|
Uncomfortable Gaze posted: So CSON is a thing, a coffeescript variant of JSON.

I saw this monstrosity on http://atom.io/,
|
# ? Mar 2, 2014 18:46 |
|
It's certainly less annoying to edit by hand than JSON. I wish YAML was less of a bloated mess, as otherwise it's quite nice for hand-editable config files.
|
# ? Mar 2, 2014 18:47 |
|
MrMoo posted: I saw this monstrosity on http://atom.io/,

Just noticed the atom parser is also vulnerable. https://github.com/atom/season/blob/1ca0b2730c92650d310b15c0fc660feec81105c6/src/cson.coffee#L96 code:
|
# ? Mar 2, 2014 19:21 |
|
Uncomfortable Gaze posted: Just noticed the atom parser is also vulnerable.

I saw this and it made me laugh. gj forgetting the parsing part of your 'cson parser'
|
# ? Mar 2, 2014 19:32 |
|
Did I parse the data? Yeah, basically. Look, maybe I didn't validate every single little tiny token, no. But basically I parsed it, yeah...
|
# ? Mar 2, 2014 21:26 |
|
Internet Janitor posted: Did I parse the data? Yeah, basically. Look, maybe I didn't validate every single little tiny token, no. But basically I parsed it, yeah...

It's just responsive parsing for the responsive Web.
|
# ? Mar 2, 2014 21:33 |
|
Uncomfortable Gaze posted: So CSON is a thing, a coffeescript variant of JSON.

Wait, why is this a thing? Doesn't CoffeeScript already let you write object literals in a dangerously terse way? Hence being able to implement it using eval...I give up.
|
# ? Mar 2, 2014 21:47 |
|
Novo posted: Wait, why is this a thing? Doesn't CoffeeScript already let you write object literals in a dangerously terse way? Hence being able to implement it using eval...I give up.

Why is making curly braces and commas optional dangerously terse?
|
# ? Mar 2, 2014 22:31 |
|
Whitespace sensitivity, etc.
|
# ? Mar 3, 2014 02:55 |
|
Coffeescript: I may have to use javascript, but there's no way in hell I'm going to learn it!
|
# ? Mar 3, 2014 03:02 |
|
JSON is bad for config files, XML is bad for config files, YAML is bad for config files. just use EDN.
|
# ? Mar 3, 2014 03:44 |
|
Lumpy posted: Coffeescript: I may have to use javascript, but there's no way in hell I'm going to learn it!

No it's more like, "I couldn't get enough of Javascript's many gotchas, please give me a language that keeps most of those and gives me some new ones too."
|
# ? Mar 3, 2014 03:46 |
|
Novo posted: CoffeeScript...dangerously terse

This basically sums up my CoffeeScript experience.
|
# ? Mar 3, 2014 06:24 |
|
what was wrong with ini files?
|
# ? Mar 3, 2014 13:30 |
|
ijustam posted: what was wrong with ini files?

Absolutely nothing. If all you need is a hand-editable key-value store for configuration data, ini files are drat near perfect. If you have more complex needs (like storing complex objects), then alas, you can't just use an ini file. And then everything breaks down, because there's no good solution, just a few not-that-bad ones.
|
# ? Mar 3, 2014 13:44 |
|
I thought I had seen everything. $comma_pipe was in my nightmares. No, that was only the beginning:

php:
<?
function MapValsToBasedefs($fnames, $basedefs)
{
    //$fnames = array_map('strtolower', $fnames);
    foreach($basedefs as $arname=>$basedef) {
        global $$arname;
        $$arname = SetToNull( $$arname);
        $$arname = FindAndMapFieldsToTableNames($basedef, $fnames, $$arname);
        foreach ($$arname as $fld=>$idx) {
            if ($idx !== null) {
                $offsetArr[$idx] = $fld;
            }
        }
        // $$offsetArr = array_flip($$arname); cant use array_flip when some values are null
        if (count($offsetArr)) ksort($offsetArr);
        $arname_Offset = "{$arname}_Offset";
        global $$arname_Offset;
        $$arname_Offset = $offsetArr;
    }
    return true;
}
?>
|
# ? Mar 3, 2014 15:51 |
|
I love how php's variable variables enable bad programmers' worst impulses.
|
# ? Mar 3, 2014 16:26 |
|
So, a bunch of Russian hackers broke into MtGox and stole their trading engine. Let's take a look:PHP code:
|
# ? Mar 3, 2014 16:50 |
|
IT BEGINS posted: I thought I had seen everything. $comma_pipe was in my nightmares. No, that was only the beginning:

Wait wait wait, so the variable variable being created from the array key and made global, is then immediately set to null... what is the point??
|
# ? Mar 3, 2014 17:08 |
|
ohgodwhat posted: Ah, but what about X tunneling over SSH to Windows, where you then have to copy and paste text into gedit if you wanted to transfer something to the server? Oh and then you need to transfer binary files this way because SCP and its ilk are a security risk?

As in, you can ssh into the system, and X forwarding is enabled, but sftp is disabled? On the plus side, you can still transfer stuff with tar cv <paths> | ssh user@host tar x -C <destination>
|
# ? Mar 3, 2014 17:34 |
|
ToxicFrog posted: As in, you can ssh into the system, and X forwarding is enabled, but sftp is disabled?

Or maybe just rsync or scp
|
# ? Mar 3, 2014 17:45 |
|
ToxicFrog posted: As in, you can ssh into the system, and X forwarding is enabled, but sftp is disabled?

I'm a huge fan of using tar over unencrypted nc #yolo #swag.
|
# ? Mar 3, 2014 18:41 |
|
Suspicious Dish posted:So, a bunch of Russian hackers broke into MtGox and stole their trading engine. Let's take a look: PHP code:
|
# ? Mar 3, 2014 18:44 |
|
Suspicious Dish posted: So, a bunch of Russian hackers broke into MtGox and stole their trading engine. Let's take a look:

That the actual implementation of something bitcoin-related is terrible (bonus points for being in PHP, though), I'm not that surprised, but what reason do they have to need to generate .kml files?
|
# ? Mar 3, 2014 18:46 |
|
ToxicFrog posted: As in, you can ssh into the system, and X forwarding is enabled, but sftp is disabled?

I was connecting from Windows, there was no tar, and I don't know if putty can be used like that.

Steve French posted: Or maybe just rsync or scp

Yeah, if they were available. It's not like this isn't a solved problem as long as IT isn't paranoid.
|
# ? Mar 3, 2014 18:49 |
|
EAT THE EGGS RICOLA posted:
The best part is that self::getNullAddr() can return false instead of a null wallet for whatever reason, and this guy is none the wiser.
|
# ? Mar 3, 2014 18:53 |
|
ohgodwhat posted: I was connecting from Windows, there was no tar, and I don't know if putty can be used like that.

Yeah the implication was simply that if ssh and tar are available, scp or rsync probably are as well.
|
# ? Mar 3, 2014 19:31 |
|
HardDisk posted: The best part is that self::getNullAddr() can return false instead of a null wallet for whatever reason, and this guy is none the wiser.

Worse, half of the calls have checking, the other don't. Worse worse, sometimes an exception is thrown, sometimes the caller just returns false. Worse worse worse, the reason that getNullAddr can return false is when a database insert fails. Dude, that's not in the loving return false; category, that's a "log, rollback and exit NOW" thing.

At first glance, the code was only architected incorrectly, but it's clear that it's insidiously wrong in lots of happy ways. Happy for us, at least.
|
# ? Mar 3, 2014 20:03 |
|
Steve French posted: Or maybe just rsync or scp

...both of which require the sftp subsystem, the lack of which was the original horror ohgodwhat was complaining about. I was suggesting tar | ssh as an improvement over pasting poo poo into an X-forwarded text editor.

ohgodwhat posted: I was connecting from Windows, there was no tar, and I don't know if putty can be used like that.

If you're doing X forwarding, you're running X locally, which is probably part of some large package like Cygwin or MKS that includes tar and command-line ssh. I figured it was at least worth suggesting.
|
# ? Mar 3, 2014 20:08 |
|
ToxicFrog posted:...both of which require the sftp subsystem,
|
# ? Mar 3, 2014 20:14 |
ToxicFrog posted: ...both of which require the sftp subsystem, the lack of which was the original horror ohgodwhat was complaining about. I was suggesting tar | ssh as an improvement over pasting poo poo into an X-forwarded text editor.

I'm pretty sure that if you have SSH, you have SFTP (ie FTP over SSH). SCP is a program that can use different protocols (like SSH or FTP) to copy files. rsync is a utility that syncs the contents of directories, and also can use multiple protocols.
|
|
# ? Mar 3, 2014 20:17 |
|
down with slavery posted: I'm pretty sure that if you have SSH, you have SFTP (ie FTP over SSH).

The SFTP subsystem can be enabled or disabled independently of the rest of the sshd, which will definitely disable 'sftp' and I thought would also disable 'scp' and 'rsync' (over ssh), although apparently I'm wrong about those latter two.
|
# ? Mar 3, 2014 20:20 |
ToxicFrog posted: The SFTP subsystem can be enabled or disabled independently of the rest of the sshd, which will definitely disable 'sftp' and I thought would also disable 'scp' and 'rsync' (over ssh), although apparently I'm wrong about those latter two.

News to me. I guess I've just never seen that because it makes no sense (we are in the coding horrors thread after all) except as a method to piss sysadmins off.
|
|
# ? Mar 3, 2014 20:22 |
|
ToxicFrog posted: The SFTP subsystem can be enabled or disabled independently of the rest of the sshd, which will definitely disable 'sftp' and I thought would also disable 'scp' and 'rsync' (over ssh), although apparently I'm wrong about those latter two.

I'm not sure about scp -- running scp file host: seems to connect to a remote host over SSH, run scp -t destination-directory and dump file contents over the network pipe. It would be reasonable for scp to refuse to operate on the remote host if the sftp subsystem is disabled in the SSH configuration, but I haven't found any documentation one way or the other with some (very) quick searching.

rsync, though, essentially operates by running ssh remote-host rsync --server --whatever-other-args and piping the standard rsync protocol over the SSH tunnel. This should be completely independent of whether the sftp subsystem is enabled on the remote host.
|
# ? Mar 3, 2014 20:38 |
|
Lysidas posted: I'm not sure about scp -- running scp file host: seems to connect to a remote host over SSH, run scp -t destination-directory and dump file contents over the network pipe. It would be reasonable for scp to refuse to operate on the remote host if the sftp subsystem is disabled in the SSH configuration, but I haven't found any documentation one way or the other with some (very) quick searching.

By "default," the sftp subsystem isn't enabled. I use quotes because something like this is in the default sshd_config: code:
|
# ? Mar 3, 2014 20:57 |
|
down with slavery posted: News to me. I guess I've just never seen that because it makes no sense (we are in the coding horrors thread after all) except as a method to piss sysadmins off.

Now, this means that scp/rsync support requires that the user has remote login capability and that those commands are allowed to be executed. Also, the local and remote scp/rsync programs have to be compatible with each other. I don't believe either is standardized, but scp is both an old and simple enough protocol that implementations retain compatibility with each other, while rsync is a sufficiently complex-but-useful program that everyone uses the same effective implementation.

SFTP is a bit different. It relies on the SSHv2 concept of a "subsystem", which is a mechanism that allows the remote facility to be called by a general name, instead of relying on a specific binary to be available in PATH. The SFTP protocol itself is an IETF Draft standard with multiple implementations, with OpenSSH's implementation being quite common.

Anyways, SFTP, since it is called as an SSHv2 subsystem (in the absence of being piggy-backed on a completely different transport), is typically explicitly defined as such. Thus, with OpenSSH, you can turn off SFTP support in sshd_config, but it necessarily depends on sshd itself being available. Furthermore, SFTP is a "relatively recent", optional addition to the SSH protocol suite, so, you may well come across machines whose SSH installations simply don't support it.

Of course, just to make things more complicated, some "scp" programs may internally attempt to use SFTP with the traditional scp remote command as a fallback. It's also possible to transfer files over an ssh connection using non-ssh-specific remote commands (e.g., "ssh user@remote 'cat > ~/dest_file' < ~/src_file"), a mechanism that might be implemented by GUI clients in the event that neither SFTP nor scp are available.
|
# ? Mar 3, 2014 21:01 |
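The distinction drawn in the post above, as an added example that is not part of the thread: `sftp_subsystem` checks whether an sshd_config-style file enables the SFTP subsystem, and `pipe_copy` moves a directory tree over a plain command channel in the manner of the `tar | ssh` suggestion. The function names, the `REMOTE_SH` variable and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; the sshd_config sample in demo() is constructed.

# Print the command bound to the "sftp" subsystem in an sshd_config-style file.
# Returns 1 (and prints nothing) when no active "Subsystem sftp" line exists.
# Keywords are case-insensitive in sshd_config; Include files are not followed.
sftp_subsystem() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == "subsystem" && $2 == "sftp" {
            $1 = ""; $2 = ""; sub(/^ +/, "")     # keep only the command
            print; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# Copy a directory tree through a plain command channel, no SFTP involved.
# REMOTE_SH is an assumed variable: "sh -c" runs the receiving side locally,
# "ssh user@host" runs it on a remote machine. Paths must not contain quotes.
pipe_copy() {
    tar cf - -C "$1" . | ${REMOTE_SH:-sh -c} "mkdir -p '$2' && tar xf - -C '$2'"
}

# Demo on constructed input: SFTP is commented out, so the pipe is used.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sshd_config" <<'EOF'
# constructed sample
PermitRootLogin no
#Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    mkdir "$tmp/src" && echo hello > "$tmp/src/file.txt"
    if cmd=$(sftp_subsystem "$tmp/sshd_config"); then
        echo "sftp subsystem: $cmd"
    else
        echo "sftp subsystem disabled, falling back to tar pipe"
        pipe_copy "$tmp/src" "$tmp/dst" && cat "$tmp/dst/file.txt"
    fi
    rm -rf "$tmp"
}
demo
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative check; the parser here only reads a single file.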
|
Suspicious Dish posted: :buttcoin:

This entire pastebin entry is a reason why namespacing in PHP should only be allowed by people who can do it properly. PHP code:
|
# ? Mar 3, 2014 21:01 |
|
Westie posted: This entire pastebin entry is a reason why namespacing in PHP should only be allowed by people can do it properly.

The argument you're making is against stupid broken tightly-coupled untestable "OO" code that is actually mostly procedural because it uses almost nothing but incestuous static methods to talk to itself. It's not an argument about namespacing.
|
# ? Mar 3, 2014 21:04 |
|
McGlockenshire posted: The argument you're making is against stupid broken tightly-coupled untestable "OO" code that is actually mostly procedural because it uses almost nothing but incestuous static methods to talk to itself. It's not an argument about namespacing.

That's also a valid point. But still, he could have used 'Bitcoin::somethingElse' or even just 'self::somethingElse' - but the NS abuse was the one thing that was screaming at me.
|
# ? Mar 3, 2014 21:08 |
|
Just found this test case in my project, recently added by a dev who had given notice and is gone now. Java code:
Gazpacho fucked around with this message at 22:19 on Mar 3, 2014 |
# ? Mar 3, 2014 22:06 |