Visual Studio WTF



  • @TimeBandit said in Visual Studio WTF:

    @PleegWat said in Visual Studio WTF:

    Even without that, I've seen frameworks pretty close to include($_GET['file']). And if you then pass ?file=/etc/passwd/ what happens is exactly what you wish wouldn't.

    Why does you webserver process can read the /etc/passwd file?

    Because sanitisation is hard.

    That said, PHP does have a feature for this exact situation (too bad many hosts fuck up the config for it) where you explicitly say “you can’t go above this directory as a base”, often the web document root, or the user’s home folder. The latter is its own can of worms, naturally.

    The other thing is that this is not a PHP exclusive issue, there’s no reason at least in theory why other languages and environments couldn’t do the same, but YMMV.
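To put the footgun quoted above next to a contained version, here is an added example (not code from the thread or from any framework mentioned in it). `PAGE_DIR`, the slug format and the page names are assumptions; the containment check is the same idea as PHP's `open_basedir`, which the post above refers to.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Directory layout and names are assumed.
const PAGE_DIR = __DIR__ . '/pages';   // assumed location of includable templates

// Vulnerable: whatever arrives in ?file= is handed straight to include().
// A "../" chain or an absolute path walks straight out of the web root.
function includePageUnsafe(string $name): void
{
    include $name;
}

// Hardened: allowlist the name, canonicalise the result, then verify it is
// still inside PAGE_DIR. Returns the resolved path or null.
function resolvePage(string $name, string $baseDir = PAGE_DIR): ?string
{
    // Reject anything that is not a plain slug before touching the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;   // base directory missing, or no such page
    }
    // Prefix check on canonical paths: symlinks and ".." are already resolved,
    // so this is defence in depth behind the slug check above.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function includePage(string $name): void
{
    $path = resolvePage($name);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// The PHP feature mentioned above: open_basedir can only be tightened at
// runtime, so this cannot widen whatever php.ini already set.
ini_set('open_basedir', PAGE_DIR . PATH_SEPARATOR . sys_get_temp_dir());

includePage($_GET['file'] ?? 'home');
```

With `open_basedir` in place, any file function that reaches outside the listed directories fails with a warning regardless of what the application code does, which is why it is worth setting even when the allowlist above is already in place.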


  • Discourse touched me in a no-no place

    @Arantor said in Visual Studio WTF:

    this is not a PHP exclusive issue

    Yes, but they sure make it seem necessary to leave the :footgun-2: lying around where anyone can use it.



  • @TimeBandit said in Visual Studio WTF:

    @PleegWat said in Visual Studio WTF:

    Even without that, I've seen frameworks pretty close to include($_GET['file']). And if you then pass ?file=/etc/passwd/ what happens is exactly what you wish wouldn't.

    Why does you webserver process can read the /etc/passwd file?

    Because it runs as root.
    Why would anyone configure that differently?
    :mlp_shrug:



  • @BernieTheBernie said in Visual Studio WTF:

    Because it runs as root.

    :facepalm:

    Why would anyone configure that differently?

    Why would anyone make the effort of changing the default of running it under an unprivileged user?



  • @TimeBandit No, not can do that! Bad guy! Always use root! Everything then worky.


  • Notification Spam Recipient

    @BernieTheBernie said in Visual Studio WTF:

    Everything then worky.

    It certainly helps in situations where your foot happens to not be on the ground anymore.



  • @BernieTheBernie said in Visual Studio WTF:

    @TimeBandit said in Visual Studio WTF:

    @PleegWat said in Visual Studio WTF:

    Even without that, I've seen frameworks pretty close to include($_GET['file']). And if you then pass ?file=/etc/passwd/ what happens is exactly what you wish wouldn't.

    Why does you webserver process can read the /etc/passwd file?

    Because it runs as root.
    Why would anyone configure that differently?
    :mlp_shrug:

    The only times PHP runs as root in my presence are the Docker containers on my dev machine where I do not give any fucks. The rest of the time it is isolated to its own user.


  • Java Dev

    @BernieTheBernie said in Visual Studio WTF:

    @TimeBandit said in Visual Studio WTF:

    @PleegWat said in Visual Studio WTF:

    Even without that, I've seen frameworks pretty close to include($_GET['file']). And if you then pass ?file=/etc/passwd/ what happens is exactly what you wish wouldn't.

    Why does you webserver process can read the /etc/passwd file?

    Because it runs as root.
    Why would anyone configure that differently?
    :mlp_shrug:

    It does not. The name of /etc/passwd is misleading. It does not (any more) contain password hashes. It does contain user names, IDs, descriptions, login shells, and other information that may be valuable to attackers.
    The passwords are in /etc/shadow which is (checks) 0640 root/shadow. It does not appear my shadow group contains any users.
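As an added example (not from the thread), a small CLI diagnostic that reports which user the PHP process runs as and how `/etc/passwd` and `/etc/shadow` are protected against it, then exits non-zero when it finds itself running as root so a deployment check can fail on that. It assumes a Linux CLI build of PHP with the posix extension.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes Linux and the posix extension.

// Owner, group and permission bits (in octal) of one file, plus whether the
// current effective uid/gid can actually read it.
function describeFile(string $path): array
{
    $st = @stat($path);
    if ($st === false) {
        return ['path' => $path, 'exists' => false];
    }
    return [
        'path'     => $path,
        'exists'   => true,
        'mode'     => sprintf('%04o', $st['mode'] & 07777),
        'owner'    => posix_getpwuid($st['uid'])['name'] ?? (string) $st['uid'],
        'group'    => posix_getgrgid($st['gid'])['name'] ?? (string) $st['gid'],
        'readable' => is_readable($path),
    ];
}

// Who we are, which groups we belong to, and what that buys us on the two files.
function privilegeReport(): array
{
    $euid = posix_geteuid();
    return [
        'euid'   => $euid,
        'user'   => posix_getpwuid($euid)['name'] ?? (string) $euid,
        'groups' => array_map(
            fn (int $gid) => posix_getgrgid($gid)['name'] ?? (string) $gid,
            posix_getgroups()
        ),
        'files'  => [describeFile('/etc/passwd'), describeFile('/etc/shadow')],
    ];
}

$report = privilegeReport();
echo json_encode($report, JSON_PRETTY_PRINT), PHP_EOL;

// Fail closed: a web worker or job runner has no business being uid 0.
if ($report['euid'] === 0) {
    fwrite(STDERR, "refusing to continue as root; run this under an unprivileged user\n");
    exit(1);
}
exit(0);
```

On a conventionally configured host the output shows `/etc/passwd` as `0644 root root` and readable, and `/etc/shadow` as `0640 root shadow` and not readable unless the process runs as root or its group list includes `shadow`, which matches the `0640 root/shadow` observation in the post above.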



  • @Arantor said in Visual Studio WTF:

    @Bulb no, it’s not. The TS build is really a full AOT compile step in a way PHP’s isn’t.

    PHP’s include/require are evaluated at runtime. And can be completely dynamic - require($file) is completely legal.

    Python import statements are also evaluated at runtime, and there is a function form that is completely dynamic. Almost nobody uses the latter, because it also broke distutils long before any attempt at typing, but conditional imports are quite common. But conditional imports also can be usefully type-checked ahead of time.

    This means what you are loading and passing in literally cannot be inferred at compile time because what you’re compiling isn’t knowable at what you’re calling compile time.

    Compile time is “the moment the PHP file is invoked” and often won’t be until just before use with autoloading being the prevalent style.

    Autoloading isn't an obstacle at all. The references are there and the files that will be considered for autoloading are there too, so the type-checker can just resolve them the same way.

    Add to that the amount of dynamic shit in the frameworks today and you’re building a right storm of “cannot properly typecheck except at runtime”

    In part this is just about teaching the type-checker about the frameworks, which is not principally different from teaching it about the standard runtime, just more work, because there are multiple frameworks.

    The biggest issue is importing things like styles and headers and such. For those what would really be useful is a declaration of contract: a style is any file in the styles directory, and any such file should export X and Y (of some specific shape). And then you can check both that the style exports what it's supposed to, and that the expectations of the code importing a style match.

    So I agree that the way PHP is used probably makes it a lot harder, but still think useful ahead-of-time type-checking would be possible to add.



  • @Bulb said in Visual Studio WTF:

    the files that will be considered for autoloading are there too

    Nope.

    Firstly, Composer's list is static, but if you add new classes to the filesystem they'll be autoloaded anyway if they're in the correct places (at least in default Composer configuration)

    Secondly, you can at runtime add more autoloaders, both on top of Composer and directly into Composer, which literally have no more than 'class name goes in, true comes out if we were able to load the class' and this can be 100% dynamic, up to and including running eval() to literally define the code on the fly if you want.

    For some pretty :wtf: reasons I have a bastard autoloader on one project that quietly mirrors things across namespaces, such that if NS1\SubNS\Class exists inside one set of files, it'll load that, otherwise it'll look for NS2\SubNS\Class, load that then create a runtime alias of NS1\SubNS\Class and treat it as if NS1\SubNS\Class was just found as originally expected.
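To make the dynamism described above concrete, here is an added example (not the poster's code, nor Composer's) of a namespace-mirroring autoloader: it looks for the class under `NS1\`, and if that file does not exist it loads the `NS2\` twin and aliases it under the requested name. The namespaces, the `src/` layout and the PSR-4 style mapping are assumptions. The point for anyone reasoning about such code statically is that the name `NS1\SubNS\Thing` never has to appear in any file on disk for `new NS1\SubNS\Thing()` to succeed.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Namespaces and layout are assumed.
const SRC_DIR = __DIR__ . '/src';

// PSR-4 style mapping: NS1\SubNS\Thing -> src/NS1/SubNS/Thing.php
function classFileFor(string $class, string $srcDir = SRC_DIR): string
{
    return $srcDir . '/' . str_replace('\\', '/', $class) . '.php';
}

function mirroringAutoloader(string $class): void
{
    // Only NS1\ is mirrored; anything else falls through to the next
    // registered autoloader (Composer's, for instance).
    if (strncmp($class, 'NS1\\', 4) !== 0) {
        return;
    }

    $own = classFileFor($class);
    if (is_file($own)) {
        require $own;               // the expected file exists: normal case
        return;
    }

    // Otherwise resolve the NS2\ twin. class_exists() with autoloading on
    // runs the other autoloaders for it, and class_alias() then makes the
    // requested NS1\ name exist without any file defining it.
    $twin = 'NS2\\' . substr($class, 4);
    if (class_exists($twin)) {
        class_alias($twin, $class);
    }
}

// Append rather than prepend, so Composer's loader keeps first refusal.
spl_autoload_register('mirroringAutoloader', true, false);

// Assumed usage: with only src/NS2/SubNS/Thing.php present, this still works.
// $thing = new NS1\SubNS\Thing();
```

Because the aliasing decision is made from filesystem state at the moment of first use, two deployments with the same source tree but different files in `src/NS1/` resolve the same class name to different code, which is exactly the case a type-checker would need to be told about rather than discover.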



  • @Arantor That you can does not mean that you should.

    1. If you add new classes to the filesystem, they will be autoloaded. But that means you are doing changes to the application, and therefore should re-run the type-checker to validate your changes. At which point the type-checker sees the new set of classes to auto-load.
    2. You can add more autoloaders, but you can also give them to the type-checker or tell the type-checker how they work. Presumably the type-checker would already know about the ones in common frameworks, and hopefully the list of non-:wtf: reasons to roll your own is empty.
    3. If you have a :wtf: project, then a type-checker may not be able to help you, or not help you much. But that does not mean it's not a worthy goal to make a helpful type-checker for the non-:wtf: cases. It may even make people start using PHP in a more maintainable way and that would be a double win.


  • @Bulb you have to remember, this is the language that gave birth to WordPress, and this is a direct factor in the future of the language: they will not implement something that will actively fuck up WordPress or its ecosystem except in the tiniest, opt-in only ways first. And that means they’ll resist adding the kinds of controls you’re advocating for, even if they are objectively a good idea.



  • @Arantor Typescript and mypy are completely opt-in as well. Any existing javascript and python continue to work as they always did, and you can introduce them into a project gradually. Any code not annotated with types simply continues to throw undefined attribute errors at runtime when you pass the wrong type.



  • @TimeBandit said in Visual Studio WTF:

    Why does your webserver process can read

    Word salad thread is :arrows: 🚊



  • @Benjamin-Hall said in Visual Studio WTF:

    @TimeBandit said in Visual Studio WTF:

    Why does your webserver process can read

    Word salad thread is :arrows: 🚊

    Where do you see a problem in that sentence? He put the webserver process into a can, and some inscription on that can reads "the /etc/passwd file". :mlp_shrug:



  • @Arantor said in Visual Studio WTF:

    Virtually every modern PHP application does this because, at the bottom of it all, is Composer, as our package manager.

    You know, I don't want to imply that PHP is trash (I used to be a PHP developer too (then I took an arrow to the knee)), but why is the package manager named Composter?



  • @HardwareGeek said in Visual Studio WTF:

    @Arantor said in Visual Studio WTF:

    there’s only one reason I have to touch octal in PHP

    Setting Unix/Linux file permissions. Other than that, octal can die with the 1970s.

    a+rwx
    Octal can safely go die there too.



  • @Kamil-Podlesak said in Visual Studio WTF:

    @Arantor said in Visual Studio WTF:

    Virtually every modern PHP application does this because, at the bottom of it all, is Composer, as our package manager.

    You know, I don't want to imply that PHP is trash (I used to be a PHP developer too (then I took an arrow to the knee)), but why is the package manager named Composter?

    It’s not, it’s Composer, as though one is creating music.


  • BINNED

    @Arantor which kind?

    Mario-characters-5.jpg



  • @topspin well, Composer was created by a guy who once thought the correct action for rotating indexes in a search daemon was to have cron issue a killall -9 to the daemon process every 15 minutes rather than read the manual to discover the correct process (send SIGHUP to the daemon, which the search indexer tool would even do if properly configured)

    And Composer is explicitly inspired by npm.

    Make of this information what you will.


  • Notification Spam Recipient

    Status: I am in magical unicorn land again...

    c33cabd2-0803-40fc-902e-f5d6ee773d82-image.png



  • @Tsaukpaetra said in Visual Studio WTF:

    Status: I am in magical unicorn land again...

    Aren't you always?

    Filed under: Black magic



  • @Tsaukpaetra You're referencing a version of WinForms from .NET Core (or .NET 5+), but the rest of your references are for .NET Framework. You can try installing the System.ComponentModel.Primitives package from NuGet but I suggest grooming your references/targeting first and seeing if that fixes it.


  • Notification Spam Recipient

    @TwelveBaud said in Visual Studio WTF:

    @Tsaukpaetra You're referencing a version of WinForms from .NET Core (or .NET 5+), but the rest of your references are for .NET Framework. You can try installing the System.ComponentModel.Primitives package from NuGet but I suggest grooming your references/targeting first and seeing if that fixes it.

    I'm not doing anything. I just asked stupid fucking Jet-fuel-brains to spit me out some decompiled code from a somewhat simple program.

    Apparently that means generating a project that I can't open and Visual Studio can't adequately explain how to fix (WTF does it ask for a .Net 6 Targeting Pack that doesn't exist?).

    After three hours of reinstalling Visual Studio and rebooting I just gave up. Even after figuring out the Dark Magic (much more secret than the typical magic) incantations to un-disappear the option for a .Net project (as opposed to a .Net Framework project) it still spouted hundreds of "you can't do that" at me regarding System.Drawing or whatever (It's a fucking COLOR jackasses) and "You fucking can't call internal functions!" that I couldn't fix without inspecting each problem only for the compiler to reveal more bullshit it just didn't really want to scare me with just yet.

    It's fine, I was really only interested in the more critical aspects of the program as I'm going to effectively be making my own (the devs should really stop embedding the database connection creds inside the program) so all the BS fluff they do will be irrelevant anyways.

    I just wish one of the two would have a meaningful answer that wasn't "Hey you need to know how the Linker works to implicate an answer from the red herrings".



  • @Tsaukpaetra said in Visual Studio WTF:

    Status: I am in magical unicorn land again...

    c33cabd2-0803-40fc-902e-f5d6ee773d82-image.png

    In such cases, I look at the output from Build, and search for the first (!) error there. No, not the second, third or whatever. Frist. Resolve that, and the rest will follow quickly.


  • Notification Spam Recipient

    @BernieTheBernie said in Visual Studio WTF:

    @Tsaukpaetra said in Visual Studio WTF:

    Status: I am in magical unicorn land again...

    c33cabd2-0803-40fc-902e-f5d6ee773d82-image.png

    In such cases, I look at the output from Build, and search for the first (!) error there. No, not the second, third or whatever. Frist. Resolve that, and the rest will follow quickly.

    It's not getting far enough for the first error to make sense, but I'll see if I still have it up on Monday to check for your benefit.

