Wednesday, 2009-07-01

../irclogs/#mantishelp.2009-07-01.log
00:00 --- scribe started ---
01:49 <CIA-16> Mantisbt: vboctor * ree1ac756fbb9 /config_defaults_inc.php: Fixes #5012: Comments relating to .
02:01 <dhx_m> hi
02:23 <CIA-16> Mantisbt: hickseydr * rc2ef5a6cdee3 / (api/soap/mc_issue_api.php bug_update.php): Fix #10647: check permissions before updating target_version
02:31 <CIA-16> Mantisbt: hickseydr * r0cfb73e926a5 /core/bug_api.php: Don't require access check for fixed_in_version
02:51 <CIA-16> Mantisbt: hickseydr * r881305a76f46 / (bug_change_status_page.php bug_report_advanced_page.php): Remove offtopic uses of handle_bug_threshold
02:54 <CIA-16> Mantisbt: hickseydr master-1.2.x * rad56aaa803d1 / (api/soap/mc_issue_api.php bug_update.php): Fix #10647: check permissions before updating target_version
02:54 <CIA-16> Mantisbt: hickseydr master-1.2.x * r87a5dc26d91d /core/bug_api.php: Don't require access check for fixed_in_version
02:54 <CIA-16> Mantisbt: hickseydr master-1.2.x * r75b4f76a8919 / (bug_change_status_page.php bug_report_advanced_page.php): Remove offtopic uses of handle_bug_threshold
02:58 <CIA-16> Mantisbt: hickseydr master-1.2.x * r941a82ccd8df / (3 files): Fix #10623: typo in $g_reminder_recipents_monitor_bug
02:59 <CIA-16> Mantisbt: hickseydr * racbfce3bd3aa / (3 files): Fix #10623: typo in $g_reminder_recipents_monitor_bug
03:12 <CIA-16> Mantisbt: hickseydr * rc564f4e97394 /manage_config_columns_set.php: Fix #10632: cannot update columns global defaults
03:12 <CIA-16> Mantisbt: hickseydr master-1.2.x * raf99051860ac /manage_config_columns_set.php: Fix #10632: cannot update columns global defaults
06:11 <[KK]Kirill> paul_: hi
06:11 <brianstv> Hi
06:11 <[KK]Kirill> brianstv: lo
06:12 <[KK]Kirill> paul_: check git.mantisforge.org
06:12 <[KK]Kirill> not sync with git.mantisbt.org
06:43 * siebrand mumbles something about the fracking repo.
07:25 <[KK]Kirill> giallu: hi
07:26 <[KK]Kirill> giallu: what's the repo address for mantisbt.git on git.mantisbt.org?
07:27 <giallu> do you mean to clone the repo?
07:29 <[KK]Kirill> yes
07:29 <[KK]Kirill> in git.mantisforge.org show how I can clone
07:29 <[KK]Kirill> in mantisbt.org - not
07:30 <giallu> we need to add the same info there...
07:32 <giallu> nuclear_eclipse, can you add those info?
07:33 <[KK]Kirill> giallu: For me I use PhpGit and they show this info
07:40 <dhx_m> hi
07:41 <giallu> dhx_m, hi
07:42 <dhx_m> [KK]Kirill: can you please try reproducing 10663 with $g_show_detailed_errors = ON
07:42 <dhx_m> giallu: hi
07:45 <[KK]Kirill> dhx_m: lo
07:50 <[KK]Kirill> dhx_m: I think no.
07:51 <[KK]Kirill> dhx_m: sorry. can
07:51 <[KK]Kirill> one sec
07:52 <[KK]Kirill> dhx_m, giallu what link to clone repo?
