AOLserver Chat Logs

2004/07/16

IRC [00:51] *** frodoroo1 joined the chat.
IRC [01:09] *** frodoroot parted the chat.
IRC [01:16] *** cd34 parted the chat.
IRC [04:57] *** ]Diablo[ joined the chat.
IRC [04:57] <]Diablo[> telp me
IRC [04:57] <]Diablo[> help m,e
IRC [05:00] <]Diablo[> help
IRC [05:00] <]Diablo[> me
IRC [05:00] <]Diablo[> AOL
IRC [05:15] *** tekbasse joined the chat.
IRC [05:36] <]Diablo[> help me
IRC [05:41] *** SuSe-LiNux-9 parted the chat.
AIM [05:54] *** POLearyUK joined the chat.
IRC [05:55] *** frankie joined the chat.
IRC [05:59] *** tekbasse parted the chat.
IRC [06:02] *** talli parted the chat.
IRC [06:06] *** talli joined the chat.
AIM [06:06] <POLearyUK> hey talli- did you do a tcl soap wrapper for aolserver in the past?
IRC [06:25] *** tekbasse joined the chat.
IRC [06:30] *** tekbasse parted the chat.
AIM [06:52] *** DossyNJ joined the chat.
IRC [06:54] <Dossy> /i
IRC [06:54] <Dossy> i
IRC [06:54] *** Dossy parted the chat.
IRC [06:55] *** Dossy joined the chat.
IRC [06:55] *** frankie parted the chat.
AIM [06:55] <POLearyUK> hey dossy
AIM [06:56] <POLearyUK> is someone planning on looking at nssoap?
IRC [07:08] <Dossy> nssoap? you want to? :)
AIM [07:09] <POLearyUK> hee hee- i wrote a nasty thing around tcl soap before, but have a few people who want something stable
AIM [07:10] <POLearyUK> and tcl soap uses tcl dom- which i don't like
IRC [07:23] *** frankie joined the chat.
AIM [07:23] <DossyNJ> morning.
AIM [07:24] <POLearyUK> afternoon
IRC [07:24] <Dossy> heh.
AIM [07:25] <POLearyUK> just looking at nssoap- think it actually uses tcl soap- calls to SOAP package, and has TclSoap SOAP-domain.tcl files in cvs
IRC [07:29] <Dossy> 642 non-spam 1517 spam
AIM [07:30] <POLearyUK> but you always read your spam first :-P
IRC [07:30] <Dossy> :)
IRC [07:30] <Dossy> wish i could monetize on the spam. :)
AIM [07:31] <POLearyUK> hee hee- spam reselling could be worth something? forward on spam that's interesting
AIM [07:33] <DossyNJ> you know, putting the google ads on the wiki has another benefit: free page impression tracking :)
AIM [07:33] <DossyNJ> google supposedly registered 240 page impressions for 7/14 :)
AIM [07:33] <POLearyUK> sweet- you get any cash for impressions or is it just click throughs?
AIM [07:34] <DossyNJ> just clicks.
AIM [07:34] <DossyNJ> and don't go click-spamming and get me shut down :)
AIM [07:34] <DossyNJ> 524 page impressions for 7/15. but that also includes my blog ...
AIM [07:34] <POLearyUK> haha! sorry i'll stop
IRC [08:23] <Dossy> think our bot needs an infobot module? :)
AIM [08:24] *** DossyNJ joined the chat.
AIM [08:24] *** DossyNJ joined the chat.
AIM [08:34] <DossyNJ> testing
AIM [08:34] <DossyNJ> testing
AIM [08:34] <POLearyUK> ouch, bright yellow
IRC [08:34] <Dossy> testing
AIM [08:34] <DossyNJ> testing
IRC [08:35] <Dossy> testing
IRC [08:35] <Dossy> OK. the madness starts, soon. :)
AIM [08:36] <POLearyUK> `expr 1 + 0; puts "hello world"`
AIM [08:52] *** POLearyUK joined the chat.
IRC [08:55] <Dossy> what is aolserver/
IRC [08:56] <Dossy> what is aolserver?
IRC [08:56] <Dossy> what is aolserver?
IRC [08:57] <Dossy> what is aolserver?
IRC [08:57] <Dossy> yay.
IRC [08:57] <Dossy> ROCK ON.
IRC [08:58] <rcrit> ~aolserver
IRC [08:58] <rcrit> bah, need the ~ commands :-)
IRC [09:00] <Dossy> whats ~?
IRC [09:00] <Dossy> short form query?
IRC [09:00] <Dossy> dossy is dossy@panoptic.com
IRC [09:00] <Dossy> who is dossy?
IRC [09:00] <rcrit> yes, I've used that in other channels
IRC [09:04] <Dossy> how do folks feel about naming variables with ? at the end for booleans, ala Ruby?
IRC [09:07] <Dossy> aolserver is duh
IRC [09:08] * leff is back (gone 15:31:27)
AIM [09:13] <DossyNJ> ack where'd pat go?
AIM [09:15] <DossyNJ> morning, leff :)
AIM [09:16] <DossyNJ> argh
AIM [09:16] <DossyNJ> welcome screen crashing my client again. grrr
IRC [09:17] <leff> Hey, Dossy!
