Not sure if it counts as bug



  • But still feels strange...

    0_1479370489584_login_fail.png



  • <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page --> <!-- a padding to disable MSIE and Chrome friendly error page -->


  • Discourse touched me in a no-no place

    @Zecc said in Not sure if it counts as bug:

    <!-- a padding to disable MSIE and Chrome friendly error page -->

    We've been here before: https://what.thedailywtf.com/post/796751





  • @PJH Yep. But maybe stripping off html tag and anything afterward on .ajaxTransport() could help.

    Or maybe some part of this forum will get whole HTML page with AJAX calls so cannot do this? I don't know.



  • @cheong said in Not sure if it counts as bug:

    @PJH Yep. But maybe stripping off html tag and anything afterward on .ajaxTransport() could help.

    Or maybe some part of this forum will get whole HTML page with AJAX calls so cannot do this? I don't know.

    Why should the software handle the case of the server being dead during a request?



  • @ben_lubar Those javascripts should handle "bad input", shouldn't they? Just like when Google dropped their OAuthv1 support: their authentication server redirected the request to a page with an announcement on discontinuing the server, suggesting that all people still depending on OAuthv1 move to OAuthv2 now. This change choked a dozen "auto-login auto-login" sites, and their scripts now check the response content for HTML before processing it.

    Just that in this case the input is created by the server, not the user.



  • @ben_lubar said in Not sure if it counts as bug:

    @cheong said in Not sure if it counts as bug:

    @PJH Yep. But maybe stripping off html tag and anything afterward on .ajaxTransport() could help.

    Or maybe some part of this forum will get whole HTML page with AJAX calls so cannot do this? I don't know.

    Why should the software handle the case of the server being dead during a request?

    Because it's expecting 200 OK and some JSON, and it gets something else and something else? Why should it just dutifully print that, when it's obviously wrong?



  • @anotherusername said in Not sure if it counts as bug:

    Because it's expecting 200 OK and some JSON

    Actually, if you had tried it instead of just guessing, you'd see that an actual invalid username results in a 403 with a content-type of text/html; charset=utf-8 and a response body of [[error:no-user]] for an invalid username, and so on.



  • @ben_lubar so it's expecting 403 Forbidden and some weird data format they invented. It gets 502 Bad Gateway and some HTML. My point still stands.
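
A sketch of the check being argued for here, as an added example that is not part of the original thread and not NodeBB's own code. The thread says both the application's 403 and the proxy's 502 arrive as text/html, so the hypothetical `classifyLoginFailure` looks at the status code and the shape of the body instead; the list of known keys is a constructed subset.

```javascript
// Added example: hypothetical client-side handling, not NodeBB's actual code.
// Error keys the login endpoint is expected to return (constructed subset).
const KNOWN_LOGIN_ERRORS = new Set(['no-user', 'csrf-invalid', 'blacklisted-ip']);
const ERROR_KEY = /^\[\[error:([a-z0-9-]+)\]\]$/;

// Decide what the login form may display for a failed request.
// Returns { kind, message }; message is never raw markup from the response.
function classifyLoginFailure(status, body) {
  const text = String(body || '').trim();
  const match = ERROR_KEY.exec(text);

  // Expected application error: 403 and exactly one recognised error key.
  if (status === 403 && match && KNOWN_LOGIN_ERRORS.has(match[1])) {
    return { kind: 'app-error', message: text };
  }
  // Gateway or server failure: the body came from a proxy, not the application.
  if (status >= 500) {
    return {
      kind: 'server-unavailable',
      message: 'The server is not responding (HTTP ' + status + '). Please try again later.',
    };
  }
  // Markup, an unknown key or an unexpected status is not echoed to the page.
  return { kind: 'unexpected', message: 'Unexpected response (HTTP ' + status + ').' };
}

// Constructed sample responses: the normal failure, the proxy error page
// from the first post, and a 403 whose body is not a bare error key.
const samples = [
  [403, '[[error:no-user]]'],
  [502, '<html><body><h1>502 Bad Gateway</h1></body></html>\n' +
        '<!-- a padding to disable MSIE and Chrome friendly error page -->'],
  [403, '<b>[[error:no-user]]</b>'],
];
for (const [status, body] of samples) {
  console.log(status, classifyLoginFailure(status, body));
}
```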



  • @anotherusername with the composer closed, try quoting my previous post.


  • area_deu

    @ben_lubar What



  • @ben_lubar said in Not sure if it counts as bug:

    @anotherusername said in Not sure if it counts as bug:

    Because it's expecting 200 OK and some JSON

    Actually, if you had tried it instead of just guessing, you'd see that an actual invalid username results in a 403 with a content-type of text/html; charset=utf-8 and a response body of User does not exist for an invalid username, and so on.

    0_1479455860984_watindeed.png

    What indeed.



  • @Zecc

    User does not exist

    Category does not exist

    You do not have enough privileges for this action.

    You can't purge the main post, please delete the topic instead



  • @Maciejasjmj or the other way round?

    [[error:username-taken]]

    [[error:csrf-invalid]]

    [[error:blacklisted-ip]]

    You seem to have stumbled upon a page that does not exist. Return to the home page.



  • @Maciejasjmj said in Not sure if it counts as bug:

    @Maciejasjmj or the other way round?

    Username taken

    We were unable to log you in, likely due to an expired session. Please try again

    Sorry, your IP address has been banned from this community. If you feel this is in error, please contact an administrator.

    You seem to have stumbled upon a page that does not exist. Return to the <a href='http://html5zombo.com/'>home page</a>.

    Yup, that's it.



  • @ben_lubar said in Not sure if it counts as bug:

    @anotherusername with the composer closed, try quoting my previous post.

    Yeah, it requests some things that are HTML. I assume that's the point you're trying to make? But it's fetching the post to quote through WebSockets, not XMLHttpRequest.

    So if the server barfs, won't that connection just time out and fail? You're not performing an HTTP request, so why would it ever give you an HTTP status code and an HTML error page instead of what you requested?



  • @anotherusername said in Not sure if it counts as bug:

    @ben_lubar said in Not sure if it counts as bug:

    @anotherusername with the composer closed, try quoting my previous post.

    Yeah, it requests some things that are HTML. I assume that's the point you're trying to make? But it's fetching the post to quote through WebSockets, not XMLHttpRequest.

    So if the server barfs, won't that connection just time out and fail? You're not performing an HTTP request, so why would it ever give you an HTTP status code and an HTML error page instead of what you requested?

    See @Zecc's and @Maciejasjmj's posts for what I was referring to.



  • @ben_lubar You failed to mention that I had to highlight and then quote your post. I initially quoted your post without highlighting and it worked just fine.



  • @anotherusername said in Not sure if it counts as bug:

    @ben_lubar You failed to mention that I had to highlight and then quote your post. I initially quoted your post without highlighting and it worked just fine.

    Highlighting it is not required.



  • @ben_lubar ok, guess I just failed to notice it then. I don't see how it relates to the original post though.



  • @Zecc said in Not sure if it counts as bug:

    What indeed.

    Something that will either be abused or used to get someone an XSS :badger:. That's what.
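
The posts above show `[[error:…]]` keys typed into a post being replaced by their translated text when the post is quoted. As an added example (a toy translator, not NodeBB's implementation; the dictionary, the `topic:quote-header` key and all function names are constructed), this shows the mitigation: encode user text before the translation pass so that only the template's own tokens are expanded.

```javascript
// Added example: a toy translator, not NodeBB's implementation.
// Constructed dictionary; the two error messages are the ones quoted in the thread.
const MESSAGES = {
  'topic:quote-header': 'Quoted post:',
  'error:no-user': 'User does not exist',
  'error:blacklisted-ip': 'Sorry, your IP address has been banned from this community.',
};
const TOKEN = /\[\[([a-z]+:[a-z0-9-]+)\]\]/g;

// Replace [[namespace:key]] tokens with their text; unknown keys stay as typed.
function translate(text) {
  return text.replace(TOKEN, (whole, key) =>
    Object.prototype.hasOwnProperty.call(MESSAGES, key) ? MESSAGES[key] : whole);
}

// HTML-escape user text, then encode square brackets so that no token
// survives into the translation pass. A browser renders &#91; as "[",
// so the reader still sees exactly what the poster typed.
function escapeUserContent(text) {
  return text
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;')
    .replace(/\[/g, '&#91;').replace(/\]/g, '&#93;');
}

// Build the quote markup from a template token plus the user's text,
// then run the translation pass over the combined string.
function renderQuote(userText, escapeFirst) {
  const body = escapeFirst ? escapeUserContent(userText) : userText;
  return translate('[[topic:quote-header]] ' + body);
}

// Constructed post body, as in the thread.
const post = '[[error:blacklisted-ip]]';
console.log(renderQuote(post, false)); // user token expanded along with the template's
console.log(renderQuote(post, true));  // only the template token expanded
```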



  • <sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small>H</small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub>[[error:blacklisted-ip]]<sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small>ighlight and quote this post...</small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub>



  • @anotherusername said in Not sure if it counts as bug:

    <sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small>Q</small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub>Sorry, your IP address has been banned from this community. If you feel this is in error, please contact an administrator.<sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small><sub><sub><sup><small>uote this post...</small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub></small></sup></sub></sub>

    No, YOUR mother eats shit.

