This way we know it will always be correct



  • For the last year before I left WTFCSES, I moved to a newly formed team doing web development. One of the first changes was to replace the existing WTF of a sign-up system (put in information, wait for us to physically mail you a letter with your username and temp password) with the somewhat more standard "give us an email when you sign up, and we'll send you a URL to complete registration" process. One of my colleagues, "Harry", wrote a method to generate the URL in the email (pseudocoded from memory):

    public String buildUrl(HttpServletRequest request, String guid) {
    // OP: guid was generated by the DB, because we all came from a DB development culture, and no one realized UUID existed
       String strRequest = request.getRequestUrl().toString();
       String ctx = request.getContextPath();
       int idx = strRequest.indexOf(ctx) + ctx.size();
       String result = strRequest.substring(0, idx) + "/confirm.do?guid=" + guid;  // TRWTF is Java Struts
       return result;
    }
    

    When this was initially checked in, I asked Harry why he did that substring thing, and not take the protocol, host, port, and context from the request via the existing getters and manually concat them. His response was that some or all of the URL might eventually change, and "this way we know it will always be correct." Harry was notorious for being impossibly stubborn and for treating code critiques as attacks on him personally, so I decided to let it drop, perhaps unwisely. Surely it was just an ugly hack, and it couldn't do anything bad, right?

    It was release day, everything had been tested like mad, and we were all feeling good. We deployed the jar, waited an hour to make sure the sign-up emails were being sent, then went home for the weekend (TRWTF is releasing on Friday afternoon), basking in our victory.

    On Monday, we returned to discover the Contact Us email was flooded with pretty much every potential new sign-up emailing to say the email URL was broken. What happened?

    Well, our dev region URLs were something like "https://bluhbluh.stateofwtf.gov/bluhbluhdev/index.do". Production was "https://bluhbluh.stateofwtf.gov/bluhbluh/index.do". And so, we were sending users emails asking them to complete registration by clicking "https://bluhbluh/confirm.do?guid=123456789"


  • Winner of the 2016 Presidential Election

    The best is when internal DNS happily resolves bluhbluh (sans TLD), leading to it passing internal QA.



  • @ArrivingRaptor said:

    ...so I decided to let it drop, perhaps unwisely. Surely it was just an ugly hack, and it couldn't do anything bad, right?


    Yep, you are OOTRWTFs... others being Harry, releasing on Friday afternoon and everyone who even glanced at a bit of code that uses indexof/substring (or regex replace) without making damn sure that there wouldn't be any unexpected matches...


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.