AIM [09:18] <DossyNJ> someone pooched the welcome screen today?
AIM [09:18] <DossyNJ> what is dossy?
AIM [09:18] <DossyNJ> dossy is also http://dossy.org/
AIM [09:18] <DossyNJ> what is dossy?
IRC [09:19] <frankie> Dossy: any due date for 4.0.6?
IRC [09:21] <Dossy> frankie: *eyeballs rcrit* yeah, any idea?
IRC [09:21] <frankie> Dossy: no, just to program my debian activities
IRC [09:22] <Dossy> frankie: I want to see 4.0.6 go out today.
IRC [09:22] <Dossy> whatever bugs I'm working on, can go out in 4.0.7
IRC [09:22] <rcrit> but "what is cvswinex" returns nothing.
IRC [09:22] <Dossy> latest release is 4.0.5
IRC [09:23] <rcrit> Are you going to tag 4.0.6 or shall I?
IRC [09:23] <Dossy> I will, if you've reviewed Tim's commit
IRC [09:23] <Dossy> I looked at it and it looked fine, although he only made it to the 4.0 branch - does the change need to go into HEAD as well, or will we just regress this bug when 4.1 is released? :P
IRC [09:24] <rcrit> yes, needs to go in head
IRC [09:24] <rcrit> changed looked ok to me.
IRC [09:29] <frankie> Dossy: any final decision on #640754? but for the fact I'd patch anyway our source...
IRC [09:30] <Dossy> refresh my memory - what is 640754? RPATH issue?
IRC [09:30] <frankie> Dossy: yep
IRC [09:31] <Dossy> frankie: going to leave it as-is for now, but yeah, I think I will fix it upstream for 4.0.7
IRC [09:32] <Dossy> as in, no fix for it went into 4.0.6
IRC [09:32] <frankie> ok
IRC [09:32] <Dossy> OK, 4.0.6 is tagged, and tip of aolserver_v40_bp branch is now 4.0.7a
IRC [09:32] <Dossy> rcrit- are you going to do the file release to SF?
IRC [09:33] <Dossy> latest release is 4.0.6
IRC [09:33] <Dossy> no, latest release is 4.0.6
IRC [09:34] <Dossy> no, latest release is 4.0.6
IRC [09:34] <Dossy> latest release?
IRC [09:34] <Dossy> what is the latest release?
IRC [09:35] <Dossy> what is the latest release?
IRC [09:35] <Dossy> yay.
IRC [09:35] <Dossy> where can I get aolserver?
IRC [09:35] <Dossy> aolserver ?
IRC [09:36] <Dossy> hmm. parsing those are going to be annoying.
IRC [09:36] <Dossy> what is aolserver?
IRC [09:37] <Dossy> what is aolserver?
IRC [09:37] <Dossy> what is aolserver?
IRC [09:38] <Dossy> aolserver is also http://aolserver.com/ or KW: AOLserver
IRC [09:38] <Dossy> what is aolserver?
IRC [09:38] <rcrit> Dossy, sure, I can push it to SF if you want.
IRC [09:38] <rcrit> Elizabeth has a great file on all the things we need to do to release, helps to prevent forgetting things :-)
IRC [09:38] <Dossy> rcrit - I'll do SF, if you'll do the CMbuilds and push to aolserver.office :P
IRC [09:39] <rcrit> bleh, CM. Ok, sure.
IRC [09:39] <Dossy> :P :P
IRC [09:39] <Dossy> i guess you got the short end of the stick.
IRC [09:40] <rcrit> as usual.
AIM [09:40] *** POLearyUK joined the chat.
IRC [09:41] <rcrit> what is the air speed velocity of a fully laden swallow?
IRC [09:41] <rcrit> Dossy: the bot needs work.
IRC [09:41] <Dossy> :P
AIM [09:41] <POLearyUK> african or european swallow?
IRC [09:41] <Dossy> air speed velocity of a fully laden swallow is <reply>african or european?
IRC [09:43] <Dossy> what is the air speed velocity of a fully laden swallow?
IRC [09:43] <Dossy> no, air speed velocity of a fully laden swallow is <reply>african or european??
IRC [09:44] <Dossy> what is the air speed velocity of a fully laden swallow?
IRC [09:44] <Dossy> There.
IRC [09:44] <leff> Hey Dossy?
IRC [09:44] <Dossy> it's not a BAD bot, it's just a dumb one.
IRC [09:44] <Dossy> Yes, leff?
IRC [09:44] <leff> DO WORK.
IRC [09:44] <leff> :)
IRC [09:44] <leff> If you're that bored, there's a memory leak in the dcihome module you can be fixing. :)
IRC [09:44] <Dossy> Just tagged 4.0.6.
IRC [09:45] <Dossy> true ...
IRC [09:45] <Dossy> i'm actually fixing other bugs in a vmware window on my machine.
IRC [09:45] <Dossy> vmware isn't exactly the fastest env to build in :)
AIM [09:46] <POLearyUK> <reply>neither is mac</reply>
IRC [09:46] <Dossy> that, and i'm waiting for welcome screen to be fixed so i can log into the client. grr.
IRC [09:46] <Dossy> time for a smoke, anyway :)
IRC [09:56] <rcrit> Dossy: what is 4.0.7a?
