IRC Logs for #circuits Tuesday, 2013-04-02

00:02 <prologic> heya all
00:10 <spaceone> hi prologic
00:17 <spaceone> I am missing an event for ChildRegistered
00:23 <spaceone> maybe I am using registerChild directly
00:27 <prologic> you should not be calling registerChild
00:27 <prologic> that's an internal API
00:27 <prologic> what you pasted above should work
00:27 <prologic> -however-
00:27 <prologic> is your handler conflicting with another property or method of the same name?
00:28 <prologic> and I need some kind of context
00:28 <prologic> there are some registered handlers internally in some components in the circuits library that are filtered
00:28 <spaceone> so I just need to set my priority higher?
00:28 <prologic> disregard that last statement - there are none :)
00:29 <prologic> I grepped the codebase :)
00:29 <prologic> no disregard
00:29 <spaceone> hm
00:29 <prologic> def foo(...)
00:29 <prologic> is that conflicting with an attribute or property or another method of the same name?
00:29 <spaceone> no
00:29 *** Osso has joined #circuits
00:29 <prologic> do you see the Registered event in the debug logs?
00:29 <prologic> hi Osso
00:30 <Osso> hey
00:30 <spaceone> wait, I have to add Debugger
00:30 <spaceone> then
00:32 <spaceone> prologic: btw, but overwriting registerChild is OK? (that is what I need; otherwise my Registered handler must check 'if self is not parent: return')
00:33 <prologic> umm
00:33 <prologic> you're diving into internals there
00:33 <prologic> I have absolutely no idea what will break if you override registerChild
00:33 <prologic> I recommend you don't :)
00:34 <prologic> and yes we do do things like:
00:34 <prologic> @handler("registered")
00:34 <prologic> def _on_registered(self, component, manager):
00:34 <prologic>     if component is self:
00:34 <prologic>         ...
00:34 <spaceone> prologic: I am calling suprt of course
00:34 <spaceone> super*
00:35 <prologic> look at the registered event handler in circuits.net.sockets
00:35 <prologic> for example
00:35 <prologic> well then I go back to:
00:35 <prologic> "Does it show the Registered event"?
00:36 <spaceone> no
00:36 <spaceone> a = CompWithHandlerForRegistered()
00:36 <spaceone> b = BaseComponent()
00:37 <spaceone> a += Debugger(events=True)
00:37 <spaceone> b.register(a)
00:37 <spaceone> nothing displayed
00:37 <prologic> is it running?
00:37 <spaceone> define 'running'?
00:37 <prologic> b.run()
00:37 <spaceone> no
00:37 <prologic> or a.run() sorry
00:38 <prologic> a.start()
00:38 <prologic> then there's your problem
00:38 <prologic> it ain't running
00:38 <spaceone> ah ok
00:38 <prologic> or it isn't part of a running system
00:38 <spaceone> did not know
00:38 <prologic> it must be registered to something that's running
00:38 <prologic> i.e: a running Manager/Component
00:38 <prologic> otherwise nothing will happen
00:38 <prologic> you just need to register this graph to something that's "running"
00:39 <prologic> somewhere else you have:
00:39 <prologic> (BaseServer(8000) + ...).run()
00:39 <prologic> you need to register it inside that system somewhere
00:39 <spaceone> now I have to:
00:39 <spaceone> f = Foo()
00:39 <spaceone> f.run()
00:39 <spaceone> f += bar
00:40 <spaceone> (Server + f).run()
00:40 <spaceone> ?
00:44 <spaceone> f.start() *
00:44 <spaceone> seems so
00:44 <spaceone> or are those events also fired afterwards when I do server.run() ?
00:46 <spaceone> ah yes they are... nice API!
00:49 <prologic> hmm
00:50 <prologic> you don't/can't run two things in the same thread
00:50 <prologic> this is what .start() is for
00:50 <prologic> .run() runs in the main thread and blocks
00:50 <prologic> .start() starts a new thread
00:50 <prologic> .start(process=True) starts a new process
00:50 <spaceone> ah ok
00:51 <prologic> but if f terminated quickly
00:51 <prologic> you could .run() it
00:51 <prologic> we do this for circuits.web.wsgi.Application
00:51 <prologic> we run the circuits.web app
00:51 <prologic> and quickly terminate it
00:51 <prologic> because wsgi is a non long-running process
00:51 <prologic> it's basically just a callable
00:52 <prologic> so you write your circuits.web web app as per normal
00:52 <prologic> and swap out Server() with Application()
00:52 <prologic> and voila you can serve your app under mod_wsgi or similar
00:53 <spaceone> ah okay
00:54 <spaceone> prologic: there is no event like Started ?
