The Daily WTF: Curious Perversions in Information Technology

Flip to a Blank Page

by Remy Porter in CodeSOD on 2018-09-20

You have a web application, written in Spring. Some pages live at endpoints where they’re accessible to the world. Other pages require authentication, and yet others require users belong to specific roles. Fortunately for you, Spring has features and mechanisms to handle all of those details, down to making it extremely easy to return the appropriate HTTP error.

Unfortunately for you, one of the developers on your team is a Rockstar™ who is Officially Very Smart and absolutely refuses to use the tools your platform provides. When that Certified Super Genius leaves the organization, you inherit their code.

16 comments - Last comment @ 2018-09-20

Westward Ho!

by Ellis Morning in Feature Articles on 2018-09-19

Buoy in the ocean

Roman K. once helped to maintain a company website that served a large customer base mainly within the United Kingdom. Each customer was itself a business offering a range of services. The website displayed these businesses on a map so that potential customers could find them. This was done by geocoding the business' addresses to get their longitude and latitude coordinates, then creating points on the map at those locations.

24 comments - Last comment @ 2018-09-20

Switch On Suppression

by Remy Porter in CodeSOD on 2018-09-18

Krista noticed our article explaining that switches were replacements for ifs. She sent in a version she found in her codebase, around the same idea:

	@SuppressWarnings("incomplete-switch")
	@Transactional
	public void removeAssetFromPackage(Package pkg, Asset assetToRemove) {
		pkg.getAssets().remove(assetToRemove);
		// Delete from DB and asset store.
		removeAsset(pkg, assetToRemove);

		// If we're removing LIVE asset, also delete AsyncJobs.
		switch (assetToRemove.getType()) {
			case LIVE:
				asyncJobService.removeAsyncJobsForPresentation(pkg);
				break;
		}

		// Flush package cache.
		cacheInvalidationService.invalidatePresenationCache(pkg);
	}

24 comments - Last comment @ 2018-09-20

The Secure Cloud API

by Remy Porter in CodeSOD on 2018-09-17

Melinda's organization has purchased a cloud-based storage system. Like any such system, it has a lovely API which lets you manage quotas and login tokens. It also had a lovely CLI, which was helpful for administrators to modify the cloud environment. Melinda's team built a PHP front-end that could not only manage files, but also allowed administrators to manage those quotas.

Melinda was managing those quotas, and when she clicked the link to view the quotas, she noticed the URL contained ?token=RO-cmV1c2luZyBrZXlzIGlzIFRSV1RG. When she went to modify the quota, the URL parameter became ?token=RW-cmV1c2luZyBrZXlzIGlzIFRSV1RG. That looked like a security key for their cloud API, transmitted in the open. The RW and RO looked like they had something to do with readwrite and readonly, but that wasn't the security model their storage provider used. When Melinda had another co-worker log in, they saw the same tokens. What was going on?

16 comments - Last comment @ 2018-09-19

Stay Away From California

by Mark Bowytz in Error'd on 2018-09-14

"Deep down, I knew this was one of the most honest labels I've ever seen," wrote Bob E.

27 comments - Last comment @ 2018-09-18

Crazy Like a Fox(Pro)

by Remy Porter in Feature Articles on 2018-09-13

“Database portability” is one of the key things that modern data access frameworks try and ensure for your application. If you’re using an RDBMS, the same data access layer can hopefully work across any RDBMS. Of course, since every RDBMS has its own slightly different idiom of SQL, and since you might depend on stored procedures, triggers, or views, you’re often tied to a specific database vendor, and sometimes a version.

And really, for your enterprise applications, how often do you really change out your underlying database layer?

21 comments - Last comment @ 2018-09-20

Padding Your Time

by Remy Porter in CodeSOD on 2018-09-12

Today will be a simple one, and it’s arguably low-hanging fruit, because once again, it’s date handling code. But it’s not handling dates where it falls down. It falls down on something much more advanced: conditionals. Supplied by “_ek1n”.

if ($min == 0) {
    if ($hours == 12) {
        $hours = 12;
        $min   = '00';
    } else {
        $hours = $hours;
        $min   = '00';
    }
}

21 comments - Last comment @ 2018-09-17

Wear a Dunder Cap

by Remy Porter in CodeSOD on 2018-09-11

In the Python community, one buzzword you’ll find thrown around is whether or not an approach is “pythonic”. It’s a flexible term, and something you can just throw out in code reviews, even if you’ve never written a line of Python in your life: “Is that Pythonic?”