AIM [10:16] <DossyNJ> rcrit: the tip of the aolserver_v40_bp branch now -
IRC [10:16] <Dossy> this way, we can distinguish between people running the 4.0.6 tagged release vs. the tip of aolserver_v40_bp ...
IRC [10:16] <rcrit> that's what I thought, just checking.
IRC [10:16] <Dossy> and I marked it "a" so when 4.0.7 is released, again, you can distinguish.
IRC [10:17] <rcrit> CM build submitted.
IRC [10:17] <Dossy> yay
IRC [10:17] <Dossy> rcrit - can you send me those release docs you were referring to?
IRC [10:17] <rcrit> sure, I'll email em
IRC [10:18] <Dossy> thanks.
IRC [10:27] <rcrit> bah, can't do the CM build until we sync up
AIM [10:27] <DossyNJ> aha
AIM [10:27] <DossyNJ> dohh!
AIM [10:27] <DossyNJ> that's lame.
AIM [10:29] *** RSeeger00 joined the chat.
IRC [10:30] <leff> mmmm... daily CVS syncs.... yummy.
AIM [10:32] <POLearyUK> hey Dossy, now would be a great time to bring in automated ant builds ;-)
AIM [10:33] *** DossyNJ joined the chat.
IRC [10:33] <leff> Way to scare off Dossy, Patrick.
IRC [10:33] <leff> :)
AIM [10:34] <POLearyUK> hee hee
IRC [10:47] *** frankie parted the chat.
IRC [10:48] <Dossy> :)
IRC [10:49] <Dossy> what about tinderbox? :)
AIM [10:49] *** DossyNJ joined the chat.
IRC [10:52] <frodoroo1> don't forget maven
IRC [10:55] <jhavard> where's that 4.0.6 release, eh?
IRC [10:55] <jhavard> not that it matters to my cvs-happy self.
IRC [10:56] <frodoroo1> speaking of which how do you get stuff out of cvs. nsopenssl for example
IRC [10:57] <jhavard> cvs co nsopenssl
IRC [10:57] <jhavard> instead of 'aolserver'
IRC [10:57] <frodoroo1> yeah what's the login command
AIM [10:57] <POLearyUK> http://sourceforge.net/cvs/?group_id=3152
IRC [10:57] <jhavard> http://sourceforge.net/cvs/?group_id=3152
IRC [10:57] <frodoroo1> ok
AIM [10:58] *** RichardDiMartino joined the chat.
AIM [10:58] <RichardDiMartino> does it finally work..?
AIM [10:58] <DossyNJ> hehe
AIM [10:59] <POLearyUK> yep
AIM [10:59] <RichardDiMartino> you just have to im the bot "invite" ..?
AIM [10:59] <DossyNJ> yeah
AIM [10:59] <RichardDiMartino> ok .. cool..
AIM [11:00] <DossyNJ> still writing up the release notes for 4.0.6
AIM [11:00] <DossyNJ> :P
AIM [11:00] <POLearyUK> hey dossy are you going to extend the bot to allow MSN chat now as well ? :-)
AIM [11:00] <DossyNJ> pat: maybe - thought about that
AIM [11:01] <RichardDiMartino> you know.. the internet services guys are running an irc server.. i wonder if there is an internal aol irc net..
AIM [11:01] <DossyNJ> of course there must be.
AIM [11:02] <DossyNJ> irc.aol.com got delinked off efnet i thought
AIM [11:02] <RichardDiMartino> thats what i thought..
AIM [11:02] <RichardDiMartino> but i dont know if they use the public net.. or if they have an internal set of machines..
AIM [11:02] <DossyNJ> yeah, they wouldn't give O lines to anyone who cared
AIM [11:03] <DossyNJ> and the people who did get O lines pretty much ignored irc
AIM [11:03] <DossyNJ> irc.office.aol.com? :)
AIM [11:03] <DossyNJ> just guessing :)
AIM [11:03] <RichardDiMartino> leff says they run it on a green network host..
IRC [11:03] <leff> yes, I say that.
AIM [11:03] <DossyNJ> haha
AIM [11:03] <DossyNJ> rich, this chat is connected to irc
AIM [11:03] <DossyNJ> IM the bot "who" to see who's on the other side
IRC [11:04] * Dossy waves
AIM [11:04] <RichardDiMartino> haha..
IRC [11:11] *** rcrit parted the chat.
IRC [11:27] <Dossy> ah crap. sourceforge shell farm can't access the sourceforge CVS farm! laaame.
IRC [11:31] <Dossy> where'd frankie go? argh
IRC [11:41] * jhavard installs oacs for the first time
IRC [11:41] <jhavard> scary stuff.
IRC [11:41] <Dossy> good luck :)
IRC [11:47] <jhavard> and naturally, it doesn't work.
IRC [11:47] <jhavard> After I complete the install, it won't let me log in.
IRC [11:47] <jhavard> wtf.
IRC [11:49] <jhavard> there we go, just a little manual change in the database.
IRC [11:52] <jhavard> apparently I didn't read.
IRC [12:09] *** jader joined the chat.
IRC [12:15] <Dossy> OK, release announcement mail has just gone out.
IRC [12:19] *** cd34 joined the chat.
