#dev | Logs for 2015-06-25
[03:09:10] -!- cmn32480 has quit [Quit: See You Later]
[11:30:59] -!- cmn32480 [cmn32480!~cmn32480@Soylent/Staff/Editor/cmn32480] has joined #dev
[14:58:46] <FatPhil> Has anyone taken a look at VortexCortex' html (and thus script) injection attack documented here: https://soylentnews.org
[14:58:47] <aqu4> ^ "SoylentNews Comments | A Disaster Foretold - and Ignored: LOpht's Warnings About the Internet Drew Notice but Little Action"
[15:00:10] <FatPhil> Looks like slashcode is interpreting the % codes itself, and echoing even dangerous ones unescaped
[15:01:03] <FatPhil> Couldn't find an obvious s/%[0-9a-f]{2}/...-alike in the code, though
[15:01:52] <FatPhil> hmmm, or maybe that's not what's happening, perhaps I should actually check a GET before being so sure
[15:05:36] <TheMightyBuzzard> FatPhil, yeah me and pj been on it for a while
[15:06:15] <FatPhil> Anyway, the %22 is being turned into a " before it reaches the browser.
[15:06:31] <FatPhil> Looks like it's in the expansion of title="$badstuff"
[15:06:49] <FatPhil> making progress? do you need another pair of eyes?
[15:07:10] <TheMightyBuzzard> we got a fix in for it already just not cleaning up already entered badness
[15:07:23] <TheMightyBuzzard> THAT is complicated
[15:08:50] <FatPhil> so it's cleaned before it hits the DB, and the DB's then considered safe?
[15:08:57] <TheMightyBuzzard> yep
[15:09:22] <TheMightyBuzzard> links are anyway. pretty much everything else is done other ways.
[15:09:26] <FatPhil> I sometimes think it's best to store the raw sewage, and then make sure you process it carefully each time you need to handle it.
[15:10:17] <TheMightyBuzzard> link mangling is already set up pretty solid for input, output there is nothing and we'd have to write it all from scratch.
[15:10:51] <FatPhil> are your patches already in the git repo? I just pulled the latest
[15:12:24] <TheMightyBuzzard> erm, the fix is, yes. getting retroactive badness out is in another branch.
[15:12:33] <TheMightyBuzzard> we're still debating it
[15:12:47] <TheMightyBuzzard> welcome to tag in and take my place. i think i fried my brain.
[15:16:07] <FatPhil> Is there a sandbox I can try to find badness with. As it does look like you're trying to remove badness, which means that some other badness might still sneak through.
[15:16:18] <TheMightyBuzzard> yep, dev
[15:17:40] <FatPhil> permits anonymous posts?
[15:17:55] <TheMightyBuzzard> sure
[15:18:06] <TheMightyBuzzard> it's the please break it server
[15:20:08] <FatPhil> now I'm worried to turn on JS!
[15:21:04] <TheMightyBuzzard> har
[15:22:44] <FatPhil> view source is enough at the moment...
[15:24:28] <TheMightyBuzzard> nothing especially malicious on it
[15:25:17] <FatPhil> waiting for dev.soylentnews.org ...
[15:25:48] <FatPhil> IS that my badness, or the internet's crapness?
[15:26:43] <FatPhil> "Dev.SN is dead developers" - hahah!
[15:27:01] <TheMightyBuzzard> there's no telling really
[15:28:08] <TheMightyBuzzard> okay, i need food and a nap
[15:29:06] <FatPhil> timing out after 60s, it seems. repeatable.
[15:29:47] <TheMightyBuzzard> dev is?
[15:30:10] <TheMightyBuzzard> showing fine to me
[15:30:24] <FatPhil> yup, each time I press preview, it returns a mangled page after 60s
[15:30:54] <FatPhil> Infinite loop from while($url =~ /%/) ?
[15:31:12] <TheMightyBuzzard> yeah, gotta fix in for that it just ain't live yet
[15:31:25] <FatPhil> Ah, OK
[15:32:07] <FatPhil> hahah - that wasn't even deliberate, I had left a stray % in the string unintentionally!
[15:33:28] <TheMightyBuzzard> noticed that while i was smoking after pj put it in
[15:33:49] <TheMightyBuzzard> anyway, afk in search of grub
[15:42:03] <FatPhil> ditto, food needed here too
[16:21:37] <FatPhil> If anything the cleaning's too brutal - this URL is mangled due to $url =~ s/&(.+?);//g;
[16:21:41] <FatPhil> <a href="http://asdf.org/a?p=1&q=2;r=3">That should be a 3-parameter query</a>
[16:22:15] <FatPhil> /&\w+;/ would be less brutal
[20:36:31] -!- cmn32480 has quit [Quit: See You Later]
[21:31:08] -!- cmn32480 [cmn32480!~cmn32480@Soylent/Staff/Editor/cmn32480] has joined #dev
[23:16:03] cmn32480 is now known as poo_ping