IRC Logs for #circuits Sunday, 2013-03-10

[00:00] *** ronny has joined #circuits
[00:07] *** ircnotifier has quit IRC
[00:07] *** ircnotifier has joined #circuits
[00:07] *** ircnotifier has quit IRC
[00:08] *** ircnotifier has joined #circuits
[00:08] *** ircnotifier has quit IRC
[00:13] *** ircnotifier has joined #circuits
[02:07] *** ircnotifier has quit IRC
[02:09] *** ircnotifier has joined #circuits
[02:15] *** ircnotifier has quit IRC
[02:20] *** ircnotifier has joined #circuits
[02:29] <ircnotifier> Message from prologic@daisy: daisy
[02:29] *** ircnotifier has quit IRC
[02:30] *** ircnotifier has joined #circuits
[02:30] *** ircnotifier has quit IRC
[02:30] *** ircnotifier has joined #circuits
[02:31] <ircnotifier> Message from prologic@daisy: This is a test from the command line :)
[02:33] *** ircnotifier has quit IRC
[02:33] *** ircnotifier has joined #circuits
[02:34] *** ircnotifier has quit IRC
[02:34] *** ircnotifier has joined #circuits
[02:36] *** ircnotifier has quit IRC
[02:39] *** ircnotifier has joined #circuits
[02:39] *** ircnotifier has quit IRC
[02:40] *** ircnotifier has joined #circuits
[02:40] <ircnotifier> 1 commit(s) pushed to ircnotifier
[02:40] <ircnotifier> c697a15f5ab4 by prologic: Forgot to loads(...) the payload :)
[02:40] <ircnotifier> 1 commit(s) pushed to test
[02:40] <ircnotifier> 9e0d20cffc99 by prologic: Removed
[02:41] <ircnotifier> Message from prologic@daisy: Test :)
[02:43] <ircnotifier> 3 commit(s) pushed to ircnotifier
[02:43] <ircnotifier> 7de1c677ae40 by prologic: Moved message script to scripts/
[02:43] <ircnotifier> 500e3803195f by prologic: Switch to using CHANGES
[02:43] <ircnotifier> ecdb50ae023b by prologic: Updated Change Log
[02:46] <ircnotifier> 4 commit(s) pushed to ircnotifier
[02:46] <ircnotifier> 7593fbcb13a3 by prologic: Updated description of project
[02:46] <ircnotifier> 802e04c5f0ae by prologic: Preparing release 0.0.2
[02:46] <ircnotifier> 0c8eabd39691 by prologic: Tagging 0.0.2
[02:46] <ircnotifier> 375ac323109c by prologic: Back to development: 0.0.3
[02:47] <ircnotifier> 1 commit(s) pushed to ircnotifier
[02:47] <ircnotifier> 4b158fb31b83 by prologic: Fixed version in __init__.py
[04:26] *** koobs_ has joined #circuits
[04:29] *** koobs_ has quit IRC
[04:29] *** koobs_ has joined #circuits
[09:11] *** ronny_ has joined #circuits
[09:15] *** ronny has quit IRC
[11:34] <spaceone> prologic: re
[12:39] *** ronny_ has quit IRC
[12:43] *** christopher has joined #circuits
[13:42] <spaceone> prologic: python3.3.0, without a traceback: ImportError: bad magic number in 'circuits': b'\x03\xf3\r\n'
[13:43] <spaceone> when python -c 'import circuits'
[14:08] *** ronny has joined #circuits
[14:08] *** ronny has quit IRC
[14:08] *** ronny has joined #circuits
[15:29] <prologic> spaceone: yeah this happens when you try to run compiled byte code compiled with Python 2 and then try to run it with Python 3
[15:29] <prologic> You need to rm *.pyc
[15:29] <prologic> and Try again :)
[15:37] <spaceone> ah ok
[15:49] <prologic> spaceone: until I get the github repos in order (still sorting this out) would you mind sending individual patches to circuits-dev@googlegroups.com?