IRC [12:22] <AndyPiskorski> Dossy, you tagged 4.0.6? Does SourceForge do some kind of CVS repository lag or something? Because I don't see any tag for 4.0.6 via anonymous CVS.
AIM [12:23] <DossyNJ> yes
AIM [12:23] <DossyNJ> sadly
AIM [12:23] <DossyNJ> anonymous cvs lags behind project cvs
AIM [12:23] <DossyNJ> this way anonymous users don't impact project developers trying to check in/out code
AIM [12:23] <DossyNJ> tarball is out there too, but SF mirrors are slow to pick it up :(
IRC [12:24] <AndyPiskorski> Oh, ok. I can wait till tomorrow. :)
AIM [12:24] <DossyNJ> it's only supposed to lag by an hour or two
IRC [12:48] <jader> Are you guys aware of this security vulnerability in Aolserver:
IRC [12:48] <jader> http://openacs.org/bugtracker/openacs/bug?bug_number=2011
IRC [12:49] <jader> It seems like it would be a really easy fix.
IRC [12:49] <Dossy> um -- how is that a vulnerability?
IRC [12:49] <cd34> it allows IE to be directed to wacky invalid urls... so, think of it as a patch for IE in aolserver
IRC [12:50] <Dossy> if you allow folks to run code on your server, you're wide-open
IRC [12:50] <Dossy> if someone can write a ns_returnredirect on you, they can just [exec rm -rf /] on you, too.
IRC [12:51] <jader> Well, perhaps you can call this an application error.
IRC [12:52] <jader> But lots of applications (OpenACS for one) have URLs that have a return_url in the URL. These go to ad_returnredirect, which call ns_returnredirect, and then they can do quite a bit with your site.
IRC [12:53] <jader> We can patch it on OpenACS, but isn't this a pretty common thing to do with websites?
IRC [12:53] *** daveb joined the chat.
IRC [12:54] <cd34> I wonder if php patched it
IRC [12:54] <cd34> or perl...
AIM [12:54] <DossyNJ> oh
IRC [12:55] <jader> It seems to me an easy fix, one that takes little resources, and one that provides an added level of security. But I'm not an Aolserver hacker.
IRC [12:55] <cd34> no, you can do the same in php or perl
IRC [12:55] <jader> And I might misunderstand the issues involved.
AIM [12:55] <DossyNJ> yeah, if you allow unchecked data to be passed in from the url and sent directly to an HTTP response header ... yeah, that's kinda dangerous.
IRC [12:56] <cd34> jader: how about in tcl if someone writes ns_puts "Location: http://url.com\nhttp://phishingurl.com\n\n"
IRC [12:56] <Dossy> that really won't do it
IRC [12:56] <cd34> well, needs to be a \0 in ther
IRC [12:56] <cd34> there
IRC [12:56] <Dossy> the point here is that (for HTTP keepalive sessions, I think) ...
IRC [12:57] <cd34> right, but its the same issue
IRC [12:57] <Dossy> if you do a "Location: url\nContent-Length: 0\n\n200 OK\n\nSome malicious page body here!"
IRC [12:57] <daveb> aha! hey that is a good explanation.
IRC [12:57] <Dossy> so, using the Location: header, you inject an "empty" HTTP response, followed by a SECOND HTTP response.
IRC [12:57] <cd34> right
IRC [12:57] <Dossy> if the client or caching proxy is doing keep-alive and is sending multiple requests in, one of the "responses" it gets back will be the attacker-controlled response.
IRC [12:58] <Dossy> that's how this "vulnerability" works. it's, yet again, another deficiency in HTTP keep-alive not using a sequence number.
IRC [12:58] <Dossy> HTTP is a broken protocol. Period.
IRC [12:58] <daveb> yeah it really seems like its more of a problem in HTTP, but easy to fix on the server end.
AIM [12:59] <POLearyUK> but the location has to be written by someone with access to the host? as in untrusted users?
AIM [12:59] <DossyNJ> and a non-issue if you don't support keep-alives
IRC [12:59] <Dossy> redir.adp comes to mind :)
IRC [13:00] <Dossy> rule #1: properly sanitize user-supplied input!
IRC [13:00] <Dossy> rule #2: see rule #1.
IRC [13:00] <daveb> yep.
IRC [13:00] <Dossy> brb, smoke.
IRC [13:00] <daveb> addendum to rule #1 URL variables ARE user-supplied input
IRC [13:02] <Dossy> daveb: right.
IRC [13:03] <daveb> wow you are fast!
IRC [13:03] <Dossy> who
IRC [13:03] <Dossy> oh, i didn't smoke yet :P
IRC [13:03] <jader> POLearyUK: yes untrusted users can write out the forged request.
IRC [13:03] <Dossy> jader, send something to the aolserver list about it - or, I can ...
IRC [13:04] <daveb> good idea.
IRC [13:04] <jader> okay. I will.
AIM [13:04] <POLearyUK> man technology would be so much easier without users
IRC [13:04] <Dossy> but I think the right answer is to not limit what you can legitimately do with ns_returnredirect or ns_set [ns_conn outputheaders] etc.
IRC [13:04] <daveb> Good point.
IRC [13:04] <daveb> but at least remind people to check if they accept a "return_url" in a url.
IRC [13:05] <Dossy> or ns_queryget by default should strip \r \n ...
