• (cs)

    It's nice to see actual WTF-ery on 'The Daily Regex'.

  • (cs) in reply to Shill
    Shill:
    I thought for sure the WTF was going to be that they were using LIKE in their database query causing the underscore in the correct email to act like a wildcard. Silly me - instead they made the . act like a wildcard by unnecessarily introducing regular expressions. Obviously I'm not thinking big enough with these WTFs.

    The article reminded me of an issue I saw like that. A user was searching for something like "john_doe", and was confused that results like "johnmdoe" and "john4doe" were coming up.
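
Added example (not part of any comment above and not code from the article): the two wildcard mistakes described in this exchange, each next to a corrected lookup. The account list, table name and function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample accounts, not taken from the article.
ACCOUNTS = [
    "john_doe@example.com",
    "johnmdoe@example.com",   # differs only where LIKE sees "_"
    "john_doe@exampleXcom",   # differs only where a regex sees "."
    "jane@example.com",
]

def regex_lookup(supplied, escape):
    """Match accounts using the supplied address as a regex pattern."""
    pattern = re.escape(supplied) if escape else supplied
    return [a for a in ACCOUNTS if re.fullmatch(pattern, a, re.IGNORECASE)]

def escape_like(value, esc="\\"):
    """Escape the escape character first, then the LIKE wildcards % and _."""
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def sql_lookup(supplied, mode):
    """mode is 'like' (raw pattern), 'like_escaped' or 'equals'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [(a,) for a in ACCOUNTS])
    if mode == "equals":
        # Plain equality: no character in the input is a pattern character.
        sql = "SELECT email FROM users WHERE email = ? COLLATE NOCASE"
    else:
        sql = "SELECT email FROM users WHERE email LIKE ? ESCAPE '\\'"
        if mode == "like_escaped":
            supplied = escape_like(supplied)
    rows = [r[0] for r in db.execute(sql + " ORDER BY rowid", (supplied,))]
    db.close()
    return rows

if __name__ == "__main__":
    who = "john_doe@example.com"
    print("regex, raw     :", regex_lookup(who, escape=False))
    print("regex, escaped :", regex_lookup(who, escape=True))
    print("LIKE, raw      :", sql_lookup(who, "like"))
    print("LIKE, escaped  :", sql_lookup(who, "like_escaped"))
    print("equality       :", sql_lookup(who.upper(), "equals"))
```
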

  • (cs) in reply to cellocgw
    cellocgw:
    Herr Otto Flick:
    Anon:
    TRWTF is that some of the commenters still think it is OK to "validate" email addresses.

    It hasn't been OK, nor has it been POSSIBLE, to "validate" email addresses for a decade, why are you still trying?

    Utter bollocks, email addresses are trivial to validate.

    1. Send an email to the email address with a secret token inside
    2. ask user to supply token
    3. Validated email address

    Moron

    Except that it's not all that hard to hijack the recipient email address in many cases. Some enterprising fellow grabbed some yahoo-mail addresses which had been allowed to expire, BUT which were still the "backup verification" address and semi-abandoned secondary sites. By getting the old "forgot my password" message emailed to the yahoo addresses, he took over other domain accesses from the true owner.

    I don't see how that's even remotely related. In your scenario, the address is verified as being real, just not by the original/correct user.

  • (cs) in reply to cellocgw

    edit: double post, and the delete button doesn't work

  • eric76 (unregistered) in reply to anonymous
    anonymous:
    Geoff:
    Strictly speaking [email protected] and [email protected] are different addresses.

    To add complication, user@example and [email protected] are equal - the domain part is case non-sensitive.

    According to RFC, DNS is case-insensitive...

    If you look, you might see some DNS servers querying your DNS server with odd mixed case expressions such as wwW.exAMPlE.Com.

    The basic idea is that the DNS server querying your DNS server will be better able to distinguish a spoofed response from a real response by seeing if the mixed case in the response matches the request.
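
Added example (not part of the comment above): a sketch of the mixed-case check eric76 describes, where the resolver randomizes the case of the query name and accepts a response only if the name comes back byte for byte. The function names and the hand-built packets are constructed for illustration.

```python
import secrets
import struct

def mix_case(name, rand_bit=lambda: secrets.randbits(1)):
    """Randomly choose upper or lower case for each letter of a DNS name."""
    return "".join(
        c.upper() if c.isalpha() and rand_bit() else c.lower() for c in name
    )

def encode_question(name, qtype=1, qclass=1):
    """Wire format: length-prefixed labels, root label, QTYPE, QCLASS."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)

def build_message(txid, name, flags=0x0100):
    """Header (ID, flags, QDCOUNT=1, other counts 0) plus one question."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_question(name)

def question_name(message):
    """Read the first question name exactly as it appears on the wire."""
    pos, labels = 12, []
    while message[pos]:
        length = message[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def accept_response(query, response):
    """Accept only if the ID matches and the echoed name keeps our exact case."""
    (query_id,) = struct.unpack("!H", query[:2])
    (response_id,) = struct.unpack("!H", response[:2])
    return query_id == response_id and question_name(query) == question_name(response)

if __name__ == "__main__":
    name = mix_case("www.example.com")
    query = build_message(0x1234, name)
    echoed = build_message(0x1234, name, flags=0x8180)               # case preserved
    guessed = build_message(0x1234, "www.example.com", flags=0x8180)  # case not known
    print(name, accept_response(query, echoed), accept_response(query, guessed))
```
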

  • (cs)

    Hint to users.

    If it's broke and you are okay with that then shut up.

    If it's broke and you want it fixed THEN report it.

    If it isn't broke but you want it to work differently..well, shut up.

  • qbolec (unregistered)

    Is the user who "complained about having too much access" and a user for which the bug "was saving so much time" the same user?

  • luptatum (unregistered) in reply to Anon
    Anon:
    Which of the standards?
    Whichever is the current RFC that defines the syntax of email addresses, of course.
  • (cs) in reply to luptatum
    luptatum:
    Anon:
    Which of the standards?
    Whichever is the current RFC that defines the syntax of email addresses, of course.

    2324

  • np (unregistered) in reply to qbolec
    qbolec:
    Is the user who "complained about having too much access" and a user for which the bug "was saving so much time" the same user?

    Yes. Which just shows that the user is the idiot and would be better off keeping their mouth shut.

  • The Truth, The Hole Truth, And Nothing Butt (unregistered) in reply to foo AKA fooo
    foo AKA fooo:
    pjt33:
    RFoxmich:
    anonymous:
    TRWTF is ...
    That and "Wait, no, I want it back!" she said. "I make so many typos using that form, it was saving me so much time!"
    That's blatant nonsense added to pad out the story, so it doesn't count.
    It's obviously fictional, but it's short and to the point, without introducing redundant characters, obscure quotes and long filler text. To me that's an acceptable level of creative writing (provided the rest of the story is real).

    I guess you're new here.

  • Norman Diamond (unregistered) in reply to Gene Wirchenko
    Gene Wirchenko:
    On a similar tack, there is "Falsehoods Programmers Believe About Names" at http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/.
    I tried e-mailing the guy with several additions but he's not accepting anything. I forgot most of what I mailed to him, but here are two.

    Elizabeth II's last name is not II.

    Even when a person has a first name, middle name, and last name, and has reached the age of 30, the assumption that she knows what her name is is an invalid assumption. My wife even had a passport with what she thought her name was, before she learned that it wasn't her name. She had to get a court order to correct her name to what she'd been using all her life.

    Oh wait, here's a worthy WTF for this site. Last month she used her embassy's web site to submit an application to renew her passport. The embassy's web site even mojibake'd one of the characters in that country's own language.

  • Spencer (unregistered)

    If Antoine is on the phone with a user, that would mean Antoine is on the helpdesk, right?

    So, Antoine, and others on the helpdesk going by the article ("In DroneDeliveries' giant cubicle farm, so many hands touch so many pieces of code that a warehouse of monkeys could make better code") are making (and committing) on the fly changes to production code. It's a Developestuction environment.

    This, and none of the other commenters noticing it, are TRWTFs

  • (cs) in reply to Spencer
    Spencer:
    So, Antoine, and others on the helpdesk ... are making (and committing) on the fly changes to production code....

    This, and none of the other commenters noticing it, are TRWTFs

    There is nothing in the article to indicate the elapsed time between the original report and Antoine's return call. It could have been days or weeks, plenty of time for adequate testing (not that DroneDeliveries appears to be the sort of place that actually had adequate testing), or at least a proper release cycle. I wouldn't be surprised if you're right, but the story doesn't say one way or the other.

  • Elm (unregistered)

    Unrelated, but just saw the WTF in the ad banner: "Deploy from hudson with buildmaster", it's called Jenkins now =)

  • Naomi (unregistered) in reply to Geoff
    Geoff:
    Strictly speaking [email protected] and [email protected] are different addresses. Almost every mail delivery agent I have ever worked with treats them as the same but the specifications really do call for treating the mailbox part of the address as a label; and the MTAs largely get it right.

    Using a simple equality check where e-mail addresses are being utilized as user names is probably the most correct because when both [email protected] and [email protected] try and sign up for your service they are going to be very frustrated, but then if you don't at least ucase() when the thousands [email protected] type address users attempt to login as [email protected] they are going to be similarly frustrated. Wrong though they may be, their numbers are greater; so when management gets the "bug" reports they are going to win.

    All in all regex is probably not the way to do it but you do need to tolerate some address mugging.

    Why not just convert everything that is entered in the registration box and login box to lower case before you even do anything with it? That seems far less complicated. Why would there be a need to use upper case for an e-mail address? There simply is no need for it, even if a very few users might wish to utilize that. It's not worth the time to set your system up just so a few users can have upper case characters in their e-mail address that they use to login. The accounts are treated as one and the same when you send an e-mail to them anyway, so typing some letters in upper case doesn't matter in the end. Just convert them to lower case and let the users type it however they want.
  • (cs) in reply to Norman Diamond
    Norman Diamond:
    Elizabeth II's last name is not II.
    Yeah, it's Windsor. As in Barbara.
  • faoileag (unregistered) in reply to dkf
    dkf:
    Norman Diamond:
    Elizabeth II's last name is not II.
    Yeah, it's Windsor. As in Barbara.
    Nope, it's Mountbatten-Windsor. She is married, you know (source).
  • dgschrei (unregistered) in reply to bob
    bob:
    Because of Turkish uppercase 'i' ?

    so string.toLowerCase() then?

    There I fixed it.

    Instead of relying on the assumption that this will not fail in another language why not shove that problem over to the folks at MS and have their implementation handle it.

    String.Compare(emailOne, emailTwo, StringComparison.CurrentCultureIgnoreCase);

  • Anon (unregistered) in reply to Naomi
    Naomi:
    Geoff:
    Strictly speaking [email protected] and [email protected] are different addresses. Almost every mail delivery agent I have ever worked with treats them as the same but the specifications really do call for treating the mailbox part of the address as a label; and the MTAs largely get it right.

    Using a simple equality check where e-mail addresses are being utilized as user names is probably the most correct because when both [email protected] and [email protected] try and sign up for your service they are going to be very frustrated, but then if you don't at least ucase() when the thousands [email protected] type address users attempt to login as [email protected] they are going to be similarly frustrated. Wrong though they may be, their numbers are greater; so when management gets the "bug" reports they are going to win.

    All in all regex is probably not the way to do it but you do need to tolerate some address mugging.

    Why not just convert everything that is entered in the registration box and login box to lower case before you even do anything with it? That seems far less complicated. Why would there be a need to use upper case for an e-mail address? There simply is no need for it, even if a very few users might wish to utilize that. It's not worth the time to set your system up just so a few users can have upper case characters in their e-mail address that they use to login. The accounts are treated as one and the same when you send an e-mail to them anyway, so typing some letters in upper case doesn't matter in the end. Just convert them to lower case and let the users type it however they want.

    Remember that 伊昭傑@郵件.商務 is a valid email address.

    伊昭傑@екзампл.ком is also a valid email address.

    CAPTCHA: appellatio - This is either a typo, or when <censored> <censored> and you <censored>.

  • Name (unregistered) in reply to chubertdev
    chubertdev:
    luptatum:
    Anon:
    Which of the standards?
    Whichever is the current RFC that defines the syntax of email addresses, of course.

    2324

    Unfortunately the standard syntax for email addresses cannot be parsed by a regular expression (although there's a pretty long one that gets close); you would actually need a context-free grammar parser.

    Luckily, nobody* actually uses the ugly parts of the standard that make e-mail addresses a context-free language, so a regex can work in practice most of the time.

    (*for values of "nobody" that will be acceptable to project management but not acceptable to Internet pedants)

  • (cs) in reply to Name
    Name:
    Unfortunately the standard syntax for email addresses cannot be parsed by a regular expression (although there's a pretty long one that gets close); you would actually need a context-free grammar parser.
    Perl "regular" expressions allow a bit more than real regular expressions. The pretty long one is a Perl-RegEx, but only parses RFC822.
  • (cs) in reply to Norman Diamond
    Norman Diamond:
    Gene Wirchenko:
    On a similar tack, there is "Falsehoods Programmers Believe About Names" at http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/.
    I tried e-mailing the guy with several additions but he's not accepting anything. I forgot most of what I mailed to him, but here are two.

    Elizabeth II's last name is not II.

    Even when a person has a first name, middle name, and last name, and has reached the age of 30, the assumption that she knows what her name is is an invalid assumption. My wife even had a passport with what she thought her name was, before she learned that it wasn't her name. She had to get a court order to correct her name to what she'd been using all her life.

    Oh wait, here's a worthy WTF for this site. Last month she used her embassy's web site to submit an application to renew her passport. The embassy's web site even mojibake'd one of the characters in that country's own language.

    Solution: don't marry a mail-order bride.

  • Anon (unregistered) in reply to no laughing matter
    no laughing matter:
    Name:
    Unfortunately the standard syntax for email addresses cannot be parsed by a regular expression (although there's a pretty long one that gets close); you would actually need a context-free grammar parser.
    Perl "regular" expressions allow a bit more than real regular expressions. The pretty long one is a Perl-RegEx, but only parses RFC822.

    Validating against RFC822 and nothing else is only acceptable if your mailserver also hasn't been updated since the early 1980s.

  • Norman Diamond (unregistered) in reply to dgschrei
    dgschrei:
    bob:
    Because of Turkish uppercase 'i' ?

    so string.toLowerCase() then?

    There I fixed it.

    Instead of relying on the assumption that this will not fail in another language why not shove that problem over to the folks at MS and have their implementation handle it.

    String.Compare(emailOne, emailTwo, StringComparison.CurrentCultureIgnoreCase);

    If your current culture is different from the current culture of the mail server used by the destination, you'll still screw up.

  • Norman Diamond (unregistered) in reply to Anon
    Anon:
    Remember that 伊昭傑@郵件.商務 is a valid email address.

    伊昭傑@екзампл.ком is also a valid email address.

    Not a problem. 伊昭傑 remains 伊昭傑 whether in upper or lower case, just like _-+ does.

    In a Japanese locale the lower case of THIS is this (those are wide characters, full width Romaji).

    In a Turkish locale I wonder how to lowercase THIS (I don't think there exists a wide character, full width lower case undotted i)

    In a German locale the upper case of ß is still lower case, but I read that Unicode is inventing an upper case for it.
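
Added example (not part of any comment above): a locale-independent comparison key for addresses used as login names, covering the cases raised in this part of the thread (Turkish I, ß, non-ASCII domains). It assumes the service has decided to treat the local part as case-insensitive; `login_key` and `turkish_lower` are names made up here, and `turkish_lower` only imitates what culture-sensitive lower-casing does under Turkish rules.

```python
import unicodedata

def login_key(address):
    """Comparison key that is the same on every machine, whatever its locale."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local@domain")
    # casefold() applies fixed Unicode rules and never consults the locale.
    local = unicodedata.normalize("NFC", unicodedata.normalize("NFC", local).casefold())
    # Domain names are case-insensitive; IDNA yields one ASCII form per name.
    domain = domain.encode("idna").decode("ascii").lower()
    return local + "@" + domain

def turkish_lower(text):
    """Illustration only: Turkish rules map 'I' to dotless 'ı' and 'İ' to 'i'."""
    return text.replace("I", "ı").replace("İ", "i").lower()

def same_account(a, b):
    return login_key(a) == login_key(b)

if __name__ == "__main__":
    # Constructed sample addresses.
    print(login_key("John.Doe@Example.COM"))
    # Culture-sensitive lower-casing gives a different string on a Turkish system:
    print(turkish_lower("INFO@example.com"), "vs", login_key("INFO@example.com"))
    # Case folding treats ß and SS as the same text:
    print(same_account("Straße@example.com", "STRASSE@example.com"))
    # Non-ASCII domains fold to one punycode form regardless of input case:
    print(login_key("伊昭傑@ЕКЗАМПЛ.КОМ") == login_key("伊昭傑@екзампл.ком"))
```
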

  • Robert (unregistered) in reply to Geoff

    Case insensitive is better.

    This reminds me of an old riddle: "This thing belongs to you, yet other people use it more than you do. What is it?" The answer is "your name".

    For the users, it's just a lot easier for everyone not to have to explain to their Aunt Marge that (1) e-mail addresses are case-sensitive and (2) which case their particular e-mail address is. Not to mention that (3) on the telephone, or face to face for that matter, capital letters sound the same as lowercase letters; (4) less room for clerical errors; and (5) do you really want someone else reading your e-mail because Aunt Marge / the pointy-haired boss / whoever forgot to press (or forgot not to press) the shift key?

  • Cheong (unregistered) in reply to Palad1
    Palad1:
    If only there was a way to check for string equality without case-sensitivity in .Net...

    Google is your friend: http://msdn.microsoft.com/en-us/library/system.stringcomparison(v=vs.110).aspx

  • Anon (unregistered) in reply to Cheong
    Cheong:
    Palad1:
    If only there was a way to check for string equality without case-sensitivity in .Net...

    Google is your friend: http://msdn.microsoft.com/en-us/library/system.stringcomparison(v=vs.110).aspx

    TRWTF is this reply to a comment which fails to get the joke, which also fails to get the no less than two explanations of the joke.

  • anonymous (unregistered) in reply to Norman Diamond
    Norman Diamond:
    In a German locale the upper case of ß is still lower case, but I read that Unicode is inventing an upper case for it.
    Hmm, I never thought of that. Is ß normally written differently in all-caps? (about.com indicates that it won't occur at the beginning of a word, so you'd only have a capital ß if you're writing in all-caps.)
  • Mike L (unregistered) in reply to Geoff

    For some reason this font keeps looking to me like I'm seeing corn, not com... Maybe it's this lousy 1280 x 800 monitor. Sorry, back to your regular dwtfery.

  • Norman Diamond (unregistered) in reply to anonymous
    anonymous:
    Norman Diamond:
    In a German locale the upper case of ß is still lower case, but I read that Unicode is inventing an upper case for it.
    Hmm, I never thought of that. Is ß normally written differently in all-caps? (about.com indicates that it won't occur at the beginning of a word, so you'd only have a capital ß if you're writing in all-caps.)
    No, normally it is written using a German locale which doesn't have an upper case character for that. I read that Unicode is inventing an upper case for it. The reason Unicode's invention is Unicode's invention is that it isn't part of normal German.

    http colon slash slash www dot the-interweb dot com /serendipity/index.php?/archives/80-Converting-strings-to-upper-case-is-tricky.html says that Java correctly capitalizes straße to STRASSE.


    Akismet can kiß my aß.

    Fuck you Akismet. Let's advertise stolen credit cards, will you be happy now?

    No? How about Viagara then, Akismet?

    if (akismet.judge(x) == human.judge(x)) {
      // it doesn't matter what we say here -- undefined behaviour
    } else {
      cout << "what do we need to try next?"
    }
    
    lk;jfsdgkjs;kljgdkjlfjgs

    Lorem akismet ipsum akismet I don't know the rest of it.

  • Sir Galahad the pure (unregistered)

    Reminds me of the joke about the customer coming to a grocery store. He comes in day after day, asking if they sell "death caps" ( http://en.wikipedia.org/wiki/Amanita_phalloides ).

    When the shop owner is finally tired of the customer asking every single day and stocks them, the customer replies with "You'll have to dispose of them, they are very dangerous!".

  • Neil (unregistered) in reply to anonymous
    anonymous:
    Is ß normally written differently in all-caps?
    I've only ever seen it written as SS in all-caps, but my experience is hardly representative.
  • SecretMonkey (unregistered)

    "DroneDeliveries". I never would have expected for them to have a bug like that.
