Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Notorious b.s.d. posted:

No, it really isn't. It is a terrible article.

reminder that patio11/kalzeuze,mzeus the "startup guru" works in a starbucks making an excel macro

Jerry SanDisky posted:

the only sensible whitelist is []

they just need to break the yaml poo poo because yaml is bad

Notorious b.s.d.
Jan 25, 2003

by Reene

Cocoa Crispies posted:

they just need to break the yaml poo poo because yaml is bad

yaml is bad but yaml didn't cause the exploit

the problem was that they were unpacking yaml into arbitrary objects whose type was controlled by the attacker.

their yaml deserializer was not designed for security. running untrusted code is a Hard Problem. imagine just having a perl FreezeThaw library taking arbitrary user input. that would be an obviously stupid, stupid thing to do. that's what the rails guys did.

they literally set up every single rails-using website to accept untrusted code and execute it. this was not a buffer overflow or subtle xss. this was just straight-up stupid.

Blotto Skorzany
Nov 7, 2008

He's a PSoC, loose and runnin'
came the whisper from each lip
And he's here to do some business with
the bad ADC on his chip
bad ADC on his chiiiiip
incidentally, spring and struts have both had similar vulns

Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

Hard NOP Life posted:

I already do, so doing this backwards is going to be hell I'm sure

surround all your javascript code with this:

JavaScript code:
(function () {
"use strict";

//put your code here

}());

then run it through jshint (or jslint if you hate yourself).

that should help you in catching scoping related bugs (which are the most wtf-y bugs imo) as early as possible.

Ericadia
Oct 31, 2007

Not A Unicorn

Hard NOP Life posted:

I already do, so doing this backwards is going to be hell I'm sure

It's really not that bad, and will probably give you some new insights/ideas about the way you write your jQuery.

Janitor Prime
Jan 22, 2004

PC LOAD LETTER

What da fuck does that mean

Fun Shoe

Otto Skorzeny posted:

incidentally, spring and struts have both had similar vulns

How so? What kind of poo poo did they deserialize into executable code?

Dr. Honked
Jan 9, 2011

eat it you slaaaaaaag

Blotto Skorzany
Nov 7, 2008

He's a PSoC, loose and runnin'
came the whisper from each lip
And he's here to do some business with
the bad ADC on his chip
bad ADC on his chiiiiip

Hard NOP Life posted:

How so? What kind of poo poo did they deserialize into executable code?

i'm lazy so here are some links

spring vulns (2 arbitrary code execution, 5 privilege escalation) -> http://wouter.coekaerts.be/2011/spring-vulnerabilities

struts vulns (pretty much register_globals, lol) -> http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

Blotto Skorzany
Nov 7, 2008

He's a PSoC, loose and runnin'
came the whisper from each lip
And he's here to do some business with
the bad ADC on his chip
bad ADC on his chiiiiip

Workaday Wizard
Oct 23, 2009

by Pragmatica

dickstream

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Hard NOP Life posted:

How so? What kind of poo poo did they deserialize into executable code?

they deserialized things and fed them into live objects

https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156

and part of how rails routing works means that you can eval code as part of their initialization

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb#L66

ninjeff
Jan 19, 2004

tef your talk was fun and interesting, i especially liked the bits about education because i have a kid on the way and that has been flavouring thought patterns a lot lately

the question about specialisation near the end got me thinking that if little kids had some general-purpose programming classes, similar to how they have writing classes, then you could specialise them as adults while building on that knowledge. you wouldn't have to teach them the basicest of basic programming concepts while also teaching them opengl in depth, or bioinformatics voodoo

plus even if they don't become capital-p programmers then as businessfolk they can at least make better excel spreadsheets and interact with software teams more closely (and handwave away complexity with more confidence). you would also get more diversity, participation, etc in programming because it wouldn't just be the white sons of white programmers who get into it

Gazpacho
Jun 18, 2004

by Fluffdaddy
Slippery Tilde
if someone comes to you with an X-Y question and you routinely push them for X before answering isn't that sort of smashing their creative spirit

Janitor Prime
Jan 22, 2004

PC LOAD LETTER

What da fuck does that mean

Fun Shoe

Gazpacho posted:

if someone comes to you with an X-Y question and you routinely push them for X before answering isn't that sort of smashing their creative spirit

They should be oppressed

Squinty Applebottom
Jan 1, 2013

just send them to high school that'll take care of it

Notorious b.s.d.
Jan 25, 2003

by Reene

Otto Skorzeny posted:

i'm lazy so here are some links

spring vulns (2 arbitrary code execution, 5 privilege escalation) -> http://wouter.coekaerts.be/2011/spring-vulnerabilities

struts vulns (pretty much register_globals, lol) -> http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

the spring vulnerabilities pertain to RMI, where the author is knowingly deserializing and executing code. this is a Hard Problem, and everybody's gonna make mistakes. (notably one does not typically permit RMI from untrusted users on the open internet)

struts i will give you, that one is just as dumb as the rails bug

rotor
Jun 11, 2001

classic case of pineapple derangement syndrome

ninjeff posted:

the question about specialisation near the end got me thinking that if little kids had some general-purpose programming classes, similar to how they have writing classes, then you could specialise them as adults while building on that knowledge.

i've been trying to put together a metalshop-style programming class afterschool program for 5-8th graders at my kids school.

Gazpacho
Jun 18, 2004

by Fluffdaddy
Slippery Tilde

polpotpi posted:

just send them to high school that'll take care of it

my high school programming teacher kept a kit of 7400 chips in a storage room and let me make stuff with them :allears:

ninjeff
Jan 19, 2004

rotor posted:

i've been trying to put together a metalshop-style programming class afterschool program for 5-8th graders at my kids school.

that owns, please update us on how it goes

i'm working on a PL (and compiler, not just blowing smoke) that will hopefully be good for education. starting to get queasy about if i'm just projecting my nostalgia though. then again i figure something is better than nothing, right?

Posting Principle
Dec 10, 2011

by Ralp
just fork turing and market it outside canada

GameCube
Nov 21, 2006

rotor posted:

i've been trying to put together a metalshop-style programming class afterschool program for 5-8th graders at my kids school.

get em some arduinos

rotor
Jun 11, 2001

classic case of pineapple derangement syndrome

Werthog 95 posted:

get em some arduinos

I'm on the fence about this. On one hand, making things that do things in the physical world is super cool and motivating, on the other hand it means programming AND electronics instead of one or the other.

GameCube
Nov 21, 2006

get some prebuilt shields and poo poo so they don't have to worry about the electronics side? though i guess that's pretty limiting then

Zombywuf
Mar 29, 2008

Notorious b.s.d. posted:

the recent bugs were caused by throwing untrusted, unverified, unchecked data submitted by the user at a third party library that made no security promises or guarantees

In the olden days people had to find buffer overflow vulnerabilities and use them to inject shellcode. Now you can rely on the framework just executing code you send it.

quote:

who knew that sometimes third party deserializer libraries didn't have "accept untrusted data from internet" as a top design goal? oh right everyone, ever, since like 1991

No one has security in mind until too late. It would be nice, however, if when I ask a string to be turned into data it didn't execute arbitrary code.

Max Facetime
Apr 18, 2009

Notorious b.s.d. posted:

struts i will give you, that one is just as dumb as the rails bug

it was even dumber, because with java being a compiled language to be able to run interpreted code you have to interpret it yourself

Janitor Prime
Jan 22, 2004

PC LOAD LETTER

What da fuck does that mean

Fun Shoe

Otto Skorzeny posted:

i'm lazy so here are some links

spring vulns (2 arbitrary code execution, 5 privilege escalation) -> http://wouter.coekaerts.be/2011/spring-vulnerabilities

struts vulns (pretty much register_globals, lol) -> http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

thanks for the links, the struts ones is just :laffo:

rotor
Jun 11, 2001

classic case of pineapple derangement syndrome

Werthog 95 posted:

get some prebuilt shields and poo poo so they don't have to worry about the electronics side? though i guess that's pretty limiting then

yeah, that's kind of the issue. at some point it just becomes "lets assemble these toys."

I'm still thinkin. Spitting out PWM based on a pot to control the position of a servo can get you a long way, and neither the programming nor the electronics are too hard. I'm just worried that it's watering down both topics.

cowboy beepboop
Feb 24, 2001

so why is yaml so bad? just seems like a different take on xml?? idk i don't use this stuff

rotor
Jun 11, 2001

classic case of pineapple derangement syndrome

my stepdads beer posted:

so why is yaml so bad?

it's not, no one actually cares about this garbage

Shaggar
Apr 26, 2006

Hard NOP Life posted:

thanks for the links, the struts ones is just :laffo:

struts was poo poo anyways cause its jsp

prefect
Sep 11, 2001

No one, Woodhouse.
No one.




Dead Man’s Band

Shaggar posted:

struts was poo poo anyways cause its jsp

What's so bad about JSP? (Serious question.)

Sang-
Nov 2, 2007

prefect posted:

What's so bad about JSP? (Serious question.)

contains the letter p (therefore its a p-lang)

Zaxxon
Feb 14, 2004

Wir Tanzen Mekanik

prefect posted:

What's so bad about JSP? (Serious question.)

<%= LETS MIX UP OUR CODE AND MARKUP THAT'S FUN %>

Shaggar
Apr 26, 2006

prefect posted:

What's so bad about JSP? (Serious question.)

its essentially php in java form. like its fine if you're gonna make some basic stuff or whatever, but it quickly becomes an unmaintainable mess for large projects. struts is probably somewhat better cause of mvc but I still hate jsp.

right now im using razor and its probably the best of the lot, but its still a stupid web template language.

Shaggar
Apr 26, 2006

Zaxxon posted:

<%= LETS MIX UP OUR CODE AND MARKUP THAT'S FUN %>

Posting Principle
Dec 10, 2011

by Ralp
are we still doing this



this was under 10cm of snow when i got home that was pretty rad

e: the binding is coming apart and a bunch of pages are ruined, thanks usps

Posting Principle fucked around with this message at 23:38 on Jan 31, 2013

Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

Sang- posted:

contains the letter p (therefore its a p-lang)

NICE!

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord
currently learning sml for this pl coursera thing

this much recursion is making my brain hurt

Janitor Prime
Jan 22, 2004

PC LOAD LETTER

What da fuck does that mean

Fun Shoe

Symbolic Butt posted:

currently learning fml for this pl coursera thing

this much recursion is making my brain hurt

pseudorandom name
May 6, 2007

my stepdads beer posted:

so why is yaml so bad? just seems like a different take on xml?? idk i don't use this stuff

yaml is more a different take on json than on xml, and the problem in this case is that yaml supports user-defined types (unlike json), and the rails yaml serializer & parser is built to automatically support arbitrary ruby objects.

and then there's the delightful wrinkle that the rails xml parser supports embedded yaml for some reason and the rails json parser just hands the json text off to the yaml parser because yaml is a superset of json
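Added example, not from any post in this thread or from Rails itself: what Notorious b.s.d. ("unpacking yaml into arbitrary objects whose type was controlled by the attacker") and pseudorandom name (yaml's user-defined types, and the json parser handing text to the yaml parser) are describing, shown at the level of Ruby's Psych loader. The `AuditRecord` class, the three documents and the helper names are all constructed for this example; it shows only the difference between the permissive loader and `safe_load`, not the Rails parameter-parsing path.

```ruby
# Added example (not from the thread or from Rails): how a YAML document picks
# the Ruby class it is deserialised into, and how safe_load refuses that.
require "yaml"
require "json"

# Constructed, harmless class standing in for "any class on the load path".
class AuditRecord
  attr_accessor :note
end

# Constructed input. The !ruby/object tag names the class the loader should
# instantiate; the document, not the application, decides the type.
TAGGED_DOC = <<~YAML
  ---
  record: !ruby/object:AuditRecord
    note: "typed by the document, not by the app"
YAML

# Constructed plain data with no tags: what an application usually means to accept.
PLAIN_DOC = "---\nrecord:\n  note: \"just a string\"\n"

# Constructed "JSON" body. A YAML tag is not legal JSON but is legal YAML, so a
# JSON endpoint that hands its body to the YAML parser honours the tag.
JSONISH_DOC = '{"record": !ruby/object:AuditRecord {"note": "via json"}}'

# Permissive load: Psych.unsafe_load where it exists (Psych >= 3.1), otherwise
# Psych.load, which on older Psych versions was the permissive entry point.
def permissive_load(text)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(text)
  else
    Psych.load(text)
  end
end

# Class of the value under "record" after a permissive load.
def permissive_record_class(text)
  permissive_load(text)["record"].class
end

# Hardened load: safe_load only builds core types (Hash, Array, String,
# Integer, Float, true/false/nil); any !ruby/... tag raises DisallowedClass.
# Returns [:ok, value] or [:rejected, message].
def hardened_load(text)
  [:ok, Psych.safe_load(text)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# A strict JSON parser rejects the tagged body outright.
def strict_json_accepts?(text)
  JSON.parse(text)
  true
rescue JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "permissive load of tagged doc -> #{permissive_record_class(TAGGED_DOC)}"
  puts "safe_load of tagged doc       -> #{hardened_load(TAGGED_DOC).inspect}"
  puts "safe_load of plain doc        -> #{hardened_load(PLAIN_DOC).inspect}"
  puts "JSON.parse of json-ish doc    -> #{strict_json_accepts?(JSONISH_DOC)}"
  puts "permissive load of json-ish   -> #{permissive_record_class(JSONISH_DOC)}"
end
```

Run it as a script to see each line. On Psych 4 (Ruby 3.1 and later) `Psych.load` is already the safe variant, which is why the example calls `unsafe_load` explicitly to reach the old behaviour; the fix for an application is the other direction, calling `safe_load` (with an explicit `permitted_classes` list if it genuinely needs custom types) on anything that arrives from a request.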