IRC [13:05] <Dossy> but then, what about form submissions from textareas with real embedded \r\n
IRC [13:06] <daveb> yeah
IRC [13:06] <daveb> they are valid, just not a a redirect target.
IRC [13:06] <daveb> generally.
IRC [13:06] <daveb> unless your application is doing something I could not imagine.
IRC [13:09] *** rcrit joined the chat.
IRC [13:09] <rcrit> Dossy: I'll do the CM builds on Monday, just FYI.
IRC [13:16] <Dossy> rcrit: OK. I'll put that into my status report, then.
IRC [13:23] * rcrit is gone
IRC [13:23] <Dossy> freshmeat is http://freshmeat.net/projects/aolserver/
IRC [13:23] <Dossy> OH
IRC [13:24] <Dossy> gah, IRC /me's trigger the infobot.
IRC [13:24] <Dossy> gotta fix that.
IRC [13:24] * Dossy is gone
IRC [13:28] * Dossy is gone
IRC [13:29] <Dossy> forget ACTION
IRC [13:36] <Dossy> hey everyone - go to the AOLserver project at freshmeat and vote! it's only got 2 votes now: http://freshmeat.net/projects/aolserver/
IRC [13:39] <frodoroo1> hmm still says only two votes
IRC [13:39] <jader> The rating is meaningless, because it doesn't say if 10 is good or bad :)
IRC [13:44] <Dossy> jader: true ...
IRC [13:44] <Dossy> but generally, higher is better :)
AIM [13:46] <RSeeger00> Grr...hate this stupid laptop keyboard
IRC [13:48] <Dossy> don't hate. it's not good for your soul.
AIM [13:55] <POLearyUK> Invalid project ID. when i try to vote :(
IRC [13:55] <Dossy> lame. freshmeat broken?
IRC [13:55] <Dossy> grr.
AIM [13:56] <POLearyUK> finally got it, had to search for aolserver and go from the results page to vote
IRC [13:56] <Dossy> weird.
IRC [13:56] <Dossy> same URL, isn't it?
AIM [13:56] <POLearyUK> yep
IRC [13:56] <Dossy> yay, 3 votes.
AIM [13:56] <POLearyUK> think their session stuff is nackerd
AIM [13:58] <RSeeger00> Looking at the security issue posted to the mailing list... is there ever a valid reason to have a \n or \r in a header?
IRC [13:59] * rcrit is back
AIM [14:00] <POLearyUK> yeah vanilla versions of IE on win me don't encode URLs so could have a get request with returns
AIM [14:00] <POLearyUK> correction, don't encode urls completely
IRC [14:00] <Dossy> rob: you mean as the value part of the header?
AIM [14:01] <RSeeger00> The http spec doesn't indicate that oel = end-of-header ?
AIM [14:01] <RSeeger00> Aye, I mean in the value of a header
AIM [14:01] <RSeeger00> err oel=eol
IRC [14:02] <Dossy> yes
AIM [14:03] <POLearyUK> *leary guy leaves, making up his own funky exit sign o_0
IRC [14:03] <Dossy> HAHA
IRC [14:03] <Dossy> what's that? a potato??/
AIM [14:03] <POLearyUK> OI
AIM [14:03] <DossyNJ> :P
AIM [14:03] <POLearyUK> i'll give you potatoes the next time i see you! :-P
IRC [14:04] <Dossy> haha
IRC [14:04] <Dossy> an' hit me wit' yar big shillelagh stick?
AIM [14:05] <POLearyUK> haha
AIM [14:05] <POLearyUK> nah i've got a baseball bat instead :-)
IRC [14:05] <Dossy> :)
AIM [14:06] <POLearyUK> self promotion for those who don't know what Dossy's on about =>http://www.pjaol.com/modules.php?op=modload&name=PostWrap&file=index&page=ill_movie
AIM [14:07] <POLearyUK> on that note g-nite :-)
AIM [14:07] *** POLearyUK joined the chat.
AIM [14:07] <RSeeger00> You can't have a newline in an http header without some whitespace on the start of the next line. Wouldn't having the http handler for the server, when adding headers, make sure that any header with a newline in it has a space after it fix the security issue?
IRC [14:08] <rcrit> or just do "c=strchr(header, "\n"); *c='\0';
AIM [14:08] <RSeeger00> That implies you don't want to ever allow headers to span multiple lines... the spec says they can
IRC [14:09] <rcrit> since when does AOLserver strictly comply with the spec?
AIM [14:09] <RSeeger00> But it says lines 2+ must start with whitespace
AIM [14:09] <DossyNJ> self-promotion?
AIM [14:09] <DossyNJ> heh
AIM [14:09] <RSeeger00> Well, when there's no reason not to comply with the spec...
IRC [14:09] <rcrit> well, that's true, no point in making matters worse.
AIM [14:09] <DossyNJ> rcrit: haha
IRC [14:09] *** cnk joined the chat.
IRC [14:10] <Dossy> true.
IRC [14:10] <rcrit> it's just so much easier to be rude.
IRC [14:10] <Dossy> hi cnk!
AIM [14:10] <RSeeger00> hehe
IRC [14:10] <rcrit> and lop off anything that might be evil.