The general rubric for what truly is “pythonic” is generally code that is simple and code that operates explicitly. There shouldn’t be any “magic”. But Python doesn’t force you to write “pythonic” code, and it provides loads of tools like decorators and metaclasses that let you get as complex and implicit as you like.

21 comments - Last comment @ 2018-09-14

Legacy Switchout

by Remy Porter in CodeSOD on 2018-09-10

About a decade ago, I attended a talk. The speaker made the argument that "legacy code" may have many possible interpretations, but the practical view was to simply think of legacy code as "code without unit tests". Thus, the solution to modernizing your legacy code was to simply write unit tests. Refactoring the code to make it testable would have the side effect of modernizing the code base, and writing tests would act as documentation. It's that easy.

Andrew is struggling with some legacy code right now. Worse, they're trying to integrate a large mountain of legacy code into a custom, in-house CI/CD pipeline. This particular pile of legacy code dates back to the mid-2000s, so everything in it is glued together via XML. It was some of that XML code which started failing when Andrew threw some unit tests at it.

22 comments - Last comment @ 2018-09-13

An Unfortunate Sign

by Mark Bowytz in Error'd on 2018-09-07

"Found this in the School of IT. 404: Women not found. Fairly accurate," wrote Maddie J.

27 comments - Last comment @ 2018-09-11

Not a Not Bad Approach

by Remy Porter in CodeSOD on 2018-09-06

In terms of elegance, I think the bitmask has a unique beauty. The compactness of your expression, the simple power of bitwise operators, and the way you can see the underlying implementation of numbers laid bare just speaks to me. Of course, bitmasks can be a bit opaque, and you may have to spend some time thinking about what foo &= 0xFF0000 is actually doing, but there’s also something alluring about it.

Of course, bitmasks are surprisingly hard. For example, let’s look at some code submitted anonymously. This code is meant to run on a line of coin-operated dryers. Depending on the particular install, how many coins a patron puts in, what modes have been enabled by the owner, and so on, different “extra” features might be disabled or not disabled.

36 comments - Last comment @ 2018-09-11

Caught Up in the Captcha

by Remy Porter in CodeSOD on 2018-09-05

Gregor needed to download a network driver. Upon clicking the link, a "captcha" appeared, presumably to prevent hotlinking to the driver files. It wasn't a real, image-based captcha, but a simple "here's some characters, type them into the box".

The code which popped up was "S i u x q F b j NaN 4". He hit the "new code" button, and got "T o A 0 J V s L NaN a". In fact, "NaN" showed up in the penultimate position in every code.

41 comments - Last comment @ 2018-09-13

SLA-p the Salesman

by Charles Robinson in Feature Articles on 2018-09-04

A Service-Level Agreement (SLA) is meant to ensure customer issues receive the attention they deserve based on severity. It also protects the support company from having customers breathing down their neck for frivolous issues. All of the parameters are agreed upon in writing ahead of time and both sides know the expectations. That is, until a salesman starts to meddle and mess things up, as happened at the place Dominick worked for.

Dominick was a simple remote support tech who fixed things for clients well ahead of the SLA. On the rare occasion there was a priority 1 issue - something stopping anyone in the company from doing work - they had 24 hours to fix it before large monetary penalties would start to rack up. One Friday a priority 4 issue (5 business day SLA) came in from the CFO of a new client. The ticket was assigned to Dominick, who had higher priority work to do for other clients, so he decided it could wait until the following week.

29 comments - Last comment @ 2018-09-13

Classic WTF: Security By Letterhead

by Jake Vinson in Feature Articles on 2018-09-03

It's a holiday in the US, so we're turning back the clock a bit.
How do you make sure nobody issues an unauthorized request for a domain transfer? This registrar has serious security to prevent just that kind of event. You know this must be a classic, because it involves fax machines. Original -- Remy

Security through obscurity is something we've all probably complained about. We've covered security by insanity and security by oblivity. And today, joining their ranks, we have security by letterhead.

John O'Rourke wrote in to tell us that as a part of his job, he often has to help clients transfer domain names. He's had to jump through all kinds of crazy hoops to transfer domain names in the past; including just about everything except literally jumping through hoops. After faxing in a transfer request and receiving a rejection fax an hour later, he knew he was in for a fight.

30 comments - Last comment @ 2018-09-20

Recent Articles