--- Log opened Mon Nov 19 00:00:21 2018 |
00:22 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has joined #code |
00:22 | | mode/#code [+qo Vornicus Vornicus] by ChanServ |
00:34 | <&McMartin> | Man, trying to talk my way through an Objective-C implementation and pointing out all the wacky bits needed for a novice to follow along gets tedious fast |
00:37 | <~Vornicus> | Having seen ...not terribly much obj-c code, *every goddamn line* is wacky |
00:37 | <~Vornicus> | it's like two languages built on top of one another |
00:53 | <&McMartin> | It is in fact exactly this thing |
00:53 | <&McMartin> | The two languages are Smalltalk and C |
00:53 | <&McMartin> | But unlike C++, Objective-C is actually a superset of C. |
00:55 | <&[R]> | TIL: the million lols attack |
00:55 | <&[R]> | Gotta love how absolutely overkill XML is for anything |
00:56 | <&McMartin> | Isn't that attack based on recursive entity definition? |
00:56 | <&[R]> | Yup |
00:56 | <&McMartin> | That's a pretty trivial attack. You can do that attack with the C preprocessor. |
00:56 | <&[R]> | Right, but you can hit pretty much any XML parser with it |
01:01 | <&McMartin> | Yeah, the basic attack vector here is "recursive macro expansion" |
01:01 | <&McMartin> | That's really not hilarious overkill |
01:02 | <&[R]> | Well specifically the things I was seeing with it |
01:02 | <&McMartin> | This may be different than the one I remember |
01:02 | <&McMartin> | But the one I remember was that you defined &lol0; to be "lol" |
01:02 | <&[R]> | XML base spec includes a way for a file on the filesystem to have its contents replace the contents of elements when parsed |
01:03 | <&McMartin> | And then &lol1; to be &lol0;&lol0; |
01:03 | <&McMartin> | And then &lol2; to be &lol1;&lol1; |
01:03 | <&McMartin> | etc |
01:03 | <&[R]> | Same thing allows arbitrary strings, which is how the million lols is done |
01:03 | <&McMartin> | And then &lol40; ends up being 3TB. |
01:04 | <&McMartin> | So, you know, yeah, congratulations, you just defined a 3TB symbol in less than a kilobyte |
01:04 | <&[R]> | Right |
01:05 | <&[R]> | But people use very, very small subsets of XML, not realizing there's problematic "features" like that |
01:05 | <&[R]> | Then they have to deal with massive attack surfaces due to simply choosing to use XML |
01:05 | <&McMartin> | I'd say "Entities are pretty core" |
01:06 | <&[R]> | Rather than something that is actually simple |
01:06 | <&McMartin> | If you want a small attack surface, use plaintext |
01:06 | <&McMartin> | ... or IFF. |
01:07 | | * Mahal has to reread the lol thing three times to get it, approves. |
01:08 | <&McMartin> | That said, even with plaintext |
01:08 | <&McMartin> | Someone can just straight-up feed you a 3TB file. |
01:08 | <&McMartin> | Or pump /dev/urandom into stdin |
01:09 | <&[R]> | You can actually block those fairly trivially, and would as basic best practices |
01:10 | <&McMartin> | So can libxml2 =P |
01:11 | <&McMartin> | The objection here is that if you want some kind of guarantee of security of any kind, the correct attitude to take is "stop telling computers to do things. Use as your computation model a mainframe running a COBOL program that turns individual punchcards into other, different punchcards." |
01:11 | <&McMartin> | And there's a lot of things out there that do not do this but which really should. |
01:12 | <&[R]> | No, the objection here is "people want a dumb parser, but are using a Turing complete language instead" |
01:12 | <&[R]> | Likely unknowingly |
01:12 | <&McMartin> | This is, in short, not a flaw in XML as a format; the million lols is a valid XML document |
01:13 | <&[R]> | Every XML document I've seen has clearly been meant for a system that expects dumb-parsing |
01:14 | <&McMartin> | You've never seen an XHTML document that uses —? |
01:14 | <&[R]> | RSS, ATOM, XML-RPC, configuration files |
01:15 | <&McMartin> | I think I'm unimpressed by this particular case because the million lols is like the project someone here was doing years ago |