IRC [14:10] <Dossy> rcrit: but that FIRST time when you want to actually send a header with an embedded newline, you'll be cursing.
IRC [14:10] <cnk> hi dossy
IRC [14:10] <rcrit> that would have to be one pretty darned long header
IRC [14:10] <Dossy> ooh, there's an official "Upgrade:" response header.
AIM [14:11] <RSeeger00> Upgrade: Your browser sucks, get a new one?
IRC [14:11] <rcrit> something new for IE users :-)
AIM [14:11] <RSeeger00> True, that should be "Upgrade: Your browser sucks, use Netscape"
IRC [14:13] <Dossy> OK, it does look as though the RFC for HTTP/1.1 doesn't allow header-continuation.
IRC [14:13] <Dossy> So, newlines ARE illegal.
AIM [14:14] <RSeeger00> rfc2616-sec4: Header fields can be extended over multiple lines by preceding each extra line with at least one SP or HT
IRC [14:14] <Dossy> oh no
IRC [14:14] <Dossy> i'm wrong!
IRC [14:14] <Dossy> HTTP/1.1 header field values can be folded onto multiple lines if the continuation line begins with a space or horizontal tab. All linear white space, including folding, has the same semantics as SP. A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream.
IRC [14:15] <Dossy> So, if we see an \n not followed by \s or \t, it's bogus.
AIM [14:15] <RSeeger00> That sounds accurate
IRC [14:16] <Dossy> Do we even support requests with continuation-line headers?
IRC [14:16] <daveb> wait that is not it!
IRC [14:16] <daveb> :)
IRC [14:16] <daveb> oh wait yes it is
IRC [14:16] <daveb> nm
IRC [14:16] * daveb shuts up
IRC [14:16] <Dossy> It appears we don't. Just tested against 4.0.6
AIM [14:16] <RSeeger00> If you can specify a header with a \n, then its obviously possible to create a multiline header... Now, whether its "supported" or not;)
IRC [14:17] <Dossy> So: two bugs to open.
IRC [14:17] <Dossy> First: programmatically generated response headers must comply with spec.
IRC [14:18] <Dossy> Second: continuation-line headers not supported on requests
IRC [14:18] <Dossy> Agreed?
AIM [14:18] <RSeeger00> Its a bug that they're not supported? Or you want them to not be supported
IRC [14:19] <Dossy> no, it's a bug that they're not supported.
AIM [14:19] <RSeeger00> And, the "must comply with spec" one should probably indicate a preferred approach when a header has a newline w/o whitespace... should it error, insert a space, or cut off the rest of the line
AIM [14:19] <RSeeger00> Then I agree
IRC [14:20] <Dossy> Good question: what's the desired behavior? Truncate after and including the newline?
AIM [14:20] <RSeeger00> I tend to think truncate + log a warning
IRC [14:20] <Dossy> Fixing up the response by adding a space may open the door for other vulnerability type things (and, DoS attacks)
AIM [14:21] <RSeeger00> I agree, and it could wind up being the source of "hard to find" bugs... truncating would be easier to notice
IRC [14:21] <Dossy> Anyone else want to weigh in?
IRC [14:22] <cd34> I think apache truncates at a certain length and logs
IRC [14:23] <cd34> however, the intention is to make the person think they went to the site that is listed before the \0\n right? so, what if it just truncates the url at the first \0 or \n and sends them to the right place anyhow?
IRC [14:25] <Dossy> no \0 is necessary.
IRC [14:25] <Dossy> no, the attack is to send back a complete HTTP response that the attacker controls, but the client believes came from the server they are requesting from.
AIM [14:26] <RSeeger00> Well, it does come back from the server they are requesting from... it just so happens the server doesn't know it ;)
IRC [14:30] <Dossy> yeah.
IRC [14:30] <Dossy> So, are we all agreed on truncation?
IRC [14:30] <Dossy> I'm in the middle of crafting up an email to the list now -- hopefully it might elicit some responses there, if people feel strongly against the truncation.
IRC [14:30] <Dossy> and should the logging seem benign, or raise flags
IRC [14:31] <Dossy> should it be logged at Warning or Notice level?
IRC [14:31] <Dossy> brb, smoke.
IRC [14:32] <daveb> so the request should complete, just chop off the bogus header bit.
IRC [14:32] <daveb> ?
AIM [14:34] <RSeeger00> I'm inclined to say it should log a warning, since what its handling should not be happening in the first place... so someone is doing something wrong
IRC [14:34] <cd34> my feeling is that it should truncate and log... as for Notice versus Warning, I think Warning is more appropriate since it is possibly breaking some behavior
IRC [14:35] <cd34> yeah, what Rseeger00 said haha
IRC [14:37] *** cd34 parted the chat.
IRC [14:37] *** cd34 joined the chat.
AIM [14:37] <RSeeger00> hehe
IRC [15:01] <Dossy> OK, cool.
IRC [15:01] <Dossy> So, everyone happy with the solution ...
IRC [15:05] *** tekbasse joined the chat.
AIM [15:06] <RSeeger00> Works for me
AIM [15:12] *** DossyNJ joined the chat.
AIM [15:12] *** DossyNJ joined the chat.
IRC [15:13] <cnk> Is there a good high level document of what changed from AOLServer 3 to 4?