07:52 <dhx_m> [KK]Kirill: thanks
07:54 <[KK]Kirill> dhx_m: I get
07:55 <[KK]Kirill> one sec
07:56 <giallu> [KK]Kirill, can't remember, chances are it's documented in the wiki
07:56 <[KK]Kirill> https://sp.vester.ru/pastebin/pastebin.php?show=30
07:56 <[KK]Kirill> giallu: ok
07:58 <dhx_m> [KK]Kirill: thanks
08:00 <dhx_m> [KK]Kirill: http://docs.mantisbt.org/master/en/developers/dev.contrib.clone.html
08:00 <dhx_m> add an extra argument to the end of those commands to specify the name of the directory to which the repository will be stored locally
08:01 <[KK]Kirill> dhx_m: thanks
08:08 <CIA-16> Mantisbt: hickseydr * r20b339b6c6c1 /core/obsolete.php: Update obsolete.php after rename of $g_reminder_recipents_monitor_bug rename
08:13 <[KK]Kirill> John git clone git://mantisbt.org/mantisbt.git ./
08:13 <[KK]Kirill> mantisbt.org[0: 209.20.94.10]: errno=Invalid argument
08:13 <[KK]Kirill> fatal: unable to connect a socket (Invalid argument)
08:14 <[KK]Kirill> nuclear_eclipse: it's from http://docs.mantisbt.org/master/en/developers/dev.contrib.clone.html
08:15 <konnertz_> hi all. I setup ldap auth yesterday. That's fine but of course the former user accounts are not available now. Specially i need the admin account. How is this done?
08:16 <[KK]Kirill> You must set for one account admin rights :)
08:16 <dhx_m> [KK]Kirill: lose the trailing slash?
08:16 <konnertz_> are the ldap accounts mapped to user table, so the permission nums are available?
08:16 <dhx_m> [KK]Kirill: also any idea how I can reproduce that error?
08:17 <[KK]Kirill> dhx_m: yes
08:17 <dhx_m> [KK]Kirill: select a few issues, and perform an action on all of them?
08:18 <[KK]Kirill> see private
08:19 <konnertz_> [KK]Kirill, set the admin rights ... in LDAP?
08:20 <konnertz_> brb
08:20 <brianstv> Seems the git service at git://mantisbt.org/mantisbt.git is down.
08:20 <brianstv> doing a 'git pull' returns
08:20 <brianstv> git.mantisbt.org[0: 209.20.94.10]: errno=Connection refused
08:20 <brianstv> fatal: unable to connect a socket (Connection refused)
08:21 <vb1231> brianstv: doesn't git clone work?
08:21 <[KK]Kirill> konnertz_: not. log in mantis
08:21 <brianstv> I get the same error.
08:21 <[KK]Kirill> change auth to default
08:22 <[KK]Kirill> vb1231: hi Victor
08:22 <vb1231> Hi Kirill
08:22 <dhx_m> vb1231: hi
08:23 <vb1231> brianstv: I got the same error earlier today.  I tried the git@mantisbt.org which is for devs and it worked fine.  You might want to ping nuclear_eclipse
08:23 <vb1231> hi dhx_m
08:23 <[KK]Kirill> nuclear_eclipse sleap
08:23 <[KK]Kirill> sleep
08:24 <brianstv> I'll try again tomorrow, Thanks.
08:24 <vb1231> good luck
08:24 <[KK]Kirill> Victor, git@mantisbt.org may be work
08:25 <[KK]Kirill> but git://mantisbt.org/mantisbt.git not work
08:25 <[KK]Kirill> vb1231: for git@mantisbt.org:mantisbt.git I must be developer
08:26 <vb1231> yes
08:26 <vb1231> checkout the developers manual for details.
08:26 <vb1231> John has documented the use of both options.
08:26 <[KK]Kirill> vb1231: http://docs.mantisbt.org/master/en/developers/dev.contrib.clone.html
08:28 <vb1231> yep, that's it.
08:29 <vb1231> any mac user around?
08:29 <vb1231> I can't compile MantisBT docbook...   tells me "jw" command not found.
08:29 <vb1231> I've installed docbook toolset + openjade via macports
08:42 <konnertz_> brb
08:44 <dhx_m> vb1231: I haven't tried compiling docbook yet myself
08:50 <konnertz_> re
08:51 <[KK]Kirill> konnertz_: ro
08:52 <konnertz_> pls how did you mean...?  you said sth like "not. log in to mantis"
08:53 <konnertz_> Can a usertable-based account with own credentials beside ldap exist or not?