01:15 | <&McMartin> | Of trying to figure out how to hand-produce a PNG file that specified a 100000x100000 pixel RGBA image in a sane-looking size. |
01:16 | <&[R]> | I think you're being overly generous with how much influence the million lols attack has on my actual point. |
01:16 | <&McMartin> | Well |
01:16 | <&McMartin> | 16:55 <&[R]> TIL: the million lols attack |
01:16 | <&McMartin> | 16:55 <&[R]> Gotta love how absolutely overkill XML is for anything |
01:16 | <&McMartin> | I am indeed reading this as "the million lols attack is evidence of the massive overkillness of XML" |
01:16 | <&[R]> | That was merely the catalyst for my realization: XML is NOT A DUMB PARSER, yet clearly MANY people think it is |
01:17 | <&[R]> | And that's the issue |
01:17 | <&[R]> | Nearly every actual use of XML clearly wanted a dumb-parser |
01:17 | <&[R]> | Hence, XML is overkill, because it does *way* more than needed for that basic functionality |
01:18 | <&McMartin> | Right, but that comes out to "like #include and #define, which obviously nobody would ever intentionally want for configuration files" and then I'm not on the same road you are. |
01:18 | <&McMartin> | Because they "obviously" would want that but they "shouldn't" |
01:19 | <&[R]> | Hell, during the buzz of it all, it was clearly being marketted as a simple encoding protocol |
01:19 | <@celticminstrel> | That almost instantly made me think of httpd configuration files. |
01:20 | | Kindamoody is now known as Kindamoody[zZz] |
01:21 | <&ToxicFrog> | [R]: during "the buzz" it was being marketed as a markup language and as a natural way of generalizing and improving upon HTML, which is something it's actually good at |
01:21 | <&ToxicFrog> | And then endless legions of hateful idiots started using it as a data encoding format instead. |
01:21 | <@celticminstrel> | s/HTML/SGML/ |
01:21 | <@celticminstrel> | I mean, what else is it supposed to be if not a data encoding format |
01:21 | <&[R]> | ToxicFrog: I use "marketted" to mean the buzz around it |
01:22 | <&[R]> | IE: what those "hateful idiots" were talking about |
01:22 | <&ToxicFrog> | celticminstrel: like I, and the original XML designers, said...a markup language. A way of annotating human-readable text for machine processing. |
01:23 | <@celticminstrel> | So RSS is an example of this, I suppose? |
01:23 | <&[R]> | Now I'm sure XML actually has some legitimate uses |
01:23 | <@celticminstrel> | IIRC Netscape used an SGML format for storing bookmarks, I suppose that too would be an example of this? |
01:23 | <&[R]> | But for most of the uses it actually ended up being used for... no. It's pure overkill. |
01:25 | <@celticminstrel> | But I guess the Apple plist format is not? |
01:25 | <@celticminstrel> | Though they changed the format at some point to be more JSON-like. |
01:25 | <&ToxicFrog> | XHTML is a good example of XML as markup language, I've run into XML-based replacements for man pages before. SGML I'm not familiar with. RSS is XML-as-data-encoding and could be replaced with JSON or EDN with no loss of functionality (but much smaller parsing libraries). |
01:25 | <&ToxicFrog> | I don't know anything about pList. |
01:25 | <@celticminstrel> | Um ToxicFrog. |
01:25 | <@celticminstrel> | SGML is literally the predecessor to XML. |
01:25 | <@celticminstrel> | HTML 4 and earlier were an SGML application. |
01:26 | <@celticminstrel> | Just as XHTML is an XML application. |
01:26 | <&ToxicFrog> | Aah. Neat. |
01:26 | <&McMartin> | Docbook is also SGML and while the XML equivalent of it did not catch on it is also an obvious application. |
01:27 | <&McMartin> | Apple plists have XML, JSON, and binary representations and are all treated as equivalent. |
01:27 | <@celticminstrel> | So RSS is not a good example in your estimation, huh. |
01:27 | <&McMartin> | The XML is so close to JSON it is almost safe to regex it. |
01:27 | <@celticminstrel> | "almost" heh |
01:27 | <&McMartin> | Regexing JSON is a slightly less bad idea than regexing HTML but it's still a very bad idea~ |
01:28 | <@celticminstrel> | I've probably done both many times. |
