#dev | Logs for 2018-02-16
[01:03:56] systemd-blockchaind is now known as upstart
[04:59:24] -!- cortex [cortex!~cortex@189.173.iux.rk] has joined #dev
[05:59:05] <SoyGuest55194> bug report - incorrect uri escaping in comments: https://soylentnews.org
[05:59:06] <aqu4> ^ "SoylentNews Comments | How Close are we to Peak Social Media?"
[05:59:07] <exec> └─ SoylentNews Comments | How Close are we to Peak Social Media?
[05:59:12] <upstart> ^ SoylentNews Comments | How Close are we to Peak Social Media? ( https://soylentnews.org )
[05:59:13] <aqu4> ^ "SoylentNews Comments | How Close are we to Peak Social Media?"
[05:59:44] <SoyGuest55194> wow, dumb bots are taking over
[06:00:21] <chromas> Oh yeah, aqu4 was gone by the time dbot came in
[06:00:38] <chromas> upstart: enable bot aqu4
[06:00:38] <upstart> k
[06:00:56] <chromas> oh I guess i'm retarded
[06:01:10] <chromas> I thought upstart was titling aqu4's output
[06:01:33] -!- upstart [upstart!~init@0::1] has parted #dev
[06:02:02] <SoyGuest55194> upstart repeating the url is asking for recursion...
[06:02:46] <chromas> it just shows the url when it's a redirect butt yeah. All the bots are titling now
[06:03:03] <SoyGuest55194> I did look at rehash, but it's not exactly clear where the bug is. Data.pm probably
[06:03:19] <SoyGuest55194> but that code is a mess
[06:07:04] <chromas> Time to switch to pipecode
[06:09:01] * chromas checks in on pipedot
[06:09:16] <chromas> It's pretty snappy. I wonder how it'd hold up against sn-level traffics
[06:10:17] <chromas> Just noticed it'sn't been updated in many moons though
[06:43:24] <SoyGuest55194> i thought pipedot was the more sensible approach - slash was the one designed to be thrown away.
[06:43:47] <SoyGuest55194> back to basics, just what's needed, nothing more
[06:45:32] <chromas> It's pretty slick. Looks like submissions are mostly spam on it but nobody's editing to accept any submissions at the moment
[06:45:50] * chromas needs an editor for that terrible sentence
[08:17:49] -!- cortex has quit [Quit: Textual IRC Client: www.textualapp.com]
[11:52:43] <Bytram> SoyGuest55194: It's not entirely clear atm (need moah coffee) but it seems to me that the original link "https://en.wikipedia.org/wiki/What%27s_that_got_to_do_with_the...%3F" is being transformed to be "https://en.wikipedia.org/wiki/What's_that_got_to_do_with_the...?"
[11:52:45] <Bytram> but...
[11:52:47] <exec> ├─ What's that got to do with the...?" - Wikipedia
[11:52:47] <exec> └─ What's that got to do with the... - Wikipedia
[11:53:58] <Bytram> in a URL, the "?" is typically used to start a list of arguments to the page; https://example.com etc.
[11:53:58] <aqu4> ^ "Example Domain"
[11:54:00] <exec> └─ Example Domain
[11:54:03] <Bytram> lol
[11:54:50] <Bytram> so, ISTM we need to *preserve* the "%3F" as entered, instead of converting it to its UTF-8 representation "?"
[11:54:55] <Bytram> ^^^ TheMightyBuzzard
[11:55:46] <Bytram> doing so may have untoward side effects which escape me this early in the AM.
[13:14:11] <SoyGuest55194> Bytram: yeah, the ? should be a %3F, but we've "helpfully" decoded that, and then not recoded it again, I guess.
[13:15:59] <SoyGuest55194> browsers are prepared to do the right thing when they see a ' but won't touch a ? for the reasons you state, they presume it's deliberate
[22:19:47] <Bytram> SoyGuest55194: TheMightyBuzzard: I'd have to take a look at the code to tell for sure, but I expect the transformation from %3F to a Question Mark in a URL is rather localized... we may just want to special case transforming "%xx" to account for the time when we have "%3f" or "%3F" and leave those be... BUT... this is one HUGE can of potential gotchas wrt security and the like. The general term for this is "URL Encoding" AFAICT.
[22:32:22] <Bytram> Then, to make things even MORE interesting... toss in UTF-8... as in internationalization and domain names...
[22:32:51] <Bytram> Though dated, this page provides a good synopsis: https://www.owasp.org
[22:32:52] <aqu4> ^ "Canonicalization, locale and Unicode - OWASP"
[22:32:54] <exec> └─ Canonicalization, locale and Unicode - OWASP
[22:34:42] <Bytram> NB: OWASP == Open Web Application Security Project
[22:42:43] <Bytram> This is another somewhat dated, but quite informative, read: http://www.cgisecurity.com
[22:42:44] <aqu4> ^ "URL Encoded Attacks"
[22:42:45] <exec> └─ URL Encoded Attacks
[22:43:21] <exec> ~title off
[22:43:38] <exec> I guess I can't hear me.
[22:43:45] <Bytram> whacha do THAT for?
[22:43:53] <Bytram> ~title on
[22:43:55] <exec> titles already enabled for #dev
[22:44:21] <exec> Just giving aqu4 a chance to shine here :)
[22:45:11] <Bytram> k
[22:45:35] <exec> import upstart :D
[22:46:31] <chromas> Some anon was complaining about SN eating the section sign in his urls
[22:47:36] * Bytram tries to come up with a pun on a mime pretending to remove something and also somehow referencing a mime-type
[22:47:41] <chromas> This was the comment https://soylentnews.org
[22:47:42] <aqu4> ^ "SoylentNews Comments | Subnautica Dev Fired Over Controversial Twitter Comments"
[22:47:43] <Bytram> biab -- dishes
[22:47:44] <exec> └─ SoylentNews Comments | Subnautica Dev Fired Over Controversial Twitter Comments
[22:48:48] <Bytram> yew... scroll back a bit... that's what I am referring to... factors that need to be considered when attempting to deal with that issue... it is FAR from trivial when security concerns are closely looked at.
[22:48:56] <Bytram> see also: http://www.cgisecurity.com
[22:48:56] <aqu4> ^ "URL Encoded Attacks"
[22:48:58] <exec> └─ URL Encoded Attacks
[22:49:40] * chromas woods
[22:50:42] * Bytram chuckles
[22:50:49] * Bytram yawns
[22:50:49] * MrPlow flips a Skittle into Bytram's gaping mouth
[22:50:59] * Bytram goes to do his dishes and take a break