--- Log opened Mon Nov 08 00:00:34 2010 |
00:12 | | Attilla [Some.Dude@Nightstar-cc5a875c.three.co.uk] has quit [[NS] Quit: ] |
00:26 | | gnolam [lenin@Nightstar-38637aa0.priv.bahnhof.se] has quit [[NS] Quit: Z?] |
00:26 | | You're now known as TheWatcher[T-2] |
00:29 | | You're now known as TheWatcher[zZzZ] |
00:47 | | Finerty is now known as Vornicus |
00:50 | | Tarinaky [Tarinaky@Nightstar-f349ca6d.plus.com] has quit [Client closed the connection] |
02:40 | < celticminstrel> | What precedence does 'd' normally have in a dice roller? |
02:40 | < McMartin> | Entirely nontransitive |
02:41 | < celticminstrel> | Huh? |
02:41 | < McMartin> | Hm, I misunderstood the question. |
02:41 | < McMartin> | I read it as "associativity" |
02:41 | < celticminstrel> | XD |
02:41 | < McMartin> | It tends to bind the tightest. |
02:42 | < McMartin> | 1d6+3 is never 1d9. |
02:42 | < celticminstrel> | Okay, that's what I thought. |
02:56 | | AnnoDomini [annodomini@Nightstar-5a895481.adsl.tpnet.pl] has quit [[NS] Quit: Way, way, way past my bedtime.] |
02:58 | <@Derakon> | Agreed with McM. |
02:58 | <@Derakon> | You'd do (x+2)d(y/6), not x+2dy/6 |
03:01 | <@Derakon> | "FORNICATION!" he screams, utterly enraged, "THOU'RT IN MY KILLFILE! NEXT, GODSPEED" |
03:01 | <@Derakon> | Mischan. |
03:02 | < celticminstrel> | I'm just going to treat 'd' as a literal former. |
03:16 | < celticminstrel> | Okay, regarding eval'ing a user-input string... it should be safe if I restrict them to using names in the math and random modules plus builtins cmp, min, max, bin, oct, hex, round, abs, ord, len, bool, int, chr, xrange, sum, long, all, any, divmod, and float... right? |
03:16 | <@Derakon> | Um... |
03:17 | <@Derakon> | As a general rule, if you don't trust your users you shouldn't use eval. |
03:17 | <@Derakon> | Trying to sanitize input yourself, particularly by enumerating badness, is a losing proposition. |
03:17 | < celticminstrel> | I'm not enumerating badness... |
03:17 | < celticminstrel> | I'm restricting the namespace, or something. |
03:17 | <@Derakon> | Oh, point. |
03:17 | <@Derakon> | Still. |
03:17 | < celticminstrel> | Using the eval's second argument. |
03:18 | < celticminstrel> | -the |
03:18 | < celticminstrel> | My question was if any of those functions could be dangerous (I don't see how they could be, though). |
03:19 | < celticminstrel> | I suppose if a very large number was passed it... |
03:19 | < celticminstrel> | ^ in |
03:20 | <@Vornicus> | Technically: many of those will except, some will allow DOS, and, uh... |
03:20 | < celticminstrel> | "except" means "throw exceptions"? And "DOS"...? "Denial of Service"? |
03:20 | <@Derakon> | Yeah. |
03:21 | < celticminstrel> | Okay, I'm not worried about exceptions, but which ones will allow DoS? |
03:21 | < celticminstrel> | And would it rely on very large parameters? |
03:22 | <@Derakon> | Try doing math.factorial(10**10) |
03:22 | <@Vornicus> | Anything that gets you large numbers. And it's really, really easy to get large numbers. |
03:22 | <@Derakon> | Just as an example. |
03:22 | <@Namegduf> | This is security-wise a bad idea because it's very, very hard to verify reliably that there's no tricks available. |
03:22 | < celticminstrel> | Okay, so just large numbers. I don't suppose there's a way to prevent it from automatically upgrading to long? |
03:22 | <@Derakon> | Yeah, generally speaking, avoid eval when the input comes from an untrusted source. |
03:23 | <@Derakon> | What are you trying to do here? |
03:23 | <@Derakon> | Write a dicebot? |
03:23 | < celticminstrel> | Dice. |
03:23 | <@Namegduf> | Write a proper math parser |
03:23 | < celticminstrel> | Well, partly. |
03:23 | <@Namegduf> | Don't use eval() |
03:23 | <@Derakon> | Limit 'em to the characters 1234567890+-/*d |
03:23 | < celticminstrel> | Yeah, but that's more work. :P |
03:24 | < celticminstrel> | Limit them to what now? |
03:24 | <@Derakon> | If they try to use anything that involves a character not in that list, then refuse. |
03:24 | < celticminstrel> | Oh, right. |
03:24 | <@Derakon> | But really, don't use eval. |
03:24 | <@Derakon> | Even with that list, you can get things like 10**10**10. |
03:25 | <@Namegduf> | This is one of those times where doing the lazy way has you come back to a compromised (or at least crashed) system. |
03:26 | <@Namegduf> | Because someone thought of something you didn't. |
03:26 | <@Derakon> | Besides, this is an opportunity to write your own arithmetic parser~ |