01:28 | <&McMartin> | I've been poking at the extended RSS format that Wordpress uses when you export a site and it seems like an entirely reasonable XML application, though it's one with some extremely sharp corners if you wanted dumb parsing to actually work. |
01:29 | <&McMartin> | (In part because a thing you find yourself doing in this case is encoding SGML within XML, which means you have to use the ![[CDATA]] parts of XML to represent it sanely without breaking the validity of the document) |
01:30 | <&ToxicFrog> | In fairness, all the RSS examples I've looked at have been for podcasts with one-sentence content descriptions and could be replaced with literally any format that supports string-string maps |
01:31 | <&ToxicFrog> | If there are RSS feeds that contain actual content rather than just links to content that sounds like a better use |
01:31 | <@celticminstrel> | I've seen RSS feeds that contain the entire post. |
01:32 | <@celticminstrel> | Though I think more often they just contain the first few paragraphs or something and a link. |
01:32 | <&McMartin> | Yeah, if I export Bumbershoot Software it is "an RSS feed" with the full content of every post I've made and links to every image, and which posts link which images, etc. |
01:32 | <&[R]> | thedailywtf.com has most of the HTML |
01:32 | <@celticminstrel> | I've seen RSS feeds for webcomics that actually embed the comic page, and others that don't. |
01:32 | <&[R]> | But even then, you don't want the XML reader parsing the HTML... |
01:32 | <&McMartin> | Right, which is why RSS uses CDATA for those. |
01:32 | <&[R]> | Well, you might, but not in the same step as the rest of it |
01:32 | <&McMartin> | Right |
01:33 | <&McMartin> | One of my projects I haven't really started yet is taking my blog archive and getting enough autoparsing of that RSS to get a bunch of SGML in docbook format for turning certain series of essays into PDFs or the like. |
01:36 | <@celticminstrel> | (I wonder, is HTML5 still valid SGML? I don't think the SGML schema language can fully encode it, but an HTML5 document might still be well-formed SGML...) |
01:37 | <&McMartin> | "The HTML 5 syntax is no longer based on SGML despite the similarity of its markup. It has, however, been designed to be backward-compatible with common parsing of older versions of HTML. It comes with a new introductory line that looks like an SGML document type declaration, <!DOCTYPE html>, which triggers the standards-compliant rendering mode." |
03:41 | | Emmy [Emmy@Nightstar-9p7hb1.direct-adsl.nl] has joined #code |
03:47 | | Emmy [Emmy@Nightstar-9p7hb1.direct-adsl.nl] has quit [Ping timeout: 121 seconds] |
04:01 | | celticminstrel is now known as celmin|sleep |
04:23 | <&[R]> | WTF |
04:23 | <&[R]> | Can I not update a variable inside a while read loop? |
04:23 | <&[R]> | (Bash) |
04:30 | <&[R]> | Found a work-around! |
04:30 | <&[R]> | :) |
04:35 | <&[R]> | http://pkg.nobl.ca/intake.sh.txt |
04:35 | <&[R]> | Behold, my beautiful work |
04:39 | <~Vornicus> | ;_; |
04:40 | <&[R]> | Do you like my workaround to the no-update-variable issue? |
04:41 | <~Vornicus> | I can't read it. |
04:42 | <&[R]> | Okay, so instead of updating the variable (files), I output the values it would have with echo -n, then command substitution them into a really long string. |
04:42 | <&[R]> | Then I string-slice-loop through to get all the values out |
04:53 | <&[R]> | Added some comments to make it a bit more clear what the string slices are for |
05:07 | | Derakon is now known as Derakon[AFK] |
05:11 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has quit [Ping timeout: 121 seconds] |
06:18 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has joined #code |
06:18 | | mode/#code [+qo Vornicus Vornicus] by ChanServ |
06:23 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has quit [Ping timeout: 121 seconds] |
08:16 | <@macdjord> | [R]: I'm not a BASH expert, but I think the variable assignment problem you're having is because of... subshells? Maybe try adding 'export $files' after the assignment? |
09:51 | | Alek [Alek@Nightstar-o723m2.cicril.sbcglobal.net] has quit [[NS] Quit: ] |