[15:49] <spaceone> prologic: pl
[15:49] <spaceone> ok*
[15:49] <prologic> Thanks :)
[15:49] <prologic> feel free to join the list
[15:49] <prologic> and circuits-users also on google groups
[15:50] <spaceone> no, i hate google
[15:50] <spaceone> btw do you have something to do with LogiTech ?
[15:50] <prologic> no
[15:50] <prologic> you hate google?
[15:50] <prologic> hmm
[15:50] <prologic> sorry but that's where our mailing lists are atm :)
[15:50] <prologic> it's free and works well
[15:51] <prologic> otherwise just post the patches here
[15:51] <prologic> I missed a few of them (sorry) :/
[15:51] <prologic> circuits.codepad.org
[15:51] <spaceone> i will email them, but i will not join the list
[15:51] <spaceone> them=patches
[15:54] <prologic> ok
[15:55] <spaceone> prologic: is the mailinglist (==my email) online visible
[15:55] <spaceone> ?
[15:55] <prologic> it's a public mailing list
[15:55] <prologic> so yes - I assume so
[15:55] <prologic> you'd best just paste them here then
[15:56] <prologic> use circuits.codepad.org
[15:56] <prologic> at least I can collect them in the circuits namespace on codepad
[15:56] <spaceone> ok
[15:57] *** ronny has quit IRC
[15:58] <spaceone> prologic: http://circuits.codepad.org/z6moF2dU
[16:03] <prologic> I get the errors.py fix
[16:03] <prologic> What's the rationale behind the query string regex fix?
[16:07] <spaceone> i commented it
[16:07] <spaceone> prologic: access http://circuitsframework.com/?123,456x
[16:11] <prologic> So that 2nd patch fixes that?
[16:11] <prologic> Ahh sorry
[16:11] <prologic> I did not see the comment :)
[16:11] <prologic> Ok I'll apply both now
[16:15] <prologic> Hmm
[16:15] <prologic> Ok both applied and pushed to https://bitbucket.org/circuits/circuits-dev
[16:15] <prologic> Problem:
[16:15] <prologic> I cannot get git repos working
[16:15] <prologic> Or syncing
[16:15] <prologic> They are unrelated
[16:15] <prologic> And will always be unrelated :/
[16:16] <prologic> Not good
[16:16] <spaceone> hm
[16:17] <spaceone> isn't bitbucket able to provide git?
[16:17] <prologic> I would like it if you signed up for an account on bitbucket and learned mercurial :)
[16:17] <spaceone> a friend of mine has a git repo there
[16:17] <prologic> It's almost the same as git really
[16:17] <prologic> no new concepts
[16:17] <spaceone> jah ok, so i will use hg
[16:17] <prologic> bitbucket does provide git - this is true
[16:17] <prologic> however I cannot convert the mercurial repos
[16:17] <prologic> without losing the relationships
[16:17] <prologic> It's either we move to git
[16:17] <prologic> or stay with mercurial
[16:17] <spaceone> oh hmm
[16:18] <prologic> I tried for the past week
[16:18] <prologic> and ran into many road blocks
[16:18] <prologic> and this is the final one
[16:18] <prologic> "no relationship"
[16:18] <prologic> if I can't keep them in sync
[16:18] <prologic> there's no point
[16:18] <spaceone> of course
[16:18] <prologic> I'll inform the other devs when I see them next
[16:19] <prologic> mehere: hey dude, if you see this. We can't maintain git repos as well as they become unrelated making syncing impossible and useless really. Going to remove the repos on github
[16:23] <prologic> So if you fork https://bitbucket.org/circuits/circuits-dev into your own account and submit pull requests for any patches, new features, etc that would be great
[16:24] <prologic> We do all our dev work in circuits-dev and merge into stable after every sprint and release a new version/package
[16:25] <prologic> We're in Sprint #4 atm Ending 17th March
[16:25] <prologic> https://www.pivotaltracker.com/projects/695621
[16:29] <spaceone> prologic: which is the latest stable version?
[16:29] <spaceone> 2.1.0 ?
