WTF Bites
-
@LaoC Time to get them lawyers out of cold storage again.
I'd have expected it to be hot storage.
You're not deep enough into Hell I see.
The treacheries of these souls were denials of love (which is God) and of all human warmth. Only the remorseless dead center of the ice will serve to express their natures. As they denied God's love, so are they furthest removed from the light and warmth of His Sun. As they denied all human ties, so are they bound only by the unyielding ice.
-
@HardwareGeek said in WTF Bites:
@hungrier A laptop measured in tons is not a laptop.
Central Workers Portable Computing Committee proves you wrong.
-
@LaoC Time to get them lawyers out of cold storage again.
I'd have expected it to be hot storage.
You're not deep enough into Hell I see.
The treacheries of these souls were denials of love (which is God) and of all human warmth. Only the remorseless dead center of the ice will serve to express their natures. As they denied God's love, so are they furthest removed from the light and warmth of His Sun. As they denied all human ties, so are they bound only by the unyielding ice.
Balmy.
-
I really hate it when I follow a link in an email, get redirected to login, and then after logging in, the site forgets where I was trying to go and dumps me back at my home page.
-
@LaoC Time to get them lawyers out of cold storage again.
I'd have expected it to be hot storage.
You'd think so, but lawyers are cold-blooded creatures.
-
@hungrier Well, it does list 2 days...
-
@boomzilla said in WTF Bites:
I really hate it when I follow a link in an email, get redirected to login, and then after logging in, the site forgets where I was trying to go and dumps me back at my home page.
Filed under: ServiceHow
-
@boomzilla said in WTF Bites:
I really hate it when I follow a link in an email, get redirected to login, and then after logging in, the site forgets where I was trying to go and dumps me back at my home page.
This is one of these things that used to work, because they were included by default in all major frameworks, but now the soydevs don't even know what it was and why it was there, sort of like aqueducts in ~400AD.
-
@boomzilla said in WTF Bites:
I really hate it when I follow a link in an email, get redirected to login, and then after logging in, the site forgets where I was trying to go and dumps me back at my home page.
Also the American Association for the Advancement of Science thinks that that's the most convenient way. Just go to www.science.org, table of contents, access an article and be greeted that you need to login. After login, you are back at the homepage...
-
I'm back in that project with 13 threads and 256255 SMSes. I noticed a curious pattern. Let's say there's a class Bar with property foo. This guy always writes two methods: setFoo (private), which simply sets the value, and SetFoo, which sets the value and saves it to database (yes, the pointer to the database service, among other things, is injected to what is basically a value object). As a bonus, sometimes there's a class Bars, which holds a collection of Bar objects, and it also has SetFoo (but no foo), even two of them with different type signatures. What they do is simply call SetFoo (the uppercase one) on all Bars in the collection, or on the specified one if you provide id as the second argument.
It makes for great debugging, especially that my IDE doesn't understand some macros, which makes features like "go to declaration" and "find usages" unreliable.
In another place I found a piece of code which creates a temporary file with mkstemp(), reads a value from database, dumps it to the file by executing echo ... > ... with the value concatenated. Then that file is read with std::istream, and the value is written in another file, also using a stream. This contraption appeared long ago, with a message saying something about "parsing tabs and newlines". But what is there to parse? The "\t" and "\n" characters are all there from the beginning, so why would they need any parsing? I'm scared to touch it.
-
@sebastian-galczynski said in WTF Bites:
This contraption appeared long ago, with a message saying something about "parsing tabs and newlines". But what is there to parse? the "\t" and "\n" characters are all there from the beginning, so why would they need any parsing? I'm scared to touch it.
If the value is injected into the echo unquoted, it will replace tabs and newlines by spaces. It will also do tilde expansion, parameter expansion, command substitution... if the data from this is passed by a user (even a registered logged-in one) it is perfectly reasonable to file this as a security problem and terminate it with prejudice.
-
@PleegWat If they don't believe you, make sure the value contains $(rm -rf --no-preserve-root /). Make someone else press enter.
-
@PleegWat If they don't believe you, make sure the value contains $(rm -rf --no-preserve-root /). Make someone else press enter.
Fortunately, it's not passed by a user, not even the super-admin user. But yeah, it's double-quoted, so the exploit would still work. And if it was single-quoted, it would still need escaping, lest the user breaks out of the quotes.
-
@BernieTheBernie said in WTF Bites:
@boomzilla said in WTF Bites:
I really hate it when I follow a link in an email, get redirected to login, and then after logging in, the site forgets where I was trying to go and dumps me back at my home page.
Also the American Association for the Advancement of Science thinks that that's the most convenient way. Just go to www.science.org, table of contents, access an article and be greeted that you need to login. After login, you are back at the homepage...
If only there were any way to correct this!
-
@sebastian-galczynski said in WTF Bites:
@PleegWat If they don't believe you, make sure the value contains $(rm -rf --no-preserve-root /). Make someone else press enter.
