- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
So someone couldn't figure out how to restructure their code to allow for a private or protected function? Odd solution.
Admin
umm wait a minute, please tell me this is a transcription error.
If you pass in the proper password it fails and raises an exception, but any other string as password allows it to happen? WTF?! (in it's original meaning)
Note from Alex: Sorry, this was a transcription error. I fixed it. The original code was identical with the exception of using string.compare(). I changed it to != (well actually == by mistake) b/c it made the WTF a lot easier to immediatley see.
Admin
I don't buy this. Whoever wrote this had to be a complete retard to not understand how private/protected/internal methods work with C# (assuming the language was not changed to protect the incompetent); what, did they think everything HAD to be made public, and then use this "password" shit to restrict access?
This is a bit hard to believe, that someone with a job as a developer (who presumably understands the language), doesn't understand how access modifiers work. If this bit needed access by an external module (which is bad in and of itself), and for whatever reason said module couldn't be included in the same assembly (to make use of the Internal keyword) then there's a bigger WTF than shitty code.
Admin
Hmm, I have to start using that, since at the moment any idiot can call my methods.
Mike5
Admin
If you pass in the proper password it fails and raises an exception,
I bet the API users never saw that coming. Must be very secure.Admin
Admin
That is assuming that the '==' operator does what the author thinks it does.
That is not true for Java, or C++, but I don't know about C#.
Admin
Admin
It's C# code, obviously, so the == operator does what we think it does.
Mixing up == and != in critical if-clauses is bad, no matter if that method is declared private, public or "skript kiddiez please look here".
Nice password anyway.
Admin
Hmmmm, X-windows was written in C, where there isn't really any concept of public/private (well, ok, there's static), but declared, by convention, that you shouldn't touch certain fields in the data structures ("handles") it passed back to the caller because they were private to X-windows.
Maybe this person was trying to follow the same paradigm? twitches
Admin
C++ tends to use public: as a block rather than giving individual access control to each member. In addition, throwing an object allocated with new is a bad idea for C++.
Admin
Private, Protected and Internal are nice.. But if you need to expose the function to an external consumer, then you need to make sure no one can cheat that way (Well actually you should make sure that the flag gets set correctly on all occasions).
Also private does not protect your function from unauthorized access... It just makes it more annoying ;) But the "secure" string passwod, hardcoded inside the functon, makes it reallllly hard to figure what password to use to FINALLY get the exception
Admin
Yeah, "==" works great for object comparisons .... sheesh. There's the WTF.
Admin
Not so obviously. It's perfectly valid Java syntax as well.
Admin
No, nevermind, I'm dumb. Here's my WTF, there's not return type on the method.
Admin
Except that there is.
Admin
You sir are correct...
...as to how that's a WTF i don't know though...
Admin
Except for the comments. Clearly C#
Admin
Actually, there is: "void". What makes it "not java" is the "bool" type parameter, the "ArgumentException" exception, and the comment block.
Although those could be in-house developed types and documentation systems for java to avoid using those untrustworthy "boolean", "IllegalArgumentException", and "javadoc" stuff provided by those completely undependable folks at sun...
Admin
Technically, internal and private methods/properties can still be accessed using reflection. Assuming that they obfuscated the string, then this would guarentee that only someone who knew the password could call it.
That doesn't mean it's a horrible example of code though ;-)
Admin
And java has not ArgumentException and it doesn't declare the method as throws ArgumentException.
Admin
Admin
Jeebus ... can we just retire the "hard-coded, plain-text password" WTF already?
This site is getting repetitive, and it was only funny the first 100 times.
Admin
This is how it should be done:
public: int SecretFunction(int arg1, int arg2, AuthorizationCallback callbackfn) { if (callbackfn("Please present your credentials to access this function", "P4$$w0rD")) { error("You don't have authorization to call this function!!! The password should have been P4$$w0rD. Please don't tell this password to anybody else. And don't call this function again."); return -63; }
}
Admin
This is totally dumb. They should have done something along the lines of:
public void OverrideIsUpdated(String password, bool status) { if (md5(password) != "e1e8fe2e3e77f30640cf66a47d06fe4f") { throw new ArgumentException("Invalid password specified!" + " This method is for internal use only!", "Password"); } _IsUpdated = status; ... snip ... }Admin
I speak only to the fact that == will work for string comparison in C++. I do not think that this is C++ by any means.
Admin
Code written by pure genius.
Admin
For me the wtf isn't that the password is in plane text, but that a "set" method has a password at all.
