Admin
But we're still filtering out aol.com$ right? :nine: :zero: :trolleybus:
Admin
And #, !, $, %, &, ', *, /, =, ?, ^, `, {, }, |, ~.
Admin
I'm sure there's more. I have managed to avoid learning any but the most basic of old-school Perl/Awk-style regexes so far, so I just don't know if the regex above matched anything but letters.
Admin
Well, if they are assigning the function to a variable in the global scope, you could hypothetically prevent them from defining it if you created a non-configurable, non-writable property of the window object before their script runs...
Admin
Alternatively, if they don't spaff function references around in all their callbacks, you could just replace their function in the global scope with one that returns true/false as appropriate.
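The two posts above describe pinning or replacing the page's global validator before the offending script installs its own. The following is an added example, not code from the thread or from any site discussed in it; it runs under Node with globalThis standing in for the browser's window object, and the property name validateEmail is an assumption chosen for illustration.

```javascript
// Added example (not from the thread): pin a global validator before a
// third-party script can define its own. globalThis stands in for window;
// the name validateEmail is assumed for illustration.

// Our own check: printable non-space characters, exactly one @, text on both sides.
function ourValidateEmail(addr) {
  return typeof addr === 'string' && /^[^\s@]+@[^\s@]+$/.test(addr);
}

// Define the binding first, non-writable and non-configurable. Afterwards:
//  - plain assignment is ignored in sloppy mode and throws in strict mode,
//  - defineProperty with a different value fails,
//  - a later top-level `function validateEmail(){}` in a classic <script>
//    throws a TypeError when that script loads, so their copy never installs.
function pinGlobal(name, fn) {
  Object.defineProperty(globalThis, name, {
    value: fn, writable: false, configurable: false, enumerable: true,
  });
  return globalThis[name];
}

// What the other script's code would do after ours has run (strict mode so
// the failed assignment shows up as an exception instead of being dropped).
function attemptOverride(name, fn) {
  'use strict';
  const viaDefine = Reflect.defineProperty(globalThis, name, { value: fn });
  let error = null;
  try {
    globalThis[name] = fn;
  } catch (e) {
    error = e.name;
  }
  return { overridden: globalThis[name] === fn, viaDefine, error };
}

pinGlobal('validateEmail', ourValidateEmail);
const overrideResult = attemptOverride('validateEmail', () => true);

console.log(overrideResult); // { overridden: false, viaDefine: false, error: 'TypeError' }
console.log(globalThis.validateEmail('first-last+tag@example.com')); // true
```

The catch is ordering: this only helps if your script runs before theirs, and only for a classic script that writes to the global object; a function kept in a closure or an ES module's own scope is untouched, which is what the second post's "if they don't spaff function references around" is getting at.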
Admin
the correlation is not entirely unintended.
Admin
Oh, yeah, except for the people that typed it wrong twice.
I once overheard a system manager talking about how he brought an IBM host to its knees: He said, "I wanted to delete the volume, so I typed the command, checked it, and saw I'd typo'd the volume name. So I typo'd it again and pressed enter."
(Somewhere, I have a comic from years ago. It showed a bunch of circus clowns doing various things in a systems room, when the boss steps in. Caption: "Okay, which one of you clowns is responsible for yesterday's downtime?")
And here's an idea for the room: Why don't all these infernal regex engines provide a built-in pattern for email validation?
Something like:
[:email:]
In use:
/^[:email:]$/
Admin
Replacing their function after the page loads might work, but it depends on how they set up the event handler.
And if I knew that, it would probably be easier to just remove the event handler.
Admin
Because someone will yell about whatever it misses or falsely claims as bad. If you are checking them with a regex you need to determine what bad you are OK with; not everyone has the same bads that are acceptable.
Admin
Which is why Chrome now plain ignores it for password input fields.
Admin
I'd noticed that a particular page at work started working for me. I wasn't really paying attention to when it happened exactly, but I just figured they pulled their heads out of their asses. Oops.
Admin
Reminds me of this commit* which fixed a bug in which an extra space between /usr and /lib/nvidia-current/xorg/xorg caused the entirety of /usr to be rm -rf'ed.
Admin
Also, make sure it doesn't have non-printable characters in it. A \r\n in an email address can ruin your day...
I'd validate that you have printables, then an @, then some printables, with a warning if there's no dot in the latter half. You don't need to get nearly as weird as bang paths to break a letters-only validator -- I've had GMail's +-alias syntax get rejected by dumb email "validation" logic before, and it's quite frustrating.
Admin
So many people are arguing for this, but in my experience far stronger limits have proven useful (things like no domain names without ".com", ".net", ".org", but I basically only deal with the US). That or you can silently accept things and just fix them for users (".cmo" to ".com"), but it's easier to get them to fix it.
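The check proposed two posts up (printables, then an @, then printables, with a warning rather than a rejection when the domain has no dot) is small enough to write out, and doing so makes the one hard rule visible: control characters are refused outright because a CR/LF in an address that is later copied into a mail header becomes an extra header line. This is an added example, not code from the thread; the sample addresses are constructed.

```javascript
// Added example (not from the thread): the permissive check described above,
// returning a verdict object so the caller decides how to show the warning.

// Printable ASCII without space is 0x21..0x7E. Anything else (control chars,
// \r, \n, space, non-ASCII) is rejected outright. Internationalised addresses
// (RFC 6531) would need a different printable test; that is a trade-off here.
const NON_PRINTABLE = /[^\x21-\x7e]/;

function checkEmail(addr) {
  const verdict = { ok: false, reason: null, warnings: [] };
  if (typeof addr !== 'string' || addr.length === 0) {
    verdict.reason = 'empty';
    return verdict;
  }
  if (NON_PRINTABLE.test(addr)) {
    verdict.reason = 'non-printable, space or non-ASCII character';
    return verdict;
  }
  const at = addr.indexOf('@');
  // Exactly one @ with something on each side. Quoted local parts such as
  // "a@b"@example.com are RFC-legal but rejected here, another deliberate trade-off.
  if (at < 1 || at !== addr.lastIndexOf('@') || at === addr.length - 1) {
    verdict.reason = 'need exactly one @ with text on both sides';
    return verdict;
  }
  const domain = addr.slice(at + 1);
  // Dotless domains exist (local hosts, intranet names), so warn, don't fail.
  if (!domain.includes('.')) verdict.warnings.push('no dot in domain part');
  verdict.ok = true;
  return verdict;
}

// Constructed sample inputs: + aliases and - pass, header injection does not.
const samples = [
  'first.last+news@gmail.com',
  'a-b@my-domain.example',
  'root@localhost',
  'victim@example.com\r\nBcc: everyone@example.org',
  'no-at-sign',
];
for (const s of samples) console.log(JSON.stringify(s), checkEmail(s));
```

Whatever you decide on the warning, the reject list stays short: the only things this refuses are strings that cannot be delivered or that could smuggle a second header, which is the "what bad you are OK with" decision an earlier post mentions, made explicit.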
Admin
I've mentioned this before, but HP's laptop registration software is a big offender here.
Admin
Yeah, any character that's legal, but I specifically care about - because both my domain and often¹ name parts contain -, and that has caused me trouble in the past.
¹ I used to use an MDA that, when delivering to name-suffix, could apply special filtering rules based on suffix. I still use this for one-time addresses when a random site needs my email address. Unfortunately, it's mostly useless, as 99% of my spam comes to my basic name.
Admin
Same browser? Seems awfully restrictive. You've never gotten a "Check your email for an activation link" message and said, "I don't have time to finish this now, I'll do it later." and when "later" comes you're reading your email on a different computer? Or you've closed your browser and lost your session cookies? Or even had a mailer that can open URLs itself instead of opening them in your usual browser?
Try this, too: Expire the nonce after a couple minutes, just to annoy people whose mailboxes get checked on a schedule rather than in real-time.
Admin
I just love it, and this community:
:laughing:
Admin
Hey, I resen
Admin
It is not even necessary to do this intentionally. Topic drift is a natural thing (as much as Jeff would like it not to happen); the subject of the conversation floats hither and yon like a feather in a breeze. On TDWTF, the breeze is an F5 hurricane.
Admin
Yeah :smile: like one of those fans you get in wind tunnels and the like, where it's only one direction.
Question is: Does it blow or suck?
lame, I know, but it's the best I can do at this time of the night
Admin
How would http://www.activision.com/ help anything?
Admin
Depends on which way you're ~~facing~~ trying to go. :P
Admin
Firefox too
Admin
Are you sure their proxy can set different cache policy according to different pages?
Admin
I have had an address containing - for ~15 years now and last month was the first time I encountered a site that considered it invalid.
Admin
Well, it would be a shame for some random person elsewhere in the world to be able to confirm an email address you happened to fat-finger. If you can tell me of some way to avoid the click-to-login-page phish-alike pattern that's one-click convenient, doesn't require login, and doesn't involve matching up the email verification nonce against something left behind in the user's browser, I'm all ears.
Backing the clicky thing up with a nonce that the user has to paste into a form on your site after logging in by hand should cover the rest of your use cases, I believe.
Admin
I'm beginning to experience this sort of discrimination with my main public email. I just take my business elsewhere, or use any of the infinitely possible ones available @mydomain.fc.uk.u (no, that is not my real domain and, for narrative effect, I thought it would be nice to have something opposite to .me) :smiling_imp:
Admin
No flame war required. This one is the complete RFC
Admin
:trolleybus:
Admin
[email protected]
...
Admin
I submit that it'd be worse for some random person elsewhere in the world to be unable to do anything about the email address you happened to fat-finger, and which now results in unwanted email coming to them.
Admin
I'd agree, except reality is a bit more of an ass than you seem to think. You can't rely on going back into the same session, and you can't rely on going back into the same browser, and you can't rely on a short timeout either. Users just don't cooperate with that sort of thing.
For example, we used to use a greylisting system for email keyed off the sender/recipient pair; the first email would get bounced back for 30 minutes. This was particularly bad with providers who liked to use a unique sender for each email as part of their bounce tracking code…
Admin
...and when they disable copy/paste on the email address and 'repeat password' fields.
Clue: My passwords tend to look like this: "J4gDUi7e4jGBTdjIUGHgdry".
Yeah, I'm totally going to type that twice. Or ... maybe I'll just give your site a miss.
Admin
Who would actually do that⸮
;)
Usage: npm <command>
where <command> is one of: add-user, adduser, apihelp, author, bin, bugs, c, cache, completion, config, ddp, dedupe, deprecate, docs, edit, explore, faq, find, find-dupes, get, help, help-search, home, i, info, init, install, isntall, issues, la, link, list, ll, ln, login, ls, outdated, owner, pack, prefix, prune, publish, r, rb, rebuild, remove, repo, restart, rm, root, run-script, s, se, search, set, show, shrinkwrap, star, stars, start, stop, submodule, t, tag, test, tst, un, uninstall, unlink, unpublish, unstar, up, update, v, version, view, whoami
:smiley:
Admin
Yeah, I found that a while ago while working on SockSite. It made me go :wtf: then it made me go :heart_eyes_cat:
Admin
If you do it properly, they only get the single confirmation email, because your system won't send any others until it has a confirmed address to send them to.
Right, which is why the Right Thing is to include a visible, copyable nonce in the confirmation email as well, to be pasted into your site once they've logged on by hand, in case they can't make one-click confirmation work.
My point is that if you are going to offer your users one-click confirmation convenience, then you really ought to limit the one-click process to work only via the same browser that triggered the confirmation email in the first place. Not necessarily the same session though; you can keep your browser-identifying nonce in a persistent cookie.
It's really tempting to send a link to your logon page containing an embedded confirmation code, so the email address will be confirmed as soon as they log on through it, but doing that really does train your users to fall for phishing. Users like simple, clear-cut rules, and "we will never send you an email that asks you for your login details" is a good one.
Admin
I haven't tried post-Oracle, but I could never register for anything at sun.com. (Considering that it was for Java, this was probably a blessing in disguise.)
Admin
You didn't miss much…
Admin
Well then the correct way would be to forgo any sort of link and instead use a short, random, plain-text (e.g. numeric) code. They go to the site, sign in using the password which only they should know, and when they're prompted to confirm their email address they enter the code.
Then in the email provide a link that says "I did not request this email" which will take them to a page that allows them, after confirming the action, to remove and blacklist their email address from $random_idiot's account and force him to provide a different email address next time he tries to log in.
In summary, if my email address is linked to $random_idiot's account, give me either some way to hijack the account and reset the password and/or delete the account, or have my email address removed from it and prevent them from using it again, at least with that account on that website.
Know what's really fun? Trying to argue with support personnel that my gmail address with a . is the same mailbox as the gmail address without that ., which $random_idiot has attempted to use to sign up for a dozen or so different websites over the years.
Admin
Is this the worst named thing in computer science? I don't want Rolf Harris identifying my browser
Admin
Apple Watch has a new thing called "complications". (Yes, I know the name comes from horology, but if you're not a watch nerd, the name sounds pretty terrible.)
There are only two things that are hard in computer science: cache invalidation, naming things, and off-by-one errors.
Admin
That's nowhere near as bad as having your browser send a paedophile for validation
Admin
And suddenly your previous comment makes sense.
Admin
There's The Real WTF, right there.
Admin
WOW!
I see this has generated a bit of heat in the community :smile:
In the world of enterprise security, evidently, ninjas scale the walls at night, hacking into workstations and peering at cached content... well, at least they do that to Sony ;)
As one commenter so eloquently stated, "As a Network Engineer, Billy could have <insert captain obvious solution here>"... as a matter of fact, Billy did do that; however, Billy told someone who is not me that he is sick and tired of numbnuts, so Billy decided to toss them under the bus. The way Billy saw it, it was either them or him who was going to get tossed, and Billy wasn't about to get tossed.
Billy configured a cache policy on his load balancer to band-aid the issue long enough for the devs to "fix" their code. It took them two weeks to circle back and try to figure out their problem, and to be honest, Billy isn't even certain they've done that. Maybe Billy will have to do some more "routine security monitoring".
Peace!