• (disco) in reply to Jaloopa

    But we're still filtering out aol.com$ right?

    :nine: :zero: :trolleybus:

  • (disco) in reply to lolwhat

    And #, !, $, %, &, ', *, /, =, ?, ^, `, {, }, |, ~.

  • (disco) in reply to HardwareGeek
    HardwareGeek:
    And - please.

    I'm sure there's more. I have managed to avoid learning any but the most basic of old-school Perl/Awk-style regexes so far, so I just don't know if the regex above matched anything but letters.

  • (disco) in reply to EmptyJayy

    Well, if they are assigning the function to a variable in the global scope, you could hypothetically prevent them from defining it if you created a non-configurable, non-writable property of the window object before their script runs...

    [image]
  • (disco) in reply to anotherusername

    alternatively if they don't spaff function references around in all their callbacks you could just replace their function in the global scope with one that returns true/false as appropriate.

  • (disco) in reply to accalia
    accalia:
    spaff
    I found the Urban Dictionary definitions for that…
  • (disco) in reply to flabdablet
    flabdablet:
    . Nobody should ever send an email with a clickable link to a login page; that pattern should belong only to phisherfolk.
    One thing I'd like to see some low-value places (e.g. forums like this) support is an option, instead of just a password reset link, to send a "you are now logged in" link. Just something that has some large randomly-generated ID that immediately logs you in. Half the time I go through a password reset I'm using it for basically that anyway.
  • (disco) in reply to RaceProUK

    the correlation is not entirely unintended.

  • (disco) in reply to loose
    loose:
    At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.

    Cutting and pasting sorta defeats the object of the exercise. I suppose persistent practitioners of this - who are only harming themselves - will eventually get the internet equivalent of a Darwin Award.

    Oh, yeah, except for the people that typed it wrong twice.

    I once overheard a system manager talking about how he brought an IBM host to its knees: He said, "I wanted to delete the volume, so I typed the command, checked it, and saw I'd typo'd the volume name. So I typo'd it again and pressed enter."

    (Somewhere, I have a comic from years ago. It showed a bunch of circus clowns doing various things in a systems room, when the boss steps in. Caption: "Okay, which one of you clowns is responsible for yesterday's downtime?")


    And here's an idea for the room: Why don't all these infernal regex engines provide a built-in pattern for email validation?

    Something like: [:email:]

    In use: /^[:email:]$/

  • (disco) in reply to accalia

    Replacing their function after the page loads might work, but it depends on how they set up the event handler.

    And if I knew that, it would probably be easier to just remove the event handler.

  • (disco) in reply to CoyneTheDup
    CoyneTheDup:
    Why don't all these infernal regex engines provide a built-in pattern for email validation?

    Because someone will yell about whatever it misses or falsely claims as bad. If you are checking them with a reg ex you need to determine what bad you are OK with, not everyone has the same bads that are acceptable.

  • (disco) in reply to dkf
    dkf:
    I hate it when sites go to great lengths to disable this sort of thing.

    Which is why Chrome now plain ignores it for password input fields.

  • (disco) in reply to Ragnax

    I'd noticed that a particular page at work started working for me. I wasn't really paying attention to when it happened exactly, but I just figured they pulled their heads out of their asses. Oops.

  • (disco) in reply to CoyneTheDup
    CoyneTheDup:
    I once overheard a system manager talking about how he brought an IBM host to its knees: He said, "I wanted to delete the volume, so I typed the command, checked it, and saw I'd typo'd the volume name. So I typo'd it again and pressed enter."

    Reminds me of this commit* which fixed a bug in which an extra space between /usr and /lib/nvidia-current/xorg/xorg caused the entirety of /usr to be rm -rf'ed.

  • (disco) in reply to accalia
    accalia:
    additionally you should have no validation on the email address other than "does it have an @ and a domain part?" any other validation should be warning level only "it looks like you might be missing part of your domain

    Also, make sure it doesn't have non-printable characters in it. A \r\n in an email address can ruin your day...

    Jaloopa:
    Personally, I'd validate letters, an @, some more letters, with a warning if there's no dot after the @. Of course, the usual counter to that is that bangpaths or some other weirdness are allowed by the standard so even that is cutting out some legitimate emails, and that's where the proper flaming starts
    I'd validate that you have printables, then an @, then some printables, with a warning if there's no dot in the latter half. You don't need to get nearly as weird as bang paths to break a letters-only validator -- I've had GMail's +-alias syntax get rejected by dumb email "validation" logic before, and it's quite frustrating.
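
The "printables, then an @, then printables, warn if no dot" rule from the two posts above, plus accalia's point about `\r\n`, written out as an added Python example (not code from the thread or from any of the posters). The function name `check_email` and the sample addresses are constructed for this illustration; the one hard rejection is control characters, because a CR/LF that reaches a mail header is a header-injection bug, while a missing dot is only a warning so that `user@localhost`-style addresses are not refused outright.

```python
import re

# Visible ASCII (0x21-0x7E): no space, no control characters, no non-ASCII.
# '+' aliases and '-' in either part are ordinary printables and pass.
_PRINTABLE = re.compile(r"^[\x21-\x7E]+$")


def check_email(addr: str):
    """Return (ok, errors, warnings). Only `errors` should block the form."""
    errors, warnings = [], []

    # Hard reject: any control character. A CR/LF in an address that is later
    # written into a mail header lets extra header lines be injected.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        errors.append("control character in address (CR/LF would break the header)")
        return False, errors, warnings

    # Split on the last '@' so the shape is <local>@<domain>.
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        errors.append("expected <local>@<domain>")
        return False, errors, warnings

    # Printable-only rule from the thread. Internationalised (RFC 6531)
    # addresses would need this relaxed; this example keeps the thread's rule.
    for name, part in (("local part", local), ("domain", domain)):
        if not _PRINTABLE.match(part):
            errors.append(f"{name} contains a space or non-ASCII character")

    # Warning level only: "it looks like you might be missing part of your domain".
    if "." not in domain:
        warnings.append("no dot in the domain; is part of it missing?")
    elif domain.startswith(".") or domain.endswith(".") or ".." in domain:
        warnings.append("dots in the domain look misplaced")

    return not errors, errors, warnings


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for sample in ["name+tag@gmail.com", "first-last@my-domain.example",
                   "user@localhost", "a@b.example\r\nX: y",
                   "no-at-sign.example", "user @example.com"]:
        print(repr(sample), check_email(sample))
```

The split between `errors` and `warnings` is the point: the form blocks only on the first list and shows the second next to the field, so a GMail `+` alias or a hyphenated domain never gets rejected, and a `\r\n` never gets through.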
  • (disco) in reply to tarunik
    tarunik:
    I'd validate that you have printables, then an @, then some printables, with a warning if there's no dot in the latter half.

    So many people are arguing for this, but in my experience far stronger limits have shown to be useful (things like no domain names without ".com",".net",".org" but I basically only deal with the US). That or you can silently accept things and just fix them for users (".cmo" to ".com"), but it's easier to get them to fix it.

  • (disco) in reply to tarunik
    tarunik:
    I've had GMail's +-alias syntax get rejected by dumb email "validation" logic before, and it's quite frustrating.

    I've mentioned this before, but HP's laptop registration software is a big offender here.

  • (disco) in reply to christop

    Yeah, any character that's legal, but I specifically care about - because both my domain and often[1] name parts contain -, and that has caused me trouble in the past.

    [1] I used to use an MDA that, when delivering to name-suffix could apply special filtering rules based on suffix. I still use this for one-time addresses when a random site needs my email address. Unfortunately, it's mostly useless, as 99% of my spam comes to my basic name.

  • (disco) in reply to flabdablet
    flabdablet:
    Not a login action, please. Just a link including a nonce that pairs with a browser cookie to confirm that the email was received by the same user on the same computer as the browser that filled in the email form.

    Same browser? Seems awfully restrictive. You've never gotten a "Check your email for an activation link" message and said, "I don't have time to finish this now, I'll do it later." and when "later" comes you're reading your email on a different computer? Or you've closed your browser and lost your session cookies? Or even had a mailer that can open URLs itself instead of opening them in your usual browser?

    Try this, too: Expire the nonce after a couple minutes, just to annoy people whose mailboxes get checked on a schedule rather than in real-time.

  • (disco)

    I just love it, and this community:

    1. Start a Topic, or better yet, wait for somebody to start one.
    2. Toss something in from out of the left field.
    3. Stir it a bit, or bait someone else to do it.
    4. Sit back and watch.
    5. Profit as the topic gets totally hijacked.

    :laughing:

  • (disco) in reply to Jaloopa
    Jaloopa:
    We still make jokes about Windows bluescreening, so why not?

    Hey, I resen

    [image]
  • (disco) in reply to loose

    It is not even necessary to do this intentionally. Topic drift is a natural thing (as much as Jeff would like it not to happen); the subject of the conversation floats hither and yon like a feather in a breeze. On TDWTF, the breeze is an F5 hurricane.

  • (disco) in reply to HardwareGeek
    HardwareGeek:
    On TDWTF, the breeze is an F5 hurricane.

    Yeah :smile: like one of those fans you get in wind tunnels and the like, where it's only one direction.

    Question is: Does it blow or suck?

    lame, I know, but it's the best I can do at this time of the night

  • (disco) in reply to accalia
    accalia:
    you send them an email with an activastion link in it

    How would http://www.activision.com/ help anything?

  • (disco) in reply to loose
    loose:
    Question is: Does it blow or suck?

    Depends on which way you're facing trying to go. :P

  • (disco) in reply to Ragnax
  • (disco) in reply to Eldelshell

    Are you sure their proxy can set different cache policy according to different pages?

  • (disco) in reply to HardwareGeek

    I have had an address containing - for ~15 years now and last month was the first time I encountered a site that considered it invalid.

  • (disco) in reply to narbat
    narbat:
    Same browser? Seems awfully restrictive.

    Well, it would be a shame for some random person elsewhere in the world to be able to confirm an email address you happened to fat-finger. If you can tell me of some way to avoid the click-to-login-page phish-alike pattern that's one-click convenient, doesn't require login, and doesn't involve matching up the email verification nonce against something left behind in the user's browser, I'm all ears.

    Backing the clicky thing up with a nonce that the user has to paste into a form on your site after logging in by hand should cover the rest of your use cases, I believe.

  • (disco) in reply to obeselymorbid

    I'm beginning to experience this sort of discrimination with my main public email. I just take my business elsewhere, or use any of the infinitely possible ones available @mydomain.fc.uk.u (no, that is not my real domain and, for narrative effect, I thought it would be nice to have something opposite to .me) :smiling_imp:

  • (disco) in reply to Jaloopa
    # RFC 5322 address grammar as named subpatterns; needs perl 5.10+ for (?&name) recursion
    my $email_address = qr/ ^ (?&address) $
        (?(DEFINE)
            (?<DIGIT> [0-9] )
            (?<ALPHA> [A-Za-z] )
            (?<ctext> (?&NO_WS_CTL) | [!-'*-\[\]-~] )
            (?<qtext> (?&NO_WS_CTL) | [!\#-\[\]-~] )
            (?<atext> (?&ALPHA) | (?&DIGIT) | [!\#$%&'*+\-\/=?^_`{|}~] )
            (?<ccontent> (?&ctext) | (?&quoted_pair) | (?&comment) )
            (?<text> [\x{01}-\x{09}\x{0B}\x{0C}\x{0E}-\x{7F}] )
            (?<qcontent> (?&qtext) | (?&quoted_pair) )
            (?<DQUOTE> " )
            (?<CRLF> \x{0D}\x{0A} )
            (?<WSP> [\ \t] )
            (?<atom> (?&CFWS)? (?&atext)+ (?&CFWS)? )
            (?<dot_atom_text> (?&atext)+ ( \. (?&atext)+ )* )
            (?<word> (?&atom) | (?&quoted_string) )
            (?<comment> \( ( (?&FWS)? (?&ccontent) )* (?&FWS)? \) )
            (?<NO_WS_CTL> [\x{01}-\x{08}\x{0B}\x{0C}\x{0E}-\x{1F}\x{7F}] )
            (?<quoted_pair> \\ (?&text) )
            (?<dtext> (?&NO_WS_CTL) | [!-Z^-~] )
            (?<dcontent> (?&dtext) | (?&quoted_pair) )
            (?<FWS> ( (?&WSP)* (?&CRLF))? (?&WSP)+ )
            (?<domain_literal> (?&CFWS)? \[ ( (?&FWS)? (?&dcontent) )* (?&FWS)? \] (?&CFWS)? )
            (?<quoted_string> (?&CFWS)? (?&DQUOTE) ( (?&FWS)? (?&qcontent) )* (?&FWS)? (?&DQUOTE) (?&CFWS)? )
            (?<dot_atom> (?&CFWS)? (?&dot_atom_text) (?&CFWS)? )
            (?<local_part> (?&dot_atom) | (?&quoted_string) )
            (?<domain> (?&dot_atom) | (?&domain_literal) )
            (?<phrase> (?&word)+ )
            (?<mailbox_list> (?&mailbox) (?: , (?&mailbox) )* )
            (?<address_list> (?&address) (?: , (?&address) )* )
            (?<CFWS> (?: (?&FWS)? (?&comment) )? ( (?: (?&FWS)? (?&comment) ) | (?&FWS) ) )
            (?<display_name> (?&phrase) )
            (?<angle_addr> (?&CFWS)? < (?&addr_spec) > (?&CFWS)? )
            (?<group> (?&display_name) : (?: (?&mailbox_list) | (?&CFWS) ) ; (?&CFWS)? )
            (?<addr_spec> (?&local_part) @ (?&domain) )
            (?<name_addr> (?&display_name)? (?&angle_addr) )
            (?<mailbox> (?&name_addr) | (?&addr_spec) )
            (?<address> (?&mailbox) | (?&group) )
        ) /x;

    No flame war required. This one is the complete RFC

  • (disco) in reply to EmptyJayy
    EmptyJayy:
    Now I'm getting more pissed and motivated to figure out enough GreaseMonkey to prevent loading that script... get a proper pc

    :trolleybus:

  • (disco) in reply to boomzilla
    boomzilla:
    But we're still filtering out `aol.com$` right?

    [email protected]...

  • (disco) in reply to flabdablet

    I submit that it'd be worse for some random person elsewhere in the world to be unable to do anything about the email address you happened to fat-finger, and which now results in unwanted email coming to them.

  • (disco) in reply to flabdablet
    flabdablet:
    Not a login action, please. Just a link including a nonce that pairs with a browser cookie to confirm that the email was received by the same user on the same computer as the browser that filled in the email form.

    I'd agree, except reality is a bit more of an ass than you seem to think. You can't rely on going back into the same session, and you can't rely on going back into the same browser, and you can't rely on a short timeout either. Users just don't cooperate with that sort of thing.

    For example, we used to use a greylisting system for email keyed off the sender/recipient pair; the first email would get bounced back for 30 minutes. This was particularly bad with providers who liked to use a unique sender for each email as part of their bounce tracking code…

  • (disco) in reply to dkf

    ...and when they disable copy/paste on the email address and 'repeat password' fields.

    Clue: My passwords tend to look like this: "J4gDUi7e4jGBTdjIUGHgdry".

    Yeah, I'm totally going to type that twice. Or ... maybe I'll just give your site a miss.

  • (disco) in reply to accalia
    accalia:
    assuming of course that it's not buried in a script bundle that has tons of actually useful functionality in it.

    Who would actually do that⸮

    ;)

    dkf:
    The type-it-twice stuff is merely a prophylactic, since some people do consistent typos…

    $ npm help

    Usage: npm <command>

    where <command> is one of: add-user, adduser, apihelp, author, bin, bugs, c, cache, completion, config, ddp, dedupe, deprecate, docs, edit, explore, faq, find, find-dupes, get, help, help-search, home, i, info, init, install, isntall, issues, la, link, list, ll, ln, login, ls, outdated, owner, pack, prefix, prune, publish, r, rb, rebuild, remove, repo, restart, rm, root, run-script, s, se, search, set, show, shrinkwrap, star, stars, start, stop, submodule, t, tag, test, tst, un, uninstall, unlink, unpublish, unstar, up, update, v, version, view, whoami

    :smiley:

  • (disco) in reply to Onyx
    Onyx:
    isntall

    yeah i found that a while ago while working on SockSite. it made me go :wtf: then it made me go :heart_eyes_cat:

  • (disco) in reply to anotherusername
    anotherusername:
    which now results in unwanted email coming to them

    If you do it properly, they only get the single confirmation email, because your system won't send any others until it has a confirmed address to send them to.

    dkf:
    You can't rely on going back into the same session, and you can't rely on going back into the same browser, and you can't rely on a short timeout either. Users just don't cooperate with that sort of thing.

    Right, which is why the Right Thing is to include a visible, copyable nonce in the confirmation email as well, to be pasted into your site once they've logged on by hand, in case they can't make one-click confirmation work.

    My point is that if you are going to offer your users one-click confirmation convenience, then you really ought to limit the one-click process to work only via the same browser that triggered the confirmation email in the first place. Not necessarily the same session though; you can keep your browser-identifying nonce in a persistent cookie.

    It's really tempting to send a link to your logon page containing an embedded confirmation code, so the email address will be confirmed as soon as they log on through it, but doing that really does train your users to fall for phishing. Users like simple, clear-cut rules, and "we will never send you an email that asks you for your login details" is a good one.

  • (disco) in reply to obeselymorbid

    I haven't tried post-Oracle, but I could never register for anything at sun.com. (Considering that it was for Java, this was probably a blessing in disguise.)

  • (disco) in reply to HardwareGeek
    HardwareGeek:
    I could never register for anything at sun.com

    You didn't miss much…

  • (disco) in reply to flabdablet

    Well then the correct way would be to forgo any sort of link and instead use a short, random, plain-text (e.g. numeric) code. They go to the site, sign in using the password which only they should know, and when they're prompted to confirm their email address they enter the code.

    Then in the email provide a link that says "I did not request this email" which will take them to a page that allows them, after confirming the action, to remove and blacklist their email address from $random_idiot's account and force him to provide a different email address next time he tries to log in.

    In summary, if my email address is linked to $random_idiot's account, give me either some way to hijack the account and reset the password and/or delete the account, or have my email address removed from it and prevent them from using it again, at least with that account on that website.

    Know what's really fun? Trying to argue with support personnel that my gmail address with a . is the same mailbox as the gmail address without that ., which $random_idiot has attempted to use to sign up for a dozen or so different websites over the years.
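
The two confirmation designs argued over above (flabdablet's: a one-click link that only works from the browser that asked, backed by a copyable code for the logged-in fallback; anotherusername's: a short code entered after signing in, plus an "I did not request this" link for the person who actually owns the address) combined into one added Python sketch. This is illustration code written for this page, not from the thread or any project; the class `EmailConfirmation`, its method names and the in-memory storage are all assumptions. The email carries a random link token, a short code and a disown token, and never anything that logs someone in; the browser cookie is set on the form submission and never leaves the browser.

```python
import hashlib
import hmac
import secrets
import time


def _tag(secret: bytes, value: str) -> bytes:
    """Keyed hash of a token or code; only these are stored, never the raw value."""
    return hmac.new(secret, value.encode(), hashlib.sha256).digest()


class EmailConfirmation:
    """Assumed in-memory model of the flows discussed above (not any project's code).

    One pending record per (account, email) holds keyed hashes of the link token,
    the requesting browser's cookie, the short manual code and the disown token,
    plus an issue time and a guess counter for the short code.
    """
    LINK_TTL = 7 * 24 * 3600   # long-lived: mail is often read later, elsewhere
    MAX_CODE_ATTEMPTS = 5      # the manual code is short, so cap guesses

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}
        self.confirmed = set()
        self.blocked = set()   # (account, email) pairs the address owner disowned

    def request(self, account, email, now=None):
        """User submits the email form while logged in.
        Returns (cookie, link_token, code, disown_token): the cookie goes into a
        persistent cookie in that browser, the other three go into the email."""
        if (account, email) in self.blocked:
            return None
        now = time.time() if now is None else now
        cookie, link_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        disown_token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[(account, email)] = {
            "link": _tag(self.secret, link_token),
            "browser": _tag(self.secret, cookie),
            "code": _tag(self.secret, code),
            "disown": _tag(self.secret, disown_token),
            "issued": now,
            "attempts": 0,
        }
        return cookie, link_token, code, disown_token

    def _live(self, account, email, now):
        rec = self.pending.get((account, email))
        if rec is None or now - rec["issued"] > self.LINK_TTL:
            return None
        return rec

    def confirm_link(self, account, email, link_token, cookie, now=None):
        """One-click path: no login, but only from the browser that asked."""
        now = time.time() if now is None else now
        rec = self._live(account, email, now)
        if rec is None or cookie is None:
            return False
        if not hmac.compare_digest(rec["browser"], _tag(self.secret, cookie)):
            return False   # other browser or lost cookie: use the manual code
        if not hmac.compare_digest(rec["link"], _tag(self.secret, link_token)):
            return False
        self._finish(account, email)
        return True

    def confirm_code(self, account, email, code, logged_in_as, now=None):
        """Manual path: the user logged in by hand and typed the code from the email."""
        now = time.time() if now is None else now
        rec = self._live(account, email, now)
        if rec is None or logged_in_as != account:
            return False
        if rec["attempts"] >= self.MAX_CODE_ATTEMPTS:
            return False
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["code"], _tag(self.secret, code)):
            return False
        self._finish(account, email)
        return True

    def disown(self, account, email, disown_token, now=None):
        """'I did not request this' link: the recipient drops the address from the
        account and blocks it for that account. No login and no cookie needed."""
        now = time.time() if now is None else now
        rec = self._live(account, email, now)
        if rec is None or not hmac.compare_digest(rec["disown"], _tag(self.secret, disown_token)):
            return False
        del self.pending[(account, email)]
        self.blocked.add((account, email))
        return True

    def _finish(self, account, email):
        del self.pending[(account, email)]
        self.confirmed.add((account, email))
```

Two choices worth noting: only keyed hashes of the tokens are stored, so a leaked table does not let anyone confirm or disown an address, and the short code is guarded by a per-record attempt counter because eight digits are guessable in a way that a 256-bit link token is not. The disown path deliberately needs neither login nor cookie, since the person clicking it is the one who never had an account.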

  • (disco) in reply to flabdablet
    flabdablet:
    nonce

    Is this the worst named thing in computer science? I don't want Rolf Harris identifying my browser

  • (disco) in reply to Jaloopa
    Jaloopa:
    Is this the worst named thing in computer science? I don't want Rolf Harris identifying my browser

    Apple Watch has a new thing called "complications". (Yes, I know the name comes from horology, but if you're not a watch nerd, the name sounds pretty terrible.)

    There's only two things that are hard in computer science: cache invalidation, naming things, and off-by-one errors.

  • (disco) in reply to Protoman

    That's nowhere near as bad as having your browser send a paedophile for validation

  • (disco) in reply to Jaloopa

    And suddenly your previous comment makes sense.

  • (disco) in reply to Jaloopa
    Jaloopa:
    I don't want Rolf Harris identifying my browser
    Rolf is doing himself no favours at present.
  • (disco) in reply to dkf
    dkf:
    Users just don't cooperate

    There's The Real WTF, right there.

  • (disco)

    WOW!

    I see this has generated a bit of heat in the community :smile:

    In the world of enterprise security, evidently, ninjas scale the walls at night, hacking into workstations and peering at cached content.. well, at least they do that to Sony ;)

    As one commenter so eloquently stated, "As a Network Engineer, billy could have <insert captain obvious solution here>"... as a matter of fact, Billy did do that, however, Billy told someone who is not me that he is sick and tired of numbnuts so Billy decided to toss them under the bus.. The way Billy saw it, it was either them or him who was going to get tossed, and Billy wasn't about to get tossed.

    Billy configured a cache policy on his load balancer to band-aid the issue long enough for the devs to "fix" their code. It took them two weeks to circle back and try and figure out their problem, and to be honest, Billy isn't even certain they've done that. Maybe billy will have to do some more "routine security monitoring".

    Peace!

Leave a comment on “Paying Cache for Insurance”
