• sloosecannon (disco)
    <post>
       <frist/>
    </post>
    
  • Yazeran (disco)

    And this boys and girls is why you should always include a possibility for executing a system exec (after proper sandboxing/sanitizing of course) whenever you are designing / programming anything that can accept data from any source where you are not in absolute control.

    By doing that, your users can always create their own filters / converters so they do not have to make horrors like the one in the article. The horror works, but adding just one more layer of XML would likely summon something evil (the inner regex is there three times already, all you need to do is replace that with 'H*****' and we all know what will happen in that case)

  • Dragnslcr (disco) in reply to Yazeran
    Yazeran:
    The horror works, but adding just one more layer of XML would likely summon something evil (the inner regex is there three times already, all you need to do is replace that with '**Beetlejuice**' and we all know what will happen in that case)

    Fixed that for you.

  • Protoman (disco) in reply to Yazeran
    Yazeran:
    And this boys and girls is why **you should always include a possibility for executing a system exec** (after proper sandboxing/sanitizing of course) whenever you are designing / programming anything **that can accept data from any source where you are not in absolute control.**

    :rofl:

    You just described a huge class of security vulnerabilities. Proper sandbox/sanitizing: easier said than done.

    Having extension mechanisms is a good idea. When they're available, administrators should be able to use them to do what they need, whether they're custom scripts in a DSL or general-purpose programming language, a C shared library extension, shell script, or whatever (and as you said, sandbox them as much as you possibly can).

    But making those extension mechanisms accessible with untrusted data from any source? :rofl:

  • LB_ (disco)

    I think Paula forgot to list this again.

  • Spectre (disco)

    Here's the same thing as a sexpression, because I was bored:

    (* (* (+ (/ (& scary
                   8388607)
                8388608)
             1)
          (<< 1
              (- (& (>> scary
                        23)
                    255)
                 127)))
       (if (eq (& (>> scary
                      31)
                  1)
               1)
           -1
           1))
    

    Where scary is:

    (baseNToInt 16
                (regex '(?:0x)?([0-9a-fA-F][0-9a-fA-F])\\s*([0-9a-fA-F][0-9a-fA-F])\\s*([0-9a-fA-F][0-9a-fA-F])\\s*([0-9a-fA-F][0-9a-fA-F])'
                       (getRowOid '.1.3.6.1.4.1.2011.2.217.1.4.1.1.6')
                       '%4$s%3$s%2$s%1$s'))
    

    TRWTF is that this doesn't handle subnormals and zeroes correctly.

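    The s-expression above is a hand-rolled IEEE 754 single-precision decode: mantissa from the low 23 bits, exponent from bits 23-30 with a bias of 127, sign from bit 31. The following is an added example, not code from the post or the article, written in Python so the defect Spectre points out can be checked: the formula always assumes the implicit leading 1 and the biased exponent, so it cannot produce zero and mis-scales subnormals (it also turns the all-ones exponent into 2^128 instead of infinity/NaN). It also reproduces the octet-string step, where the four hex byte pairs matched by the regex are reassembled in reverse order by the `%4$s%3$s%2$s%1$s` format. The function names and the sample values are constructed for this example; the OID lookup from the post is replaced by a literal string.

    ```python
    import math
    import re
    import struct

    # Same pattern as in the post: up to four hex octets, optional 0x prefix, whitespace allowed.
    OCTET_RE = re.compile(
        r'(?:0x)?([0-9a-fA-F][0-9a-fA-F])\s*([0-9a-fA-F][0-9a-fA-F])'
        r'\s*([0-9a-fA-F][0-9a-fA-F])\s*([0-9a-fA-F][0-9a-fA-F])'
    )


    def word_from_octet_string(text: str) -> int:
        """Mirror of (baseNToInt 16 (regex ... '%4$s%3$s%2$s%1$s')): the four
        captured octets are concatenated in reverse order, i.e. the device
        reports the float little-endian and the result is a big-endian word."""
        m = OCTET_RE.search(text)
        if m is None:
            raise ValueError("no four-octet hex value found in %r" % text)
        g = m.groups()
        return int(g[3] + g[2] + g[1] + g[0], 16)


    def decode_as_in_thread(scary: int) -> float:
        """Transliteration of Spectre's s-expression (hypothetical helper name).
        (<< 1 (- e 127)) is rendered as 2.0 ** (e - 127) so negative exponents
        work; the formula itself is unchanged."""
        mantissa = (scary & 8388607) / 8388608 + 1          # implicit leading 1, always
        exponent = ((scary >> 23) & 255) - 127               # biased exponent, always
        sign = -1 if ((scary >> 31) & 1) == 1 else 1
        return mantissa * 2.0 ** exponent * sign


    def decode_by_hand(scary: int) -> float:
        """The same decode with the special exponent fields handled:
        0 -> zero or subnormal (no implicit 1, exponent fixed at -126),
        255 -> infinity or NaN."""
        sign = -1.0 if (scary >> 31) & 1 else 1.0
        exp_field = (scary >> 23) & 0xFF
        frac = scary & 0x7FFFFF
        if exp_field == 0:
            return sign * (frac / 8388608) * 2.0 ** -126
        if exp_field == 255:
            return sign * float("inf") if frac == 0 else float("nan")
        return sign * (1 + frac / 8388608) * 2.0 ** (exp_field - 127)


    def decode_ieee754(scary: int) -> float:
        """Reference decode using the standard library."""
        return struct.unpack(">f", struct.pack(">I", scary & 0xFFFFFFFF))[0]


    def find_disagreements(words):
        """Return the 32-bit words on which the thread's formula differs from
        the reference decode (NaN == NaN is treated as agreement)."""
        bad = []
        for w in words:
            ref = decode_ieee754(w)
            got = decode_as_in_thread(w)
            if ref != got and not (math.isnan(ref) and math.isnan(got)):
                bad.append(w)
        return bad


    if __name__ == "__main__":
        # Constructed sample: the octet string a device might return for 1.0f.
        sample = "0x00 00 80 3f"
        word = word_from_octet_string(sample)
        print(hex(word), decode_as_in_thread(word), decode_ieee754(word))
        # Constructed edge cases: +0, -0, smallest subnormal, +inf.
        for w in find_disagreements([0x3F800000, 0x40490FDB, 0, 0x80000000, 1, 0x7F800000]):
            print("thread formula wrong for 0x%08x: %r vs %r"
                  % (w, decode_as_in_thread(w), decode_ieee754(w)))
    ```

    For a defender reading SNMP or Modbus values this way, the practical takeaway is that a zero reading is never reported as zero: 0x00000000 decodes to roughly 5.9e-39 under the thread's formula, and a threshold check such as `value <= 0` silently stops matching.
    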
  • Rhywden (disco) in reply to Dragnslcr
    Dragnslcr:
    Yazeran:
    The horror works, but adding just one more layer of XML would likely summon something evil (the inner regex is there three times already, all you need to do is replace that with '**BeetlejuiceHastur**' and we all know what will happen in that case)

    Fixed that for you.

    Fixed that fix for you.

  • Yazeran (disco) in reply to Protoman

    I assumed that only system admins could create said filters (and that they would do a proper job at it) and I also assumed that the default configuration was NOT to allow executes so they have to be enabled explicitly once there is a good reason. If default is to allow, and any odd developer/user could create them, then yes huge security hole.

    And yes, proper sandboxing/sanitizing is a hard thing to do, but with proper care it can be done correctly.

  • anonymous234 (disco)

    The funny thing is that XML is a natural representation for computer programs, which are after all (in every programming paradigm that's actually used) just trees and vectors of operations.

    Yet it's utterly unreadable for humans. So much for XML being human-centered.

  • LB_ (disco) in reply to anonymous234
    anonymous234:
    The funny thing is that XML is a natural representation for computer programs

    I would argue that JSON is far more natural than XML.

  • RFoxmich (disco)

    I deal with software that interfaces to hardware all the time. IMHO TRWTF are hardware designers that torture us software guys by building arcane interfaces just because they can.

    Having dealt with MODBUS in the distant past - well that's a WTF as well.

  • dkf (disco) in reply to anonymous234
    anonymous234:
    So much for XML being human-centered.

    It's better than ASN.1, but so is Ebola.

  • urkerab (disco) in reply to Dragnslcr
    Dragnslcr:
    Yazeran:
    The horror works, but adding just one more layer of XML would likely summon something evil (the inner regex is there three times already, all you need to do is replace that with '**Beetlejuice**' and we all know what will happen in that case)

    Fixed that for you.

    I myself got flamed earlier this month for making the same mistake, but the character is in fact named after the star; it's the film that is named after the two objects that the character uses to help Lydia guess his name.

  • PleegWat (disco) in reply to dkf

    Least ASN.1 is honest about needing a machine to be parsed.

  • anotherusername (disco) in reply to RFoxmich
    RFoxmich:
    I deal with software that interfaces to hardware all the time. IMHO TRWTF are hardware designers that torture us software guys by building arcane interfaces just because they can.

    Having dealt with MODBUS in the distant past - well that's a WTF as well.

    What's so bad about it? It was a format that worked well in its time, and still has its applications. Disclosure: I have to maintain a system that uses it.

    Granted, if you're talking about Modbus TCP/IP, one does wonder why they didn't just take the opportunity to move to something else. But what? Some other proprietary binary format (which Modbus TCP/IP certainly is)? XML? JSON?

  • Martha (unregistered)

    Why are you including a 10MB image in this post?
