Notorious b.s.d. posted: No, it really isn't. It is a terrible article.

reminder that patio11/kalzeuze,mzeus the "startup guru" works in a starbucks making an excel macro

Jerry SanDisky posted: the only sensible whitelist is []

they just need to break the yaml poo poo because yaml is bad

Jan 31, 2013 18:21

Cocoa Crispies posted: they just need to break the yaml poo poo because yaml is bad

yaml is bad but yaml didn't cause the exploit. the problem was that they were unpacking yaml into arbitrary objects whose type was controlled by the attacker. their yaml deserializer was not designed for security. running untrusted code is a Hard Problem. imagine just having a perl FreezeThaw library taking arbitrary user input. that would be an obviously stupid, stupid thing to do. that's what the rails guys did. they literally set up every single rails-using website to accept untrusted code and execute it. this was not a buffer overflow or subtle xss. this was just straight-up stupid.

Jan 31, 2013 18:29

incidentally, spring and struts have both had similar vulns

Jan 31, 2013 18:39

Hard NOP Life posted: I already do, so doing this backwards is going to be hell I'm sure

surround all your javascript code with this:

JavaScript code:

that should help you in catching scoping related bugs (which are the most wtf-y bugs imo) as early as possible.

Jan 31, 2013 18:41

Hard NOP Life posted: I already do, so doing this backwards is going to be hell I'm sure

It's really not that bad, and will probably give you some new insights/ideas about the way you write your jQuery.

Jan 31, 2013 18:49

Otto Skorzeny posted: incidentally, spring and struts have both had similar vulns

How so? What kind of poo poo did they deserialize into executable code?

Jan 31, 2013 19:03

Hard NOP Life posted: How so? What kind of poo poo did they deserialize into executable code?

i'm lazy so here are some links

spring vulns (2 arbitrary code execution, 5 privilege escalation) -> http://wouter.coekaerts.be/2011/spring-vulnerabilities
struts vulns (pretty much register_globals, lol) -> http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

Jan 31, 2013 19:07

dickstream

Jan 31, 2013 19:10

Hard NOP Life posted: How so? What kind of poo poo did they deserialize into executable code?

they deserialized things and fed them into live objects
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156

and part of how rails routing works means that you can eval code as part of their initialization
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb#L66

Jan 31, 2013 19:16

tef your talk was fun and interesting, i especially liked the bits about education because i have a kid on the way and that has been flavouring thought patterns a lot lately

the question about specialisation near the end got me thinking that if little kids had some general-purpose programming classes, similar to how they have writing classes, then you could specialise them as adults while building on that knowledge. you wouldn't have to teach them the basicest of basic programming concepts while also teaching them opengl in depth, or bioinformatics voodoo

plus even if they don't become capital-p programmers then as businessfolk they can at least make better excel spreadsheets and interact with software teams more closely (and handwave away complexity with more confidence). you would also get more diversity, participation, etc in programming because it wouldn't just be the white sons of white programmers who get into it

Jan 31, 2013 20:03

if someone comes to you with an X-Y question and you routinely push them for X before answering isn't that sort of smashing their creative spirit

Jan 31, 2013 20:07

Gazpacho posted: if someone comes to you with an X-Y question and you routinely push them for X before answering isn't that sort of smashing their creative spirit

They should be oppressed

Jan 31, 2013 20:14

just send them to high school that'll take care of it

Jan 31, 2013 20:17

Otto Skorzeny posted: i'm lazy so here are some links

the spring vulnerabilities pertain to RMI, where the author is knowingly deserializing and executing code. this is a Hard Problem, and everybody's gonna make mistakes. (notably one does not typically permit RMI from untrusted users on the open internet)

struts i will give you, that one is just as dumb as the rails bug

Jan 31, 2013 20:33

ninjeff posted: the question about specialisation near the end got me thinking that if little kids had some general-purpose programming classes, similar to how they have writing classes, then you could specialise them as adults while building on that knowledge.

i've been trying to put together a metalshop-style programming class afterschool program for 5-8th graders at my kids school.

Jan 31, 2013 20:33

polpotpi posted: just send them to high school that'll take care of it

Jan 31, 2013 20:37

rotor posted: i've been trying to put together a metalshop-style programming class afterschool program for 5-8th graders at my kids school.

that owns, please update us on how it goes

i'm working on a PL (and compiler, not just blowing smoke) that will hopefully be good for education. starting to get queasy about if i'm just projecting my nostalgia though. then again i figure something is better than nothing, right?

Jan 31, 2013 20:40

just fork turing and market it outside canada

Jan 31, 2013 20:47

rotor posted: i've been trying to put together a metalshop-style programming class afterschool program for 5-8th graders at my kids school.

get em some arduinos

Jan 31, 2013 20:47

Werthog 95 posted: get em some arduinos

I'm on the fence about this. On one hand, making things that do things in the physical world is super cool and motivating, on the other hand it means programming AND electronics instead of one or the other.

Jan 31, 2013 21:04

get some prebuilt shields and poo poo so they don't have to worry about the electronics side? though i guess that's pretty limiting then

Jan 31, 2013 21:13

Notorious b.s.d. posted: the recent bugs were caused by throwing untrusted, unverified, unchecked data submitted by the user at a third party library that made no security promises or guarantees

quote: who knew that sometimes third party deserializer libraries didn't have "accept untrusted data from internet" as a top design goal? oh right everyone, ever, since like 1991

Jan 31, 2013 21:17

Notorious b.s.d. posted: struts i will give you, that one is just as dumb as the rails bug

it was even dumber, because with java being a compiled language to be able to run interpreted code you have to interpret it yourself

Jan 31, 2013 21:23

Otto Skorzeny posted: i'm lazy so here are some links

thanks for the links, the struts one is just

Jan 31, 2013 21:32

Werthog 95 posted: get some prebuilt shields and poo poo so they don't have to worry about the electronics side? though i guess that's pretty limiting then

yeah, that's kind of the issue. at some point it just becomes "let's assemble these toys." I'm still thinkin. Spitting out PWM based on a pot to control the position of a servo can get you a long way, and neither the programming nor the electronics are too hard. I'm just worried that it's watering down both topics.

Jan 31, 2013 22:14

so why is yaml so bad? just seems like a different take on xml?? idk i don't use this stuff

Jan 31, 2013 22:17

my stepdads beer posted: so why is yaml so bad?

it's not, no one actually cares about this garbage

Jan 31, 2013 22:23

Hard NOP Life posted: thanks for the links, the struts one is just

struts was poo poo anyways cause it's jsp

Jan 31, 2013 22:25

Shaggar posted: struts was poo poo anyways cause its jsp

What's so bad about JSP? (Serious question.)

Jan 31, 2013 22:36

prefect posted: What's so bad about JSP? (Serious question.)

contains the letter p (therefore it's a p-lang)

Jan 31, 2013 22:53

prefect posted: What's so bad about JSP? (Serious question.)

<%= LETS MIX UP OUR CODE AND MARKUP THAT'S FUN %>

Jan 31, 2013 23:16

prefect posted: What's so bad about JSP? (Serious question.)

it's essentially php in java form. like it's fine if you're gonna make some basic stuff or whatever, but it quickly becomes an unmaintainable mess for large projects. struts is probably somewhat better cause of mvc but I still hate jsp. right now i'm using razor and it's probably the best of the lot, but it's still a stupid web template language.

Jan 31, 2013 23:16

Zaxxon posted: <%= LETS MIX UP OUR CODE AND MARKUP THAT'S FUN %>

Jan 31, 2013 23:16

are we still doing this

this was under 10cm of snow when i got home, that was pretty rad

e: the binding is coming apart and a bunch of pages are ruined, thanks usps

Posting Principle fucked around with this message at 23:38 on Jan 31, 2013

Jan 31, 2013 23:28

Sang- posted: contains the letter p (therefore its a p-lang)

NICE!

Jan 31, 2013 23:29

currently learning sml for this pl coursera thing

this much recursion is making my brain hurt

Jan 31, 2013 23:31

Symbolic Butt posted: currently learning fml for this pl coursera thing

Jan 31, 2013 23:33

my stepdads beer posted: so why is yaml so bad? just seems like a different take on xml?? idk i don't use this stuff

yaml is more a different take on json than on xml, and the problem in this case is that yaml supports user-defined types (unlike json), and the rails yaml serializer & parser is built to automatically support arbitrary ruby objects.

and then there's the delightful wrinkle that the rails xml parser supports embedded yaml for some reason, and the rails json parser just hands the json text off to the yaml parser because yaml is a superset of json

Jan 31, 2013 23:36

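The two yaml posts above (the parser instantiating whatever type the input names, and "the only sensible whitelist is []") as an added Ruby example that is not from the thread or from Rails: a trusting Psych load versus a safe_load with an explicit allow-list, run over a constructed document. `AppSetting`, the sample documents and the helper names are assumptions made for the example.

```ruby
# Added example (not from the thread): Psych/YAML type resolution vs. an allow-list.
require 'yaml'

# A harmless application class. The point is that plain YAML text can name it.
class AppSetting
  attr_reader :name, :value
  def initialize(name = nil, value = nil)
    @name, @value = name, value
  end
end

# Constructed sample: a JSON-looking document a client might POST (yaml is a superset of json).
PLAIN_DOC = '{"name": "theme", "value": "dark"}'

# Constructed sample: same shape, but the YAML tag tells the parser which Ruby
# class to allocate and fill. The type is chosen by whoever wrote the input.
TAGGED_DOC = "--- !ruby/object:AppSetting\nname: theme\nvalue: dark\n"

# Trusting loader: resolves whatever tag the document carries (the pre-fix Rails
# behaviour). Psych.unsafe_load exists on Ruby 3.1+; older Psych's YAML.load does the same.
def load_trusting(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Defensive loader: only scalars, arrays and hashes plus an explicit allow-list of classes.
# Any other tag raises Psych::DisallowedClass instead of allocating an object.
def load_untrusted(text, permitted: [])
  YAML.safe_load(text, permitted_classes: permitted, aliases: false)
end

# Returns a short verdict so the difference is visible without a debugger.
def classify(text)
  load_untrusted(text).class.name
rescue Psych::DisallowedClass => e
  "rejected: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts load_trusting(TAGGED_DOC).inspect   # an AppSetting instance, type picked by the input
  puts classify(PLAIN_DOC)                 # Hash
  puts classify(TAGGED_DOC)                # rejected: Tried to load unspecified class: AppSetting
end
```

Passing `permitted: [AppSetting]` to `load_untrusted` is the allow-list form; leaving it empty is the "[]" the thread recommends for input from the network.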