amend that for your own sake


Save the AST as sexprs.

trex eaterofcadrs
Jun 17, 2005
My lack of understanding is only exceeded by my lack of concern.

Plorkyeran posted:

Save the AST as sexprs.

Skip the middle man and just write lisp

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell


SlightlyMadman posted:

At my last job, the CTO had the most horribly formatted code I'd ever seen in my life. I ended up using python for as much of my new development as I possibly could, just to avoid him going in and mangling my code. He tried to mess with it a few times but he could never get anything to compile so we just reverted his changes. He was also a terrible programmer, so this was quite a blessing.

What about an svn hook that runs a whitespace formatter, and if it passed some threshold of changes, rejected the commit. In my experience, anyone who can't think straight enough to format their whitespace has other problems too.

I've never worked anywhere with a CTO, but it seems odd that one would be writing code.

SlightlyMadman
Jan 14, 2005



Thermopyle posted:

I've never worked anywhere with a CTO, but it seems odd that one would be writing code.

It was a small company, and they gave many of the senior employees "officer" or "director" titles when they couldn't afford to give us raises. If that sounds screwed up and like they didn't know how to run a business, it's only the tip of the iceberg.

Ithaqua
Jul 18, 2003

Only in Kenya.

Thermopyle posted:

I've never worked anywhere with a CTO, but it seems odd that one would be writing code.

Depends on the team size. I worked at a place with a team of 5 and a CTO. He called himself the "CTO of Sealand", and he wrote badass code but also had 15 years of experience in managing teams and architecting software.

He also didn't code in every sprint; he would usually come in when we were swamped and decimate a big task in a day.

Ithaqua fucked around with this message at May 9, 2012 around 14:03

Zombywuf
Mar 29, 2008



Plorkyeran posted:

Save the AST as sexprs.

Polish notation with tokens separated by newlines would make for better diffing.

Plorkyeran
Mar 21, 2007

Plorky Pig, let's get that Maria+Holic typesetting done yeah? You're starting to develop the reputation of lazy and slow, so amend that for your own sake


sexprs are just polish notation with support for variable arity, which most languages' ASTs will require

Contero
Mar 28, 2004



trex eaterofcadrs posted:

Skip the middle man and just write lisp

Forgive me for my misplaced rage here, this hits a little close to home.

People who say this drive me up the wall.

It's either "None shall borrow language features from lisp without accepting our lord and savior Paul Graham into your heart" or "If you're going to manipulate your code at the AST level in any conceivable way you might as well just switch to lisp since it's a perfect language "

I'm amazed that popular languages even have lambdas and closures the way lisp weenies are so possessive of anything remotely related to their language of choice. Maybe in another 20 years mainstream languages will have real, actual macros.

horse mans
May 11, 2011

voices in winter


Contero posted:

Forgive me for my misplaced rage here, this hits a little close to home.

People who say this drive me up the wall.

It's either "None shall borrow language features from lisp without accepting our lord and savior Paul Graham into your heart" or "If you're going to manipulate your code at the AST level in any conceivable way you might as well just switch to lisp since it's a perfect language "

I'm amazed that popular languages even have lambdas and closures the way lisp weenies are so possessive of anything remotely related to their language of choice. Maybe in another 20 years mainstream languages will have real, actual macros.

I've never heard anyone in the Lisp community say either of those things, and I can't name a single person who considers Paul Graham a Lisp figurehead. Maybe you have an aphasia?

Zamujasa
Oct 27, 2010

Link, some day you will leave this island...
I just know it in my heart...
Please, just don't ever forget this song... or me...


Hmm, the development version of our mobile site isn't working properly. Maybe it's just an issue with XSS because we probably have some hardcoded stuff in there and this domain wasn't ever used before.

(several minutes of aggravated tweaking and fixing later, including disabling a forced redirect if you aren't using a mobile browser among other 'features')

OK, let's open the Net panel and see what kind of crazy AJAX poo poo we're pulling he--
code:
https://.../ourapi/...&user=notme&pass=notmine


code:
...
user = 'notme';
pass = 'notmine';
apiurl = 'https://<?= $_SERVER['HTTP_HOST']; ?>/ourapi/...&user=' + user ...
...




(On the "bright side" at least the "API" uses SESSION variables but auugh)



E: Oh, and every AJAX request is its very own little block of AJAX-For-Dummies copy-pasted code instead of something simple like $.get("url"). (and yes, jQuery is included in the page, so this is all patently loving absurd.)


E: This just keeps getting better. Debugging it with Firebug and oh boy oh boy, this is the page that keeps on giving. Apparently he tried to hard-wrap his lines in vi and that broke a whole bunch of Javascript stuff that may have never worked in the first place.

Zamujasa fucked around with this message at May 9, 2012 around 17:44

Contero
Mar 28, 2004



Fren posted:

I've never heard anyone in the Lisp community say either of those things, and I can't name a single person who considers Paul Graham a Lisp figurehead. Maybe you have an aphasia?

Again, forgive my misplaced and probably unjustified sperging out

Doctor w-rw-rw-
Jun 24, 2008


Zamujasa posted:

code:
https://.../ourapi/...&user=notme&pass=notmine


code:
...
user = 'notme';
pass = 'notmine';
apiurl = 'https://<?= $_SERVER['HTTP_HOST']; ?>/ourapi/...&user=' + user ...
...

To be fair, this isn't a risk on the wire, because SSL wraps the entire HTTP request (ever notice why virtual hosting on SSL is a nightmare? It's not possible on Apache without SNI extensions to TLS, since the Host: header is sent inside the SSL connection, not outside).

That said, exchanging a password for an authentication token is a better idea, and including the password in the GET request means that it could show up in logs, so it's still a bad practice, but it's not a gaping security hole that poses a clear and present danger. Just a dangerous practice if you ever get compromised to the point that someone's sniffing internal server traffic or reading server logs.

On second thought, I bet the real security hole there could be HTTP_HOST. If the server serving it serves the page even if the Host: header is nonsense, I wonder if sending the request directly to the right ip but with "Host: http://www.maliciousdomain.com" might redirect it. I don't have enough faith in PHP to assume that such a boneheaded case would be protected against.
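
Two of the points raised above, the API URL built from `$_SERVER['HTTP_HOST']` and the password carried in a GET query string, can be shown side by side. This is an added example written for this thread, not code from the original post, the site being discussed, or its author; the Host header stands in for `HTTP_HOST`, and `CANONICAL_HOSTS`, `buildApiUrlFromHostHeader`, `requestLine`, `resolveHost` and `buildApiRequest` are hypothetical names. The hardened builder still assumes `user` and `pass` come from the user's own login form, not from constants in the page.

```javascript
// Added example, not code from the original thread. It models two points
// from the post above: apiurl built from $_SERVER['HTTP_HOST'] (here, the
// request's Host header) and the password carried in a GET query string.
// CANONICAL_HOSTS, buildApiUrlFromHostHeader, requestLine, resolveHost and
// buildApiRequest are hypothetical names chosen for the example.

// Assumed deployment config: the only names this app is ever served under.
const CANONICAL_HOSTS = new Set(["app.example.com", "m.example.com"]);

// Mirrors the PHP template: whatever Host: the client sent becomes the
// origin the browser will send the credentials to.
function buildApiUrlFromHostHeader(headers, user, pass) {
  return "https://" + headers.host + "/ourapi/login" +
    "?user=" + encodeURIComponent(user) + "&pass=" + encodeURIComponent(pass);
}

// The request line is what common/combined access-log formats record, so a
// GET with pass= in the query string lands in every log along the path even
// though TLS hides it on the wire.
function requestLine(method, url) {
  const u = new URL(url);
  return method + " " + u.pathname + u.search + " HTTP/1.1";
}

// Hardened: the Host header may only select among configured names, is
// normalised (case, port) before comparison, and is otherwise rejected
// rather than echoed back into a URL.
function resolveHost(headers) {
  const raw = String(headers.host || "").toLowerCase().split(":")[0];
  return CANONICAL_HOSTS.has(raw) ? raw : null;
}

// Hardened request builder: credentials never enter the URL. The login is a
// POST whose body carries the password once; after that the session (which
// the post says the API already checks) is the credential. Returns null when
// the Host header is not one of ours.
function buildApiRequest(headers, user, pass) {
  const host = resolveHost(headers);
  if (host === null) return null;
  return {
    method: "POST",
    url: "https://" + host + "/ourapi/login",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ user, pass }).toString(),
  };
}
```

With the original construction, a request that reaches the right IP with `Host: attacker.example` yields a page whose `apiurl` points at the attacker's origin, and the request line the server logs already contains `pass=`. With `resolveHost` the same request is refused outright, and the POST form leaves nothing but `POST /ourapi/login HTTP/1.1` in the access log.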

Zamujasa
Oct 27, 2010

Link, some day you will leave this island...
I just know it in my heart...
Please, just don't ever forget this song... or me...


Doctor w-rw-rw- posted:

To be fair, this isn't a risk on the wire

I guess the "notme" and "notmine" entries didn't make it obvious, but those are... well, not my username and not my password. They were another user's, hardcoded in the file.

trex eaterofcadrs
Jun 17, 2005
My lack of understanding is only exceeded by my lack of concern.

Contero posted:

Again, forgive my misplaced and probably unjustified sperging out

Man you got real mad at a joke.

Nipplebox
Jan 12, 2009



Fren posted:

I've never heard anyone in the Lisp community say either of those things, and I can't name a single person who considers Paul Graham a Lisp figurehead. Maybe you have an aphasia?

It's not as if there isn't a known "heh, finally caught up to Lisp" attitude out there. Happens to any marginalized community.

shrughes
Oct 11, 2008

(call/cc call/cc)


The real human horror is caring about ASTs and "smart" diffs and wanting smart text editors. These people are complicationists who are culturally biased towards ideas that make them feel smarter.

For the record, I am not joking.

Diff tools do not need to know about ASTs because they work perfectly fine without them and much more predictably without them. Text editors do not need to be AST-editors instead of text editors because that rips up line numbers and again makes things complicated. You end up never knowing what format your code is really in, and that has side effects like making it much harder to write ad-hoc perl scripts to help with large renamings or refactorings. That's not the only side effect, you surely get others because you decided to make things complicated instead of keeping them simple.

Opinion Haver
Apr 9, 2007



Look, I just want to know why we've been writing text using the same 26 letters for hundreds of years. Isn't it time we started using something more English 2.0?

pigdog
Apr 23, 2004


Speak for yourself, using languages other than English with computers used to be a lot bigger pain in the rear end.

pseudorandom name
May 6, 2007
INSOLENT


yaoi prophet posted:

Look, I just want to know why we've been writing text using the same 26 letters for hundreds of years. Isn't it time we started using something more English 2.0?

Bring back and !

HappyHippo
Nov 19, 2003
Do you have an Air Miles Card?

Toady posted:

It's not as if there isn't a known "heh, finally caught up to Lisp" attitude out there. Happens to any marginalized community.

"Any sufficiently complicated C or Fortran program contains an ad hoc, informally-specified, bug-ridden, slow implementation of half of Common Lisp."

Nipplebox
Jan 12, 2009



HappyHippo posted:

"Any sufficiently complicated C or Fortran program contains an ad hoc, informally-specified, bug-ridden, slow implementation of half of Common Lisp."

"...including Common Lisp."


Internet Janitor
May 17, 2008

"That isn't the appropriate trash receptacle."


HappyHippo posted:

"Any sufficiently complicated C or Fortran program contains an ad hoc, informally-specified, bug-ridden, slow implementation of half of Common Lisp."

No joke, I once unknowingly got into an argument with that guy about the need for progress in systems programming languages.
