I haz a forum!
-
So I hacked together a brand new web forum server over the course of about a week. I'm calling it WTForum, and it's up at http://52.191.136.51/. It uses CKEditor (a HTML WYSIWYG editor) because everyone seems to hate marking up, down, and sideways. It's running off a Firebird database on a low-powered Azure cloud server.
I'm going out for a couple hours. See if you can break it in that time, and see how many bugs you can find!
It's extremely simple--there's no CSS, no JavaScript except for CKEditor, etc. It should handle registration, login/logout, topic creation, and posting of replies to topics correctly.
There is no HTML validation yet. Please don't try to break things with XSS or other stupid HTML tricks; I haven't gotten around to implementing that.
There are also no user profiles yet, or up/down voting. These will be implemented soon.
Passwords are stored securely with a standard BCrypt hash/salt scheme. Registration asks for email but doesn't validate it yet.
Like I said, I hacked this together in about a week. Enjoy!
-
#1: You have to log in after registering, it doesn't do that automatically.
#2: It does not check that an image is an image.
#3: There's a misc hidden and unusable textarea under the title in the editing window that I'm not sure what it does.
#4:
https://i.imgur.com/kapDLMn.png
Every time I click this link, it adds another /topics/ but doesn't actually go anywhere interesting.
This is because if I click General from the Home page, it goes to /categories/1 instead of /category/1, so it goes to the regular Categories page but the URL is now /categories/1 instead of /categories, which breaks it.
This also occurs if I click the General link from /category/1, leading back to /categories/1.
-
@pie_flavor #1 is by design. #2 is HTML validation. #3 is an artifact of the way CKEditor works; just ignore it.
#4 is a legitimate bug. I'll fix it once I get home.
-
The register form doesn't seem to be recognized by my password manager (LastPass) so when I generated a random password and submitted the form, LastPass didn't save the info and now I have an account with a password I don't know. I'll be waiting on the Forgot Password feature...
-
@lb_ said in I haz a forum!:
The register form doesn't seem to be recognized by my password manager (LastPass)
Any idea why that would be?
-
@pie_flavor Try it now.
-
-
@pie_flavor I thought I had implemented that command, but I didn't.
Fixed now.
-
-
@r10pez10 Yes you did. I'll have to look into how to fix that...
-
@masonwheeler said in I haz a forum!:
there's no CSS
Well, I mean, you could have a little bit of CSS...
-
@tsaukpaetra We've got a handful of frontend gurus on here. I'm not one of them. If one of them wants to contribute something useful, I'd welcome the help...
-
@masonwheeler said in I haz a forum!:
@tsaukpaetra We've got a handful of frontend gurus on here. I'm not one of them. If one of them wants to contribute something useful, I'd welcome the help...
Do you have repo we can issue pull requests to?
BTW, the site seems to just be giving a 404 after I registered & signed in. Don't know if it's a coincidence or if I broke something.
I also didn't get any sort of a "registration successful" email - again, don't know if that's a missing feature or a bug.
-
-
@unperverted-vixen said in I haz a forum!:
BTW, the site seems to just be giving a 404 after I registered & signed in. Don't know if it's a coincidence or if I broke something.
That was a hiccup in my deployment just now. Try again and it should be working.
I also didn't get any sort of a "registration successful" email - again, don't know if that's a missing feature or a bug.
Missing feature. That's the next thing I'm working on, now that I've fixed up @r10pez10's HTML shredding bug in the preview column.
-
What is this toxic hellstew forum? No client-side rendering fed by a download of the entire forum database? Is this still 2017?
-
@masonwheeler said in I haz a forum!:
That was a hiccup in my deployment just now. Try again and it should be working.
Much more better.
New bugs:
-
There seems to be something really weird going on cookie-wise. I deleted my cookie in Chrome, but subsequent requests still sent a cookie with the same SessionId, and then recreated one with the reply. However, I guess the path was sufficiently munged that the site treated me as signed out, somehow? Could be a browser issue, but I've never seen anything like that on other sites.
-
The site is issuing new cookies for each "subfolder" (I assume either controller or action), instead of just the site root.
-
EDIT TO ADD: If you submit a reply but are not logged in, it reloads the reply window with a "You are not logged in" message (good). It also throws away the message content (bad).
-
-
@unperverted-vixen Oy. Cookies. I don't even want to dig into that code--that's a different framework, not part of the one week it took to set this up--but I guess I'll have to.
As for losing content... yeah. I'll fix that up. But probably not right now, because it's almost bedtime here.
-
This is neat! I like the lack of scroll craziness. I wonder why the 'reply' page takes so long to load though...
-
@bb36e Does the page take a long time to load, or does the reply box (the CKEditor widget) take a long time to load?
-
@masonwheeler the widget comes in a long time after the page loads. Once there's a load of other CSS and JavaScript blocking loading it will all be taking the same amount of time.
The preview is a bit dodgy with formatting
-
@masonwheeler said in I haz a forum!:
@bb36e Does the page take a long time to load, or does the reply box (the CKEditor widget) take a long time to load?
And to check your progress:
-
@masonwheeler for me, the reply page takes a couple of seconds to appear, and then maybe a second later the reply widget appears on it
-
-
@r10pez10 Fixed now.
-
@ben_lubar said in I haz a forum!:
What is this toxic hellstew forum? No client-side rendering fed by a download of the entire forum database? Is this still 2017?
10/10 for Precentor Waterly impression, would read again.
Filed Under: Don't hold back there, Ben, tell us how you really feel about the criticisms of NodeBB...
-
@raceprouk said in I haz a forum!:
@masonwheeler said in I haz a forum!:
@bb36e Does the page take a long time to load, or does the reply box (the CKEditor widget) take a long time to load?
And to check your progress:
Useful stuff, thanks. I've added support for caching, ETag, and GZip compression. That should make the JavaScript load a fair bit faster.
-
You can click New Topic when you're not logged in and it will take you to the editor, where you can compose the post which will subsequently vanish into the ether once you actually try to post it.
-
-
@maciejasjmj ...and that's why I asked people not to mess around with stuff I hadn't implemented validation for yet.
-
@cabrito I saw your post asking for Quote and implemented it.
-
@masonwheeler said in I haz a forum!:
@maciejasjmj ...and that's why I asked people not to mess around with stuff I hadn't implemented validation for yet.
@masonwheeler Is this how you treat your valuable customer @Maciejasjmj for improving your forum by approx 140%?
Jeez, Why don't you just post image memes and ban him from the forums?
-
@masonwheeler said in I haz a forum!:
@pie_flavor I thought I had implemented that command, but I didn't.
Fixed now.
Does <img src="logout.php" /> work on your forum?
-
@jaloopa said in I haz a forum!:
@masonwheeler the widget comes in a long time after the page loads. Once there's a load of other CSS and JavaScript blocking loading it will all be taking the same amount of time.
The preview is a bit dodgy with formatting
Wait wait wait--- Lorne Kates, have I used your forum?!?
-
@masonwheeler said in I haz a forum!:
@maciejasjmj ...and that's why I asked people not to mess around with stuff I hadn't implemented validation for yet.
Sorry, the urge to break stuff is stronger than I am.
-
@maciejasjmj OK, I scrubbed those posts and added a validation step that checks for the <script> tag. Just try and do that again, I dare you...
-
@lorne-kates said in I haz a forum!:
Does <img src="logout.php" /> work on your forum?
No, because it's not implemented in PHP.
Having said that, I do need to implement some sort of image validation to prevent stuff like that. I've got stuff to do, but I'll work on that later today.
-
@masonwheeler said in I haz a forum!:
@lorne-kates said in I haz a forum!:
Does <img src="logout.php" /> work on your forum?
No, because it's not implemented in PHP.
Having said that, I do need to implement some sort of image validation to prevent stuff like that. I've got stuff to do, but I'll work on that later today.
Fuck that shit. Here's what you do.
- On login/session start, per user, create a GUID. That's the logout nonce.
- The link to the logout page should be logout.html?nonce=<% $_SESSION["logout_nonce"] %>
- On logout.py, check if $_QUERYSTRING["nonce"] == $_SESSION["logout_nonce"] %> before logging out.
Otherwise you'll just fuck up image validation, and people will get around it anyways.
-
@lorne-kates Logging in or out changes server (or session) state, and hence should require a POST request.
-
@lorne-kates said in I haz a forum!:
Fuck that shit. Here's what you do.
- On login/session start, per user, create a GUID. That's the logout nonce.
- The link to the logout page should be logout.html?nonce=<% $_SESSION["logout_nonce"] %>
- On logout.py, check if $_QUERYSTRING["nonce"] == $_SESSION["logout_nonce"] %> before logging out.
Otherwise you'll just fuck up image validation, and people will get around it anyways.
That's a pretty good idea.
I still need image validation for other reasons, but that should work.
Also, not implemented in Python.
-
@pleegwat said in I haz a forum!:
@lorne-kates Logging in or out changes server (or session) state, and hence should require a POST request.
That's an even better idea. You can't XSRF a POST.
-
@masonwheeler said in I haz a forum!:
@pleegwat said in I haz a forum!:
@lorne-kates Logging in or out changes server (or session) state, and hence should require a POST request.
That's an even better idea. You can't XSRF a POST.
I'm not making claims on it - I read it years ago and it may originate in the RFC. POST also won't get resubmitted by the browser as easily, it won't get cached, and it won't be done by a crawler (I think there's been a front page article on that).
EDIT: This does originate in the RFC. A potential case I did not remember is prefetching links - if your logout is a GET link the browser is in its rights to prefetch its contents without you clicking on it.
-
@pleegwat OK, now I just have to look up how to POST from clicking on a link. I used to know this... :(
-
@masonwheeler Make the “link” run some javascript. That javascript does the POST.
-
@dkf I know. I just needed to look up the details. Got it now.
-
@masonwheeler Well, in classic HTTP, you don't. Links load resources. Actions are performed by forms, with buttons.
-
@masonwheeler said in I haz a forum!:
Having said that, I do need to implement some sort of image validation to prevent stuff like that.
Instead of trying to fix it with image validation, you could fix the logout page.
For example:
- Inspecting the referer and displaying an error page if it isn't proper (note that this will require the logout form be on its own specific page, e.g. inside an iframe)
- Requiring the page load to be something other than GET (e.g. POST)
- Encoding a non-guessable parameter in the query string
Note that fixing it in this manner would also necessarily mean that someone couldn't use a bookmark to logout.
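Lorne Kates' per-session logout nonce and the POST requirement from this post, combined in one server-side check. This is an added example in plain Python with a constructed in-memory session table; it is not WTForum's code (which is not in Python) and leaves the referer check out. The nonce is needed on top of POST because a hidden cross-site form can still submit a POST, whereas it cannot read the nonce out of the victim's session.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session table: session_id -> session dict.
# A real server keeps this server-side (database or cache), never inside the cookie.
SESSIONS = {}


def start_session(username):
    """Log a user in: mint a session id plus a per-session logout nonce (a GUID would do too)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "logout_nonce": secrets.token_urlsafe(32)}
    return sid


def logout_form_html(sid):
    """Render the POST-only logout form with the nonce as a hidden field; no JavaScript needed."""
    nonce = SESSIONS[sid]["logout_nonce"]
    return (
        '<form action="/logout" method="POST">'
        f'<input type="hidden" name="logout_nonce" value="{escape(nonce)}">'
        '<input type="submit" value="Log out"></form>'
    )


def handle_logout(method, sid, form):
    """Server side of /logout. Returns (http_status, reason); the session is destroyed only on success."""
    if method != "POST":
        # An <img src="/logout"> in a post only ever issues a GET, so it is refused before
        # the session is even consulted.
        return 405, "logout requires POST"
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    supplied = form.get("logout_nonce", "")
    # Constant-time comparison so a wrong nonce is not distinguishable by timing.
    if not hmac.compare_digest(supplied.encode(), session["logout_nonce"].encode()):
        # A forged cross-site form cannot know the nonce, so it lands here.
        return 403, "bad or missing logout nonce"
    del SESSIONS[sid]  # Single use: replaying the same form afterwards yields 401.
    return 200, "logged out"
```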
-
@masonwheeler said in I haz a forum!:
@pleegwat OK, now I just have to look up how to POST from clicking on a link. I used to know this... :(
The simplest method is to just use a form. HTML already supports this, and you don't even need Javascript:
<form action="/logout" method="POST">
  <!-- If you're using one. Otherwise, just omit the next line. -->
  <input type="hidden" name="session_nonce" value="...">
  <input type="submit" value="Log out">
</form>
You can style the submit button so that it doesn't look like a button, if desired.
Or you can use an actual link to submit the form; something like <a href="#" onclick="logoutForm.submit();">. But that does require Javascript.
-
@masonwheeler said in I haz a forum!:
@cabrito I saw your post asking for Quote and implemented it.
Nitpick: quotes all the post, not only the selected area
-
@anotherusername said in I haz a forum!:
Instead of trying to fix it with image validation, you could fix the logout page.
For example:
- Inspecting the referer and displaying an error page if it isn't proper (note that this will require the logout form be on its own specific page, e.g. inside an iframe)
- Requiring the page load to be something other than GET (e.g. POST)
- Encoding a non-guessable parameter in the query string
Note that fixing it in this manner would also necessarily mean that someone couldn't use a bookmark to logout.
Fixed logout to use POST. No referer check yet; I'll have to implement that. But once I do, it'll be implemented for every POST call on the server.