Fortunately, it's not passed by a user, not even the super-admin user. But yeah, it's double-quoted, so the exploit would still work. And if it was single-quoted, it would still need escaping, lest the user breaks out of the quotes.
If it's double-quoted, unless it contains double quotes, it doesn't actually do anything to tabs.
-
If it's double-quoted, unless it contains double quotes, it doesn't actually do anything to tabs.
So you say remove it? But if it actually does something (to tabs or anything else), that change will crash the entire system (it's an important config file) and someone will have to drive there and press a button...
-
@sebastian-galczynski said in WTF Bites:
@BernieTheBernie said in WTF Bites:
access an article
Uhmm, www.sci-hub.st?
Not necessary: I have an official login via a university library.
-
@sebastian-galczynski said in WTF Bites:
If it's double-quoted, unless it contains double quotes, it doesn't actually do anything to tabs.
So you say remove it? But if it actually does something (to tabs or anything else), that change will crash the entire system (it's an important config file) and someone will have to drive there and press a button...
Ouch, config. In that case they may actually be using it for parameter expansion.
-
Ouch, config. In that case they may actually be using it for parameter expansion.
AFAIK They don't. The default value, which is not changed anywhere in the code, has no expansions. This code is full of such mysterious bits which got there at some point and they just stay because everyone is scared to touch them. This is what you get when you let a fresh graduate (after an early 2000s OOP-focused curriculum) write everything with no review. Everything has a pointer to everything, control flow is mostly by try/catch and instead of a pure function you have a sequentially coupled object with methods like 'init()', 'doCalculations()' and 'getResult()'.
-
@sebastian-galczynski said in WTF Bites:
I'm scared to touch it.
Don't be. But use long tools to transfer it to the trash; it adds nothing but potential trouble as it stands. Holding it in a file might make sense if it was from a BLOB or CLOB, but it sounds like the code wouldn't work at all if it was less than a tiny fraction of the size of memory. But temporary files are tricky in many ways, and should only be used if there is no better way. Making temp files with echo > is... bad outside of actual shell scripts.
-
New benefit at work this year: Prudential Insurance that pays out for various accidents, emergency room visits, etc. So I signed up and the other day got mail from them saying that I should set up an account in their portal where I can make claims, etc. Cool...I don't have a claim to make right now but I'd like to be prepared just in case. Follow the links and end up here:
Ah, "Register Now." That looks like what I need. So I click it. A javascript "link," natch. It goes here:
https://mybenefits/nonssocontroller/newUserReg.htm
Good jerb, guys. I went to their "Accessibility Help" page and told them about how I can't access the registration page.
-
@boomzilla said in WTF Bites:
I went to their "Accessibility Help" page and told them about how I can't access the registration page.
: Damn. Someone reported a problem using our Accessibility Help page.
: Shall we fix it?
: Nah, sounds like work. We should just make our Accessibility page less accessible.
-
@Zerosquare said in WTF Bites:
@boomzilla said in WTF Bites:
I went to their "Accessibility Help" page and told them about how I can't access the registration page.
: Damn. Someone reported a problem using our Accessibility Help page.
: Shall we fix it?
: Nah, sounds like work. We should just make our Accessibility page less accessible.Promote this man!
-
That's a bold strategy, Cotton...
-
@sebastian-galczynski said in WTF Bites:
that change will crash the entire system (it's an important config file) and someone will have to drive there and press a button...
..... Why are you telling scary stories?
-
That's a bold strategy, Cotton...
Tried and tested variant of bait-and-switch, works all the time
-
That's a bold strategy, Cotton...
Tried and tested variant of bait-and-switch, works all the time
Why would you want to keep old chats around? Especially in Teams? I'd rather just burn Teams to the ground completely.
-
That's a bold strategy, Cotton...
Tried and tested variant of bait-and-switch, works all the time
Why would you want to keep old chats around? Especially in Teams? I'd rather just burn Teams to the ground completely.
I was about to say "to search them for stuff you might need" until I tried to remember the last time Teams search produced a useful result
-
@sebastian-galczynski said in WTF Bites:
This contraption appeared long ago, with a message saying something about "parsing tabs and newlines". But what is there to parse? the "\t" and "\n" characters are all there from the beginning, so why would they need any parsing? I'm scared to touch it.
If the value is injected into the echo unquoted, it will replace tabs and newlines by spaces.
Actually, no, if it is injected unquoted, shell won't interpret either \n or \t as escape sequences (I think there isn't a universal one at all, but for bash it would be $'\n' and $'\t'), but will interpret the \ as an escape character and gobble it up, so you'll get n and t instead. While actual spaces and tabs will be replaced by single space and actual newlines will break the command.
If it is instead injected quoted, it depends on which echo. Some echos do that by default (e.g. dash's and zsh's), other echos do it only when the -e option is given (e.g. bash's and GNU coreutils').
It will also do tilde expansion, parameter expansion, command substitution... if the data from this is passed by a user (even a registered logged-in one) it is perfectly reasonable to file this as a security problem and terminate it with prejudice.