00:54 <prologic> there _has_ been a method to our circuits.web madness
00:55 <prologic> you might think 90% of the code is BS
00:55 <prologic> but it's not :)
00:55 <spaceone> BS?
00:55 <prologic> BS - short for Bull Shit :)
00:55 <spaceone> ah ok
00:55 <prologic> there is a Started event also
00:55 <prologic> fired when the system initially starts
00:55 <spaceone> okay, I did not see it
00:55 <spaceone> is it in Manager ?
00:56 <prologic> yeap
00:56 <prologic> start anything with Debugger attached
00:56 <prologic> and you'll see a Started event
00:56 <spaceone> ah now I see
00:56 <spaceone> thanks very much
00:56 <prologic> http://codepad.org/4wkODHAK
00:57 <prologic> no problems! :)
02:42 <spaceone> prologic: you are online? I think I found another security issue
02:49 *** Osso has quit IRC
02:57 *** Osso has joined #circuits
03:04 <prologic> spaceone, oh?
03:06 <spaceone> prologic: I currently did not test, but:
03:07 <spaceone> try to send something like this:
03:07 <spaceone> GET /foo/bar/../%0d%0aX-Foo:+owned/muha HTTP/1.1
03:11 <prologic> http://codepad.org/sjkfdQo0
03:15 <spaceone> prologic: okay, but was valuable to try
03:16 <spaceone> prologic: this can be dangerous if someone does uri.unquote; Redirect(join(otherdomain, request.uri))
03:17 <prologic> hmm
03:17 <prologic> you're talking about a developer there
03:17 <prologic> not a user of a web app
03:17 <prologic> gotta draw a line somewhere in the sand
03:17 <prologic> if a developer is that stupid
03:17 <prologic> how can we stop them?
03:21 <spaceone> prologic: we can stop them by validating what is set to response.headers
03:21 <spaceone> prologic: but this is currently not of priority
03:22 <spaceone> currently a developer must not be foolish
03:25 <prologic> well
03:25 <prologic> to be honest
03:25 <prologic> I'd prefer we don't "hand hold" developers
03:25 <prologic> it just makes for more complex code in the framework
03:26 <prologic> framework/server
03:31 <spaceone> hmm, in my opinion this is what a framework must do
03:32 <spaceone> an HTTP framework must ensure that users of it can speak valid HTTP fluently
03:32 <spaceone> a framework must achieve security standards
03:32 <prologic> well I don't quite agree
03:32 <prologic> like I said
03:33 <prologic> if a developer "wants" to do something stupid
03:33 <prologic> then why should we write 10s of lines of code to stop him/her?
03:33 <prologic> that's like saying a language should stop you from writing:
03:33 <spaceone> in python a developer can do everything
03:33 <prologic> while True:
03:33 <prologic>     os.fork()
03:33 <prologic> but it doesn't
03:34 <spaceone> but we are speaking about our example: an HTTP header field is set which contains \r\n
03:34 <prologic> what because of %0d%0a ?
03:34 <spaceone> no developer would do this, instead a developer would add its second header field
03:34 <prologic> that's not unquoted though
03:34 <prologic> so it doesn't matter
03:35 <spaceone> yeah but this can happen
03:35 <prologic> yes but as I showed you
03:35 <prologic> we don't do anything about it
03:35 <prologic> so where's the security problem?
03:35 <spaceone> the security problem is:
03:36 <spaceone> response.headers['X-Foo'] = some_user_input_containing_str('\r\n')
03:36 <spaceone> it should be impossible to have 2 headers in one field
03:36 <spaceone> 2 fields*
03:37 <prologic> in the response?
03:37 <spaceone> yes
03:38 <prologic> why/how would that matter?
03:38 <spaceone> oh one example security hole I found:
03:38 <spaceone> (email headers are also mime)
03:39 <spaceone> I was able to insert: '\r\nContent-Type: text/html\r\n\r\n<script src="evil"/>\0'
03:39 <spaceone> so I defined the header values and the body
03:39 <spaceone> because of a weak implementation of a so called 'framework'
03:41 <prologic> dude seriously
03:41 <prologic> you are still talking about a developer developing evil code
03:41 <prologic> on the web application side
03:41 <prologic> server-side
03:41 <prologic> I don't get it
03:41 <prologic> why would a developer be so stupid?
03:42 <prologic> I'm not prepared to write code that "tries" to stop a developer from shooting himself in the foot
03:42 <prologic> it just doesn't make sense
03:42 <spaceone> because developers rely on frameworks
03:42 <prologic> i.e: it's not worth the effort
03:42 <prologic> if a developer is going to be stupid
03:42 <prologic> I really couldn't care less
03:42 <spaceone> what is stupid there?