08:54 <[KK]Kirill> konnertz_: When you login through ldap created account
08:54 <[KK]Kirill> change auth to default and login as administrator
08:54 <konnertz_> yep, then?
08:54 <[KK]Kirill> set admin rights to this account
08:54 <konnertz_> ah ok
09:02 <konnertz_> ok i logged in again via md5 as admin and now i've seen that user management ui
09:02 <konnertz_> i have set an account to have admin rights.
09:03 <konnertz_> This admin has to be in ldap right?
09:05 <[KK]Kirill> konnertz_: not
09:35 * [KK]Kirill slaps paul_ around a bit with a large trout
12:16 * [KK]Kirill slaps nuclear_eclipse around a bit with a large trout
12:48 <nuclear_eclipse> morning all
12:49 <nuclear_eclipse> [KK]Kirill: I just kicked the git-daemon, so you should be able to clone now
12:53 <dhx_m> nuclear_eclipse: hi
12:54 <[KK]Kirill> nuclear_eclipse: hi
12:54 <[KK]Kirill> Thanks
12:55 <[KK]Kirill> nuclear_eclipse: what's about sync to mantisforge.org?
12:55 <nuclear_eclipse> ask paul_ :P
12:55 <[KK]Kirill> ok
12:56 <[KK]Kirill> nuclear_eclipse: did you know python?
12:56 <nuclear_eclipse> yep
12:57 <dhx_m> nuclear_eclipse: so what did we decide with CSRF tokens (because my CSRF branch is causing my PHP session file to grow very quickly with unused tokens :D)
12:57 <[KK]Kirill> Not, forget
12:57 <dhx_m> nuclear_eclipse: create a random hash stored in SESSION
12:58 <dhx_m> nuclear_eclipse: and then hash that with the form name to produce a form token?
12:58 <nuclear_eclipse> dhx_m: I was going to work on it, and then I spent the last day or in a meeting and filling out paperwork to buy a home
12:58 <dhx_m> nuclear_eclipse: ah ok, no pressure :)
12:58 <dhx_m> nuclear_eclipse: and congratulations on the new home!
12:59 <nuclear_eclipse> thanks
12:59 <dhx_m> does it have turrets?
12:59 <dhx_m> (stupid question of the day :p)
13:00 <nuclear_eclipse> just got to finish the mortgage paperwork now, wait a couple weeks, travel two states over to close on the mortgage, return, and then move everything that following weekend :P
13:00 <nuclear_eclipse> no, it's a townhouse, so no turrets... yet ;)
13:01 <nuclear_eclipse> my favorite part is that it's a condo, so I can continue to not do any yard work :P
13:01 <dhx_m> paperwork fun
13:01 <dhx_m> haha
13:09 <paul_> 14:07 < [KK]Kirill> nuclear_eclipse: what's about sync to mantisforge.org?
13:09 <paul_> 14:07 < nuclear_eclipse> ask paul_ :P
13:09 <paul_> git daemon wasn't running on git.mantisbt.org
13:10 <nuclear_eclipse> right
13:10 <nuclear_eclipse> I fixed that
13:10 <nuclear_eclipse> or at least until the next restart...
13:10 <paul_> I might add mantisbt.org to my server monitoring
13:14 <nuclear_eclipse> ok, I think I got the git-daemon setup with init/rc correctly now, so it *should* start on server boot
13:14 <[KK]Kirill> dhx_m, nuclear_eclipse, paul_: anyone can see bug 10494?
13:14 <paul_> bug 10494
13:14 <dhx_m> mantisbot died a few days ago :p
13:15 <paul_> bug 10494
13:15 <[KK]Kirill> http://www.mantisbt.org/bugs/view.php?id=10494
13:15 <paul_> bug 10494
13:15 <paul_> :(
13:15 <dhx_m> I did see that
13:15 <[KK]Kirill> who kill mantisbot
13:15 <nuclear_eclipse> R.I.P. MantisBot, 2008-2009... :'(
13:15 <[KK]Kirill> dhx_m: what do you think?
13:15 * nuclear_eclipse yells at giallu
13:16 <[KK]Kirill> In FF 3.5 this problem too
13:16 <paul_> the problem is just the last screenshot right?
