|
It's kind of impressive the way people manage to write platform-specific Java code. The most recent example I can think of was someone assuming that C:\TEMP would always exist and would always be writable. ("But isn't there a Java API for creating temp files?" Why, yes! There is! And I'm fairly sure C:\TEMP stopped being the temp directory when Windows 95 was released!)
|
# ? Oct 30, 2014 23:29 |
HappyHippo posted:You're in luck. http://www.wolframalpha.com/input/?...6+c+%26%26+d%29 This is pretty neat.
|
# ? Oct 30, 2014 23:37 |
|
First thing this morning. Formatted for readability (imagine everything left aligned).

php:
    <?
    // a few PHP vars, an include...
    use _local\_data\somepath\DerpData;
    ?>
    <!-- 40 lines of unformatted HTML -->
    <ul class="derp-group">
    <?
    $arr_derps = array(
        new DerpData("Lorem.png","app=110000&loc=331")
        ,new DerpData("ipsum.png","app=110000&loc=332")
        ,new DerpData("dolor.png","app=110000&loc=333")
        ,new DerpData("sit.png","app=110000&loc=334")
        ,new DerpData("amet.png","app=110000&loc=442")
        ,new DerpData("consectetur.png","app=110000&loc=445")
        ,new DerpData("adipisicing.png","app=110000&loc=446")
        ,new DerpData("elit.png","app=110000&loc=447")
        ,new DerpData("Unde.png","app=110000&loc=440")
        ,new DerpData("amet.png","app=110000&loc=448")
    );
    $length = sizeof($arr_derps);
    for ($j = 0; $j < $length; $j++) {
        $ds = $arr_derps[$j];
    ?>
        <li class="derp-item">
            <a class="derp-liner" href="/derp/#!<?= $ds->href; ?>">
                <span class="derp-content">
                    <img src="/_img/derp-app/logos/<?= $ds->src; ?>" />
                </span>
            </a>
        </li>
    <? } ?>
    </ul>
    <!-- 80 more lines of unformatted HTML -->

(again, re-formatted for readability)

php:
    <?
    class DerpData {
        public $css;
        public $src;
        public $href;

        function __construct($src, $href = '#', $css = '') {
            $this->css = $css;
            $this->src = $src;
            $this->href = $href;
        }

        public function __destructor() {
            $this->css = NULL;
            $this->src = NULL;
            $this->href = NULL;
        }
    }
    ?>
|
# ? Oct 31, 2014 00:40 |
|
Found a controller in our application that is a general 'update table' API which takes in table name, column to update, update value, and where clause. There is no security on this other than you have to be logged in, and no restrictions on what table you can touch. Also, the SQL is not parameterized, so if you want to delete instead of update, good news! I pointed this out to my manager and there was basically no response (this is the true horror). Also found a page that works by maintaining a SQL string via post backs, executing whatever you send in, and will display the second column of whatever you selected in the UI. This is in order to use a convenience method for turning an ADODB record set to a select list, not because it needs anything from the database - literally SELECT 1, 'thing one' UNION SELECT 2, 'thing two' is the sort of SQL statement it builds. This was to build a shuttle box control - I replaced the whole awful thing with fifty lines of vanilla JavaScript. The thrills of being put on the security task team for a horribly written fifteen-year-old application. Definitely looking for a new job.
|
# ? Oct 31, 2014 12:48 |
|
YanniRotten posted:Found a controller in our application that is a general 'update table' API which takes in table name, column to update, update value, and where clause. There is no security on this other than you have to be logged in, and no restrictions on what table you can touch. Also, the SQL is not parameterized, so if you want to delete instead of update, good news! In one Classic ASP application I worked on, there was a page that lived on one of the web servers that had a big input box and a button labelled "SUBMIT". No one noticed it for years because it was one file among hundreds of others, and all of the original developers were long gone. It would just execute whatever query you typed in and display the results. This was public-facing and behind no security whatsoever, however it wasn't linked from any other pages.
|
# ? Oct 31, 2014 14:37 |
|
Your posts always make me feel happy about my PHP. One thing I don't like about other people is they think that this is acceptable: code:
|
# ? Oct 31, 2014 16:03 |
|
FamDav posted:why are you developing not in a VM of your prod environment. That's a horror for another thread though not a coding one but a process one.
|
# ? Oct 31, 2014 16:50 |
|
Westie posted:One thing I don't like about other people is they think that this is acceptable: I don't get it. Unless dostuff() is the same method and not doThis() doThat()? edit: Basically: code:
itskage fucked around with this message at 18:31 on Oct 31, 2014 |
# ? Oct 31, 2014 18:28 |
|
itskage posted:I don't get it. Unless is dostuff() the same method and not doThis() doThat()? yes that's the point it's repeated code
|
# ? Oct 31, 2014 19:34 |
|
KaneTW posted:yes that's the point it's repeated code I don't know if I see the problem here. How else would you suggest checking whether the evaluation of expression throws an exception?
|
# ? Oct 31, 2014 19:39 |
Newf posted:I don't know if I see the problem here. How else would you suggest checking whether the evaluation of expression throws an exception? code:
|
|
# ? Oct 31, 2014 19:40 |
More than likely the else had another condition or did something else but it was removed at some point.
|
|
# ? Oct 31, 2014 19:46 |
|
Ithaqua posted:In one Classic ASP application I worked on, there was a page that lived on one of the web servers that had a big input box and a button labelled "SUBMIT". No one noticed it for years because it was one file among hundreds of others, and all of the original developers were long gone. I have joked about adding this kind of feature to our application many times, since we might as well have it. It wouldn't introduce anything a determined attacker can't already do, it would just be more user friendly.
|
# ? Oct 31, 2014 20:18 |
|
Manslaughter posted:More than likely the else had another condition or did something else but it was removed at some point. I'd love for that to be true. That probably is the case, but I've seen times when that isn't the case.
|
# ? Oct 31, 2014 20:59 |
|
KaneTW posted:yes that's the point it's repeated code Okay, that's what I thought just wanted to double check because it's so blatantly obvious that I thought maybe I was wrong.
|
# ? Oct 31, 2014 22:53 |
|
YanniRotten posted:I have joked about adding this kind of feature to our application many times, since we might as well have it. It wouldn't introduce anything a determined attacker can't already do, it would just be more user friendly. I know you're being facetious, but I'll paraphrase something I read once: Deadbolts aren't there to keep out criminals, they're there to keep out honest people.
|
# ? Nov 1, 2014 20:33 |
|
Che Delilas posted:I know you're being facetious, but I'll paraphrase something I read once: Deadbolts aren't there to keep out criminals, they're there to keep out honest people. I understand that a pretty minimal level of application security is often 'good enough' for an enterprise application where your users are generally non-malicious, non-technical, and probably don't care at all about stealing or damaging data. However, this goes out the window when your company is trying to sell to security-minded clients, and somebody from sales loses their mind and allows them access to a demo system which they can scan for security issues. You then have to scramble to do whatever you possibly can to make their next scan come back as more favorable, and you probably wish you'd built your system with some minimal level of security. I ended up on the fix it squad for this kind of scenario - it is not fun! I think you absolutely have to secure your application to the extent that using social engineering to obtain an admin login becomes the most appealing attack vector. I'm not talking about encasing your house in thirty feet of concrete to prevent a thief from stealing your stuff - the bare minimum for a web application should be zero exposure to SQL and script injection. These aren't hard things to prevent, if you're thinking about them from day one, but they're an absolute horror to implement once you have hundreds of pages with inadequate protection, some of which fundamentally require SQL injection to function!
|
# ? Nov 1, 2014 22:18 |
|
YanniRotten posted:I understand that a pretty minimal level of application security is often 'good enough' for an enterprise application where your users are generally non-malicious, non-technical, and probably don't care at all about stealing or damaging data.
|
# ? Nov 1, 2014 22:50 |
There's really no way to prevent a Snowden type leak though that I'm aware of. At the end of the day there will always be someone with a set of keys and if the person with the keys wants to release the data... it's going to happen.
|
|
# ? Nov 1, 2014 23:03 |
|
YanniRotten posted:I understand that a pretty minimal level of application security is often 'good enough' for an enterprise application where your users are generally non-malicious, non-technical, and probably don't care at all about stealing or damaging data. I think you missed my point, which was not that a minimal level of security is good enough for some things. It was that a minimal level of security is still better than opening your door wide and asking people to please not go in. Obviously you were exaggerating to illustrate the fact that your product's security wasn't nearly good enough.
|
# ? Nov 2, 2014 01:03 |
|
down with slavery posted:There's really no way to prevent a Snowden type leak though that I'm aware of. At the end of the day there will always be someone with a set of keys and if the person with the keys wants to release the data... it's going to happen. There really is, though. A "Snowden-style" leak occurs when there are zero access controls and insufficient auditing oversight along with a courageous individual in a morally ambiguous environment and a commandment to not rock the gravy train, even though Manning did basically the same kind of thing a year before. You run the risk of having a disgruntled employee leak all of your information if you don't properly compartmentalize it. That's not even something we are talking about, though, or what your first concern should be. You should make sure that your application's publicly facing access doesn't have SQL injection or XSS vulnerabilities or other dumb stuff like that.
|
# ? Nov 2, 2014 02:00 |
|
NFX posted:MSDN: About Menus

USER resources are global to the current session, you absolutely can leak them (or even just overuse them) to the point applications won't launch anymore or will have weird glitches. There are KB articles on how to set up a bigger session heap if you keep running out, but it won't help when you outright run out of slots (there are fixed maximum counts of objects for every type, with an absolute hard limit of 2^16 due to the 16-bit identifiers). Luckily most user resources are tied to a process or thread and will clean up automatically on termination, but some are either supposed to be shared (like "global atoms", a session-global table of strings used to share things like window class names, custom event names, etc.) or have unclear ownership (like menus).

I think in Windows pre-Vista the only way to fix such a leak was to reboot, because user applications ran in the persistent session 0 (well, in Windows XP you could use fast user switching to start new sessions, and those would end on logout, but the first login would use session 0). Since Vista every time you log in you get a separate session, and session 0 is reserved for system processes and services, so a logout will suffice. This simplifies a lot of bookkeeping (there are like 4 or 5 different session tracking systems, all with slightly different lifetimes) and I wonder why they didn't do it before.

One interesting and terrifying fact about sessions: since there's a ton of Win32 code and state in kernel mode, too many concurrent sessions (like in a terminal server) would quickly run you out of kernel address space, which could be as little as 1 GB. What happens instead is that a region of kernel address space is context switched based on the current thread's process's session, like a process but in kernel mode.

NFX posted:That would be as crazy as causing BSODs by closing a program at the wrong time.

Well that's a bug. A nasty bug caused by an extremely tricky kernel API, to be fair, but just a bug. Though an older version of the memory locking API didn't think twice about BSODing instead of returning an error.

I could fill an entire coding horrors thread with stuff like this.
|
# ? Nov 3, 2014 12:30 |
|
YanniRotten posted:hundreds of pages with inadequate protection, some of which fundamentally require SQL injection to function! What? Can you elaborate on this? I don't understand how something like that could arise without people realising it's a bad idea.
|
# ? Nov 3, 2014 13:44 |
|
Hammerite posted:What? Can you elaborate on this? I don't understand how something like that could arise without people realising it's a bad idea. It's really what it sounds like - there are pages that have controls which manipulate SQL strings, which are then maintained through post backs in hidden form parameters to tell the server the query it should run to grab the data to be displayed on the page. Yes, this is very obviously a bad idea, and I'm as confused as you when it comes to trying to understand how this made it into the code at all, let alone in multiple places. We're fixing them as we find them, but it's not a small project.
|
# ? Nov 3, 2014 14:20 |
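YanniRotten's two posts describe a generic 'update table' endpoint built by string concatenation and pages that carry their SQL in hidden post-back fields. As an added example (not code from the thread or from that application, and written in Python with sqlite3 rather than the Classic ASP/ADODB stack being discussed), here is the hardened shape of both: identifiers checked against an allowlist, values bound as parameters, and queries referenced by a server-side name instead of shipped to the client. The table, column and query names are constructed for the demo.

```python
import sqlite3

# Allowlist of what the generic "update table" endpoint may touch. Constructed
# for this example; a real application would derive it from its own schema.
SCHEMA = {
    "customers": {"set": {"email", "phone"}, "filter": {"id", "email"}},
    "orders": {"set": {"status"}, "filter": {"id"}},
}

# Queries a page may ask for by name, instead of carrying raw SQL in hidden form
# fields across post backs. The client sends only the key and the bound values.
NAMED_QUERIES = {
    "customer_options": "SELECT id, email FROM customers ORDER BY id",
    "customer_by_id": "SELECT id, email FROM customers WHERE id = ?",
}


def build_update_vulnerable(table, column, value, where):
    """The shape the post describes: table, column, value and WHERE clause are all
    concatenated, so whoever calls the endpoint controls the whole statement.
    Kept for contrast only and never executed here."""
    return f"UPDATE {table} SET {column} = '{value}' WHERE {where}"


def safe_update(conn, table, column, value, where):
    """Hardened replacement: identifiers must be allowlisted, the value is a bound
    parameter, and WHERE is a dict of column -> value joined with AND rather than
    free SQL text. Returns the number of rows changed."""
    spec = SCHEMA.get(table)
    if spec is None or column not in spec["set"]:
        raise ValueError(f"{table}.{column} is not updatable")
    bad = [c for c in where if c not in spec["filter"]]
    if bad or not where:
        raise ValueError(f"bad filter columns for {table}: {bad or 'none given'}")
    clauses = " AND ".join(f"{c} = ?" for c in where)
    cur = conn.execute(f"UPDATE {table} SET {column} = ? WHERE {clauses}",
                       [value, *where.values()])
    conn.commit()
    return cur.rowcount


def run_named_query(conn, name, params=()):
    """Statements live server-side; an unknown name is rejected, and params can
    only fill placeholders, never change the statement."""
    if name not in NAMED_QUERIES:
        raise ValueError(f"unknown query {name!r}")
    return conn.execute(NAMED_QUERIES[name], tuple(params)).fetchall()


def demo_db():
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "a@example.com", "111"), (2, "b@example.com", "222")])
    conn.commit()
    return conn
```

A free-form WHERE clause cannot be parameterized, which is why the hardened version accepts only column/value pairs; anything the old endpoint allowed beyond that has to become a named query.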
|
hackbunny posted:I could fill an entire coding horrors thread with stuff like this Please do
|
# ? Nov 3, 2014 18:33 |
|
hackbunny posted:I could fill an entire coding horrors thread with stuff like this Would bookmark that thread so hard.
|
# ? Nov 3, 2014 19:43 |
|
Volmarias posted:Please do Doesn't it already exist? (in the 'pos)
|
# ? Nov 3, 2014 20:13 |
|
hackbunny posted:or have unclear ownership (like menus) People pay money for this? e: I've heard you should never rewrite software from scratch, but how about just scrapping it outright? Hey guys, we obviously can't write kernel code, so how about we toss this piece of poo poo out the window and run our cool stuff on a kernel that works instead? Karate Bastard fucked around with this message at 20:46 on Nov 3, 2014 |
# ? Nov 3, 2014 20:37 |
|
Westie posted:Doesn't it already exist? (in the 'pos) Unfortunately, people other than hackbunny post in that thread.
|
# ? Nov 3, 2014 20:40 |
|
Karate Bastard posted:People pay money for this? Windows kernel proper is pretty solid. Unfortunately the windowing/graphics subsystem is poo poo and filled with legacy code from Windows 3.x, it really shouldn't run in kernel mode. At least in Win8 (I think) large parts of video drivers actually run in user mode. Also I've heard that they've split win32k.sys in two in Win10? Not sure, didn't play with 10 yet.
|
# ? Nov 3, 2014 20:54 |
|
this just in. my coworker most definitely does not understand endianness, especially when it comes to sha256 and also bignums. looking at this code, it feels like he just swapped bytes and words around at loving random until something worked. literally:

CPU: take a string of bytes, reverse the endianness of each word, send it to the microcontroller
microcontroller: reverse endianness again, hash it, reverse endianness, store the result, retrieve it, reverse endianness, append it to some other byte strings which have just been twice endianness-reversed, hash it, reverse endianness, reverse word order, do an RSA signature on it, reverse word order, send it back to the CPU
CPU: reverse endianness of each word.

literally the only one of these reversals that is necessary is where the whole thing is reversed before/after it is treated as a bignum by the RSA algorithm.
|
# ? Nov 3, 2014 21:28 |
|
Not really coding horror, but sometimes funny, the underhanded c contest has started again: http://underhanded.xcott.com/ Basically the idea is you're given the outline of an assignment and then have to program something that fulfils the initial criteria while also sneaking in some kind of underhanded functionality that isn't immediately obvious, either via obfuscation, the general obtuseness of C, or whatever. I haven't seriously touched C in over 10 years so a lot of it flies right over my head. Anyone willing to take samples from previous years and explain why it's underhanded is certainly welcome to.
|
# ? Nov 3, 2014 23:16 |
|
GrumpyDoctor posted:Unfortunately, people other than hackbunny post in that thread. Not if you filter it http://forums.somethingawful.com/showthread.php?threadid=3481275&userid=120693&perpage=40&pagenumber=1
|
# ? Nov 4, 2014 00:18 |
|
Scaramouche posted:Not really coding horror, but sometimes funny, the underhanded c contest has started again: Brb, just submitting the OpenSSL source code.
|
# ? Nov 4, 2014 00:34 |
|
Found this at the top of one of our core ETL scripts recently. Perl code:
|
# ? Nov 4, 2014 03:27 |
|
chmods please posted:Found this at the top of one of our core ETL scripts recently. At a previous job we had the system responsible for cleaning up when people were terminated stop working for a while (silently, of course). The problem, naturally, was that the person in whose home directory the script lived left the company. Fake edit: not completely silently, but there was another script that frequently lost a race for a file, so someone had done the obviously correct thing: filter out all the "No such file or directory" messages from the alert processing.
|
# ? Nov 4, 2014 03:36 |
|
pokeyman posted:Would bookmark that thread so hard.
|
# ? Nov 4, 2014 04:54 |
|
hackbunny posted:I could fill an entire coding horrors thread with stuff like this How do you know this stuff anyway? You're either an MS developer or a ReactOS developer. Which is it?
|
# ? Nov 5, 2014 01:07 |
|
Westie posted:How do you know this stuff anyway? You're either an MS developer or a ReactOS developer. Which is it? If you read through hackbunny's posts in the PL thread in YOSPOS (which I highly recommend you do), he mentions quite often that he worked on ReactOS.
|
# ? Nov 5, 2014 02:30 |
I won't post any links in case it's considered but I highly recommend browsing through the leaked win2k sources. They're old but clearly show the difference in quality between the kernel and the windowing/graphics subsystem. Granted, it's almost all in the name of compatibility with this or that. Hard to find a function without "HACK HACK HACK" or "THIS IS SO LOTUS123 CAN loving RUN". Edit: actual semi-serious question to hackbunny or anyone else maybe more knowledgeable than me: how hard would it be to make gui processes on non-active desktops still process messages and user/gdi apis actually work on them? Since pretty much all of win32k state is global, most user/gdi apis just return ACCESS_DENIED when targeted to non-active desktops, and threads on those inactive desktops seem to not process any (or most) window messages. Well I guess I answered myself. omeg fucked around with this message at 19:45 on Nov 5, 2014 |
# ? Nov 5, 2014 14:47 |