WTF Bites

dkf

I've been applying patches to 3rd party dependencies in every other project. If you do it as a patch during the build, after update it will either apply and almost certainly work too, or fail obviously and you update the patch. Most Linux distribution packages do it too, so it's not exactly unusual.

Having dealt with that sort of thing a bit, the downstream package distributors are encouraged to feed upstream any changes that they need that aren't really just build-time configuring the system with things like choices of paths and so on. The smaller the effort needed to get builds done, the better.

Bulb

@dkf Certainly. But

Upstream might get a round toit only in two months. Or Years.
Upstream might even apply it to the current version, which does not help when you are maintaining a stable release.
Upstream might have a Different Opinion™ (e.g. about where files should be installed that is incompatible with The FHS)

so in practice there is plenty of patches all over the place.

TwelveBaud

Bulb

Back in 1996 they've apparently implemented tainting for JavaScript in Netscape and included it as experimental option (off by default) in version 3.0. But they've long since dropped it again.

Why is it that this fairly useful validation check never made it to most languages?

remi

No, Amazon, this is not how "sort by prices, low to high" works.

Trying very hard to be charitable towards them, possibly the first one is there because there is one "other seller on Amazon" that sells it for EUR 0.40 (likely "plus EUR 42 bazillions for shipping"). But then the third one has another seller at EUR 1.92 so it should be before the second one where the lowest advertised price is EUR 10.10.

More realistically, Amazon's "lowest price first" actually means "lowest prices somewhat towards the top, but let's inject whatever items we want to push at the top spots of that list."

(edit: also, yes, it very much looks like the first one is selling a print-out of the DVD jacket... from the page I don't think it really is but anyway that's obviously not the one I ordered so we'll never know)

Carnage

@Bulb said in WTF Bites:

Back in 1996 they've apparently implemented tainting for JavaScript in Netscape and included it as experimental option (off by default) in version 3.0. But they've long since dropped it again.

Why is it that this fairly useful validation check never made it to most languages?

Just treat any data from an external source as untrustworthy, be it another system, end users or god almighty himself. Every bit of data should be treated as untrustworthy until it has been secured in some way, so the taint feature seems a bit superfluous. I guess if the language is up to all kinds of shenanigans with data before you get your grubby mitts on it, it might be useful, but then the language is horrible.

TwelveBaud

@remi Maybe it's sorting by the blu-ray price? Or maybe the "l'expédition" fee shown doesn't cover everything required for "livraison", perhaps missing import duties?

Tsaukpaetra

Status: Why, if there is unreachable code, do I have to make sure that said unreachable code is still syntactically correct?!?!?

Trying to determine if this function I deleted will affect anything but can't get around all the stuff I've quasi-deleted (with an early return) still complaining it's not there. Grrr....

Zecc

@Tsaukpaetra said in WTF Bites:

Status: Why, if there is unreachable code, do I have to make sure that said unreachable code is still syntactically correct?!?!?

If for nothing else, because brace levels must be interpreted to know where the unreachability ends.

Zecc

@Tsaukpaetra said in WTF Bites:

Trying to determine if this function I deleted will affect anything but can't get around all the stuff I've quasi-deleted (with an early return) still complaining it's not there. Grrr....

Oh, is that what you meant by "syntactically correct"? That's not the same thing.

Tsaukpaetra

@Zecc said in WTF Bites:

@Tsaukpaetra said in WTF Bites:

Trying to determine if this function I deleted will affect anything but can't get around all the stuff I've quasi-deleted (with an early return) still complaining it's not there. Grrr....

Oh, is that what you meant by "syntactically correct"? That's not the same thing.

Yeah. What I basically did was put an assert(false);return; at the top of some functions, many of which call another function. This was easier than block-commenting out several hundred lines of shit while I was observing for the effect of doing thing.

Once I flunked out all the functions that called that other function, I then deleted that other function, and all of the sudden "Oh noes, this code that doesn't run can't call that other function! Critical fail!"

Naturally I fixed that by deleting the offensive (not-able-to-be-run-except-if-hacked-to-do-so) code, but my point is: Why is it still checking shit that doesn't matter?

topspin

@Tsaukpaetra said in WTF Bites:

Status: Why, if there is unreachable code, do I have to make sure that said unreachable code is still syntactically correct?!?!?

Because anything else would be a gigantic

Trying to determine if this function I deleted will affect anything but can't get around all the stuff I've quasi-deleted (with an early return) still complaining it's not there. Grrr....

Not trying to be helpful, but have you heard of comments?

Tsaukpaetra

@topspin said in WTF Bites:

Not trying to be helpful, but have you heard of comments?

