WTF Bites


  • Notification Spam Recipient

    @Polygeekery said in WTF Bites:

    Apparently you haven't seen the prices of lumber lately.

    Cotdamn, that's depressing.

    Status: Thinking of selling my boxes for profit...


  • BINNED

    @Polygeekery said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    exorbitantly expensive for a few pieces of wood stapled together

    Apparently you haven't seen the prices of lumber lately. Around here the prices are 3-4X what they were before the toilet paper apocalypse.

    To be fair, lumber prices started going through the roof before the toilet paper apocalypse. That might have compounded, but isn’t the ultimate cause.

    $/bdft.

    Retarded units thread :arrows:


  • BINNED

    @topspin side :wtf:
    This is what happens when you try to zoom in on Amazon mobile. Reminds me of the time ⛔👶 used to shove the side bar in your face when zooming. Some other sites, I think reddit, still do that and it kind of makes me think browsers should just block websites from reacting to gestures at all.


  • Grade A Premium Asshole

    @topspin said in WTF Bites:

    $/bdft.

    Retarded units thread :arrows:

    You're not wrong. One year I made end grain patterned cutting boards for xmas gifts. I needed two contrasting woods and I estimated how much lumber I needed of which sizes, etc. I quickly converted that to board feet in my head and somehow totally fucked it up. I go to the hardwoods dealer and picked rock maple and purpleheart and by my earlier (incorrect) board feet calculations I estimated it to be ~$150 in wood, maybe $200 tops. It ended up being well over $500. Which made me have to decide quickly whether I even liked those people that much.

    I never got around to making one of those cutting boards for us and with the increase in lumber prices that chunk of leftover purpleheart is probably now worth $500 on its own.


  • Grade A Premium Asshole

    @Polygeekery said in WTF Bites:

    that chunk of leftover purpleheart is probably now worth $500 on its own.

    Meh, I would guess it to be about 12bdft, so around $200. This all depends on whether or not I once again fucked up my estimate.

    Screen Shot 2023-05-23 at 1.30.43 PM.png



  • @Polygeekery said in WTF Bites:

    Because spousal hearing. (This goes for both sides and depends on the discussion at the time.)

    👩: I think we should get a new mattress.
    Polygeekery: Good idea. I'd like a new mistress, too.
    👩: Do you have a preference?
    Polygeekery: I don't really care, but whatever you order should be a firm or semi-firm model.


  • BINNED

    @Zerosquare but not too hard. :giggity: 🥑



  • @Polygeekery said in WTF Bites:

    and then wait on the refund from the previous purchase.

    And wait.
    And wait.
    And wait.
    And wait.
    ...
    Remember: they already have your money.


  • Grade A Premium Asshole

    @Zerosquare said in WTF Bites:

    @Polygeekery said in WTF Bites:

    Because spousal hearing. (This goes for both sides and depends on the discussion at the time.)

    👩: I think we should get a new mattress.
    Polygeekery: Good idea. I'd like a new mistress, too.
    👩: Do you have a preference?
    Polygeekery: I don't really care, but whatever you order should be a firm or semi-firm model and preferably a redhead.

    FTFM



  • @Polygeekery said in WTF Bites:

    preferably a redhead.

    We already know you like to live dangerously.


  • Grade A Premium Asshole

    @HardwareGeek said in WTF Bites:

    We already know you like to live dangerously.

    The anthem of my 20s:

    https://youtu.be/k8ANoHxb7VU



  • Notification Spam Recipient

    @topspin said in WTF Bites:

    bdft

    been dere...


  • 🚽 Regular

    The Wikipedia article about board feet describes one bdft as

    the volume of a one-foot (305 mm) length of a board, one foot wide and one inch (25.4 mm) thick.

    which to me sounds like a roundabout way of saying the volume of one square foot of lumber one inch tall.

    But I guess they wanted to emphasize that the measurements will usually only vary in length, for some reason?

    Edit to clarify: by "for some reason" I mean the emphasis, not the measurements. I'm assuming measurements will vary in length as boards are cut into planks, but I'll be the first to admit I have no experience in carpentry and woodworking.



  • @Zecc said in WTF Bites:

    the volume of a one-foot (305 mm) length of a board, one foot wide and one inch (25.4 mm) thick.

    So that is one square-foot-inch, which could be expressed as 144 cubic inches.
    What was the word describing "144"? A "gross"? So, in the end, a "gross cubic inch".



  • @BernieTheBernie that definitely sounds like a gross unit.



  • @remi Both board-foot and square-foot sound like the classical ailments people would use to attempt to get out of military conscription.


  • Java Dev

    @Zecc said in WTF Bites:

    But I guess they wanted to emphasize that the measurements will usually only vary in length, for some reason?

    In Dutch we know the 'strekkende meter' (lit: stretching metre) which is used whenever two dimensions are fixed by manufacture and the third is, well, per metre.


  • BINNED

    Trying to use ffmpeg to create an animation from individual frames. Several parts of it are in a different folder. After I looked up the half billion options to figure out how to specify the list of file names:

    $ ffmpeg -y -f concat -i files.txt -pix_fmt yuv420p -all -the -other -options out.mp4
    ... Shitload of output ...
    [concat @ 0x182eea0] Unsafe file name '../animation_part_1/frame.0000.png'
    files.txt: Operation not permitted
    

    What the fuck is an "unsafe file name"? What difference does it make if you read a png file from this directory or a parent directory?
    Apparently, -safe 0 fixes this.


  • Notification Spam Recipient

    @topspin said in WTF Bites:

    What the fuck is an "unsafe file name"?

    Apparently...

    A file path is considered safe if it does not contain a protocol specification and is relative and all components only contain characters from the portable character set (letters, digits, period, underscore and hyphen) and have no period at the beginning of a component.

    So, relative paths are unsafe, apparently? But only if it's the initial part.

    Edit: Apparently the diff for when this was introduced:



  • @PleegWat said in WTF Bites:

    In Dutch we know the 'strekkende meter' (lit: stretching metre)

    In German: der laufende Meter (literally the running meter)



  • @topspin said in WTF Bites:

    What the fuck is an "unsafe file name"?

    Perhaps some web server related idea: a hacker could try to get to other folders on the machine with relative paths...
    https://what.thedailywtf.com/../../images/topsecret/hardcore.jpg


  • BINNED

    @BernieTheBernie said in WTF Bites:

    @topspin said in WTF Bites:

    What the fuck is an "unsafe file name"?

    Perhaps some web server related idea: a hacker could try to get to other folders on the machine with relative paths...
    https://what.thedailywtf.com/../../images/topsecret/hardcore.jpg

    That’s … not my problem?
    Something something other side of the airtight hatchway.


  • Grade A Premium Asshole

    @loopback0 said in WTF Bites:

    @Polygeekery I figured it'd be this

    https://www.youtube.com/watch?v=7Yg8MuaWMT0

    I half expected that link to be Firestarter by Prodigy.



  • @topspin said in WTF Bites:

    What the fuck is an "unsafe file name"? What difference does it make if you read a png file from this directory or a parent directory?

    A filename that lies outside of the document root. The tool appears to be designed largely to be run from shitty php and other cgi scripts. Because, to be fair, that's how a lot of people do actually run it.



  • @BernieTheBernie said in WTF Bites:

    @topspin said in WTF Bites:

    What the fuck is an "unsafe file name"?

    Perhaps some web server related idea: a hacker could try to get to other folders on the machine with relative paths...
    https://what.thedailywtf.com/../../images/topsecret/hardcore.jpg

    The web server will reject that. But it won't reject https://what.thedailywtf.com/video.php?src=../../images/topsecret/hardcore.mov. Where video.php is a quickly cobbled together PHP script (other CGI abominations also permitted) that does fuckall validation.


  • BINNED

    @Bulb and yet somehow rm or cat don’t have this weird notion…
    Or, as I said above, absolutely the wrong layer for bad validation.

    I just want to create a video. At least it has a built-in sudo stfu option.


  • Notification Spam Recipient

    @topspin said in WTF Bites:

    At least it has a built-in sudo stfu option.

    Forward-thinking happens once in a while!


  • BINNED

    @Zecc said in WTF Bites:

    The Wikipedia article about board feet describes one bdft as

    the volume of a one-foot (305 mm) length of a board, one foot wide and one inch (25.4 mm) thick.

    which to me sounds like a roundabout way of saying the volume of one square foot of lumber one inch tall.

    But I guess they wanted to emphasize that the measurements will usually only vary in length, for some reason?

    Edit to clarify: by "for some reason" I mean the emphasis, not the measurements. I'm assuming measurements will vary in length as boards are cut into planks, but I'll be the first to admit I have no experience in carpentry and woodworking.

    Hardwoods are usually sold as "random widths and lengths", with only the thickness dimension (the one you're calling height) fixed.

    @Polygeekery's example had purpleheart being sold at thicknesses of 4/4 or 8/4. The correct interpretation is that you could choose between having your pieces of purpleheart be 4 quarters of an inch thick (i.e. one inch) or 8 quarters of an inch thick (two inches)



  • @topspin said in WTF Bites:

    @Bulb and yet somehow rm or cat don’t have this weird notion…

    Because there isn't much need to call those from php scripts. They also predate php.

    Or, as I said above, absolutely the wrong layer for bad validation.

    It is. It is also a very practical layer for it, because there is just one ffmpeg, but thousands of crappy php scripts.

    I just want to create a video. At least it has a built-in sudo stfu option.

    Well, you are not the first one who just wants to create a video.


  • BINNED

    @Polygeekery
    I was expecting a certain Rick song


  • 🚽 Regular

    @GuyWhoKilledBear said in WTF Bites:

    @Zecc said in WTF Bites:

    The Wikipedia article about board feet describes one bdft as

    the volume of a one-foot (305 mm) length of a board, one foot wide and one inch (25.4 mm) thick.

    which to me sounds like a roundabout way of saying the volume of one square foot of lumber one inch tall.

    But I guess they wanted to emphasize that the measurements will usually only vary in length, for some reason?

    Edit to clarify: by "for some reason" I mean the emphasis, not the measurements. I'm assuming measurements will vary in length as boards are cut into planks, but I'll be the first to admit I have no experience in carpentry and woodworking.

    Hardwoods are usually sold as "random widths and lengths", with only the thickness dimension (the one you're calling height) fixed.

    @Polygeekery's example had purpleheart being sold at thicknesses of 4/4 or 8/4. The correct interpretation is that you could choose between having your pieces of purpleheart be 4 quarters of an inch thick (i.e. one inch) or 8 quarters of an inch thick (two inches)

    I don't think I've used the word "height", but I did use the word "tall" so I'll give you that.

    Thank you for helping me check my interpretation of the unit ("just a fancy name for sqft of lumber 1 inch thick") was correct.



  • @Bulb said in WTF Bites:

    relative paths...
    https://what.thedailywtf.com/../../images/topsecret/hardcore.jpg

    The web server will reject that.

    Nowadays - but long in the past? :belt_onion: I played with Apache and IIS in the 1990s. I am not sure if that was an issue still back then. And even pikachu :surprised-pikachu: won't be surprised if it suddenly became an issue again.



  • @BernieTheBernie pretty sure Apache always handled that correctly, that ../ successively takes you to document root but no further.

    It’s the CGI scripts that don’t have such restrictions you have to watch out for, especially the ones that might not live entirely inside the document root in the first place.



  • @Arantor said in WTF Bites:

    @BernieTheBernie pretty sure Apache always handled that correctly, that ../ successively takes you to document root but no further.

    I believe Apache just flat out rejects paths with .. in them, because resolving them (by simply simplifying anything/.. to nothing) is the job of the browser. That's per HTTP specification.

    It’s the CGI scripts that don’t have such restrictions you have to watch out for, especially the ones that might not live entirely inside the document root in the first place.

    Indeed. Because query parameters are stringly-typed, the specification does not place any requirements on them like it does for paths and then if a cgi script (or other applet) blindly interprets them as paths, vulnerability will happen.


  • ♿ (Parody)

    @Tsaukpaetra said in WTF Bites:

    So, relative paths are unsafe, apparently? But only if it's the initial part.

    Yes.

    Of course, that's not a worry if you're typing in a command, but a big problem if you're accepting input from the interwebs.
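
    To make the "unsafe file name" rule concrete, here is an added example (not code from the thread or from ffmpeg) that re-implements the `-safe 1` rule exactly as the ffmpeg documentation quoted above states it, and runs it over a constructed concat list laid out like the one in the thread: frames in the current directory plus frames in a sibling `../animation_part_1` folder. The list parser is a simplified one that only handles `file` directives; the sample paths, the scheme regex used to detect a "protocol specification", and the treatment of doubled slashes are this example's own assumptions.

```python
import re

# Constructed concat list for the demo (not the file from the thread); the
# layout mirrors it: frames in this directory plus frames in a sibling folder.
CONSTRUCTED_LIST = """\
# frames for part 1 live in a sibling directory
file 'frame.0000.png'
file '../animation_part_1/frame.0000.png'
file 'file:/tmp/frame.0001.png'
file '/home/user/animation/frame.0002.png'
file 'part 2/frame.0003.png'
file .hidden/frame.0004.png
"""

# "Portable character set" as the ffmpeg documentation describes it for the
# concat demuxer: letters, digits, period, underscore and hyphen.
_PORTABLE_COMPONENT = re.compile(r"[A-Za-z0-9._-]+")
# Assumption: anything that looks like "scheme:" is a protocol specification.
# A Windows drive letter matches too, but ':' is outside the portable set anyway.
_PROTOCOL_PREFIX = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:")


def is_safe_concat_path(path: str) -> tuple[bool, str]:
    """Apply the documented '-safe 1' rule to one path.

    Re-implements the rule as the ffmpeg documentation states it; this is not
    ffmpeg's own code. Returns (accepted, reason).
    """
    if not path:
        return False, "empty path"
    if _PROTOCOL_PREFIX.match(path):
        return False, "contains a protocol specification"
    if path.startswith("/"):
        return False, "absolute path, not relative"
    for component in path.split("/"):
        if component == "":
            # Doubled or trailing slashes are not addressed by the documented
            # rule; assumption here: they are ignored rather than rejected.
            continue
        if component.startswith("."):
            # This is the clause that rejects '..' (and '.'): leading period.
            return False, f"component {component!r} starts with a period"
        if not _PORTABLE_COMPONENT.fullmatch(component):
            return False, f"component {component!r} has characters outside the portable set"
    return True, "safe"


def parse_concat_list(text: str) -> list[str]:
    """Extract the paths from 'file ...' directives of a concat list.

    Simplified parser: handles unquoted names and single-quoted names using
    the '\\'' escape the demuxer uses; comments and other directives are skipped.
    """
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("file "):
            continue
        value = line[len("file "):].strip()
        if len(value) >= 2 and value.startswith("'") and value.endswith("'"):
            value = value[1:-1].replace("'\\''", "'")
        paths.append(value)
    return paths


def check_concat_list(text: str) -> list[tuple[str, bool, str]]:
    """Return (path, accepted, reason) for every 'file' entry in the list."""
    return [(p, *is_safe_concat_path(p)) for p in parse_concat_list(text)]


if __name__ == "__main__":
    for path, ok, reason in check_concat_list(CONSTRUCTED_LIST):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {path!r}: {reason}")
```

    Of the six entries only `frame.0000.png` passes; the `../animation_part_1/...` entry from the thread fails on the leading-period clause, not on some notion of parent directories as such. When you wrote the list yourself, `-safe 0` is the right answer; when the list is generated from request data, keep the default and let it reject.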



    @Bulb I have seen Apache resolve ../ components in the past. Hard to test right now as I didn't have anything to hand that is bare honest to goodness Apache only (everything conveniently around me is either nginx only or nginx in front of Apache)

    But I have definitely both seen and written code that uses ../ for path traversal.

    Though that may be going back a while, it would have been best part of 20 years ago so I wouldn’t rule out either it having changed, and/or misremembering, but I feel confident in remembering having done it.


  • Considered Harmful

    @Arantor said in WTF Bites:

    @BernieTheBernie pretty sure Apache always handled that correctly, that ../ successively takes you to document root but no further.

    It’s the CGI scripts that don’t have such restrictions you have to watch out for, especially the ones that might not live entirely inside the document root in the first place.

    Or the popular include $GET[section]
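
    The `video.php?src=../../images/topsecret/hardcore.mov` and `include $_GET[section]` patterns above are the application-layer bugs the thread says ffmpeg's `-safe` is the wrong layer to fix. This added example (Python standing in for the PHP script, not code from the thread) builds a throwaway document root with a constructed `images/topsecret` directory next to it, shows the naive join-and-serve resolver reading the secret via `../`, via an absolute path and via a symlink planted inside the document root, and contrasts it with a containment check that resolves the path first and then verifies it is still under the root. The `SECTIONS` allow-list is the fix for the include pattern, where no path should be built from the parameter at all. Directory and file names are this example's own.

```python
import os
import tempfile


def naive_resolve(docroot: str, src: str) -> str:
    """The pattern from the thread: glue the parameter onto the document root.

    No validation, so '../' walks out of docroot, and an absolute src makes
    os.path.join discard docroot entirely.
    """
    return os.path.normpath(os.path.join(docroot, src))


def contained_resolve(docroot: str, src: str):
    """Resolve src under docroot; return the real path, or None if it escapes.

    realpath follows symlinks before the check, and commonpath (rather than a
    string prefix test) keeps '/var/www2' from passing as a child of '/var/www'.
    """
    root = os.path.realpath(docroot)
    if os.path.isabs(src) or "\x00" in src:
        return None
    candidate = os.path.realpath(os.path.join(root, src))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


# For 'include $_GET[section]' the fix is a fixed allow-list of names;
# the parameter selects an entry, it never becomes part of a path.
SECTIONS = {"news": "sections/news.php", "about": "sections/about.php"}


def include_target(section: str):
    return SECTIONS.get(section)  # None for anything not on the list


def build_demo_tree() -> str:
    """Constructed layout (names taken from the thread): a docroot holding one
    public video, and a sibling 'images/topsecret' directory outside docroot."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "videos"))
    with open(os.path.join(docroot, "videos", "public.mov"), "w") as fh:
        fh.write("public")
    secret_dir = os.path.join(base, "images", "topsecret")
    os.makedirs(secret_dir)
    with open(os.path.join(secret_dir, "hardcore.mov"), "w") as fh:
        fh.write("secret")
    # A symlink inside docroot pointing outside it (skipped where unsupported).
    try:
        os.symlink(secret_dir, os.path.join(docroot, "leak"))
    except OSError:
        pass
    return docroot


def run_demo() -> dict:
    """Run each probe through both resolvers; report what the naive one would
    serve and what the contained one returns (None means rejected)."""
    docroot = build_demo_tree()
    outside = os.path.join(os.path.dirname(docroot), "images", "topsecret", "hardcore.mov")
    probes = {
        "legit": "videos/public.mov",
        "dotdot": "../images/topsecret/hardcore.mov",
        "absolute": outside,
        "symlink": "leak/hardcore.mov",
    }
    out = {}
    for name, src in probes.items():
        naive = naive_resolve(docroot, src)
        with_check = contained_resolve(docroot, src)
        served = open(naive).read() if os.path.isfile(naive) else None
        out[name] = {"naive_reads": served, "contained": with_check}
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:8} naive served={result['naive_reads']!r} contained={result['contained']!r}")
```

    Resolving before checking is the important order: checking the raw string for `..` and then opening it misses symlinks and any encoding the web server has not already undone, while checking the resolved path catches all three probes with one comparison.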



  • @topspin said in WTF Bites:

    Or, as I said above, absolutely the wrong layer for bad validation.

    This. Trying to save incompetent webdevs from themselves in a video processing tool is not the right place. (Same goes for ImageMagick, which has some "this is convenient for lazy webdevs"-features by default in its command line.)



  • While I agree with you, the reason they have these “features” is because when things go badly higher up the chain, they are blamed instead.


  • Grade A Premium Asshole

    @GuyWhoKilledBear said in WTF Bites:

    @Zecc said in WTF Bites:

    The Wikipedia article about board feet describes one bdft as

    the volume of a one-foot (305 mm) length of a board, one foot wide and one inch (25.4 mm) thick.

    which to me sounds like a roundabout way of saying the volume of one square foot of lumber one inch tall.

    But I guess they wanted to emphasize that the measurements will usually only vary in length, for some reason?

    Edit to clarify: by "for some reason" I mean the emphasis, not the measurements. I'm assuming measurements will vary in length as boards are cut into planks, but I'll be the first to admit I have no experience in carpentry and woodworking.

    Hardwoods are usually sold as "random widths and lengths", with only the thickness dimension (the one you're calling height) fixed.

    @Polygeekery's example had purpleheart being sold at thicknesses of 4/4 or 8/4. The correct interpretation is that you could choose between having your pieces of purpleheart be 4 quarters of an inch thick (i.e. one inch) or 8 quarters of an inch thick (two inches)

    Correct, but with the caveat that most dealers will "burn" some fraction of an inch over that when you are purchasing rough stock. I would expect rough stock sold as 4/4 to measure 1/8"-1/4" over 1" so that when surfaced I end up with 1" stock.

    If purchasing S2S or S4S stock, which has been surfaced on two or four sides, it will be much closer to its advertised measure. But you're also going to pay quite a bit more.


  • BINNED

    @Polygeekery said in WTF Bites:

    @GuyWhoKilledBear said in WTF Bites:

    @Zecc said in WTF Bites:

    The Wikipedia article about board feet describes one bdft as

    the volume of a one-foot (305 mm) length of a board, one foot wide and one inch (25.4 mm) thick.

    which to me sounds like a roundabout way of saying the volume of one square foot of lumber one inch tall.

    But I guess they wanted to emphasize that the measurements will usually only vary in length, for some reason?

    Edit to clarify: by "for some reason" I mean the emphasis, not the measurements. I'm assuming measurements will vary in length as boards are cut into planks, but I'll be the first to admit I have no experience in carpentry and woodworking.

    Hardwoods are usually sold as "random widths and lengths", with only the thickness dimension (the one you're calling height) fixed.

    @Polygeekery's example had purpleheart being sold at thicknesses of 4/4 or 8/4. The correct interpretation is that you could choose between having your pieces of purpleheart be 4 quarters of an inch thick (i.e. one inch) or 8 quarters of an inch thick (two inches)

    Correct, but with the caveat that most dealers will "burn" some fraction of an inch over that when you are purchasing rough stock. I would expect rough stock sold as 4/4 to measure 1/8"-1/4" over 1" so that when surfaced I end up with 1" stock.

    If purchasing S2S or S4S stock, which has been surfaced on two or four sides, it will be much closer to its advertised measure. But you're also going to pay quite a bit more.

    I thought the prices you posted were for S2S.


  • Grade A Premium Asshole

    @GuyWhoKilledBear they might have been? The last time I purchased purpleheart it was rough sawn. I typically purchase rough sawn when available. S2S or S4S lumber is usually just skip planed and gang ripped whereas I prefer to face joint all of my lumber before planing and edge joint before ripping. The straighter and squarer the lumber the easier it is to work with and easier to get tighter joinery on.


  • I survived the hour long Uno hand

    @Polygeekery said in WTF Bites:

    @GuyWhoKilledBear they might have been? The last time I purchased purpleheart it was rough sawn. I typically purchase rough sawn when available. S2S or S4S lumber is usually just skip planed and gang ripped whereas I prefer to face joint all of my lumber before planing and edge joint before ripping. The straighter and squarer the lumber the easier it is to work with and easier to get tighter joinery on.

    But what about the square leg at long off? 🏏


  • Grade A Premium Asshole

    @GuyWhoKilledBear said in WTF Bites:

    I thought the prices you posted were for S2S.

    I just looked at their website and no, that was rough sawn. They carry very little surfaced lumber. You can have them surface it for you for a fee, but then it is just skip planed and gang ripped, no jointing.


  • Considered Harmful

    @GuyWhoKilledBear said in WTF Bites:

    I thought the prices you posted were for S2S.

    I didn't know woodworking these days concerned itself with monadic second order theory of infinite complete binary trees 🍹


  • BINNED

    @Applied-Mediocrity said in WTF Bites:

    @GuyWhoKilledBear said in WTF Bites:

    I thought the prices you posted were for S2S.

    I didn't know woodworking these days concerned itself with monadic second order theory of infinite complete binary trees 🍹

    I'm sure if you cut down a binary tree, there'd be somebody looking to make an epoxy table out of it


  • Grade A Premium Asshole

    Screen Shot 2023-05-25 at 12.48.18 PM.png


  • Grade A Premium Asshole

    @Polygeekery said in WTF Bites:

    Screen Shot 2023-05-25 at 12.48.18 PM.png

    OMG, this GitHub could be a good example of how to not design software.

    Notable excerpts:

    Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities. For example, <, | or drop are not supposed to be part of a URI.

    Simple and readable rules for filtering out patterns of vulnerabilities? Yeah, good luck with that.

    Being very simple, those patterns may match legitimate queries, it is the Naxsi's administrator duty to add specific rules that will whitelist legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that will automatically generate whitelisting rules regarding a website's behaviour.

    So your module has, near as makes no difference, 100% chance of breaking my website? Good to know. But you included "an intensive auto-learning phase" that will automatically generate whitelisting rules? That seems like it will either not work at all and leave my website broken, or expose it to the vulnerabilities that you purport to block.

    In short, Naxsi behaves like a DROP-by-default firewall, the only task is to add required ACCEPT rules for the target website to work properly.

    Yep. This will absolutely break your website until you interact with it in every possible legitimate way, dig through the NGINX logs to see how it is broken, then whitelist the behavior that it fucked up and you will then need to write absolute fuckloads of tests to make sure no regressions occur with future changes and along the way you are almost certainly opening up vulnerabilities that it is supposed to block. Got it.