IRC [15:14] <Dossy> Not sure - there really needs to be ...
AIM [15:14] *** DossyNJ joined the chat.
AIM [15:14] *** DossyNJ joined the chat.
IRC [15:14] <Dossy> I think Mark and Elizabeth put one together a while back. I'll look for it ...
IRC [15:15] <Dossy> here's the module porting guide: http://aolserver.sourceforge.net/docs/devel/c/as4_moduleportingguide.html
IRC [15:15] <Dossy> module porting guide is http://aolserver.sourceforge.net/docs/devel/c/as4_moduleportingguide.html
IRC [15:15] <cnk> Yes I saw that - some of that is a little more detailed than I was looking for.
IRC [15:16] <daveb> #1) you had to specify -b on the command line to run on port 80
IRC [15:16] <daveb> #2) you need to load nsdb as a module
IRC [15:17] <cnk> I am about to reinstall OS and wondering if I should try out AOLServer 4. Wondered if there were changes that would matter.
IRC [15:17] <cnk> there were MAJOR changes between 2 and 3 so ....
IRC [15:17] <daveb> #3) virtual hosting is totally different
IRC [15:17] <daveb> forgot that one.
IRC [15:18] <daveb> if you use nsvhr then you need to do something different, its not supported on aolserver 4
IRC [15:19] <cnk> Thanks. I am not doing any virtual hosting so that is OK.
IRC [15:20] <cnk> Does the Oracle driver compile and work OK ?
AIM [15:21] *** DossyNJ joined the chat.
IRC [15:22] *** daveb parted the chat.
IRC [15:28] <Dossy> cnk: apparently there are people using oracle + aolserver 4.
IRC [15:29] <cnk> Dossy: grand. I was wondering if any of the OACS crowd still dabbled in Oracle
IRC [15:30] <cnk> well when I get the OS installed, I'll have to compile AOLServer 4 and see if it runs my old code with minimal changes
IRC [15:30] <cnk> thanks
IRC [15:30] <Dossy> :)
IRC [15:30] <Dossy> if you need help getting anything working, just come back here.
IRC [15:30] <Dossy> or, feel free to idle and hang out :)
IRC [15:32] *** cd34 parted the chat.
IRC [15:32] <cnk> Hanging out sounds good. **back to lurking**
IRC [15:37] <Dossy> :)
IRC [15:37] <Dossy> ugh.
IRC [15:37] <Dossy> AUGHGHH
IRC [15:38] <Dossy> stephen deasey points out the crash bug to the list .. urgh
IRC [15:38] <Dossy> well, lets tag a 4.0.7? :)
IRC [15:42] <rcrit> have you reproduced it yet?
IRC [15:42] <Dossy> yeah.
IRC [15:42] <Dossy> hey, i'll just re-tag 4.0.6 and re-release the .tar.gz :)
IRC [15:42] <Dossy> it'll "officially" be in 4.0.7 :)
IRC [15:51] <Dossy> ok, fix to the crash bug is committed.
IRC [15:51] <Dossy> i'm going to not fiddle with 4.0.6
IRC [15:53] <frodoroo1> does that also kill 4.0.5?
IRC [15:54] <Dossy> no
IRC [15:54] <Dossy> it's all my fault. sorry.
IRC [15:55] <frodoroo1> really?
AIM [15:58] *** murtycvs joined the chat.
IRC [15:58] <leff> Hi, murty :)
AIM [15:58] <murtycvs> :)
AIM [15:59] <murtycvs> so I know 3 people here
IRC [15:59] <frodoroo1> hi murtycvs
AIM [15:59] <murtycvs> Hey
IRC [16:00] <Dossy> hey murty :)
AIM [16:01] <murtycvs> Hi, Heard about this chat today and leff showed me how to join
IRC [16:04] <leff> murty is in our AOL operations group. :)
AIM [16:06] *** LeffAdamB joined the chat.
IRC [16:07] <Dossy> cool, murty - welcome aboard
IRC [16:08] <jcollins> this place is just filling up
IRC [16:08] <Dossy> jcollins: yup!
IRC [16:08] <Dossy> murty, come to laugh at me for f@#%'ing up the 4.0.6 release, too? :)
IRC [16:08] <jcollins> i like that
IRC [16:08] <Dossy> jcollins: me too. it's a very good sign.
IRC [16:09] <Dossy> we've got nearly ~20 people on, now.
IRC [16:09] <frodoroo1> wow this place used to be pretty dead
IRC [16:10] <Dossy> BRB, smoke.
IRC [16:13] *** thecodemill|aol joined the chat.
IRC [16:13] * thecodemill|aol is logging
IRC [16:14] * bartt wonders why this bot keeps losing its connection
AIM [16:14] *** LeffAdamB joined the chat.
AIM [16:15] <murtycvs> dossy: no , just want to learn more
IRC [16:16] * rcrit is gone
IRC [16:25] <Dossy> leff - I think the next thing I'm going to do is find any kind of HTTP compliance test out there, and run it against AOLserver
IRC [16:26] <Dossy> if it works, it'll serve at least as a ghetto regression test :)
IRC [16:26] <leff> Dossy: that's great.
IRC [16:26] <Dossy> then, start working up automated cases for the edges that's not covered.
