\[Kickstart\] Link - The File Sharing Blockchain Protocol
-
It is screwing with Magnet links. :(
That’s unfortunate. I’ll fix it tonight. Until then publishing is broken, so please don’t use it.
-
I can’t believe user input wasn’t sanitised. It’s kindergarten coding. :-\
-
[quote name=“UKMark” post=“47895” timestamp=“1388179885”]
I can’t believe user input wasn’t sanitised. It’s kindergarten coding. :-\
[/quote]It is. That’s what’s screwing with magnet links. Because I’m using the browser’s built in loveliness, it’s converting & to & when it shouldn’t. I’ve not decided what approach is best to take with regards to this yet, but I’ll figure something out.
-
[quote name=“Kevlar” post=“47897” timestamp=“1388180076”]
[quote author=UKMark link=topic=5663.msg47895#msg47895 date=1388179885]
I can’t believe user input wasn’t sanitised. It’s kindergarten coding. :-\
[/quote]It is. That’s what’s screwing with magnet links. Because I’m using the browser’s built in loveliness, it’s converting & to & when it shouldn’t. I’ve not decided what approach is best to take with regards to this yet, but I’ll figure something out.
[/quote]ctype_alnum, It’s all I trust tbh.
-
Nah, the browser has this built into it. It’s cross platform (not PHP specific), it’s future proof without ever updating the code, and it’s 4 lines of code (in coffeescript):
[code]
escapeHtml = (str) ->
div = document.createElement(“div”)
div.appendChild document.createTextNode(str)
div.innerHTML
[/code]Since anyone can encode anything into the blockchain, it just makes sense to sanitize any output before displaying it, since you can’t ever trust the server to do the right thing. Since all output is appended to the DOM via client side templates, there’s a single point which all data must pass through before being rendered. This makes the whole design trivial and idiot-proof. You just need to handle the special cases of things that should be allowed but normally aren’t.
-
I doubt you could truthfully santise at DOM level. You are giving ball back, surely?.
-
[quote name=“UKMark” post=“47907” timestamp=“1388181492”]
I doubt you could truthfully santise at DOM level. You are giving ball back, surely?.
[/quote]In fact that’s exactly what it’s doing. Specifically document.createTextNode() is a native function that will escape ANYTHING that the browser considers a DOM element. That’s why it’s future proof: As new tags are added, and supported on the browser, this native function will escape them.
It doesn’t work for PHP code, because PHP is rife with xss possibilities.
Consider the following example:
[code]
document.createTextNode(‘’);
[/code]The browser will leave that intact, because it’s perfectly safe to render in the DOM. The XSS happens on the server side, which is why mixing code and templates in HTML documents is inherently dangerous, and should be avoided.
-
Show me one xss possibilities that can evade ctype_alnum?..I am anal about sever side security, call me out, but honesty prevails…
-
[quote name=“UKMark” post=“47918” timestamp=“1388183032”]
Show me one xss possibilities that can evade ctype_alnum?..I am anal about sever side security, call me out, but honesty prevails…
[/quote]I’m sure it’s a solid package that address a huge problem with PHP, namely the intermingling of server side code and client side HTML. In the security world, we call that particular feature “Broken By Design”.
Since I’m not using PHP, and I’m not rendering anything server side except JSON, it’s a non issue for this project. I’m not vulnerable to server side attacks, because business logic is kept well clear of client templates, and I’m not vulnerable to client side attacks because the browser sanitizes any output before appending it to the DOM.
The client HTML is static html files that can be served up off the filesystem with no execution, pushing all the work of rendering onto the client. This means they can be e-tagged and cached client side trivially, since they don’t change when data changes. That means the server has less load because no execution is required, and the client page loads faster because it always comes out of local cache, and only the data need be queried, reducing the amount of bandwidth required. Those queries can be e-taged and cached as well, making the entire experience as optimal as possible. Since the template need only be transferred once, and the data is all that has to go over the wire, the bandwidth is even further reduced, since you don’t need to transfer the HTML each time with the data.
That’s server side security: No execution path whatsoever for the most common case, while significantly reducing the amount of work that must be done server side, significantly reducing the bandwidth required, and significantly reducing the load times while keeping a trivially simple cache model.
-
[quote name=“Kevlar” post=“47923” timestamp=“1388184280”]
That’s server side security: No execution path whatsoever for the most common case.
[/quote]I am so unlearning PHP from watching this project. Also: [url=http://forum.feathercoin.com/index.php/topic,6422]http://forum.feathercoin.com/index.php/topic,6422[/url]
-
[quote name=“zerodrama” post=“47924” timestamp=“1388184502”]
I am so unlearning PHP from watching this project.
[/quote]For once, I feel like I’m ahead of you. I never learned PHP. ;)
-
Ok, unleash the hounds on it!
Turns out the xss scare was all for not: the templating engine was doing it by default, and my paranoia had me writing code for nothing.
Publishing is fixed. Please test it out.
For those of you who notice the major change… please don’t spoil the surprise for the rest! I’ll be making a big announcement about it soon.
-
[quote name=“Kevlar” post=“47989” timestamp=“1388210183”]
For those of you who notice the major change… please don’t spoil the surprise for the rest! I’ll be making a big announcement about it soon.
[/quote]that’s a great idea
-
thank you for the link and i wish you an Happy new year and successful year 2014
-
Alright ladies and germs,
We’re about a day away from go time.
Sessions are being written to disk. The server is in production mode. Publishing has been tested and is working again. iawgoM’s css fix is in place. New goals are also in place.
A firewall is in place. For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
I’d still like to do a little SEO before we start sending the link around, maybe I’ll get to that later today.
As of this post, all known bugs are fixed. Please test publishing and searching, because if there’s anything else wrong I’d rather know sooner rather than later!
Thanks for all your support! :)
-
[quote name=“Kevlar” post=“48102” timestamp=“1388263047”]For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
[/quote]admin/hunter2 -
[quote name=“HopeStillFlies” post=“48107” timestamp=“1388265738”]
[quote author=Kevlar link=topic=5663.msg48102#msg48102 date=1388263047]For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
[/quote]admin/hunter2
[/quote]Close.
It was spaceballs/12345, but I figured that was the kind of password an idiot would have on his luggage.
So I changed it to realultimatepower/The purpose of the ninja is to flip out and kill people.
But then I thought someone might actually guess that, so I changed it to Murray/I am a talking voodoo skull! Fear me!
But I kept forgetting the punctuation. So finally I went to correcthorsestaplebattery.net and had it generate a > 10 word passphrase, and the account name is from random.org.
Estimated time to brute force that: Longer than the heat death of the universe.
-
[quote name=“Kevlar” post=“48102” timestamp=“1388263047”]
For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
[/quote]
[code]
Username : 1337TS
Password : Link Beer Pizza Cryptocurrency[/code]I’m in!
-
Dammit, Kevlar took all my fun away and banned anything other than magnet links. I was about to submit a link to Link inside Link and really f@ck this world up!
-
Scary thought. What if [url=http://correcthorsebatterystaple.net/]http://correcthorsebatterystaple.net/[/url] was actually just producing passwords from a dictionary of a couple of thousand phrases so they could steal the internet? :o
I’m sticking to using my cat’s name for everything. ;)