03:26 | <@Vornicus> | (it's not all that hard) |
03:27 | < celticminstrel> | I've actually already done it. |
03:27 | < celticminstrel> | But in Java, a few years ago. |
03:28 | < celticminstrel> | I think I could force them to use a nerfed int type... |
03:28 | <@Derakon> | Don't use eval. Don't use eval. Don't use eval. Don't use eval. Don't use eval. |
03:29 | < celticminstrel> | ...but that'd be somewhat complicated when considering the functions. |
03:30 | <@Vornicus> | Not that hard. |
03:30 | < celticminstrel> | Which isn't that hard? The arithmetic parser, or the nerfed int? |
03:32 | <@Vornicus> | Both. |
03:33 | <@Vornicus> | And while we're at it a library of functions. |
03:33 | < celticminstrel> | I have a "library" of functions in the form of a dictionary. |
03:33 | < celticminstrel> | Which is passed to eval. |
05:25 | | celticminstrel [celticminst@Nightstar-f8b608eb.cable.rogers.com] has quit [[NS] Quit: And lo! The computer falls into a deep sleep, to awake again some other day!] |
05:43 | | cpux is now known as shade_of_cpux |
05:59 | | Stalker [Z@2C3C9C.B2A300.F245DE.859909] has quit [Ping timeout: 121 seconds] |
06:24 | | Derakon is now known as Derakon[AFK] |
06:52 | | Rhamphoryncus [rhamph@Nightstar-473f8685.abhsia.telus.net] has joined #code |
07:21 | | Stalker [Z@3A600C.A966FF.5BF32D.8E7ABA] has joined #code |
07:25 | | PinkFreud [WhyNot@NetworkAdministrator.Nightstar.Net] has quit [Ping timeout: 121 seconds] |
07:58 | | Kaura is now known as Kaura|zzz |
08:07 | | kwsn [kwsn@Nightstar-ca9721ae.dyn.centurytel.net] has quit [[NS] Quit: BEEP BEEP IMMA JEEP] |
08:27 | | Stalker [Z@3A600C.A966FF.5BF32D.8E7ABA] has quit [Ping timeout: 121 seconds] |
09:11 | | You're now known as TheWatcher |
10:15 | | Thaqui [Thaqui@27B34E.D54D49.F53FA1.6A113C] has quit [Client closed the connection] |
10:30 | | Vornicus is now known as Vornicus-Latens |
10:46 | | Anno[Laptop] [annodomini@F67919.F326B3.98D923.BDA7B6] has joined #code |
10:46 | | Anno[Laptop] [annodomini@F67919.F326B3.98D923.BDA7B6] has quit [[NS] Quit: leaving] |
11:30 | | Tarinaky [Tarinaky@Nightstar-f349ca6d.plus.com] has joined #code |
13:11 | | gnolam [lenin@Nightstar-38637aa0.priv.bahnhof.se] has joined #code |
13:50 | | Anno[Laptop] [annodomini@Nightstar-16f60a07.adsl.tpnet.pl] has joined #code |
14:14 | | PinkFreud [WhyNot@NetworkAdministrator.Nightstar.Net] has joined #code |
14:26 | | TarinakyKai [Tarinaky@Nightstar-f349ca6d.plus.com] has joined #code |
14:29 | | Tarinaky [Tarinaky@Nightstar-f349ca6d.plus.com] has quit [Operation timed out] |
15:52 | | Rhamphoryncus [rhamph@Nightstar-473f8685.abhsia.telus.net] has quit [Client exited] |
17:22 | | Stalker [Z@26ECB6.A4B64C.298B52.D80DA0] has joined #code |
17:46 | | Attilla [Some.Dude@Nightstar-cc5a875c.three.co.uk] has joined #code |
17:46 | | mode/#code [+o Attilla] by Reiver |
18:15 | | celticminstrel [celticminstre@Nightstar-f8b608eb.cable.rogers.com] has joined #code |
18:49 | | Attilla [Some.Dude@Nightstar-cc5a875c.three.co.uk] has quit [Client closed the connection] |
21:10 | | McMartin [mcmartin@Nightstar-f8dd28a0.pltn13.sbcglobal.net] has quit [Ping timeout: 121 seconds] |
21:23 | | Stalker [Z@26ECB6.A4B64C.298B52.D80DA0] has quit [Ping timeout: 121 seconds] |
21:24 | | McMartin [mcmartin@Nightstar-fc63ab0e.pltn13.sbcglobal.net] has joined #code |
21:24 | | mode/#code [+o McMartin] by Reiver |
21:47 | | Stalker [Z@3A600C.A966FF.5BF32D.8E7ABA] has joined #code |
22:50 | | kwsn [kwsn@Nightstar-ca9721ae.dyn.centurytel.net] has joined #code |
22:56 | | TarinakyKai [Tarinaky@Nightstar-f349ca6d.plus.com] has quit [Client closed the connection] |
23:06 | < gnolam> | Note to self: vertex indices work much better as unsigned ints than floats. |
23:08 | < celticminstrel> | Indices of anything should not be floats. |
23:08 | < celticminstrel> | Generally speaking. |
23:20 | | Attilla [Some.Dude@Nightstar-cc5a875c.three.co.uk] has joined #code |
23:20 | | mode/#code [+o Attilla] by Reiver |
23:21 | | Attilla [Some.Dude@Nightstar-cc5a875c.three.co.uk] has quit [[NS] Quit: ] |
23:21 | | Attilla [Some.Dude@Nightstar-cc5a875c.three.co.uk] has joined #code |
23:21 | | mode/#code [+o Attilla] by Reiver |
23:47 | < celticminstrel> | Okay, so a basic arithmetic parser isn't that hard, but I also want to allow for function calls and the . operator... will that complicate it too much? |
--- Log closed Tue Nov 09 00:00:35 2010 |