13:16 <[KK]Kirill> I can create new screenshot
13:16 <[KK]Kirill> yes
13:16 <dhx_m> I'll attach a sample file
13:17 <dhx_m> file icon 海納百川.海納百川 [^] (13 bytes) 2009-07-01 09:17 [Delete]
13:18 <[KK]Kirill> %E6%B5%B7%E7%B4%8D%E7%99%BE%E5%B7%9D.%E6%B5%B7%E7%B4%8D%E7%99%BE%E5%B7%9D
13:18 <dhx_m> file_download.php:104
13:18 <dhx_m> header( 'Content-Disposition:' . $t_disposition . ' filename="' . urlencode( $t_filename ) . '"' );
13:18 <dhx_m> urlencode is doing that
13:19 <dhx_m> not sure how safe it is to remove, but I imagine that will fix your problem
13:21 <dhx_m> RFC2045 Section 6.4 prohibits anything other than 7bit, 8bit or binary
13:21 <dhx_m> whatever that means
13:22 <[KK]Kirill> one sec
13:22 <[KK]Kirill> I just search site with correct work
13:25 <dhx_m> can you also test with internet explorer (assuming you use Windows)?
13:26 <[KK]Kirill> your attach in IE ????.%E6%B5%B7%E7%B4%8D%E7%99%BE%E5%B7%9D
13:26 <[KK]Kirill> square is hieroglyph
13:26 <dhx_m> is this with or without urlencode at file_download.php:104?
13:27 <[KK]Kirill> I don't change yet. one sec
13:27 <dhx_m> ok
13:28 <[KK]Kirill> when I remove urlencode - filename show correct
13:33 <dhx_m> [KK]Kirill: I'm not sure that is correct though, I'm reading some RFCs now to double check
13:34 <nuclear_eclipse> RFC's?!  wth type of developer are you?
13:35 <dhx_m> haha
13:35 <nuclear_eclipse> the RFC is the CODE!
13:35 <dhx_m> I'm sure whatever RFC we follow, Internet Explorer doesn't support :p
13:35 <nuclear_eclipse> probably
13:38 <dhx_m> http://greenbytes.de/tech/tc2231/
13:58 <giallu> nuclear_eclipse, yo
13:58 <nuclear_eclipse> hi giallu
13:58 <giallu> hi
13:58 <nuclear_eclipse> mantisbot died :(
13:59 <giallu> yeah sorry
13:59 <giallu> I restarted the machine yesterday for a kernel update
13:59 <giallu> and forgot it :)
13:59 <nuclear_eclipse> excuses...
13:59 <dhx_m> not good enough! :p
14:00 <giallu> it's not an excuse, I'm saying it's my fault...
14:00 <giallu> :P
14:00 <nuclear_eclipse> lies!
14:00 <dhx_m> I think what nuclear_eclipse is hinting at is a blood sacrifice
14:00 <nuclear_eclipse> exactly!
14:00 <giallu> nuclear_eclipse, go find a virgin then
14:02 <giallu> let's see bug 4286
14:02 <mantisbot> Bug 4286 - indy - open - assigned
14:02 <mantisbot> Solution for reporting via E-Mail - http://www.mantisbt.org/bugs/view.php?id=4286
14:02 <nuclear_eclipse> yay!
14:02 * nuclear_eclipse hugs mantisbot
14:03 <dhx_m> that'd be the world's largest Mantis issue? :p
14:05 <giallu> dhx_m, probably
14:11 <dhx_m> [KK]Kirill: ok I might have a patch ready in a moment
14:20 <CIA-16> Mantisbt: hickseydr * r3b39c3452b8a /file_download.php: Fix #10494: support UTF-8 attachment filenames
14:22 <[KK]Kirill> dhx_m: nice
14:22 <CIA-16> Mantisbt: hickseydr master-1.2.x * r726bf4288326 /core/obsolete.php: Update obsolete.php after rename of $g_reminder_recipents_monitor_bug rename
14:22 <CIA-16> Mantisbt: hickseydr master-1.2.x * r4807ed6de31e /file_download.php: Fix #10494: support UTF-8 attachment filenames
14:22 <dhx_m> [KK]Kirill: are you able to test on IE?
