gonadic io
Feb 16, 2011

>>=

Series DD Funding posted:

An RFC-compliant regex doesn't exist because comments can nest infinitely :fishmech:

Regexes aren't regular though, most implementations are Turing complete


Vanadium
Jan 8, 2005

Does your signup form really want to accept an email address that has comments in it, though. If for some reason you were using a fully spec-compliant email address parser, would you do anything but tell your user to stop loving around and just input an address without comments.

Bonfire Lit
Jul 9, 2008

If you're one of the sinners who caused this please unfriend me now.

Munkeymon posted:

What if I consider excluding people who care deeply enough about whether forms will accept their technically-RFC-compliant :fishmech: addresses that they'll give up and not use my service rather than excluding the comment or whatever from their email a net gain?
that's fine, but please don't be one of the million websites that "validate" email addresses by rejecting everything that contains characters besides alphanumerics and full stop

CPColin
Sep 9, 2003

Big ol' smile.
My favorite was when my bank or T-Mobile or something started rejecting my password because it didn't support the special characters I was using. It rejected them as I was logging in with the password I already had.

I still don't get that. If I want wacky Unicode in my passwords, I should be allowed to!

Deep Dish Fuckfest
Sep 6, 2006

Advanced
Computer Touching


Toilet Rascal

CPColin posted:

I still don't get that. If I want wacky Unicode in my passwords, I should be allowed to!

Should also be the case for security questions.

"Very well sir, what was the nam- oh god what is that emoji doing to its...?"

CPColin
Sep 9, 2003

Big ol' smile.
"Please paste your security image in the box below."

raminasi
Jan 25, 2005

a last drink with no ice
One time I encountered a website with a signup form that silently truncated the password field but a login form that did not. Great times were had by all!

xzzy
Mar 5, 2009

For a long time, unix systems used a DES based encryption scheme on passwords where only the first 8 characters you typed mattered. You could hammer in line noise and it wouldn't make a difference as long as you got those first 8 letters correct.

The MUMPSorceress
Jan 6, 2012


^SHTPSTS

Gary’s Answer

Bonfire Lit posted:

that's fine, but please don't be one of the million websites that "validate" email addresses by rejecting everything that contains characters besides alphanumerics and full stop

this is the worst. I can't use my legitimate firstname.lastname@url.tld email address because of this stuff. many don't let you use the +comment thing, which I like to use to figure out who's spamming me.

carry on then
Jul 10, 2010

by VideoGames

(and can't post for 10 years!)

My parents have had their email address rejected at least once because it ended in @q.com. Needless to say they don't use that one anymore.

xzzy
Mar 5, 2009

LeftistMuslimObama posted:

many don't let you use the +comment thing, which I like to use to figure out who's spamming me.

My solution was to start handling my own email, set up postfix with a catch-all. This does increase the blind-fire spam a little bit because it means I have to accept all mail, but it also means I can "create" new email addresses on the fly when signing up on sites.

Deep Dish Fuckfest
Sep 6, 2006

Advanced
Computer Touching


Toilet Rascal
That just seems more trouble than it's worth since you then have to filter spam yourself.

necrotic
Aug 2, 2005
I owe my brother big time for this!

xzzy posted:

My solution was to start handling my own email, set up postfix with a catch-all. This does increase the blind-fire spam a little bit because it means I have to accept all mail, but it also means I can "create" new email addresses on the fly when signing up on sites.

This but I use Google Apps for it because gently caress running my own mail server.

xzzy
Mar 5, 2009

It's not that bad. Granted it's not gmail's "never ever see a spam message again" level of quality but spamassassin is really good at its job.

Odds are kind of stacked against me anyways, I've had the same primary address for 18 years and that poo poo is guaranteed to be in every bulk emailer's address book.

EpicCodeMonkey
Feb 19, 2011
PHP giveth:
https://git.php.net/?p=php-src.git;...6362baf5b848467

PHP taketh:
https://git.php.net/?p=php-src.git;a=commit;h=a0724d30817600540946b41e40f4cfc2a0c30f80

TooMuchAbstraction
Oct 14, 2012

I spent four years making
Waves of Steel
Hell yes I'm going to turn my avatar into an ad for it.
Fun Shoe

So their RNG implementation was buggy, they committed a fix, then the fix got reverted because it broke users who relied on the previous buggy RNG to output the same specific series of values? Is that what's going on here?

Dr. Stab
Sep 12, 2010
👨🏻‍⚕️🩺🔪🙀😱🙀

gonadic io posted:

Regexes aren't regular though, most implementations are Turing complete

What is the regex that recognizes A^n B^n C^n?

FamDav
Mar 29, 2008

Dr. Stab posted:

What is the regex that recognizes A^n B^n C^n?

Most libraries dip into a subset of context free/sensitive grammars when it's a feature you'd want. I can write a perl regex that matches palindromes.

sarehu
Apr 20, 2007

(call/cc call/cc)

Dr. Stab posted:

What is the regex that recognizes A^n B^n C^n?

On .NET, ^(?'a'a)+(?'b-a'b)+(?(a)(?!))(?'c-b'c)+(?(b)(?!))$. Answer stolen from Stack Overflow.

No Safe Word
Feb 26, 2005

sarehu posted:

On .NET, ^(?'a'a)+(?'b-a'b)+(?(a)(?!))(?'c-b'c)+(?(b)(?!))$. Answer stolen from Stack Overflow.

You didn't provide proper attribution :haw:

(yeah it looks like they thankfully struck down that proposal)

sarehu
Apr 20, 2007

(call/cc call/cc)
If anybody approaches me about this transgression, I'll simply run away, screaming, "FAIR USE!"

crazypenguin
Mar 9, 2005
nothing witty here, move along
I once used a form that accepted initially setting the password fine, but managed (when logging in) to send a GET request without URL encoding my password. somehow. I have no idea how. They must have written javascript specifically to do this instead of submitting the form. Of course my password had an & in it.

Latest annoyance: local health exchange disabled paste on their login and account creation pages because ~security~ I'm sure. Definitely more secure to not use a password manager's long randomly generated passwords. Definitely.

I tried pasting into my bank's login the other week and discovered that they've added a popup explaining that they've disabled right click because ~security~ of course. Thankfully ctrl+v worked.

I think browsers should detect paste and right-click intercepts and deliberately offer a "hey did you actually want to just do that anyway?" option to the UI. Gives us a nice simple way to just go right around this garbage, and makes the website developers look appropriately stupid.
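
The unencoded GET login described in the post above, reproduced as an added example (not code from the site in question or from the poster). The host, user name, passwords and function names are constructed for illustration.

```javascript
// Constructed values: host, user name and passwords are made up.
const BASE = 'https://login.example.test/session';

// Broken: the query string is built by concatenation with no encoding,
// so '&', '=', '+' and '#' in the password are read as URL syntax.
function naiveLoginUrl(user, password) {
  return BASE + '?user=' + user + '&password=' + password;
}

// Encoded: URLSearchParams percent-encodes reserved characters.
// (Shown to isolate the encoding bug; credentials belong in a POST body,
// since URLs end up in server logs and browser history.)
function encodedLoginUrl(user, password) {
  const url = new URL(BASE);
  url.searchParams.set('user', user);
  url.searchParams.set('password', password);
  return url.toString();
}

// What a standards-following query parser on the server recovers.
function receivedPassword(urlString) {
  return new URL(urlString).searchParams.get('password');
}

// Parameters the client never meant to send.
function strayParams(urlString) {
  return [...new URL(urlString).searchParams.keys()]
    .filter((k) => k !== 'user' && k !== 'password');
}

for (const pw of ['hunter&2=x', 'a+b#c']) {
  console.log(JSON.stringify(pw),
    'naive ->', JSON.stringify(receivedPassword(naiveLoginUrl('tm', pw))),
    'stray:', strayParams(naiveLoginUrl('tm', pw)),
    '| encoded ->', JSON.stringify(receivedPassword(encodedLoginUrl('tm', pw))));
}
```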

TooMuchAbstraction
Oct 14, 2012

I spent four years making
Waves of Steel
Hell yes I'm going to turn my avatar into an ad for it.
Fun Shoe
Reminds me of a registration renewal notice I got in the mail for, I think, my car. They had a webpage where you could go to do the registration instead of having to physically mail anything in. The page was customized to my specific name/car (so it was like http://dmv.gov/renewals/TMAsOldGreenBeaterCar or whatever), and as added security I had to input a key code that was in the notice they'd mailed to me. Except they mailed me the wrong goddamn key code. So I just viewed the Javascript, found the form validation logic, found the value they were expecting to get, and pasted that in. And it worked! :v:

EpicCodeMonkey
Feb 19, 2011

TooMuchAbstraction posted:

So their RNG implementation was buggy, they committed a fix, then the fix got reverted because it broke users who relied on the previous buggy RNG to output the same specific series of values? Is that what's going on here?

Bingo.

Benefit of the doubt, you might want it stable for unit tests or other tests. But in those cases you should be mocking it anyway, not hoping the PRNG can give repeatable output between runs.

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...
The US Treasury's website silently truncates passwords to 16 characters on your signup form.

The login page requires you to enter your password on one of those stupid onscreen keyboards.

It's case insensitive.

When I hit "submit", my password manager was able to grab the resulting password.

:bang:

Dr. Stab
Sep 12, 2010
👨🏻‍⚕️🩺🔪🙀😱🙀

sarehu posted:

On .NET, ^(?'a'a)+(?'b-a'b)+(?(a)(?!))(?'c-b'c)+(?(b)(?!))$. Answer stolen from Stack Overflow.

Oh, sure, obviously. Now what is the regex to simulate a turing machine?

ShoulderDaemon
Oct 9, 2003
support goon fund
Taco Defender

Dr. Stab posted:

Oh, sure, obviously. Now what is the regex to simulate a turing machine?

In Perl, $foo =~ s/.*/$&/ee; is the same as $foo = eval $foo;.

piratepilates
Mar 28, 2004

So I will learn to live with it. Because I can live with it. I can live with it.



Fun little bug I ran into at work. I was seeing how easy it would be to update the project's version of Ember to the latest version, got fed up when something didn't work, and reset my changes.

Now I have no local changes and it still doesn't work, saying it 'equireay' a jQuery version between 1.7 and 2.1. The project's version had 1.11 listed in the dependency file. I clear every cache, clear out every folder that had temp files and project dependencies, still no dice.

After googling the error it turns out that someone somewhere screwed up and if you have the jQuery dependency listed using the semver '^1.11.3' then it might download a weirdo version that somehow Ember doesn't detect as between 1.7 and 2.1. The temporary fix was to make it just 1.11.3 instead of ^1.11.3.

If you were going to install the project from scratch it wouldn't work at all because of this.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

LeftistMuslimObama posted:

this is the worst. I can't use my legitimate firstname.lastname@url.tld email address because of this stuff. many don't let you use the +comment thing, which I like to use to figure out who's spamming me.

lol if you think spammers don't strip the +comment by now

Sedro
Dec 31, 2008

piratepilates posted:

Fun little bug I ran into at work. I was seeing how easy it would be to update the project's version of Ember to the latest version, got fed up when something didn't work, and reset my changes.

Now I have no local changes and it still doesn't work, saying it 'equireay' a jQuery version between 1.7 and 2.1. The project's version had 1.11 listed in the dependency file. I clear every cache, clear out every folder that had temp files and project dependencies, still no dice.

After googling the error it turns out that someone somewhere screwed up and if you have the jQuery dependency listed using the semver '^1.11.3' then it might download a weirdo version that somehow Ember doesn't detect as between 1.7 and 2.1. The temporary fix was to make it just 1.11.3 instead of ^1.11.3.

If you were going to install the project from scratch it wouldn't work at all because of this.

That's npm for you. At any point in time, a minor version update to a dependency's dependency's dependency might break your project. It's not enough to pin the versions of your dependencies, you have to pin the versions of the entire dependency tree. Good luck getting shrinkwrap to work.

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.

piratepilates posted:

Fun little bug I ran into at work. I was seeing how easy it would be to update the project's version of Ember to the latest version, got fed up when something didn't work, and reset my changes.

Now I have no local changes and it still doesn't work, saying it 'equireay' a jQuery version between 1.7 and 2.1. The project's version had 1.11 listed in the dependency file. I clear every cache, clear out every folder that had temp files and project dependencies, still no dice.

After googling the error it turns out that someone somewhere screwed up and if you have the jQuery dependency listed using the semver '^1.11.3' then it might download a weirdo version that somehow Ember doesn't detect as between 1.7 and 2.1. The temporary fix was to make it just 1.11.3 instead of ^1.11.3.

If you were going to install the project from scratch it wouldn't work at all because of this.

I'm not quite getting what's going on. What does '^1.11.3' ostensibly mean? Who hosed up, npm or jquery?

piratepilates
Mar 28, 2004

So I will learn to live with it. Because I can live with it. I can live with it.



pokeyman posted:

I'm not quite getting what's going on. What does '^1.11.3' ostensibly mean? Who hosed up, npm or jquery?

'^1.11.3' in npm semver description means "take the left-most non-zero digit in the version and update any number to the right of it", so in this case it will try to get the latest of the '1.x.x' versions of jQuery, which in this case is 1.12.0. For some reason apparently the version of Ember we're using (still pretty recent) has some kind of bug where if you use jQuery 1.12 instead of 1.11 it will presume you're using a version of jQuery outside of 1.7 to 2.1 and not work at all. I didn't take a great look at the github issue that I googled but it seemed to be an issue with Ember here. Either way it's all kind of hosed up and shouldn't have happened.

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.
Got it, thanks!

Pavlov
Oct 21, 2012

I've long been fascinated with how the alt-right develops elaborate and obscure dog whistles to try to communicate their meaning without having to say it out loud
Stepan Andreyevich Bandera being the most prominent example of that

Dessert Rose posted:

The US Treasury's website silently truncates passwords to 16 characters on your signup form.

The login page requires you to enter your password on one of those stupid onscreen keyboards.

It's case insensitive.

When I hit "submit", my password manager was able to grab the resulting password.

:bang:

So what you're telling me is that the next US financial crash is going to be caused by a 16 year old looking for hacker cred.

Soricidus
Oct 21, 2010
freedom-hating statist shill

xzzy posted:

For a long time, unix systems used a DES based encryption scheme on passwords where only the first 8 characters you typed mattered. You could hammer in line noise and it wouldn't make a difference as long as you got those first 8 letters correct.

Fortunately people eventually figured out that this was bad. I haven't used a system configured this way for at least, uh, three years?

xzzy
Mar 5, 2009

I don't know, it was known to be bad over 10 years ago. Encountering a system three years ago still using DES encryption may not be a coding horror but it's definitely an administration horror. :v:

Kazinsal
Dec 13, 2011
Before Seventh Edition, crypt() wasn't even DES. It was introduced in Third Edition as a software implementation of the WWII M-209 cipher machine, using the user's password as both the key and the message to encrypt with the cipher. That was good enough for a project pretty much internal to Bell Labs and used almost entirely for word processing in the early 70s. In Seventh Edition they changed it to 25 rounds of DES on a block of zeros because guessing M-209 results became too fast to be secure by 1978/1979.

Technology marches on.

Kilson
Jan 16, 2003

I EAT LITTLE CHILDREN FOR BREAKFAST !!11!!1!!!!111!
Ran into a really stupid issue today. I was trying to get a source tree from subversion onto my Windows box. In the repository are files called con.c and con.h.
Windows doesn't let you create files (or folders) with the name 'con', even with an extension, because it's reserved.

So svn pukes, and won't let you do anything until you cleanup. However, cleanup also fails, because it's still trying to do something with those files that Windows won't let it create. In order to fix it, I had to manually delete pending work from the svn SQLite database, and rename the offending files from a Linux machine and recommit them so they could be checked out from Windows.

I can't believe that legacy crap still exists in Windows. :negative:
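
A check for the situation in the post above, as an added example (not part of Subversion or the original post): scan a repository's path list for components that collide with Win32 reserved device names before they are committed. The function names and the sample paths are constructed.

```javascript
// Win32 reserved device names (case-insensitive, with or without extension).
const RESERVED = new Set([
  'CON', 'PRN', 'AUX', 'NUL',
  ...[1, 2, 3, 4, 5, 6, 7, 8, 9].flatMap((n) => [`COM${n}`, `LPT${n}`]),
]);

// Return the first path component that collides with a device name, or null.
function reservedComponent(path) {
  for (const part of path.split(/[\\/]/)) {
    // The name before the first dot decides; trailing dots and spaces are
    // stripped first. This is deliberately conservative.
    const stem = part.replace(/[. ]+$/, '').split('.')[0].trim().toUpperCase();
    if (RESERVED.has(stem)) return part;
  }
  return null;
}

// Paths that a Win32 client would fail to create on checkout.
function findUncheckoutable(paths) {
  return paths.filter((p) => reservedComponent(p) !== null);
}

// Constructed sample tree for illustration.
const sampleTree = [
  'src/con.c',
  'src/con.h',
  'src/console.c',
  'include/icon.h',
  'tools/aux/build.sh',
  'logs/NUL',
  'dist/com1.tar.gz',
  'dist/com10.txt',
  '.gitignore',
];

for (const p of findUncheckoutable(sampleTree)) {
  console.log(`${p}: component "${reservedComponent(p)}" is reserved on Win32`);
}
```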

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

Kilson posted:

Ran into a really stupid issue today. I was trying to get a source tree from subversion onto my Windows box. In the repository are files called con.c and con.h.
Windows doesn't let you create files (or folders) with the name 'con', even with an extension, because it's reserved.

So svn pukes, and won't let you do anything until you cleanup. However, cleanup also fails, because it's still trying to do something with those files that Windows won't let it create. In order to fix it, I had to manually delete pending work from the svn SQLite database, and rename the offending files from a Linux machine and recommit them so they could be checked out from Windows.

I can't believe that legacy crap still exists in Windows. :negative:

windows goes to a lot of trouble to support legacy poo poo. it's pretty admirable in a way just how hard they try to make sure that the bad software some company wrote in the 90s will still run today. Of course, in other ways it can be very inconvenient.


Soricidus
Oct 21, 2010
freedom-hating statist shill

Kilson posted:

Ran into a really stupid issue today. I was trying to get a source tree from subversion onto my Windows box. In the repository are files called con.c and con.h.
Windows doesn't let you create files (or folders) with the name 'con', even with an extension, because it's reserved.

So svn pukes, and won't let you do anything until you cleanup. However, cleanup also fails, because it's still trying to do something with those files that Windows won't let it create. In order to fix it, I had to manually delete pending work from the svn SQLite database, and rename the offending files from a Linux machine and recommit them so they could be checked out from Windows.

I can't believe that legacy crap still exists in Windows. :negative:

It's only the win32 layer where that kind of crap exists, NT doesn't care. You can use cygwin or whatever to deal with files called con.c just fine.

NT is a good operating system that's crippled by Microsoft only really supporting the Win32 subsystem.