Yeah yeah, it was getting deleted anyways so I thought to save myself some typing and just put in a return;. My fault I guess, too lazy and didn't work.

bugmenot

@Bulb said in WTF Bites:

Back in 1996 they've apparently implemented tainting for JavaScript in Netscape and included it as experimental option (off by default) in version 3.0. But they've long since dropped it again.

Why is it that this fairly useful validation check never made it to most languages?

You made me curious so I did some digging. The first occurrence of tainting I can find is in the 1989 release of Perl 3.0, where it was enabled automatically in setuid scripts. See the perl.man.4 file in the repository. From there it was extended and made generally available in the form of the -T command line switch in the 1994 release of Perl 5.0. See pod/perlrun.pod. From there it seems to have been copied to JavaScript (along with a surprising number of other features).

I would argue that a good static type system and interfaces that make use of the type system eliminate the need for a special "taint" feature. For example, you could have separate UnsafeString and SafeString types and all input functions would return UnsafeStrings. That way you could never accidentally pass unvalidated user input to system functions because the type checker would yell at you.

However, no one seems to do that, so a runtime check is better than nothing.

As for why they dropped it from Netscape, their approach was questionable:

Furthermore, tainting does not even absolutely prevent data from being sent where it shouldn't be; it only prevents it from automatically being sent there. Whenever an attempt to export data violates the tainting rules, the user will be prompted with a dialog box asking them whether the export should be allowed. If they so choose, they can allow the export.

... yeah, that sounds great. I know some browsers that implemented something similar for cookies and it sucked. Just bombard the user with pop-ups because we all know the user always knows what is safe and what isn't.

Everyone else probably never learned about taint mode because everybody knows that Perl has cooties and just studying it makes you go blind, or something.

Zerosquare

Everything that involves Javascript is tainted by definition anyways

Gąska

@bugmenot said in WTF Bites:

Everyone else probably never learned about taint mode because everybody knows that Perl has cooties and just studying it makes you go blind, or something.

I read the Raku thread and it certainly burned my retinas, among other things.

Tsaukpaetra

Status: talk about taints is making me want vulvas.

Gąska

@Tsaukpaetra is there ever a time you don't want vulvas?

dkf

@bugmenot said in WTF Bites:

I would argue that a good static type system and interfaces that make use of the type system eliminate the need for a special "taint" feature. For example, you could have separate UnsafeString and SafeString types and all input functions would return UnsafeStrings. That way you could never accidentally pass unvalidated user input to system functions because the type checker would yell at you.

That's doable except that the the process of untainting is horrible, and strings are usually designed as immutable types (so they can be used safely as security tokens). Instead, arguably taintedness should be something that can be applied to other types as well (it's perhaps a type attribute like const or volatile in C and C++) but that's a whole separate can of worms. (The Perl method for untainting was typically Perl: use a regexp…)

Yet another case where “oh this looks simple” leads to “oh no, it wasn't at all”.

HardwareGeek

@dkf said in WTF Bites:

The Perl method for untainting was typically Perl: use a regexp…

IIRC (I never used tainting much, if at all), it was taking a substring, whether by character position or pattern matching. The assumption was (is?) that if you, the programmer, know enough about the string's contents to manipulate in that way, you know enough to decide whether to trust it. Whether that's a good assumption is a different question.

bugmenot

@dkf I'd probably go for a parameterized type a la Tainted<String>. That way you could in principle have distinct Tainted<List<T>>, List<Tainted<T>>, or even Tainted<Love<Tainted<T>>>.

Of course, then you'd have to figure out what Tainted<Tainted<T>> means, so maybe not.

Gąska

@bugmenot said in WTF Bites:

Of course, then you'd have to figure out what Tainted<Tainted<T>> means, so maybe not.

You could just ignore this case as dumb. Like Atomic<Atomic<T>>. Technically it exists, but nobody will ever use it.

dkf

@Gąska said in WTF Bites:

@bugmenot said in WTF Bites:

Of course, then you'd have to figure out what Tainted<Tainted<T>> means, so maybe not.

You could just ignore this case as dumb. Like Atomic<Atomic<T>>. Technically it exists, but nobody will ever use it.

It's simple: Atomic<Atomic<T>> is a waste of an atomic so it needs to be radioactive…

Bulb

@Carnage said in WTF Bites:

@Bulb said in WTF Bites:

Back in 1996 they've apparently implemented tainting for JavaScript in Netscape and included it as experimental option (off by default) in version 3.0. But they've long since dropped it again.

Why is it that this fairly useful validation check never made it to most languages?