03:42 <spaceone> this can happen
03:42 <prologic> well that's where we disagree
03:43 <prologic> circuits.web isn't (or wasn't) ever going to be a full framework
03:43 <spaceone> because someone does not bring into context that a value can contain evil things
03:43 <prologic> like Django
03:43 <prologic> or Turbo Gears
03:43 <prologic> or even Ruby on Rails
03:43 <prologic> if you're using circuits.web
03:43 <prologic> it means you want something "light"
03:43 <prologic> "fast"
03:43 <prologic> and "scalable"
03:43 <prologic> and we're constantly working on those things
03:43 <prologic> not a batteries included
03:43 <prologic> and all bells and whistles
03:43 <prologic> and you can't shoot yourself in the foot
03:44 <prologic> kind of framework
03:44 <prologic> I _understand_ Django, cherrypy, (for example) come with all sorts of security considerations to prevent developers from doing stupid things
03:44 <prologic> as they should
03:44 <prologic> because the developers they target just want to "copy 'n paste" some code
03:44 <prologic> get some app up and running quickly
03:44 <prologic> without thinking too hard
03:45 <prologic> I'm not disagreeing that it can't happen
03:45 <prologic> I'm questioning the how/whow it could happen
03:45 <prologic> stupid developer == a developer that needs to be taught better skills
03:45 <spaceone> yes
03:45 <spaceone> but it is also a design question?
03:46 <prologic> if someone from the PHP community comes over to circuits.web
03:46 <prologic> and wants to whip up something
03:46 <prologic> and starts doing stupid crap
03:46 <spaceone> I mean, you have to think about things in every place instead of in one place
03:46 <prologic> well I'm just either going to show him "what not to do"
03:46 <prologic> or say this isn't the framework for you :)
03:46 <prologic> *nods* I agree
03:46 <spaceone> okay
03:46 <prologic> -but- design considerations and all
03:47 <prologic> I don't think stopping a developer from doing stupid things with circuits.web is one of our goals
03:47 <spaceone> I am aware that we don't want a django thing; we want simplicity
03:47 <prologic> exactly
03:47 <prologic> simplicity that can be built on top of
03:47 <prologic> perhaps there might be a bells 'n whistles web framework
03:47 <prologic> built on top of circuits.web
03:47 <prologic> one day
03:47 <prologic> but I don't plan for circuits.web (at its core) to be that
03:47 <prologic> otherwise it becomes too much code to maintain
03:48 <prologic> and you start to forget and make mistakes
03:48 <prologic> look at what happened with Ruby on Rails and its huge security flaw
03:48 <spaceone> hm
03:48 <prologic> I appreciate your "security hole" finding :) it's great
03:48 <prologic> fortunately you'd only been able to find a hole in request paths
03:48 <prologic> which is now gone
03:49 <prologic> I'm more interested (personally) in attack vectors in the direction of circuits.web
03:49 <prologic> browser -> circuits.web
03:49 <prologic> nor circuits.web -> browser
03:49 <prologic> if you get what I mean?
03:50 <spaceone> 'nor' ?
03:50 <prologic> arguably we should not display python tracebacks by default
03:50 <prologic> s/nor/not
03:50 <spaceone> oh I don't think so
03:50 <spaceone> tracebacks are great for users
03:50 <spaceone> I mean, it is open source
03:50 <spaceone> we are setting the Server header
03:51 <spaceone> so a traceback is not useful for a hacker
03:51 <spaceone> but useful for a developer, etc.
03:51 <prologic> not even the lines of code?
03:51 <prologic> and modules, etc?
03:51 <spaceone> not really
03:51 <prologic> ok
03:51 <spaceone> that isn't much information
03:51 <prologic> see I don't particularly see Server header as an attack vector either
03:51 <spaceone> I never hacked something because I got the traceback
03:51 <prologic> not unless there are known vulnerabilities with the server
03:51 <prologic> and the version in question
03:52 <spaceone> I hacked things by seeing there is an error (status=5xx) and trying then
03:52 <spaceone> yeah but this is the same in apache, lighttpd
03:52 <spaceone> ...
03:52 <prologic> exactly
03:52 <prologic> we probably should provide an option of turning it off?
03:52 <spaceone> the difference is that in apache you can disable the server header
03:52 <prologic> for those paranoid devs
03:52 <spaceone> (or the version ...)