[16:29] <prologic> right now - yes
[16:29] <prologic> but please do work against circuits-dev
[16:30] <prologic> we always ensure all tests pass before releasing a new version
[16:31] <spaceone> prologic: i found a security hole
[16:33] <prologic> hmm?
[16:33] <spaceone> echo -en 'GET /css/../css/../../../../../../../../etc/passwd HTTP/1.1\r\nHost: circuitsframework.com\r\nConnection: close\r\n\r\n' | nc circuitsframework.com 80
[16:33] <spaceone> prologic: ^^
[16:33] <spaceone> happily you do not run as root
[16:35] <prologic> hmm
[16:35] <prologic> escaping the request path isn't enough?
[16:35] <spaceone> what do you mean by escaping?
[16:36] <spaceone> you have to do:
[16:36] <prologic> https://bitbucket.org/circuits/circuits-dev/src/616fadb076f0bf21ebd4c0fbd80c02e45fd44756/circuits/web/dispatchers/static.py?at=default#cl-60
[16:36] <spaceone> LOL
[16:36] <spaceone> of course not
[16:36] <prologic> hmm
[16:37] <prologic> This is not good :)
[16:37] <prologic> Sorry you were saying, you have to do: ?
[16:37] <spaceone> yep, wait i will write it
[16:38] <prologic> I'll write a unit test for this too
[16:38] <prologic> so we never ever break that :)
[16:40] <spaceone> prologic: http://circuits.codepad.org/OpjT4Gmt
[16:41] <spaceone> something like this in the area where the HTTP path is parsed
[16:41] <spaceone> also check for /.. and /.
[16:42] <spaceone> i am too tired to really think about it
[16:42] <spaceone> it is 01:40 AM and i have work tomorrow
[16:42] <prologic> So in general
[16:42] <prologic> just replace all ../ .. and // ?
[16:42] <prologic> with empty strings
[16:42] <prologic> Can't I just replace all .. with an empty string?
[16:42] <prologic> and then all // with an empty string
[16:43] <spaceone> yes
[16:43] <prologic> that should cover all cases no?
[16:43] <spaceone> but also replace things like /./
[16:43] <prologic> that won't do anything?
[16:43] <spaceone> that is ugly
[16:43] <prologic> so get rid of it anyway :)
[16:43] <prologic> well ...
[16:44] <prologic> I could just replace all . with ""
[16:44] <spaceone> no
[16:44] <prologic> . in the path is useful for something?
[16:44] <spaceone> 'foo.html'.replace('.', '')
[16:44] <prologic> agh yes of course :)
[16:44] <prologic> ok
[16:44] <prologic> path.replace("..", "")
[16:44] <prologic> path.replace("//", "")
[16:44] <prologic> path.replace("./", "")
[16:44] <prologic> cover all cases?
[16:45] <spaceone> no
[16:45] <spaceone> you have to think about the encoding of the string
[16:46] <spaceone> is it 7bit ASCII, UTF-8, iso*, etc ?
[16:46] <prologic> we do UTF-8 by default
[16:48] <spaceone> if it is fixed UTF-8 the replacements are enough
[16:49] <prologic> I propose this:
[16:49] <prologic> http://codepad.org/a4puAlj1
[16:50] <spaceone> prologic: again hacked
[16:54] <prologic> yeah fixed now
[16:54] <prologic> http://codepad.org/05wOSlDf
[16:54] <prologic> I realized there were some path manipulations that were not being used
[16:54] <prologic> wtf
[16:54] <prologic> This fixes it
[16:55] <spaceone> prologic: also there is a wrong handling
[16:55] <spaceone> you have to redirect the request
[16:57] <prologic> sorry redirect what where?
[16:58] <prologic> all the tests pass
[16:58] <prologic> shall I commit this fix?
[16:58] <spaceone> prologic: you are not allowed to strip something out of the request path, if you do this you have to send '301 Moved permanently\r\nLocation: %s' % newpath
[16:59] <prologic> Really?