Echo does not, the shell does. Which means it is only the case if it is executed through shell. … but it clearly is, otherwise the > wouldn't be interpreted either.
Yeah, it's a disaster waiting to happen.
-
Making temp files with echo > is... bad outside of actual shell scripts.
Making temp files with echo > is bad even in actual shell scripts, because different echos behave differently! Including between bash and dash, and it's anyone's guess which of these two any random Linux system will have pointed to by /bin/sh.
If you want to make a temp file in a shell script and actually know how it will behave, you should use either printf or cat <<EOF (or cat <<"EOF" or cat <<'EOF' — that controls which expansions you'll get).
-
Echo does not, the shell does. Which means it is only the case if it is executed through shell. … but it clearly is, otherwise the > wouldn't be interpreted either.
Correct. The shell also performs word splitting, which is what replaces sequences of actual tab and newline characters or spaces in an unquoted string by single spaces.
I am unsure if newline acts as a command separator if it occurs in an otherwise suitable location in a string passed to /bin/sh -c.
Yeah, it's a disaster waiting to happen.
Quite so. Whenever you need any of the replacement logic offered by the shell, particularly outside a shell script, you ought to find a suitable library routine or roll your own. Never inject anything in a shell command which does not originate from a string literal.
In fact, in C, you should probably just have this in a header file you always include:
#undef system
#define system "Usage of the system() function is banned in this codebase"
Use the exec() family or posix_spawn() instead, since both of those allow passing in arguments. If you really need to specify a small shell script inline, you can use an argument vector like:
argv[0] = "bash";
argv[1] = "-c";
argv[2] = "inline bash script as a compile time literal, which references $1 and $2";
argv[3] = "bash";  /* the word after the script becomes $0 */
argv[4] = "first argument to the script";
argv[5] = "second argument to the script";
argv[6] = NULL;
-
I am unsure if newline acts as a command separator if it occurs in an otherwise suitable location in a string passed to /bin/sh -c.
Yes, it does.
-
That's a bold strategy, Cotton...
My company has set a policy to keep chats for 48 hours only. Can't lose chats when you don't keep them in the first place.
Also it's particularly when someone sends you a chat on Friday afternoon and when you start working on Monday the message is gone, but not the notification (we also get notification emails but I think they only contain the start of the message, for long ones).
-
(we also get notification emails but I think they only contain the start of the message, for long ones).
Just think of the load on poor old Exchange if they didn't helpfully shorten the messages!!111
-
Tizen API says
{ "landscape": "landscape" }
If I rotate the TV, will it change the key, value or both?
-
Or neither?
-
@Zerosquare Good point, that would explain the rotated screenshots
Edit: can't link to a post. The link works, but only once (?!).
-
Another great pattern from our highly credentialed genius: Every other loop is a while(true), and it only ends by breaks or throwing, which usually happens in complicated if/else blocks. Of course one of those loops didn't end after I changed something in a different place. It's so nasty I'm starting to think he was punking them.
-
@sebastian-galczynski said in WTF Bites:
If I rotate the TV, will it change the key, value or both?
Yes.
-
@sebastian-galczynski said in WTF Bites:
@Zerosquare Good point, that would explain the rotated screenshots
Which ones? That points to a post about catching Error in Java.
Edit: can't link to a post. The link works, but only once (?!).
You can, by copying the link target from the timestamp of the post. Which has a form https://what.thedailywtf.com/post/nnnnn, presumably so it works across Jeffing™.
-
@sebastian-galczynski said in WTF Bites:
Every other loop is a while(true), and it only ends by breaks or throwing, which usually happens in complicated if/else blocks.
It is a Software Pattern ("Loop-and-a-Half") that applies to structured imperative programming languages, and can be correct sometimes. When there is work you need to do each time round the loop before taking the first termination decision; "work" here means anything that is more than you really want to have in a subexpression. Sometimes, the better answer is to split the work into its own function... but very much not always. (It depends on how local state is used.) If the condition is at the beginning or end of the loop, there are usually better choices (while and do/while in C-like naming conventions).
-
When there is work you need to do each time round the loop before taking the first termination decision
This is C++, there's do..while for that.
You can, by copying the link target from the timestamp of the post. Which has a form https://what.thedailywtf.com/post/nnnnn, presumably so it works across Jeffing™.
Yes it does.
-
@sebastian-galczynski said in WTF Bites:
This is C++, there's do..while for that.
That's for decision-at-the-end loops. Sometimes you need a loop like this:
-
@dkf Flowchart with arrows? I see gotos.
-
@sebastian-galczynski said in WTF Bites:
This is C++, there's do..while for that.
That's for decision-at-the-end loops. Sometimes you need a loop like this:
Yes, sometimes you need a break, but if you have only breaks, there's something wrong with you. The code in question didn't need any breaks at all, and the three loops could be replaced with a foreach inside a do..while on a single expression.