03:53 <spaceone> prologic: we don't need to add this possibility
03:53 <spaceone> as it is already there
03:53 <prologic> well I agree
03:53 <prologic> you can write a response filter
03:53 <prologic> it's too easy to add to any web app
03:53 <prologic> @handler("response")
03:53 <prologic> def _on_response(self, response):
03:53 <prologic>     del response.headers["Server"]
03:53 <spaceone> yeah
03:53 <prologic> done
03:53 <prologic> too easy indeed
03:54 <spaceone> kiss
03:54 <prologic> anyway
03:54 <prologic> appreciate your efforts
03:54 <prologic> as I said
03:54 <prologic> I'm more interested in attack vectors of:
03:54 <prologic> malicious client -> circuits.web
03:54 <spaceone> so you like to see attack vectors which exist in circuits.web which can be afforded by browser?
03:54 <prologic> like is buffer overrun possible
03:54 <prologic> is filling up the server hard disk possible
03:55 <prologic> is getting root privileges possible
03:55 <spaceone> oh I think it is but I am currently not into this
03:55 <prologic> is getting a python interpreter possible
03:55 <prologic> is evaluating python possible
03:55 <prologic> these are the things (if possible) I want to close up tight
03:55 <spaceone> the first I found was getting root access
03:55 <spaceone> first hole*
03:55 <prologic> how?
03:56 <spaceone> I was able to get the content of /etc/shadow or any other file in the filesystem (/proc/*)
03:56 <spaceone> the server ran as root
03:56 <spaceone> (behind a lighttpd which prevented it)
03:57 <spaceone> and /etc/shadow as you know contains the passwords of all users
03:57 <spaceone> just as example
03:57 <spaceone> there are much more files with information
03:58 <prologic> but you weren't able to view it?
03:58 <prologic> lighttpd runs as its own user
03:58 <spaceone> of course I was
03:58 <prologic> as do my web apps
03:58 <spaceone> yes
03:58 <prologic> hmm
03:58 <prologic> odd
03:58 <spaceone> but if you did only use circuits it would be
03:58 <prologic> /etc/shadow is not world readable
03:59 <prologic> not even then
03:59 <spaceone> but if you run circuits as root
03:59 <prologic> unless you ran as root
03:59 <prologic> oh yes of course
03:59 <prologic> then
03:59 <prologic> d'uh :)
03:59 <spaceone> which you MUST if you want port 80
03:59 <prologic> but what good sysadmin does that?
03:59 <prologic> sure I agree
03:59 <prologic> which is why I have DropPrivileges on my radar of things to add to circuits.app :)
03:59 <spaceone> so time for DropPrivileges
03:59 <prologic> coming soon!
03:59 <spaceone> yes
03:59 <spaceone> :D
04:00 <prologic> anyway this kind of path manipulation is closed now
04:00 <spaceone> but think of:
04:00 <prologic> what's next?
04:00 <spaceone> if there are still similar things and we can't get files owned by root, we can get files from the user
04:00 <spaceone> e.g. config.cfg which contains SQL password
04:01 <spaceone> so we are able to connect to the sql database
04:01 <spaceone> that is why I think that specific things must be solved by the framework
04:01 <spaceone> that is my goal with SF
04:01 <spaceone> because I have seen so many weak implementations
04:10 <prologic> haha
04:10 <prologic> so in circuits.web
04:10 <prologic> a config.cfg would never be exposed - ever
04:10 <prologic> it would be part of application code
04:11 <prologic> and never under the Static dispatcher's root
04:12 <spaceone> I did not mean to get it via the default dispatcher
04:12 <spaceone> I meant to get it through a similar hole to the ../ thing
04:13 <spaceone> but I am afk now
04:16 <prologic> kk
06:03 *** Ossoleil has joined #circuits
06:03 *** Osso has quit IRC
06:43 *** Ossoleil has joined #circuits
06:53 *** Ossoleil has joined #circuits
06:59 *** ronny has joined #circuits
06:59 *** ronny has quit IRC
06:59 *** ronny has joined #circuits
07:29 *** Osso has joined #circuits
07:38 *** Osso has quit IRC
07:45 *** Osso has joined #circuits
08:52 *** Osso has quit IRC
10:36 *** koobs has quit IRC
10:37 *** koobs has joined #circuits
13:31 <prologic> morning all
13:35 <prologic> koobs: If I gave you an account on my new server and setup a blank kvm guest... Would you be able to install FreeBSD? ;)
18:11 *** circuits has joined #circuits
18:52 *** irclogger_ has joined #circuits
19:44 *** yeik has joined #circuits
22:00 *** koobs has joined #circuits
22:18 *** koobs has quit IRC
23:54 *** Osso has joined #circuits