[16:59] <prologic> Oh that sucks :)
[16:59] <spaceone> no that does not suck
[16:59] <prologic> Makes the fix a little more complicated
[16:59] <spaceone> that is the power of HTTP
[16:59] <prologic> So hence the check for
[16:59] <prologic> if path != request.path:
[17:00] <spaceone> yep
[17:00] <prologic> kk
[17:00] <prologic> I'll add that in then
[17:00] <prologic> doesn't suck so much now :)
[17:00] <spaceone> well
[17:00] <spaceone> 2AM
[17:00] <spaceone> i am not tired :(
[17:00] <prologic> actually hmm
[17:00] <spaceone> but i have to work tomorrow
[17:00] <prologic> lol
[17:00] <prologic> go to bed :)
[17:00] <prologic> I'll fix this :)
[17:13] <spaceone> prologic: your patch is sucking again
[17:13] <spaceone> >>> def sanitize(path): return path.replace("..", "").replace("//", "").replace("./", "")
[17:13] <spaceone> ...
[17:13] <spaceone> >>> print sanitize('.....//.....//\0///'*5)
[17:13] <spaceone> ../../../../../
[17:21] <spaceone> prologic: you also must replace /./ not ./ because it is possible to have /foo/bar./baz
[17:21] <prologic> ok
[17:22] <prologic> omg
[17:22] <prologic> the rules are getting more and more complicated ;)
[17:22] <spaceone> they are easy
[17:22] <spaceone> you can do this:
[17:23] <spaceone> path = os.path.abspath(request.path)
[17:25] <spaceone> prologic: sorry, s/abspath/realpath/g
[17:26] <prologic> hmm?
[17:26] <spaceone> path = os.path.realpath(request.path)
[17:35] *** christopher has joined #circuits
[17:36] <prologic> Are you saying os.path.realpath might be an easier solution?
[17:36] <prologic> You'd simply end up with "/etc/password" in that case
[17:37] <spaceone> prologic: os.path.realpath will do the correct sanitization
[17:38] <prologic> in all the cases you want?
[17:38] <spaceone> yes
[17:43] <spaceone> you can add '(thx spaceone)' in your commit messages :D (in my projects i am parsing those and putting links into the autochangelog)
[17:45] <prologic> http://codepad.org/DJE2RSwr
[17:45] <prologic> This works
[17:51] <prologic> heh :)
[17:51] <prologic> personal style preference
[17:51] <prologic> I prefer not x == y
[17:51] <prologic> :)
[17:52] <prologic> but I don't care either way :)
[17:53] <spaceone> but not x == y are two checks
[17:53] <spaceone> so it is slower
[17:56] <spaceone> u understand?
[17:59] <prologic> is it?
[17:59] <prologic> we could find out with byte play :)
[17:59] <spaceone> yep
[17:59] <prologic> I suspect it should compile to the same bytecode
[17:59] <prologic> I could be wrong :)
[17:59] <prologic> also I can't use os.path.realpath(...)
[17:59] <prologic> it breaks jsonrpc and xmlrpc tests
[17:59] <spaceone> why?
[18:06] <spaceone> LANG=C diff 1.cpython-33.pyc 2.cpython-33.pyc
[18:06] <spaceone> Binary files 1.cpython-33.pyc and 2.cpython-33.pyc differ
[18:06] <spaceone> wc -c 1.cpython-33.pyc 2.cpython-33.pyc
[18:07] <spaceone> 122 1.cpython-33.pyc
[18:07] <spaceone> 121 2.cpython-33.pyc
[18:07] <spaceone> cat ../1.py ../2.py
[18:07] <spaceone> not '1' == '2'
[18:07] <spaceone> '1' == '2'
[18:07] <spaceone> arg, mistake
[18:09] <spaceone> but doesn't change anything
[18:09] <spaceone> i will test with pdb tomorrow
[18:09] <spaceone> gn8
[18:09] <prologic> http://codepad.org/Sx59xb6b
[18:09] <prologic> spaceone: you are right :)
[18:09] <prologic> It's 1 less bytecode instruction
[18:09] <prologic> haha

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!