Just treat any data from an external source as untrustworthy, be it another system, end users or god almighty himself. Every bit of data should be treated as untrustworthy until it has been secured in some way, so the taint feature seems a bit superfluous.

Taint check is simply a kind of dynamic analysis that verifies that you indeed do treat all data as untrustworthy until secured in some way. It does not change the way you write the code, just provides some guard against forgetting to secure the data. And that is not superfluous at all, especially if you have some poorly trained monkeys on your team, which in corporate setting you almost always do.

Note that in languages with reasonably strict type system this can be implemented using types (have distinct types for already checked values ready to be passed to various sensitive interfaces), and some frameworks do do that, including the one we are using. It's just that javascript is rather typefluid and that the framework can't prevent someone calling the ‘standard library’ functions directly that don't have the protection, so I'd like some automated checker in addition to the manual review.

I guess if the language is up to all kinds of shenanigans with data before you get your grubby mitts on it, it might be useful, but then the language is horrible.

The language is not up to any shenanigans at all.

@bugmenot said in WTF Bites:

I would argue that a good static type system and interfaces that make use of the type system eliminate the need for a special "taint" feature. For example, you could have separate UnsafeString and SafeString types and all input functions would return UnsafeStrings. That way you could never accidentally pass unvalidated user input to system functions because the type checker would yell at you.

However, no one seems to do that, so a runtime check is better than nothing.

Actually some do, but it is generally constrained to the templating engines. I've seen it in some Haskell templating engine (don't remember which one, but it's quite possible all of them do; type-system tricks are fairly popular in Haskell). The genshi engine for Python does (it escapes everything unless you explicitly build XML fragment), and angular also mostly does (it escapes everything in substitution and sanitizes everything when binding properties unless you explicitly marked it as trusted, which creates a SafeSomething wrapper type.).

However except for Perl and apparently Ruby (I know very little Ruby) no other language seems to do it on the level of built-in types and standard library.

@bugmenot said in WTF Bites:

... yeah, that sounds great. I know some browsers that implemented something similar for cookies and it sucked. Just bombard the user with pop-ups because we all know the user always knows what is safe and what isn't.

Mmmmmkay. Yeah, this conflicts with the policy, long proven wrong, but still persisting for backward compatidebility, of trying to keep going in face of errors, which is very detrimental to security. Anyway, I would probably not try to leave it running in production, just enable it for the functional test, so it blows up there and any missing sanitization gets added.

In this regard it might be possible to even implement it as some kind of browser plugin and perhaps bundled with Selenium WebDriver, but nobody appears to have done so.

Zecc

@bugmenot I'd go for an actual subtype, as there are more subtypes of strings: SQL, all kinds of URI, markup, ...

Edit: d by @Bulb. Of course I'm slower than light.

Bulb

@bugmenot said in WTF Bites:

Everyone else probably never learned about taint mode because everybody knows that Perl has cooties and just studying it makes you go blind, or something.

I quite liked Perl 5. It has a bunch of superfluous syntactic ~~sugar~~ alcohol, and some weirdness around the scalar vs. list context, but otherwise it is a very simple language underneath.

@Gąska said in WTF Bites:

I read the Raku thread and it certainly burned my retinas, among other things.

Raku, a.k.a. Perl 6, is a different matter though. It is the dog and cat's rewrite of Perl. Lost quite a bit of the underlying simplicity. There is a reason why Perl 5 is still being maintained.

Gąska

@Zecc said in WTF Bites:

@bugmenot I'd go for an actual subtype, as there are more subtypes of strings: SQL, all kinds of URI, markup, ...

A subtype of string would be useless in this context. A tainted string has to be a supertype of string, so you can use a regular string wherever tainted string is OK, but not the other way around.

Bulb

@Zecc said in WTF Bites:

@bugmenot I'd go for an actual subtype, as there are more subtypes of strings: SQL, all kinds of URI, markup, ...

Edit: d by @Bulb. Of course I'm slower than light.

In most languages you can't subclass strings. But you should be able to wrap them with automatic conversion to plain string, which is just as good. And yes, you need different types of safe strings depending on what use they are supposed to be safe for.

That's probably also the reason why it's not in the standard library too – what would a string sanitized for use in SQL mean in standard library that never works with SQL? It could have a tool for safe paths though (checking they point to approved subtree).

Bulb

@Gąska said in WTF Bites:

@Zecc said in WTF Bites:

@bugmenot I'd go for an actual subtype, as there are more subtypes of strings: SQL, all kinds of URI, markup, ...

A subtype of string would be useless in this context. A tainted string has to be a supertype of string, so you can use a regular string wherever tainted string is OK, but not the other way around.

It depends whether you are creating new type for the tainted case or for the safe case. And which is more reasonable again depends on context.

