• (cs) in reply to Norman Diamond
    Norman Diamond:
    Also don't forget all those programs that use exceptions to process ordinary, expected events. Logs of those events are even more exceptionally horrible. Success can be worse than failure.
    We're still dealing with an internally developed API (and I'm using the word loosely here) that throws java.lang.Exception. For everything. If something goes wrong, if there's a database exception, or if an object is not found, you get a java.lang.Exception. As a side note, the database it accesses has no integrity constraints.
  • fjf (unregistered) in reply to Tractor
    Tractor:
    Koblin:
    "Hey, Adam, you broke my code! I always do

    error(foobar, "waiting for data; sleep 1");

    After your last change, this doesn't wait for the data anymore."

    That wouldn't actually work, as Runtime#exec isn't a fully-fledged shell. The reparsed log message will be passed as arguments including ";" to /usr/bin/logger rather than being used to spawn additional processes.

    Right, so the real WTF is incorrect comments getting featured. Although I must admit it is more fun that way. He should have executed "/bin/sh -c logger blahblahblah". That immediately saves you from having to type the exact path to logger, so it's better right?

    OK, so perhaps there's no arbitrary code execution, but you probably could add some options to logger, e.g. to override the log priority or tag or (perhaps depending on the version of logger) send data to an arbitrary socket (-u), and at least screw up the actual log message (by cutting out what looks like options), intentionally (to obscure some other attack) or unintentionally (to make the log even less useful when needed).

  • MightyM (unregistered) in reply to fasas
    fasas:
    Coyne:
    Bobby Tables:
    jspenguin:
    And what happens when the application tries to log "; rm -rf / # ?
    Exactly. So doing a System.out.println() would not have been equivalent to this code, see ...

    Exactly. So when he junked this code, he broke the application. (http://xkcd.com/1172/) But he can fix it quick by adding a flag to say whether it works the old way or the new way.

    I didn't even click on the link and knew it was some fag linking xkcd. It's not clever. It's not funny. Just the word "colors" with a link under it and the short, useless, one sentence post was all I needed to know that you were linking the cartoon where the men demonstrate their knowledge of other "colors".

    It was funny to read when it came out. It's even funny when clicking on the Random button on the site and seeing it. It's NOT funny when someone links to it from a one-sentence post and thinks they're so fucking clever to have discovered xkcd.

    You probably still use lmgtfy and think you're so damn clever.

    It means in real life, you're an unoriginal hipster doofus.

    Got anything to do with sanitizing inputs to a SQL database, etc.? Link to Bobby Tables. Got a nerd-project slow-ass turing machine? Like a minecraft logic circuit from redstone? Link to the one where it's some guy alone in the world making a computer out of rocks. Got a story about password security or encryption? Link to the one where they beat the password out of the guy with a wrench.

    Fuck off. You're not clever.

    I didn't even read the text and knew it was some fag copying the same overused rant. It's not clever. It's not funny. Just the word "colors" was all I needed to know that you were copying the rant without even adapting it to the post you're replying to.

    It was funny to read when it came out. It's NOT funny when someone copy-pastes it every f***ing time they see a XKCD link.

    You probably still use lmgtfy and think you're so damn clever.

    It means in real life, you're an unoriginal hipster doofus.

    Got anything to do with sanitizing inputs to a SQL database, etc.? Rant about Bobby Tables. Got a nerd-project slow-ass turing machine? Like a minecraft logic circuit from redstone? Rant about the one where it's some guy alone in the world making a computer out of rocks. Got a story about password security or encryption? Rant about the one where they beat the password out of the guy with a wrench.

    Fuck off. You're not clever.

  • Bobby Tables (unregistered) in reply to fasas
    fasas:
    Coyne:
    Exactly. So when he junked this code, he broke the application. (http://xkcd.com/1172/) But he can fix it quick by adding a flag to say whether it works the old way or the new way.
    I didn't even click on the link and knew it was some fag linking xkcd.
    Wow, so you are able to see "xkcd.com" and recognize it's linking xkcd without clicking on it. You're a genius.
    Just the word "colors" with a link under it
    ... except you slightly misspelled "xkcd" ...
    and the short, useless, one sentence post
    ... and slightly miscounted the sentences ...
    was all I needed to know that you were linking the cartoon where the men demonstrate their knowledge of other "colors".
    ... and slightly confused "knowledge" with "ignorance" and "colors" with "workarounds" ...
    Got anything to do with sanitizing inputs to a SQL database, etc.? Link to Bobby Tables.
    ... and abused my good name. There's not even an SQL database here, just a stupid logger.
  • Swedish tard (unregistered) in reply to Severity One
    Severity One:
    Ah, there's the bottleneck:
    public void error(String logID, String errStr) {
      StringBuffer errLogCmd = new StringBuffer("/usr/bin/logger -p ");
      try {
        Runtime rt = Runtime.getRuntime();
        errLogCmd.append(errlogFacility);
        errLogCmd.append(" -t ");
        errLogCmd.append(logID);
        errLogCmd.append(" ");
        errLogCmd.append(errStr);
        rt.exec(errLogCmd.toString());
      } catch (Exception ele) {
        System.out.println("Exception encountered writing error log." + ele.getMessage());
      }
    }
    He should have used StringBuilder instead. No need for a thread-safe object that is instantiated within a method. Geez, don't people read the JavaDocs?

    Indeed, why even use StringBuilder when + will do the jurb just awesomely?

  • Simon (unregistered)

    Wait... the Runtime.exec() call wasn't the cause of the performance problems? Then given how horrendously expensive forking a JVM tends to be, the real cause must be absolutely epic!

  • (cs) in reply to Swedish tard
    Swedish tard:
    Severity One:
    He should have used StringBuilder instead. No need for a thread-safe object that is instantiated within a method. Geez, don't people read the JavaDocs?
    Indeed, why even use StringBuilder when + will do the jurb just awesomely?
    Because the + operator for strings uses StringBuffer underneath. Geez, don't people decompile byte code?
  • (cs) in reply to Severity One
    Severity One:
    Because the + operator for strings uses StringBuffer underneath. Geez, don't people decompile byte code?
    Actually it's not specified.
    Java Language Specification:
    An implementation may choose to perform conversion and concatenation in one step to avoid creating and then discarding an intermediate String object. To increase the performance of repeated string concatenation, a Java compiler may use the StringBuffer class or a similar technique to reduce the number of intermediate String objects that are created by evaluation of an expression.

    For primitive types, an implementation may also optimize away the creation of a wrapper object by converting directly from a primitive type to a string.

    Geez, does nobody here know the specs?
  • (cs) in reply to Simon
    Simon:
    Wait... the Runtime.exec() call *wasn't* the cause of the performance problems? Then given how horrendously expensive forking a JVM tends to be, the *real* cause must be absolutely epic!

    The root cause was Java itself. :D

  • (cs) in reply to AN AMAZING CODER
    AN AMAZING CODER:
    QJo:
    I have cause on occasion nowadays to read java (rarely needing to write it any more) and have at time bewailed the fact that log4j isn't routinely used. The answer I get is that the logging package and the techniques therein were written well before log4j was invented, and there is no need to break a perfectly well-written and documented existing package, despite its having been written in-house.

    This may have been the reason behind the initial coding of this particular instance, but the follow-up thought (that this is perfectly well-written) is admittedly less accurate.

    I was going to troll you about using log4j, considering it's pretty old and being replaced by Logback (and even SLF4J). But, if those are the type of people you deal with, you don't deserve that type of trolling :-(

    So here's the thing. You got a perfectly adequate application. It's got a whole slew of functionality, having evolved over the last 10 years or so. Then someone at e.g. Apache releases a package whose functionality overlaps some of the code in your app which works fine and hasn't caused trouble

    Why the fucking fuckety fuck would you replace what's perfectly good code with the new package? Unless it had distinct advantages, an easy migration path and a seamless user experience, you'd have to be a fucking lunatic to do so. And then some cunt comes along and says "You shouldn't be using log4j, you got to use this shittybugger cuntfuck code that's even newer and more fashionable.

    Move away from the fucking terminal NOW.

  • (cs) in reply to berd
    berd:
    fasas:
    Coyne:
    Bobby Tables:
    jspenguin:
    And what happens when the application tries to log "; rm -rf / # ?
    Exactly. So doing a System.out.println() would not have been equivalent to this code, see ...

    Exactly. So when he junked this code, he broke the application. (http://xkcd.com/1172/) But he can fix it quick by adding a flag to say whether it works the old way or the new way.

    I didn't even click on the link and knew it was some fag linking xkcd. It's not clever. It's not funny. Just the word "colors" with a link under it and the short, useless, one sentence post was all I needed to know that you were linking the cartoon where the men demonstrate their knowledge of other "colors".

    It was funny to read when it came out. It's even funny when clicking on the Random button on the site and seeing it. It's NOT funny when someone links to it from a one-sentence post and thinks they're so fucking clever to have discovered xkcd.

    You probably still use lmgtfy and think you're so damn clever.

    It means in real life, you're an unoriginal hipster doofus.

    Got anything to do with sanitizing inputs to a SQL database, etc.? Link to Bobby Tables. Got a nerd-project slow-ass turing machine? Like a minecraft logic circuit from redstone? Link to the one where it's some guy alone in the world making a computer out of rocks. Got a story about password security or encryption? Link to the one where they beat the password out of the guy with a wrench.

    Fuck off. You're not clever.

    What the actual fuck are you talking about? Do you understand the irony in calling someone an unoriginal hipster then proceeding to demonstrate your apparent knowledge of the same fads you (conveniently) now hate in your tirade of abuse? You are a fop.

    Please show a little sensitivity. I had a son who was a fop, and let me assure you, it was no laughing matter.

  • (cs) in reply to Key Logger
    Key Logger:
    chubertdev:
    I'll never understand why most error logging that you see is exceptionally horrible.
    No one designs for errors, so no one tests for errors, because no one wants errors, therefore they play this little mental mind trick and fool themselves into believing there will not be errors.

    I mean, did you ever sit down in a project kickoff meeting and hear "first of all, we want any problems that come up to be recorded in a way that will support statistical analysis to help us find and learn from our mistakes"?

    No. We don't make mistakes, so why would we want to know about them?

    That's also how most security vulnerabilities arise.

    Um yeah, actually we discussed this very topic in a project kick-off meeting this morning. We were specific about the techniques to be used for error reporting and recovery. Any kick-off meeting which does not address these matters is not a proper kick-off meeting, it's a girly chit-chat about periods.

  • (cs) in reply to Matt Westwood
    Matt Westwood:
    Please show a little sensitivity. I had a son who was a fop, and let me assure you, it was no laughing matter.
    Daddy, is that you?
  • jay (unregistered) in reply to jspenguin
    jspenguin:
    And what happens when the application tries to log "; rm -rf / # ?

    Many Linux distros today are smart enough to catch "rm -rf /" and give an error message rather than actually executing it.

    Try this on your system. See if you have one that catches it.

  • jay (unregistered) in reply to fasas
    fasas:
    Coyne:
    Bobby Tables:
    jspenguin:
    And what happens when the application tries to log "; rm -rf / # ?
    Exactly. So doing a System.out.println() would not have been equivalent to this code, see ...

    Exactly. So when he junked this code, he broke the application. (http://xkcd.com/1172/) But he can fix it quick by adding a flag to say whether it works the old way or the new way.

    I didn't even click on the link and knew it was some fag linking xkcd. It's not clever. It's not funny. Just the word "colors" with a link under it and the short, useless, one sentence post was all I needed to know that you were linking the cartoon where the men demonstrate their knowledge of other "colors".

    It was funny to read when it came out. It's even funny when clicking on the Random button on the site and seeing it. It's NOT funny when someone links to it from a one-sentence post and thinks they're so fucking clever to have discovered xkcd.

    You probably still use lmgtfy and think you're so damn clever.

    It means in real life, you're an unoriginal hipster doofus.

    Got anything to do with sanitizing inputs to a SQL database, etc.? Link to Bobby Tables. Got a nerd-project slow-ass turing machine? Like a minecraft logic circuit from redstone? Link to the one where it's some guy alone in the world making a computer out of rocks. Got a story about password security or encryption? Link to the one where they beat the password out of the guy with a wrench.

    Fuck off. You're not clever.

    What in the world are you talking about? There's nothing in the xkcd that he linked to about "colors". The link does not include the word "colors". Is there some meta-joke that I'm missing here? Perhaps I was on vacation and there were a string of jokes about colors in between the Paula beans and the Irish girls?

    In any case, saying, "Hey, remember that funny story about ..." isn't necessarily obnoxious. Ranting and swearing about someone else's innocent attempt to amuse his fellows is.

    Or maybe this is a troll and I just don't get it.

  • jay (unregistered) in reply to no laughing matter
    no laughing matter:
    Severity One:
    Because the + operator for strings uses StringBuffer underneath. Geez, don't people decompile byte code?
    Actually it's not specified.
    Java Language Specification:
    An implementation may choose to perform conversion and concatenation in one step to avoid creating and then discarding an intermediate String object. To increase the performance of repeated string concatenation, a Java compiler may use the StringBuffer class or a similar technique to reduce the number of intermediate String objects that are created by evaluation of an expression.

    For primitive types, an implementation may also optimize away the creation of a wrapper object by converting directly from a primitive type to a string.

    Geez, does nobody here know the specs?

    "the compiler does it" != "the spec requires it"

    Just because the spec doesn't require something doesn't mean that it isn't done. This is especially true when the spec that you quote specifically offers it as a possibility.

    "Yesterday I had lunch at Burger World."

    "That's a lie! There is no law requiring you to eat lunch at Burger World!"

  • (cs) in reply to jay
    jay:
    no laughing matter:
    Severity One:
    Because the + operator for strings uses StringBuffer underneath. Geez, don't people decompile byte code?
    Actually it's not specified.
    Java Language Specification:
    An implementation may choose to perform conversion and concatenation in one step to avoid creating and then discarding an intermediate String object. To increase the performance of repeated string concatenation, a Java compiler may use the StringBuffer class or a similar technique to reduce the number of intermediate String objects that are created by evaluation of an expression.

    For primitive types, an implementation may also optimize away the creation of a wrapper object by converting directly from a primitive type to a string.

    Geez, does nobody here know the specs?

    "the compiler does it" != "the spec requires it"

    Just because the spec doesn't require something doesn't mean that it isn't done. This is especially true when the spec that you quote specifically offers it as a possibility.

    What version of the compiler are you talking about?

    "Severity One" claimed that his compiler uses StringBuffer but he did not specify which JDK and which version.

    The Spec allows "similar technique(s)" and on versions of the JDK which support StringBuilder (@since 1.5) it would be inefficient to use the older StringBuffer.

    Addendum (2013-02-14 15:15): EDIT:

    Ok tested it with Oracle JDK 1.7.0 and of course it spit out StringBuilder!

    Maybe time for "Severity One" to upgrade to a recent JDK!

  • Bill C. (unregistered) in reply to chubertdev
    chubertdev:
    Simon:
    Wait... the Runtime.exec() call *wasn't* the cause of the performance problems? Then given how horrendously expensive forking a JVM tends to be, the *real* cause must be absolutely epic!
    The root cause was Java itself. :D
    An epic root's cause is the same for exec() as for intern(). If Java is giving performance problems we should slow down and switch to Viagra, especially given how horrendously expensive forking can turn out to be.
  • Hellyeah (unregistered) in reply to BogusArgumentException

    Precisely. It doesn't. It calls, as the title of the OP suggests, fork and exec, not system. Them PHP kiddies.

  • qbolec (unregistered)

    TRWTF is using global variable named errlogFacility

  • (cs)

    And this is Java, so he has no excuse for concatenating unescaped strings as command-line arguments. (Unlike the PHP counterpart, java.lang.Runtime.exec has several overrides with execv-like injection protection.)

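    The two points made above by fjf (Runtime#exec only whitespace-splits the command, so the danger is logger option injection rather than shell execution) and by the commenter noting that java.lang.Runtime.exec has execv-like overloads can be seen side by side in the following added example. It is not code from the article or from any commenter; the tokenizer mirrors what Runtime.exec(String) does internally, and the use of "--" to end option parsing assumes a getopt-style logger such as the util-linux one, which should be confirmed on the target host.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.StringTokenizer;

// Added illustration, not code from the article or its comments: how the
// original single-String Runtime.exec call splits a log message, versus the
// String[] overload that hands each argument to logger unchanged.
public class SafeLogger {

    // Mirrors what Runtime.exec(String) does internally: plain whitespace
    // tokenising, with no quoting and no shell metacharacter handling.
    static String[] tokenizeLikeExec(String command) {
        StringTokenizer st = new StringTokenizer(command);
        String[] argv = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) {
            argv[i] = st.nextToken();
        }
        return argv;
    }

    // The argv the original code effectively builds. Every whitespace run in
    // errStr becomes an extra argument, and any token starting with '-' is
    // parsed by logger as an option rather than as message text.
    static String[] unsafeArgv(String facility, String logID, String errStr) {
        return tokenizeLikeExec("/usr/bin/logger -p " + facility + " -t " + logID + " " + errStr);
    }

    // Hardened form: one argv element per value, so the message is a single
    // argument however it is spelled. "--" ends option parsing so a message
    // beginning with "-" is still treated as text (assumption: getopt-style
    // logger such as util-linux; check `logger --help` on the target host).
    static String[] safeArgv(String facility, String logID, String errStr) {
        return new String[] {"/usr/bin/logger", "-p", facility, "-t", logID, "--", errStr};
    }

    static void error(String facility, String logID, String errStr) {
        try {
            Process p = Runtime.getRuntime().exec(safeArgv(facility, logID, errStr));
            // Reap the child so a failed logger run is visible instead of silently lost.
            int rc = p.waitFor();
            if (rc != 0) {
                System.err.println("logger exited with status " + rc);
            }
        } catch (IOException | InterruptedException e) {
            System.err.println("Exception encountered writing error log: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed sample message: contains whitespace plus an option-shaped token,
        // the kind of input the thread discusses.
        String msg = "waiting for data; -u /tmp/constructed.sock sleep 1";
        System.out.println("original splitting: " + Arrays.toString(unsafeArgv("local0.err", "ingest", msg)));
        System.out.println("array form:         " + Arrays.toString(safeArgv("local0.err", "ingest", msg)));
    }
}
```

    Running main shows the original form producing a separate "-u" token that logger would interpret as an option, while the array form keeps the whole message as one argument. The tag passed to -t is still worth restricting to a plain identifier character set, since it comes from the caller rather than from the message, and the facility string should come from a fixed configuration value rather than from user input.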
  • JJ (unregistered) in reply to fasas
    fasas:
    I didn't even click on the link [...]
    I gotta give you credit, you got three bites and a knock-off reply.

    To everyone who fell for it: this is a meme.

Leave a comment on “Fork and Log”
