Status: Writing server software. The corresponding client was written by another team, and is supposedly already complete and working, although its networking code has never been tested (since there was no server to test it with). Let’s see if it works...
Posts made by VinDuv
-
RE: The Official Status Thread
-
RE: "Shell Shock", the bash complement to heartbleed (AS IF)
Sure, but anyway, you have to be pretty stupid to not sanitize whatever you're receiving, especially when doing system calls. I mean, it's SQL injection stupidity all over again.
Most programs do not receive input from environment variables. They just ignore them. I’m all for validating input before acting on it, but worrying about non-input data seems overkill to me. Should every program ever written carefully clean up its environment on startup? Should system(3) wipe the environment before forking? Maybe. But if your program tries to check every aspect of the system before deciding to run, it will not get any work done.
-
RE: "Shell Shock", the bash complement to heartbleed (AS IF)
Can someone explain this exploit in terms understandable to a non Linux user? From what I can gather, you can set functions as Bash environment variables, and these are then executed whenever Bash is loaded?
You can define functions in bash with the following syntax:
hello () { echo "Hello, world"; }
You can export these functions so they are available to a child bash process by calling export -f hello. When you do this, Bash sets the environment variable hello to the value () { echo "Hello, world"; } and exports it.
When the child Bash process is started, it scans its environment variables. It finds the environment variable hello=() { echo "Hello, world"; } which was exported by its parent. Since the value starts with (), it concatenates the variable name with its value and executes it.
So in that case, it will execute hello () { echo "Hello, world"; } and the function will be correctly redefined.
The problem is that it blindly trusts the environment variables to have the correct syntax. If it finds an environment variable hello=() { echo "Hello, world"; }; malicious_command, it will execute hello () { echo "Hello, world"; }; malicious_command, resulting in the immediate execution of malicious_command as soon as Bash starts.
This is a serious problem for two reasons:
- Environment variables are inherited recursively by child processes
- The /bin/sh shell, which is often bash, is used by most shell scripts; starting a shell script with a malicious environment variable is then sufficient to trigger the attack. /bin/sh is also used when a program wants to execute a shell command (see system(3)), so programs running shell commands are also vulnerable.
Besides CGI scripts, there may be ways to do a privilege escalation on a vulnerable system if a privileged program ends up running shell commands, or shell scripts.
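The post above describes how bash turned an environment value of the form () { ...; }; trailing into code run at startup, and the earlier reply asks whether a system(3)-style wrapper should clean the environment before forking. Here is an added example (not from the original thread) of exactly that wrapper: it flags function exports that carry text after the closing brace and drops them before spawning a child. The brace matching is a heuristic that ignores shell quoting, and SAMPLE_ENV is a constructed environment, both assumptions of this example.

```python
import re
import subprocess
import sys

# A bash function export looks like NAME='() { body; }'; Shellshock-era bash
# also ran whatever followed the closing brace, so a well-formed export has
# nothing but whitespace after its final '}'.
_FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def trailing_after_function(value):
    """None: not a function export. '': well-formed. Other: text bash would run."""
    # Heuristic (assumption): count braces without honouring shell quoting.
    m = _FUNC_PREFIX.match(value)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(value)):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
    return value.strip()  # unbalanced braces: treat the whole value as suspect


def classify_env(env):
    """Split env into (clean, flagged); flagged maps name -> trailing text."""
    clean, flagged = {}, {}
    for name, value in env.items():
        trailing = trailing_after_function(value)
        if trailing:  # None (plain variable) and '' (well-formed) are kept
            flagged[name] = trailing
        else:
            clean[name] = value
    return clean, flagged


def run_with_scrubbed_env(argv, env):
    """Run argv the way system(3) would, but with flagged exports dropped."""
    clean, flagged = classify_env(env)
    for name, trailing in flagged.items():
        print(f"dropping {name}: trailing {trailing!r}", file=sys.stderr)
    return subprocess.run(argv, env=clean, capture_output=True, text=True)


SAMPLE_ENV = {  # constructed sample: one benign export, one shaped like the post's
    "PATH": "/usr/bin:/bin",
    "hello": '() { echo "Hello, world"; }',
    "evil": '() { echo "Hello, world"; }; malicious_command',
}
```

Note that this only addresses the trailing-command shape the post describes; a patched bash (which no longer imports functions from arbitrary variable names) remains the real fix.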
-
RE: The forum only has one passable poster
More like, I wonder if my bot has missed something, or if there really are 9000 PMs between @Vinduv and the others that have managed to read more posts.
I really don’t know. I have a grand total of 9 PMs (most of them were used to debug @SignatureGuy). and don’t use a bot for reading, only for liking in that thread. -
RE: Poll: next month's Stupid Thread of the Month?
character or word based, and how long should the chains be?
Whatever floats your boat, as long as it does not produce “Dwarf Fortress Dwarf Fortress Dwarf Fortress Dwarf Fortress <huge image> Dwarf Fortress Dwarf Fortress” -
RE: Poll: next month's Stupid Thread of the Month?
what source would you want to use for the chains?
-
RE: WTF is up with the Favicon?
Unread topic count?
Yes. I’m pretty sure I’ve seen some discussion on meta.d about that.
EDIT: WTF just happened? I have changed that sentence before submitting, but it submitted the old version anyway. -
RE: The Fresh Synchronization
As much as I like Java, I think the decision to allow programmers to synchronize on any object was a bad one. Similarly for adding wait, notify and so on to the base Object class, where those features should have been assigned specifically to a specialized utility class.
What’s even more confusing is that Java also provides dedicated synchronization objects (Lock, Condition), which also inherit from Object (obviously) and thus get the standard lock/monitor interface.
On Lock objects, you need to use lock.lock() and lock.unlock() and never use synchronize; on Condition objects, you need to call cond.await() instead of cond.wait, and cond.signal() instead of cond.notify(). If you mix these up, it won’t work correctly. -
RE: Moar downtime? who was playing with bots again?
Wonder if it's possible to poison discourse editor by using a browser that doesn't support utf8 (ie, one of the bots we have running around)
With Firefox you can edit and resend a request. Just put some invalid bytes in the POST* data (%FF is a good candidate since this byte is always invalid in UTF-8) and send it out.
I have already tried this in various places but did not get anything except HTTP 500 errors (probably a UnicodeDecodeError, or whatever Ruby uses, being thrown when the request is handled).
* Discourse uses PUT requests to send out posts, but you know what I mean
-
RE: Can we *please* nuke the fucking bots?
Those are all from the gaming topic though. hard to complain about spam when you talk in the spam topic.
One solution could be to disable the Nice Post badges, since we have Mediocre Poster, Passable Poster and Reasonnable Poster anyway.
-
RE: Gfycat onebox
Done.
http://gfycat.com/MeaslyNextKiskadee
Not sure why it's not moving though (or, at least, it's not here in the preview.)
You have an extra /t in your URL.
Also, why do I see a video of eggs getting shot in your post, and a JPEG of a table in the preview window of this post? -
RE: Archive validity testing cancel dialog
ETA I mean the French, not you.
Instead of blaming me, maybe you could blame the translator who chose in the 80's to use the same word for both terms? -
RE: Dear lazydiscurse, is there a "mark all (in a category) as read?"
Already mentioned here:
http://what.thedailywtf.com/t/there-are-unread-topics-i-dont-want-to-read/535/2
Non-onboxed link (to have a larger click target, because the onebox is not very practical):
http://what.thedailywtf.com/t/there-are-unread-topics-i-dont-want-to-read/535/2
Still not implemented AFAIK.
I’ve not pressed the issue further, since I’ve learned that the “Dismiss Unread” button is really a “Mute all topics with unread posts” button, which I don’t want to use. -
RE: Archive validity testing cancel dialog
I think I’ve seen some errors dialogs which read
Nothing to undo. [Cancel]
That’s fine until you translate it to French, where « Annuler » is used for both “Cancel” and “Undo”.
Hilarity ensues. -
RE: The Official Status Thread
Ah - perhaps not then. It's probably a PO-Box that's been listed then...
The “Registrant name” seems to imply that it’s indeed La Poste itself which registered the domain. Actually, the whole whois seems identical to the one for laposte.net, save for the various IDs. Strange... -
RE: The Official Status Thread
Appears to be these guys:
http://www.laposte.fr/particulier (SFW)
That’s the French post office.
Wait, what? -
RE: The Official Status Thread
Reconsidering the previous idea after seeing that building each file requires a gcc command line sufficiently long to overflow a 117x56 terminal.
-
RE: The Official Status Thread
Status: Considering building some C program manually, because I have to change one of its files many times, and its Makefile is so broken it rebuilds everything every time.
-
RE: TDWTF: now with WTF daily.
I don't think I've seen a "lots of tabs open indefinitely, have a tab for every site you regularly visit" vs "tabs should be closed when they're done with, use bookmarks/speed dials for sites you regularly visit" flamewar on here before.
The “how many tabs should I use” thread is here. -
RE: Conversations overheard
The main problem is that there are few Mac antiviruses that actually target Mac malware. I’m even inclined to think that “few” == 0 in that context.
I also have never seen a Mac malware in my entire life, and no Windows malware since Sasser. -
RE: Explicating the survival of the Shell as default OSS UI
Part of the cause of this may be that, as I understand, remote X is a synchronous protocol, where each draw operation is sent to and confirmed by the server before the next draw operation starts.
Also because most X applications do their own text and graphics rendering, and send the finished bitmap to the X server.
-
RE: This site design made me say WTF
Too bad its ancient design is not actually compatible with older browsers…
-
RE: The Question is What Is The Question?
Did you not look up at the top of the page where the topic is in big friendly(ish) letters?
Isn’t reading a barrier to writing? -
RE: The Question is What Is The Question?
Shouldn't you be getting flagged about now?
Am I TRWTF for forgetting which topic I’m on when I reply to a post?
Filed under: can I blame Discourse? -
RE: The Question is What Is The Question?
Did you notice the thread title??
Are you using multiple question marks to compensate for some of your previous posts? -
RE: The Question is What Is The Question?
Are you sure using the keyboard effectively will solve my confusion here?
What’s wrong with being confused?
-
RE: Chromebooks don't work very well without internet
In PHP, exit(0); exits with the status "0". exit("0"); prints 0 and then exits with the status "0".
And in Python, sys.exit(0) also exits with status 0, but sys.exit("0") prints 0 to stderr and exits with status 1... -
RE: 🎂The cupcake thread of celebrations.
I find it rather disturbing to have to look at pictures of text.
I am more disturbed by the random-looking text colors with various degrees of readability and the sad attempt at justified text.
Filed under: For some reason I can’t stand tiny white-on-black text -
RE: Bot Duel!
Think the script is stable enough yet to leave it running from a terminal on my Ubuntu server?
$ ps aux | grep [s]ignature nobody 30436 0.0 1.1 56244 12092 ? S sept.12 0:35 /usr/bin/python -u /srv/bots/signatureguy.py
Looks fine so far. (But I think I fixed some things since the last time I published the source code -- I will update it in a bit)
I use supervisor to run it. This way, it starts automatically, its output goes to a log file, and it’s restarted if it crashes.
-
RE: Traffic lights
https://meta.discourse.org/t/traffic-lights-algorithm/19992/2
@codlnghorror said:
It looks like you’re doing it wrong. Would you like some help?
-
RE: :fa_database: [Old Forum is still alive] Important Data
Maybe it’s time to dig up the migration topic again...
-
RE: The Question is What Is The Question?
Was feeding @SignatureGuy with random metaphysical questions so it could properly answer on this topic a good idea?
-
RE: The NEW Official Unofficial Discourse bug tracker!
[Error] Refused to display 'https://bitbucket.org/masamunewos/discoursebugs/issues' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'. (about:blank, line 0)
-
RE: The duplicate post filter works really well.
well it certainly isn't fault-tolerant.
Bad HTTP status line? multiple times, apparently? WTF?!
-
RE: Need help with a Regex in PHP (Answered)
My problem is that middle capture group in my regex breaks everything. I basically want it to capture EVERYTHING that is not captured by the first or last capture group. How do I do that? Something crazy with backreferences?
Sounds like you need a non-greedy quantifier. Stick a ? after the + and it should work.
Also, I’m not completely sure if PHP supports it, but you can put ?: after the opening parenthesis of a group to avoid capturing it (so replacing (on with (?:on will avoid getting a useless "on bob" group in the results) -
RE: The Question is What Is The Question?
What did his original post say?
It was missing that character, you know, the one you type on your keyboard to bring up the keyboard shortcuts -- do you know what it’s called?
-
RE: Programming Confessions Thread
EDIT: Darn! we don't have mathjax enabled! @PJH, feature request?
We need DiscoBBHTLMarkjax because DiscoBBHTMLarkdown is not confusing enough.
-
RE: The Official Status Thread
Status: FUCKING HELL WHY DOES THIS MOUSE DOUBLE CLICK WHEN I CLICK ONCE?
Filed under: I thought my taskbar buttons were broken, Also double-clicking triple-clicks -
RE: TDWTF: now with WTF daily.
It will automatically reload when you click a link, or if you don't click a link for a few hours, it pops up that message.
Why doesn’t it reload the whole page and put you back where you were? If it’s to avoid interrupting the user, maybe displaying a modal dialog is not the best way either...
The best way would probably be to stop updating things (since the user is not doing anything it’s not a big deal) and just reload the whole page when Discourse needs to make an AJAX call to load more posts or a topic.
-
RE: Apple Watch
For that matter, the TI-84 I had in high school has a bigger screen and costs more than three times less. It also tells the time, just like every other electronic device ever made.
Well, except for the TI-82, the TI-83, the TI-83+, the TI-86…
Filed under: I was the cool kid with my built-in-clock TI-84+, I also spent too much time writing flicker-free analog clock programs in TI-Basic -
RE: This is my favourite emoji
So to get the emoji to display properly I just have to adjust the css to display them as 64x64px?
The Bad Ideas thread is there.
Filed under: Random line height changes -
RE: Explicating the survival of the Shell as default OSS UI
In short, shell is simple, GUI is hard. GUI is built on layers on top of layers of libraries and dependencies. There are hundreds of things that can go wrong. And they often do.
A TTY layer is not a simple thing. Parsing and interpreting VT100 commands is hard. CLI programs work with strings, which are a pain to manipulate in C. There are multiple shells and commands which behave slightly differently.
So no, I don’t consider the current state of CLI programming to be “simple”. A new CLI implementation, possibly using serialized objects instead of text for data exchange, could probably work way better.
I have never used a CLI to fix problems on OS X or Windows, mostly because the GUI always works. Of course, on Linux, having X not starting up can still happen, but it’s becoming rarer.
-
RE: Apple Watch
Why do I need a watch when I already have a phone?
I have a watch and a phone, so I don’t have to take the phone out of my pocket every time I want to see what time it is. It’s also useful when the phone is charging.
I have no real interest in a smartwatch, though. A dumbwatch suits me just fine (I know I was saying the same thing about smartphones, but this time it will be different, I swear!).
In any case, Apple is not the first on the smartwatch market, so I guess there are people who are interested...
The “No mention of battery life” surprises me. It’s probably indicated somewhere...
I've noticed a pattern. Every time I say "penis", @boomzilla likes my post.
Maybe he’s programming a bot...