Cerberus911 posted: Finally something to contribute.

I can one-up that. An ASP.NET MVC3 web site I'm working on is littered with this code:

Jun 26, 2013 08:21

JawnV6 posted: Slammer had to do the same thing. Didn't fix it up after, but it's pretty common to craft a payload to avoid a null byte.

Even better is crafting UTF-8 shellcode: http://www.phrack.org/issues.html?issue=62&id=9 Haven't seen anyone crafting shellcode that has the same statistical characteristics as human language, which would be pretty nifty.

Jun 26, 2013 12:28

Cerberus911 posted: Finally something to contribute.

This is just a toggle. Sure, container.visible = !container.visible probably would've been cleaner, but maybe he's just used to ternary operators and thought it was more explicit this way.

Jun 26, 2013 14:07

Bunny Cuddlin posted: This is just a toggle. Sure, container.visible = !container.visible probably would've been cleaner, but maybe he's just used to ternary operators and thought it was more explicit this way.

What's more explicit than "thing = !thing"? Using a conditional operator just makes it take an extra 5 seconds to parse.

Jun 26, 2013 15:00

Ithaqua posted: What's more explicit than "thing = !thing"? Using a conditional operator just makes it take an extra 5 seconds to parse.

Yeah, I'm with you, but I guess some people are not. I've seen stuff like this a few times, specifically conditionals that are equivalent to a single && operation or || operation. One time, after updating such code to just use &&, someone saw the commit (I think the person who originally wrote the code, though I never checked) and told me that the conditional was used in order to be more explicit, and so he changed it back. I don't at all see how it makes things more clear, and I agree that it makes things less clear, since you're swapping out a very fundamental binary operation for a ternary operation with a constant argument. Maybe at the moment you're writing it, your train of thought brought you to the more convoluted ?: operation (I think we've all done something along those lines at some point), but that doesn't mean that further reducing the code is a bad idea.

Jun 26, 2013 15:19

That Turkey Story posted: Yeah, I'm with you, but I guess some people are not. I've seen stuff like this a few times, specifically conditionals that are equivalent to a single && operation or || operation. One time, after updating such code to just use &&, someone saw the commit (I think the person who originally wrote the code, though I never checked) and told me that the conditional was used in order to be more explicit, and so he changed it back. I don't at all see how it makes things more clear, and I agree that it makes things less clear, since you're swapping out a very fundamental binary operation for a ternary operation with a constant argument. Maybe at the moment you're writing it, your train of thought brought you to the more convoluted ?: operation (I think we've all done something along those lines at some point), but that doesn't mean that further reducing the code is a bad idea.

Yeah, I'm not saying I think it's a great way to express that, I'm just saying I understand where it comes from. I wouldn't call it a horror though.

Jun 26, 2013 15:56

That Turkey Story posted: Yeah, I'm with you, but I guess some people are not. I've seen stuff like this a few times, specifically conditionals that are equivalent to a single && operation or || operation. One time, after updating such code to just use &&, someone saw the commit (I think the person who originally wrote the code, though I never checked) and told me that the conditional was used in order to be more explicit, and so he changed it back. I don't at all see how it makes things more clear, and I agree that it makes things less clear, since you're swapping out a very fundamental binary operation for a ternary operation with a constant argument. Maybe at the moment you're writing it, your train of thought brought you to the more convoluted ?: operation (I think we've all done something along those lines at some point), but that doesn't mean that further reducing the code is a bad idea.

I worked on a project years ago where one of the guys on the project couldn't remember the difference between the ~ and ! operators in C. Instead, he opted to not use either of them "for clarity."

code:

He also read that compiler optimizations can cause runtime errors and decided that they should be disabled, which is great when you are working on an embedded micro. It was not a fun time.

Jun 26, 2013 16:14

Cerberus911 posted: Finally something to contribute.

As my fave author says: "The way you determine Good code from Bad code is WTFs per minute."

Jun 26, 2013 16:39

^^^^ Yeah, I've seen that before, love it. Who was that, Atwood?

JawnV6 posted: Slammer had to do the same thing. Didn't fix it up after, but it's pretty common to craft a payload to avoid a null byte.

Oh, I know, I know. I just really love the idea of Insomniac writing a professional payload for their own software. I guess maybe this happens more than I thought?

Jun 26, 2013 18:40

Zaphod42 posted: ^^^^ Yeah, I've seen that before, love it. Who was that, Atwood?

I just love that the thought process was probably like "poo poo we need to patch this and we have no patch code --- wait, some loving idiot used strcpy to fill the EULA string that we pull from online... It's a static buffer too!! poo poo maybe we can use it to use a buffer overflow attack on our own code!!! *hacking away* OH poo poo IT WORKED!!! Now let's blog about how loving stupid we were on multiple levels because it's a loving hilarious story!"

e: seriously, literally every part of that story is loving gold.

Look Around You fucked around with this message at 08:29 on Jun 27, 2013

Jun 27, 2013 08:27

To be fair, that was a game on PS2, where the network consisted of a separate adapter that like 1% of customers bought, with basically no OS support.

Jun 27, 2013 09:01

it is posted:

Haha, I remember this company. They're a division of a very large hardware company where I was nominally a QA intern. They had the entire team of 7 people and me, as well as using a software engineer with another team for the UI design, spending the entire time I was there writing the world's simplest CRUD app. It's just a scheduler; it scans the network for hardware and lets you reserve it for a certain amount of time or indefinitely. That's really about it. The company poured probably hundreds of thousands of dollars into developing it instead of using some much much much cheaper solution for some reason.

Highlights:

The fact that they had a bunch of QA folks writing software instead of doing actual QA, for one.

The QA department had practically no automated testing around their own code. I, the intern, was responsible for writing all the unit tests. I don't think they had any integration testing at all. You'd think the QA department would know better.

The entire webapp was on a single page (which is cool I guess, some webapps really are just one page), and all the JavaScript was one file. A 1000-line, uncommented file. I had to modify this file without actually knowing any JavaScript; I suspect the author didn't know any either.

I was reporting bugs no one could reproduce. Turns out the code was fine (in a sense); the problem was the computer they gave me to work with was so slow that I was reporting bugs that depended on being able to click on things before the AJAX had finished.

I wish I worked the other internship I had an offer from, where the guy I was dating (who was, 100% coincidentally, friends with the person who interviewed me, which no one knew until after I had the offer letter in hand) told me my interviewer thought I was cute and was Facebook stalking me afterwards.

Jun 27, 2013 14:32

it is posted: You'd think the QA department would know better.

It is the weirdest loving thing. When I'm writing code as "test", I'm all over exhaustive testing, finding every possible way to break something, thorough automation, getting mad about unit tests, etc. The minute I put on my "dev" hat? Hell, it works on my machine, ship it.

Jun 27, 2013 19:35

it is posted: Highlights:

QA is a cost-center.

Jun 27, 2013 19:55

Dessert Rose posted: It is the weirdest loving thing. When I'm writing code as "test", I'm all over exhaustive testing, finding every possible way to break something, thorough automation, getting mad about unit tests, etc.

Unit tests should be the developers' responsibility as well as QA. Perhaps even more than QA. I treat unit tests as production code. If they're failing, it's an issue that needs to be fixed before anything is checked in. And fixing the issue isn't just "comment that poo poo out", either.

Jun 27, 2013 21:51

Ithaqua posted: Unit tests should be the developers' responsibility as well as QA. Perhaps even more than QA. I treat unit tests as production code. If they're failing, it's an issue that needs to be fixed before anything is checked in. And fixing the issue isn't just "comment that poo poo out", either.

Yeah, that's what I meant by getting mad about them - it's an uphill battle to get devs to write them a lot of the time.

Jun 27, 2013 22:05

Java code, everything is a boolean

code:

code:

Jun 28, 2013 02:25

The code around that must be fascinating if it made more sense to negate an xor than to check equality.

Jun 28, 2013 03:09

Funnily enough, in the original version the parentheses weren't necessary - !isBar ^ isJustFucked is equivalent.

Jun 28, 2013 10:56

So we do website archiving: we crawl a website and take a copy of everything we find. We just found a totally unsecured webadmin.php page with delete functionality. Fortunately for us the crawler is not quite clever enough to submit the forms to delete pages without human intervention*, but drat, that could have gone very very wrong.

* It can submit forms in general, but taking a particular sequence of actions like "select delete from the drop down, mark the checkbox then submit" requires deliberate scripting.

Jun 28, 2013 12:54

A web spider that submits POST requests is the real horror.

Jun 28, 2013 14:20

It's pretty common for more sophisticated crawlers.

Jun 28, 2013 14:22

Jabor posted: A web spider that submits POST requests is the real horror.

No, it's websites that you browse with POST that are the horror.

Jun 28, 2013 14:25

KaneTW posted: It's pretty common for more sophisticated crawlers.

Then it's a pretty common horror?

Jun 28, 2013 15:19

The web is the real horror.

Jun 28, 2013 15:20

Jabor posted: Funnily enough, in the original version the parentheses weren't necessary - !isBar ^ isJustFucked is equivalent.

I don't care how much of a horror it is, if there's more than one Boolean operator in an expression the parentheses are going in.

Jun 28, 2013 16:55

fritz posted: I don't care how much of a horror it is, if there's more than one Boolean operator in an expression the parentheses are going in.

100% THIS. I can remember & binds more tightly than |, but once you introduce xor and everything like that I have no clue.

Jun 28, 2013 18:50

Ranma posted: Java code, everything is a boolean

Write a test that loads up a jpeg of the truth table that you drew for him.

Jun 28, 2013 20:31

Strong Sauce posted: Write a test that loads up a jpeg of the truth table that you drew for him.

Seriously, a unit test for this would have taken all of 2 minutes to write and given you pretty indisputable evidence. That's generally the approach I take when telling someone their practice is needlessly complicated.

Jun 28, 2013 21:05

Zombywuf posted: The web is the real horror.

Truer words were never spoken.

Jun 28, 2013 22:00

Dietrich posted: Seriously, a unit test for this would have taken all of 2 minutes to write and give you pretty indisputable evidence.

Tests can't prove the absence of bugs.

Jun 28, 2013 22:02

fritz posted: I don't care how much of a horror it is, if there's more than one Boolean operator in an expression the parentheses are going in.

Removing the parentheses actually changes the operation; it's just that (!isBar) ^ isJustFucked == isBar ^ (!isJustFucked) == !(isBar ^ isJustFucked).

Jun 28, 2013 22:54

So this MySQL bug has been open for seven years as of today and someone... well... https://www.youtube.com/watch?v=oAiVsbXVP6k

I'm pretty sure that's Max Headroom.

Jun 29, 2013 03:30

GrumpyDoctor posted: Tests can't prove the absence of bugs.

I work with people who take this line of thinking to the extreme and say tests are a waste of time. According to some, the only way to test an app is manually. No mention of why we have had to issue a fix for 1500+ bugs in the first year this app has been in production.

Jun 29, 2013 16:40

Ranma posted: Java code, everything is a boolean

Just look at it as elements of GF(2); obviously 1+(a+b) = ab+(1+a)(1+b).

Jun 29, 2013 17:31

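The truth-table unit test that Strong Sauce and Dietrich suggest for Ranma's snippet, covering the forms the thread compares: the negated xor, the plain equality check, Jabor's parenthesis-free rewrite, and the GF(2) identity above. This is an added example, not code from the thread; the original was Java, the names isBar and isJustFucked are the thread's, and the function names and the deliberately wrong rewrite are mine. It is in Python so it runs as-is, and the comments note where Python's operator precedence differs from Java's.

```python
from itertools import product

# Added example, not from the thread. The thread's snippet was Java; the
# names isBar and isJustFucked are taken from it, the function names are mine.


def negated_xor(isBar, isJustFucked):
    """The form from the thread: negate an xor instead of testing equality."""
    return not (isBar ^ isJustFucked)


def equality(isBar, isJustFucked):
    """What the thread says should have been written instead."""
    return isBar == isJustFucked


def sum_of_products(isBar, isJustFucked):
    """The GF(2) identity 1+(a+b) = ab+(1+a)(1+b), spelled out with and/or."""
    return (isBar and isJustFucked) or (not isBar and not isJustFucked)


def negate_one_operand(isBar, isJustFucked):
    """Jabor's parenthesis-free form. In Java, ! binds tighter than ^, so
    `!isBar ^ isJustFucked` means (!isBar) ^ isJustFucked. Python's `not`
    binds looser than ^, so the parentheses are required here."""
    return (not isBar) ^ isJustFucked


def negate_both_operands(isBar, isJustFucked):
    """A tempting but wrong rewrite: (!a) ^ (!b) is just a ^ b, the opposite."""
    return (not isBar) ^ (not isJustFucked)


def truth_table(*funcs):
    """Rows of (isBar, isJustFucked, f1(...), f2(...), ...) over all four inputs."""
    return [(a, b) + tuple(f(a, b) for f in funcs)
            for a, b in product((False, True), repeat=2)]


def all_equivalent(*funcs):
    """True iff every function agrees with the others on every row."""
    return all(len(set(row[2:])) == 1 for row in truth_table(*funcs))


if __name__ == "__main__":
    for row in truth_table(negated_xor, equality, sum_of_products,
                           negate_one_operand, negate_both_operands):
        print(row)
    print(all_equivalent(negated_xor, equality, sum_of_products, negate_one_operand))  # True
    print(all_equivalent(negated_xor, negate_both_operands))  # False
```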
Python code:

Jun 29, 2013 20:06

I guess they really can't stand enumerate(). Or readability.

Jun 29, 2013 20:15

One of Python's strengths is readability. So if you gently caress that up, you are doing something wrong.

Jun 29, 2013 20:23

Tesseraction posted: I guess they really can't stand enumerate().

Or data[desired_key]

Jun 29, 2013 20:24

I think they want to get the specific index of the key, which is pretty terrible, as dict doesn't maintain order when built, so good job to that guy for not checking data structure implementations.

Jun 29, 2013 20:27