iamthexander posted: How would a remote attacker know enough about the data schema to create a UNION query and copy the shell to that location?
I remember 8 or 9 years ago I ran a web server that I let other folks use. One guy I lent web space to created a "templating engine" where their URLs were all stuff along the lines of: code:
I stupidly forgot to turn off allow_url_fopen in the PHP install, which was enabled by default. So an attacker just had to hit code:
Thankfully this "feature" is no longer enabled by default in PHP. In PHP5 they split the access controls out for fopen() and include(), so under the default configuration, you can fopen() a URL but you cannot include() a URL.
kitten smoothie fucked around with this message at 21:30 on Jan 2, 2012
# ¿ Jan 2, 2012 21:25 |
# ¿ Apr 28, 2024 14:52 |
moynar posted: Timezones, weekdays, leap years and clocks are real life horrors.
Ugh, corner cases. In a past life I worked for a company that sold time & attendance and payroll systems. Dealing with a particularly prickly DST problem was one of the catalysts for me to quit that job.
# ¿ Jan 7, 2012 09:39 |
qntm posted: Are none of you aware that there is a single, centrally-maintained time zone database which handles all of those things?
On one consulting assignment I ended up having to reconcile the following:
- a timeclock/payroll system which relies on Java's time calculations, which relies upon these databases (e.g. you punched in at 10p and out at 6a on "spring forward" day, so translating to UTC offsets and subtracting end from start, you worked 7 hours). The system was built on the fairly reliable assumption that people are to be paid for the time they worked.
- A union contract that says people should not be paid based on common sense, and if they work across DST changeovers then they get paid "by the clock." So 10p-6a means they get 8 hours pay, period. So they gain a free hour pay on forward day and get screwed an hour on backward day.
- This corner case affected maybe 10 of 10,000 employees, so it could be handled by manual adjustment, and that's how they dealt with it in their previous system. But this client was willing to have us burn tens of thousands of dollars in consulting time to try to automate it. We gave tons of pushback on it because there was no ROI on that spending, and finally they saw it our way after having to have it personally approved by the CFO.
I quit that job 3 years ago and went into biotech. Dealing with time is a pain in the rear end. Curing cancer is way easier.
kitten smoothie fucked around with this message at 18:51 on Jan 7, 2012
# ¿ Jan 7, 2012 18:48 |
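An added worked example, not code from the post or from any payroll product: plain Ruby with no tz database, using a hand-coded US Eastern DST rule (an assumption of this example) to count the 10p-6a shift both ways, elapsed time via UTC and "by the clock".

```ruby
# Added example: counts a shift two ways across a US DST changeover.
# The US Eastern rule below (second Sunday of March to first Sunday of
# November, changing at 02:00 local) is hand-coded for the example
# instead of coming from a tz database.

# UTC instants at which Eastern time leaves and re-enters standard time.
def us_eastern_dst_range(year)
  march_first = Time.utc(year, 3, 1)
  second_sunday = 1 + (7 - march_first.wday) % 7 + 7
  nov_first = Time.utc(year, 11, 1)
  first_sunday = 1 + (7 - nov_first.wday) % 7
  # 02:00 EST is 07:00 UTC; 02:00 EDT is 06:00 UTC.
  [Time.utc(year, 3, second_sunday, 7), Time.utc(year, 11, first_sunday, 6)]
end

# Convert a wall-clock reading [year, month, day, hour, min] to a UTC instant.
def wall_clock_to_utc(parts)
  dst_start, dst_end = us_eastern_dst_range(parts[0])
  naive = Time.utc(*parts)     # same digits, read as if they were UTC
  as_edt = naive + 4 * 3600    # if the clock was showing UTC-4
  as_est = naive + 5 * 3600    # if the clock was showing UTC-5
  in_dst = ->(t) { t >= dst_start && t < dst_end }
  # A fall-back hour that exists twice is taken as its first (EDT) occurrence.
  return as_edt if in_dst.call(as_edt)
  # Only the skipped spring-forward hour lands here: the clock never showed it.
  raise ArgumentError, "wall-clock time #{parts.inspect} does not exist" if in_dst.call(as_est)
  as_est
end

# What the Java-backed system computed: real elapsed time.
def elapsed_hours(punch_in, punch_out)
  (wall_clock_to_utc(punch_out) - wall_clock_to_utc(punch_in)) / 3600.0
end

# What the union contract demands: the difference between the two clock readings.
def by_the_clock_hours(punch_in, punch_out)
  (Time.utc(*punch_out) - Time.utc(*punch_in)) / 3600.0
end

# Constructed shifts: 10pm-6am over the 2012 spring-forward and fall-back nights.
SPRING = [[2012, 3, 10, 22, 0], [2012, 3, 11, 6, 0]].freeze
FALL   = [[2012, 11, 3, 22, 0], [2012, 11, 4, 6, 0]].freeze

if __FILE__ == $PROGRAM_NAME
  puts "spring: elapsed #{elapsed_hours(*SPRING)}h, by the clock #{by_the_clock_hours(*SPRING)}h"
  puts "fall:   elapsed #{elapsed_hours(*FALL)}h, by the clock #{by_the_clock_hours(*FALL)}h"
end
```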
Haystack posted: So looking into it, that attack happened/was possible because Rails developers (including Github!) have a habit of stuffing data directly from HTTP params into Rails's ORM without validation. That's insane. Imagine code like this (which is probably all over various Rails apps) code:
You are supposed to define "attr_accessible" in your models to whitelist what attributes are allowed to be updated in this mass-assignment manner. It seems like perhaps attr_accessible should default to an empty list so that nothing could accidentally be stomped on in this way?
# ¿ Mar 4, 2012 22:57 |
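An added illustration, not code from the thread or from Rails: a minimal stand-in for Rails-style mass assignment, with hypothetical `Record`, `attr_accessible` and `update_attributes` that mimic the shape of the API rather than calling the real framework, contrasting an allow-everything default with the empty-list default suggested above.

```ruby
# Added example: a toy model base class that mimics Rails mass assignment.
# Record, attr_accessible and update_attributes here are hypothetical
# stand-ins, not Rails' real implementation.
class Record
  class << self
    attr_reader :accessible

    # Whitelist the attributes a mass assignment may write.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
  end

  attr_reader :attrs, :rejected

  def initialize(attrs)
    @attrs = attrs.dup
    @rejected = []
  end

  # Writes params into the record. When the model declared no whitelist,
  # `default` decides what happens: :allow_all mimics the old behaviour the
  # post complains about; :deny_all is the safer empty-list default.
  def update_attributes(params, default: :allow_all)
    allowed = self.class.accessible
    allowed = (default == :allow_all ? params.keys.map(&:to_s) : []) if allowed.nil?
    params.each do |key, value|
      key = key.to_s
      if allowed.include?(key)
        @attrs[key] = value
      else
        @rejected << key   # logged rather than written; worth alerting on
      end
    end
    self
  end
end

class UnprotectedUser < Record; end   # no attr_accessible declared at all

class User < Record
  attr_accessible :name, :email       # admin is deliberately not listed
end

# Constructed request params: a normal profile edit with an extra key smuggled in.
PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

def legacy_outcome
  UnprotectedUser.new("name" => "old", "admin" => false).update_attributes(PARAMS)
end

def safe_default_outcome
  UnprotectedUser.new("name" => "old", "admin" => false).update_attributes(PARAMS, default: :deny_all)
end

def whitelisted_outcome
  User.new("name" => "old", "admin" => false).update_attributes(PARAMS)
end
```

With the legacy default the smuggled `admin` key lands in the record; with either the empty-list default or an explicit whitelist it is dropped and recorded in `rejected`.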
Of all the questionable figures in open source software history, Stallman eating his own toejam seems like one of the harmless bits. It's not like he killed his wife or anything.
# ¿ Mar 21, 2012 22:27 |
God of Mischief posted: I totally forgot about the -m flag until it was brought up in here. Even when I do only need a one-line comment about the commit, I just let it open the text editor because why the gently caress not? It gives me another overview of the files I'm committing and gives me a moment to back out in case of "oh gently caress I forgot to run tests/change another related class/stage another file" (happens quite a bit). quote: git commit -a. My other team members seem to love it quite a bit and I end up asking them "why is this file here it has nothing to do with your commit message WHAT ARE YOU DOING".
My colleagues don't seem to care either way and most seem to use -a. I stopped when I went through my commit histories on a side project and wondered if I was making drunken commits because why were these other files winding up here.
# ¿ Jan 18, 2013 04:20 |
tef posted: http://nsaunders.wordpress.com/2012/10/22/gene-name-errors-and-excel-lessons-not-learned/
Somewhat topical: http://madhadron.com/?p=263 Do we have a bioinformatics thread in these here parts? We should.
# ¿ Jan 28, 2013 05:24 |
See also: the HTTP verb parser in nginx.
# ¿ Jan 29, 2013 18:33 |
pigdog posted: What could possibly go wrong with a presumption like that?
"Everything's A Dollar" store acquired by "Everything's A Grand," database conversion claims six lives
# ¿ Feb 2, 2013 18:15 |
I used to work on a team where my coworkers would try to take us all to eat at a place where the menu is in hieroglyphics, but understanding it is moot because no matter what you order, the food is spoiled.
# ¿ Feb 6, 2013 04:24 |
To be fair, around here if you fail to read FAQs and community guidelines you are very likely to earn a badge of some sort
edit: anyone have a link to the yospos thread?
kitten smoothie fucked around with this message at 15:25 on Feb 6, 2013
# ¿ Feb 6, 2013 15:18 |
What's the best alternative to HN, at least where I can find the few gems of good knowledge without the useless startup circlejerk?
# ¿ Feb 10, 2013 18:47 |
pseudorandom name posted: Is there a site like /r/programming except "Check out this amazing C feature!" with a link to the atexit() man page doesn't get 300 upvotes?
I'm happily willing to accept that, as it's still far preferable to poo poo like this ("I am a minimalist! I get my shirts tailored! I buy Apple!") or the 374th Aaron Swartz related article.
# ¿ Feb 11, 2013 16:24 |
So the assignments instead of equality tests notwithstanding, either they're not using strict mode, or they named a sub "z" elsewhere and so it didn't barf on "!z" when they meant "!$z." I am assuming the former but everything else in there makes me think the latter isn't out of the question either
# ¿ Mar 7, 2013 06:18 |
Zhentar posted: in MUMPS, e if is a syntactically valid else if (although the style is a bit unusual).
I haven't written in MUMPS but from what I've seen of it, everything looks a bit unusual.
# ¿ Mar 8, 2013 17:09 |
My first thought: "What's wrong with an array implementation? It's even in the CLR book." My second thought: "Oh."
# ¿ Mar 9, 2013 17:58 |
Germane to the discussion of funky unicode (and sorry for the HN link)
# ¿ Mar 19, 2013 04:31 |
Optimus Prime Ribs posted: It seems like there's not a single person working on the Ouya who actually knows what they're doing.
I love the comment on that post from one of the Ouya guys, that basically reads "we're too busy prematurely 'unveiling' this console to process a refund on your credit card due to our goof, why don't you wait a few weeks to get money back that we shouldn't have taken from you."
# ¿ Mar 27, 2013 18:50 |
Scaramouche posted:
Assuming of course that the purpose of the function is the same and it is just using different criteria to Get A Thing given the data type passed in.
# ¿ Mar 29, 2013 19:19 |
the talent deficit posted: Macports and fink legitimately destroy systems. Homebrew is better, but only because it does less. I do all my development now on 'disposable' vms. Vagrant helps
This. Once you can checkin your project's entire environment config into git along with the source code and can stupidly easily spin up a VM with all your dependencies, it's amazingly liberating. I decided to wipe & reinstall my Mac when I got an SSD and it surprised me how much I really needed to "back up" anymore, really just my photos and music. My development work is all in Github or Bitbucket and I can quickly clone it and be back off to the races with a "vagrant up."
# ¿ Apr 17, 2013 19:29 |
Suspicious Dish posted: git is pretty nice tech, but I wish the tools were more consistent.
Yep, this stuff is a little annoying. http://stevelosh.com/blog/2013/04/git-koans/ quote: “How can I view a list of all tags?”
# ¿ Apr 20, 2013 04:20 |
Mogomra posted: I had to do that once. They had me take a personality test and an IQ test
I have to imagine that a bona fide IQ test administered by a licensed psychologist is prohibitively expensive to use as a general employment screening tool.
# ¿ May 6, 2013 21:37 |
Lysidas posted: (emphasis mine)
I am actually really surprised by how cordial the other list members are being when responding to this person; I expected them to just rip the guy to shreds but they're actually making some reasonable effort to help him and not look like absolute dicks. Good on them. But they're still finding very clever ways to make fun of the dude. Case in point, from down-thread:
quote: > > For Below issue , O/S is Windows7.
Good lord, did I hate when my clients did this when I was in consulting.
# ¿ Jun 17, 2013 16:17 |
Strong Sauce posted: FYI for others wondering, this is on a mailing-list. An archive of it is here although I don't know if it's complete.
Here's a link to the whole thread. Sorry for not including it when I started quoting other messages. http://thread.gmane.org/gmane.comp.version-control.git/228065
# ¿ Jun 17, 2013 16:49 |
Aleksei Vasiliev posted: This is horrifying but also justified?
This reminds me of the story of AOL using a buffer overflow in their own AIM software as a means to identify unofficial clients and kick them off. http://www.geoffchappell.com/notes/security/aim/index.htm
# ¿ Jun 25, 2013 01:40 |
Munkeymon posted: I think https://bugzilla.mozilla.org/show_bug.cgi?id=238041 deserves the same treatment.
Things which have happened during the timeframe that this bug has been open
- We have seen two Papal elections, three Presidential elections, and four new members of the Supreme Court
- The Red Sox broke their curse
- Hurricanes Katrina and Sandy
- The Space Shuttle program was reinstated, and then terminated
- The iPhone (hell, six iPhones)
- Steve Jobs came out that he had cancer, had surgery, had more surgery several years later, then died
- Duke Nukem Forever shipped
# ¿ Jul 1, 2013 21:36 |
seiken posted: LoseThos is now TempleOS and has an incredible video on the front page.
His HN post history is pretty great too, although you'll need to be logged in and have showdead turned on to see it because he's obviously been hellbanned over there. https://news.ycombinator.com/threads?id=losethos
# ¿ Jul 3, 2013 19:05 |
Che Delilas posted: Is this where I ask about "EmployeeID" vs. "EmployeeId" vs. "Employee_ID" vs. "Employee_Id" vs. "Employee_id"?
pfft, everyone who's had to touch PeopleSoft knows it's EMPLID
# ¿ Jul 10, 2013 03:03 |
contrapants posted: Years ago in middle school, NetNanny was installed on all the computers at school. When we had to type reports up, we had to write a heading that included our name, subject, date, and title of the assignment.
Could've been worse, you could've had to write a paper on JFK and have to say he was "buttbuttinated" or else the filter would keep triggering on "rear end." http://en.wikipedia.org/wiki/Scunthorpe_problem
# ¿ Jul 25, 2013 14:29 |
I had to print out code listings in my intro courses (then again, it was the 90s). In spite of that being a course requirement, the graders occasionally liked to make passive aggressive remarks about wasting paper. The best was when you'd end up with one closing curly brace on the last page and nothing else. They'd usually fill up the empty space with a drawing of a very angry tree.
# ¿ Jul 26, 2013 05:33 |
KaneTW posted: It's intended to make the student count drop down to 75 or whatever.
Yeah, primarily he's trying to weed people out, and I guess maybe he's trying to make a statement of protest about the university not being able to provide sufficient TAs (I assume they don't have the budget to do so, because at a university as big as Berkeley you should be able to find plenty of willing and qualified victims so long as you can pay them). Part of me wonders if once the student count drops below his crisis threshold, he'd say "hey folks, thanks for sticking this out, now let's have some fun" and start treating the students like the adults they are.
# ¿ Aug 30, 2013 14:06 |
it is posted: The real reason you make little commits all the time is that it minimizes the amount of time your code differs from master
This. I got burned once and now I do my work on a branch that I do lots of little commits on and rebase from master every morning. Never again do I want to spend a whole day resolving merge conflicts.
# ¿ Sep 9, 2013 14:51 |
HFX posted: I use little commits and lots of topic branches for the following reasons:
I forgot about this. If you just make one big rear end commit at the end of the day labeled "new feature lol" that touches a dozen files, then god help you when you need to find the one line that hosed up something completely unrelated.
# ¿ Sep 10, 2013 03:19 |
Ithaqua posted: lovely developers use that as a form of job security. "If it's hard to read and I'm the only person capable of maintaining the software, I can never be fired!"
Reminded me of a former colleague of mine who wrote stuff like that. He wrote intentionally obfuscated code and if he left comments at all they were useless ones on the order of code:
He never checked in any of the code to source control, nor used any of our standard build procedures. He was building it himself in his home directory and manually copying a bunch of jar files to the central app server. It would not even start up without making a single useless query to a MySQL server hosted on his workstation (in spite of pulling its actual data from our main Oracle DB). Also, while we had a default umask that made things at the very least group-readable (in case you got hit by a bus, or went on PTO for a month) he overrode that and turned off read permissions for anyone but him, so we had to open a helpdesk ticket to even be able to look at his code. I thought he'd get canned when this came to light, but nope, that was ten years ago and he still works there
# ¿ Sep 13, 2013 21:01 |
If you work in bioinformatics you are just going to have to deal with some Perl from time to time. That's just the way of the world. It was the lingua franca of the Human Genome Project and has stuck since then. Some newer popular analysis software is Python or Java based (Galaxy, GATK) but there is still tons of Perl code out there in the community.
# ¿ Sep 19, 2013 07:13 |
Yeah, my previous employer (a genomics lab) was actually a Perl shop, although we designed our stuff in the same way you'd write any modern software project, and we had unit tests, CI, and modern version control. Basically, we wrote Perl because that's what the analysts in the lab, downstream of our software, who wrote the academic papers used. That being said: every day that I don't have to write Perl anymore is a day that the sun is a little brighter, the grass is a little greener, and my kid smiles a little more than the day before.
# ¿ Sep 19, 2013 14:48 |
ManlyWeevil posted: And as far as Perl, I write it every day as the backend to some Web pages. The only thing that drives me nuts is that there is no debugger, and printing variables out isn't practical in all contexts. Oh, and piss poor (read: practically no) IDE support.
There totally is a Perl debugger, although it gets hairier if you're trying to remotely debug a script running on a server. ActiveState has some remote debugging hooks in Komodo IDE though so you can debug CGI or mod_perl, but that costs money. The downside to the Perl debugger is that the GUI to it is in TK, and it has this bug in the TK interaction where 10% of the time hitting "continue" will cause the thing to run away on you and ignore every breakpoint downstream.
# ¿ Sep 19, 2013 18:10 |
Monkeyseesaw posted: I'm coming around to the view that starting with OOP right out of the gate is a bad way to teach introductory programming. Seems more straightforward to introduce "data" and "operations on data" before jumping right into why you would want to combine the two for ~*abstraction*~.
The semester before I started college was the first one that the CS department decided to abandon their intro course based on SICP and instead just make you buy a Java in a Nutshell and learn OO. I really think I missed out.
# ¿ Oct 5, 2013 01:06 |
piratepilates posted: Now the Butt class has the functions poop and fart, now let's create a class that inherits from Butt -- the DiarrheaButt class...
Do not forget that Butt must be instantiated with a reference to a Colon, which implements the PoopFactory interface.
# ¿ Oct 5, 2013 23:00 |
My Rhythmic Crotch posted: This hits close to home. I worked on software systems for medical particle accelerators for about 5 years... and... yeah. The Therac malfunctions were always gnawing at the back of my mind. Our stuff was better than the Toyota ECU, but only just. I should make a thread about it sometime.
Please make that thread. I've always wondered about the software that drives things like medical accelerators and LASIK lasers, as to how that stuff is developed and vetted before it goes throwing potentially murderous or blinding energy at a human patient.
# ¿ Nov 1, 2013 01:46 |