IRC [16:28] <Dossy> HTTP Compliance and W3C QA: http://www.w3.org/2001/01/qa-ws/pp/alex-rousskov-measfact
IRC [16:29] <Dossy> no dates on that page, though :(
IRC [16:29] *** tekbasse parted the chat.
IRC [16:30] <cnk> a compliance test would be great! hope you can find one already out there
IRC [16:31] *** tekbasse joined the chat.
IRC [16:38] <Dossy> Apache HTTP Test Project: http://httpd.apache.org/test/
IRC [16:38] <Dossy> there's also the SPECweb99 benchmark.
IRC [16:39] <Dossy> it might be nice to do some SPECweb99 benchmarking anyhow.
IRC [16:41] <leff> aahh, good ol' specweb.
IRC [16:41] <Dossy> presumably, it'll do some basic load testing and a minimal regression test :)
IRC [16:47] <Dossy> ooh
IRC [16:53] <Dossy> ok, TMF has this "Co-Advisor" product that does HTTP compliance testing ...
IRC [16:53] <Dossy> single-shot online test is $3! haha
IRC [16:54] <Dossy> one single test with full logs is $375.
IRC [16:54] <Dossy> 12 months of tests with logs is $5,750. time to ask AOL to come up with some money.
IRC [16:54] <Dossy> source code for $18,450. yikes.
IRC [16:54] <Dossy> heh
IRC [16:54] <Dossy> time for a smoke.
IRC [16:55] <Dossy> Co-Advisor by The Measurement Factory: http://coad.measurement-factory.com/
IRC [17:06] <frodoroo1> ok I have to ask-- hey Dossy, what are you smoking?
IRC [17:10] *** tekbasse parted the chat.
IRC [17:16] <jhavard> bah. I'm in need of a snack, yet I'm all out of snackstuffs.
IRC [17:32] <leff> have a good weekend, all.
IRC [17:32] * leff -> home
IRC [17:32] * leff is away: home
AIM [17:36] *** RichardDiMartino joined the chat.
AIM [17:49] *** murtycvs joined the chat.
IRC [19:14] <Dossy> hmm.
IRC [19:16] <bartt> ?
IRC [19:16] <Dossy> playing with Co-Advisor online
IRC [19:16] <Dossy> won't connect to my server. hmm.
IRC [19:20] <bartt> Co-Advisor?
IRC [19:20] <Dossy> Co-Advisor: http://www.measurement-factory.com/products.html
IRC [19:20] <Dossy> http://coad.measurement-factory.com/
IRC [19:21] <Dossy> Sadly, it looks like a cache/proxy testing suite.
IRC [19:24] <Dossy> I think I'm just going to code my own tests for AOLserver. Fiddlesticks.
IRC [19:31] *** rcrit parted the chat.
IRC [19:55] *** dimartin joined the chat.
IRC [20:00] *** jader parted the chat.
IRC [20:04] *** dimartin parted the chat.
IRC [20:05] <Dossy> hey rich :)
IRC [20:05] <Dossy> oops
IRC [20:06] <Dossy> ouch: Requests per second: 4.60 [#/sec] (mean)
IRC [20:06] <Dossy> that's for the wiki with 25 concurrent requests out of apachebench.
IRC [20:06] <Dossy> for plain ADP, this same machine can serve at least 300 req/sec.
IRC [20:06] <Dossy> CGI. Big pig.
IRC [20:12] <martinh> which wiki is that?
IRC [20:16] <Dossy> aolserver wiki.
IRC [20:16] <Dossy> it's adequately fast now considering how low-traffic it is, but i might just re-implement it as an ADP
IRC [20:16] <Dossy> i could easily rip most of it since it is implemented in Tcl
IRC [20:17] <martinh> yea. what wiki software?
IRC [20:18] <Dossy> wikit.
IRC [20:18] <Dossy> WiKit: http://equi4.com/wikit.html
IRC [20:18] <Dossy> WiKit is http://equi4.com/wikit.html
IRC [20:19] <martinh> ah. . .
IRC [20:21] <Dossy> wikit?
IRC [20:21] <Dossy> hmm.
IRC [20:24] <Dossy> wikit?
IRC [20:24] <martinh> it looks like it should be relatively easy to run under aolserver.
IRC [20:24] <Dossy> wikit?
IRC [20:24] <Dossy> yes, it should be.
IRC [20:25] <Dossy> it's especially easy in CGI mode. sourcing the code in and running it directly in AOLserver ... may be easy, but probably involve some work
IRC [20:29] <martinh> will cgi mode allow it to only be sourced & byte compiled once?
IRC [20:35] *** cnk parted the chat.
IRC [20:38] *** tekbasse joined the chat.
IRC [21:10] *** Crusader01A joined the chat.
IRC [21:16] *** Crusader01A parted the chat.
IRC [21:17] *** Crusader01A joined the chat.
IRC [21:19] *** Crusader01A parted the chat.
IRC [21:24] *** Crusader01A joined the chat.
IRC [21:25] *** Crusader01A parted the chat.
IRC [21:27] *** tekbasse parted the chat.
IRC [22:06] *** cd34 joined the chat.
IRC [23:46] *** tekbasse joined the chat.
IRC [23:53] *** cd34 parted the chat.