Zecc

@Gąska said in WTF Bites:

A subtype of string would be useless in this context. A tainted string has to be a supertype of string, so you can use a regular string wherever tainted string is OK, but not the other way around.

Depends on your point of view. I was thinking of plain strings, as well as other subtypes of strings, as tainted.
To use a string in a particular context you'd need to provide an instance of the particular subtype the context demands.

@Bulb said in WTF Bites:

It depends whether you are creating new type for the tainted case or for the safe case. And which is more reasonable again depends on context.

~~I'm failing to see how safe by default is more reasonable.~~ Okay, at API boundaries it could more reasonable to expect arbitrary strings, always checking and cleaning them up if necessary, for user-friendliness reasons.
Even so, the base string is considered tainted.

dkf

@Bulb said in WTF Bites:

In most languages you can't subclass strings. But you should be able to wrap them with automatic conversion to plain string, which is just as good. And yes, you need different types of safe strings depending on what use they are supposed to be safe for.

That's probably also the reason why it's not in the standard library too – what would a string sanitized for use in SQL mean in standard library that never works with SQL? It could have a tool for safe paths though (checking they point to approved subtree).

The feature that it might be nice to have in the baseline language is provenance tracking so it is at least possible to determine where values came from, even if the value-judgement of that source (e.g., tainted or not) is not determined in the language itself.

Atazhaia

@Gąska said in WTF Bites:

You could just ignore this case as dumb. Like Atomic<Atomic<T>>. Technically it exists, but nobody will ever use it.

Rule of programming: If it can be done, no matter how stupid or backwards or fucked up it is, somebody will have done it.

remi

@TwelveBaud said in WTF Bites:

@remi Maybe it's sorting by the blu-ray price? Or maybe the "l'expédition" fee shown doesn't cover everything required for "livraison", perhaps missing import duties?

Could be. I didn't search any further (and I'm not planing to), but anyway from a user point of view it's an awful sort, even if it's . Though anyway at the point where most items in the results are actually at least two items (DVD / blu-ray), and have several prices and sub-prices (shipping) for each of those items, I'm not sure there is any way of sorting by "price" that makes sense.

cvi

While messing around with the joystick APIs in Linux, I discovered that my (gaming) mouse also appears as a joystick. Besides exposing some of the button states, it also exposes a single analog axis. The axis isn't related to the position, however. After some fiddling around, it turns out that I can push the mouse wheel to the left and right, like a 1D analog stick.

The manufacturer does expose pushing that as an additional set of button presses (for gaming reasons, I've configured it to output 'j' and 'k', respectively; pushing it all the way to the left/right will in fact generate the corresponding key press in addition to the analog signal). Never knew that it was an actual analog sensor, though, and I'm pretty sure the software from the manufacturer doesn't expose that functionality.

hungrier

@cvi Is it this mouse?

Rat Pro gaming mouse has swappable sensor, analog side scrolling

cvi

@hungrier Yep.

Guess they did at least announce the feature ... Will double-check their software in Windows if I remember to do so the next time I boot over. (Could check random games to see if they support joysticks/gamepads, and then see if I could configure them to use that single axis for something sensible, except for and the fact that it would cut into valuable gaming time.)

MrL

@hungrier said in WTF Bites:

@cvi Is it this mouse?

Rat Pro gaming mouse has swappable sensor, analog side scrolling

Very very good mouse.

error

I tried to access an intranet documentation resource on Confluence. It told me I didn't have access, and gave me a link to a form to send an email to an admin request access. I submitted the form, and received an email asking me to approve myself.

Gąska

@Atazhaia said in WTF Bites:

@Gąska said in WTF Bites:

You could just ignore this case as dumb. Like Atomic<Atomic<T>>. Technically it exists, but nobody will ever use it.

Rule of programming: If it can be done, no matter how stupid or backwards or fucked up it is, somebody will have done it.

Well, yes, but Atomic<Atomic<T>> is already legal and nobody has a problem with it.

Zecc

@error said in WTF Bites:

I submitted the form, and received an email asking me to approve myself.

Did you accept?

error

@Zecc said in WTF Bites:

@error said in WTF Bites:

I submitted the form, and received an email asking me to approve myself.

Did you accept?

I don't want to belong to any club that would accept me as a member.

HardwareGeek

@Gąska said in WTF Bites:

@bugmenot said in WTF Bites:

Of course, then you'd have to figure out what Tainted<Tainted<T>> means, so maybe not.

You could just ignore this case as dumb. Like Atomic<Atomic<T>>. Technically it exists, but nobody will ever use it.

"Hold my beer."