09:53 | | Alek [Alek@Nightstar-o723m2.cicril.sbcglobal.net] has joined #code |
09:53 | | mode/#code [+o Alek] by ChanServ |
09:56 | <&[R]> | macdjord: no go |
10:57 | | Kindamoody[zZz] is now known as Kindamoody |
11:38 | <&ToxicFrog> | [R] macdjord : it's because each process in the pipeline runs in a subshell, and subshells don't communicate changes in their environment back to their parents. |
11:38 | <&[R]> | That's what I figured |
11:38 | <&ToxicFrog> | [R]: the setting you were looking for is "shopt -s lastpipe" which makes the last command a pipeline run in the invoking shell rather than in a subshell. |
11:39 | <&[R]> | Just annoying that `while read` makes a subshell |
11:39 | <&[R]> | Oh it's the piping that's causing it? |
11:39 | <&ToxicFrog> | Yes. |
11:41 | <&[R]> | http://pkg.nobl.ca/intake2.sh.txt |
11:41 | <&[R]> | Or I could do that :p |
11:43 | <&ToxicFrog> | $ (shopt -u lastpipe; i=0; printf '%d\n' 1 2 3 4 5 | while read n; do ((++i)); done; echo $i) |
11:43 | <&ToxicFrog> | 0 |
11:43 | <&ToxicFrog> | $ (shopt -s lastpipe; i=0; printf '%d\n' 1 2 3 4 5 | while read n; do ((++i)); done; echo $i) |
11:43 | <&ToxicFrog> | 5 |
11:44 | <&[R]> | Still good to know |
14:02 | | celmin|sleep is now known as celmin|away |
14:35 | | macdjord is now known as macdjord|wurk |
15:30 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has joined #code |
15:30 | | mode/#code [+qo Vornicus Vornicus] by ChanServ |
16:45 | | Emmy [Emmy@Nightstar-9p7hb1.direct-adsl.nl] has joined #code |
19:43 | <@ErikMesoy> | Today in the database mines: a thingy which overrides scroll/select, so that if I select lines 12-14, then scroll down a bit, the selection is now also scrolled down and highlighting lines 18-20. |
19:43 | | Reiv [NSkiwiirc@Nightstar-ih0uis.global-gateway.net.nz] has quit [[NS] Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] |
19:43 | <@ErikMesoy> | I would have considered this merely unusual in a dedicated database viewing application. But in the _browser interface_ it strikes me as rather WTF. |
19:44 | <@ErikMesoy> | It has hilarious interaction with the semi-select/highlight of Control-F, too. |
19:46 | <@ErikMesoy> | Also, terrible terrible naming. Database A has two varieties of fizzy drink called "BrandCorp bottle 1,5L" and "BrandCorp bottle 1,50L". Database B has corresponding names of "BrandCorp bottle" and "BrandCorp bottle 1,5L" for these objects. |
19:48 | <@ErikMesoy> | There's a different brand of fizzy drink which uses "1,5L" as its size in one, and "1,5 L" in the other. |
19:48 | <@ErikMesoy> | Thank God for many-digit global IDs to differentiate this shit. |
20:16 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has joined #code |
20:17 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has quit [Connection closed] |
20:29 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has joined #code |
20:32 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has quit [Connection closed] |
20:32 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has joined #code |
20:51 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has quit [Connection reset by peer] |
21:22 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has joined #code |
21:49 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has quit [Ping timeout: 121 seconds] |
22:38 | | Vorntastic [uid293981@Nightstar-6br85t.irccloud.com] has quit [Connection closed] |
22:38 | | jeroud [sid10043@Nightstar-6br85t.irccloud.com] has quit [Connection closed] |
22:38 | | jeroud [sid10043@Nightstar-6br85t.irccloud.com] has joined #code |
22:38 | | mode/#code [+ao jeroud jeroud] by ChanServ |
22:40 | | Vorntastic [uid293981@Nightstar-6br85t.irccloud.com] has joined #code |
22:40 | | mode/#code [+qo Vorntastic Vorntastic] by ChanServ |
22:52 | | Emmy [Emmy@Nightstar-9p7hb1.direct-adsl.nl] has quit [Ping timeout: 121 seconds] |
23:49 | | Degi- [Degi@Nightstar-u7h08o.dyn.telefonica.de] has joined #code |
23:52 | | Degi [Degi@Nightstar-u7h08o.dyn.telefonica.de] has quit [Connection closed] |
--- Log closed Tue Nov 20 00:00:22 2018 |