Admin
Would you buy it if I told you that I'd seen something identical (well, except that it did the string check correctly) in some C++ code on my last project?
Edit: add quote
Admin
I with TheRubyWarlock, this is a fake.
Admin
This sort of thing happens in the hardware world all the time. Microcontrollers password protect the flash write registers, and the manufacturer lists the password (a simple string of 0xAA's and 0x55's, usually) in the datasheet.
This keeps broken code from burning out the flash memory by randomly writing to registers until the cells wear out.
Admin
agreed with the two other chaps; fake!
Admin
The comments are worse than the article :D Is it just me or should there be a rule against writing too obvious code? seriously... "P#$$w0rd"?!
Admin
In the Linux kernel API, after you have root privilege and whatever security capabilities you need, you also have to supply special parameters to the system reboot() and halt() system calls. The parameter value required is one of the birth dates of Linus Torvalds or his descendents, encoded in hexadecimal.
Never mind that supplying invalid parameters to half a dozen other system calls, sometimes while not root or not holding any special privileges, will often achieve the same effect as halt() in Linux.
(ducking)
I've seen data sheets that go on for pages (the "data sheet" is really a phone-book-sized document) about how to change RAM voltage on a system board. No real password here, but an obscure set of address space overlays and non-standard I/O registers that would be impossible to discover without a data sheet or by reverse engineering existing software that could already talk to the device.
Then there's TPM, which is an API that has not only password protected methods, but methods with cryptographically secure authentication schemes.
Admin
You're missing the point. This one would be no less a WTF if the password were looked up from a database in which it is stored in a hashed format.
In fact, it would be even more so.
Admin
Admin
But I wrote ArgumentException extends RuntimeException so I didn't have to screw around with all that trying and catching.
Admin
That was a reply to : "And java has not ArgumentException and it doesn't declare the method as throws ArgumentException."
throw new UserIsAMoronException("Look at me! I'm on the internets");
Admin
The programmer really just wanted to keep themselves from ever using the function. ;-)
Admin
That works until you get some library that calls that function. Then you could just reverse engineer it to determine what password was used. If all of the override uses were only distributed internally then the preprocessor should have been used instead to remove the method in external releases.
If this was Java instead then using the != might just have worked since passing in a String from a different Classloader may be a different reference.
Admin
I could buy this being real. I've seen similar being done before by in-house small app developers who either (a) didn't understand security, or (b) didn't want to have a reliance on the networks guys and so went and wrote their own security layer.
Of course, you could just go digging in the binary with a hex editor and pull out the password that way...
Admin
I've seen much worse. I've seen remote systems downloading ALL of the system's passwords to check a user login. And I mean unencrypted passwords. That was much, much, much worse. The same company would usually take 1 week to authorize the installation of any "free software". Yes, they mostly blocked all the free software because of "security issues".
Admin
Haha...best response yet.
That is truly doing the wrong thing the right way.
Countdown to somebody responding to this post with the made-up word "dehash": 10...9...8...
Admin
You know, you think people would get it - but at one point I actually ran into an idiot that challenged me that "C++ was broken because you could just smash your way through the flimsy protection mechanism" (using the mechanism you describe). Of course, he also insisted on calling it "C--", no doubt believing that made him look all smart and grown up.
The really shocking thing is this, though: this didn't happen on the internet ("Where Trolls Roam Free"), this was a real person in a face to face discussion...
Admin
Actually, the MD5 version above could be a less-than-terrible idea, especially if the password is taken from user input at runtime (and not stored anywhere on disk in plaintext).
Sure, you'd be better off pulling the hash from someplace external (with write access controlled by the OS). But the OP didn't say whether this was for an "enterprise" system or just something used in-house. Plenty of times, I've written an in-house app where myself and a small team are using e.g. a tracking database where I, as the developer, can do some "power user" things with which I don't want the worker-bee users to shoot themselves in the foot. In such cases -- where it's not critical security, but rather an elaborate "are you sure" prompt -- I might find myself using a trick like this.
I guess calling it "a trick like this" kind of admits that it's a WTF, though.
Admin
The scary thing is that's close to what is considered "best practices" to implement a singleton in PHP4...
Admin
Admin
This programmer is obviously a junior programmer.
Admin
It's a 'shop. I can tell by the pixels.
Admin
Actually, it will work for C++, and 99% of the time it will work for Java. As long as the calling function also uses a String literal (which I imagine it would, this seems to be something they have hard coded into the method and such strings are normally declared as string literals), the two String refrences will refer to the same object in the string pool iff they are the same string.