14:23 <[KK]Kirill> dhx_m: one sec
14:23 <dhx_m> [KK]Kirill: thanks
14:23 <[KK]Kirill> in one file - work
14:23 <[KK]Kirill> but other - not
14:23 <dhx_m> hmm
14:23 <dhx_m> I only tested with random Chinese characters from zh.wikipedia.org
14:23 <dhx_m> with Firefox 3.5
14:25 <[KK]Kirill> ...
14:25 <[KK]Kirill> http://www.kaliningrad.ru/news/incidents/k870128.html
14:25 <[KK]Kirill> look my street
14:26 <[KK]Kirill> dhx_m: for pict not work
14:26 <dhx_m> [KK]Kirill: ah I see, inline pictures I guess
14:28 <dhx_m> [KK]Kirill: wow...the flooding looks bad!
14:29 <dhx_m> [KK]Kirill: are you talking about trying to save an inline image by right clicking on it and choosing "save image"?
14:31 <[KK]Kirill> and right click on thumb and right click on full image - all such before update
14:31 <[KK]Kirill> but other documents, like Word, Excel - nice work
14:31 <dhx_m> IE7 works too?
14:32 <dhx_m> well I take back "works" and replace that with "fails in a favourable way" :p
14:40 <dhx_m> [KK]Kirill: I suspect it might be a Firefox bug?
14:40 <[KK]Kirill> dhx_m: I use IEView in FF
14:40 <dhx_m> ok
14:41 <dhx_m> does it use the IE download window?
14:41 <[KK]Kirill> dhx_m: picture saved as file_download
14:42 <dhx_m> the name was "file_download"?
14:43 <[KK]Kirill> yes
14:43 <dhx_m> ugh that's not good
14:43 <[KK]Kirill> dhx_m: in IE
14:43 <dhx_m> but word documents are OK?
14:43 <[KK]Kirill> that's normal for IE
14:43 <dhx_m> and other binary files?
14:43 <dhx_m> oh.. :)
14:44 <dhx_m> so it must ignore content-disposition?
14:45 <[KK]Kirill> dhx_m: this for save as
14:49 <dhx_m> hmm
14:49 <dhx_m> I'm not sure if this is fixable
14:49 <dhx_m> they seem to treat image file names differently from download file names
14:52 <[KK]Kirill> dhx_m: why pictures name different from other filenames?
14:52 <dhx_m> [KK]Kirill: looks like a bug within the browser?
14:53 <[KK]Kirill> may be.
14:54 <paul_> dhx_m: isn't that an unsupported header in IE?
14:54 <brad__> hi, sorry for the intrusion, are there any upgrade docs for 1.1.x -> 1.2.x?
14:55 <dhx_m> paul_: yep, which is why it falls back to using the second filename=""
14:55 <dhx_m> paul_: not sure about IE8...
14:55 <[KK]Kirill> dhx_m: I have IE7
14:56 <dhx_m> [KK]Kirill: IE7 is actually doing it wrong if you don't see urlencoded filenames
14:56 <dhx_m> [KK]Kirill: it doesn't support RFC2231 and therefore shouldn't assume urlencoded filenames are UTF-8
14:57 <nuclear_eclipse> brad__: not officially -- should be a matter of a) backup your existing install/database, b) extract the new files, c) copy over your old config_inc.php and custom_*.php, and d) visit mantisbt/admin/install.php from your browser
14:57 <dhx_m> [KK]Kirill: but I guess in this case it is kind of OK that it is broken... unless you have filenames that actually do contain percentage symbols!
14:58 <brad__> nuclear_eclipse: thanks. it looks like there were some db changes, i might just try and adjust the schemas manually.
14:59 <nuclear_eclipse> brad__: I highly recommend against that
14:59 <nuclear_eclipse> admin/install.php will handle the schema upgrade for you
14:59 <brad__> nuclear_eclipse: yeah? swank.
15:00 <nuclear_eclipse> we try :)
15:00 <dhx_m> brad__: backup first!
15:01 <nuclear_eclipse> dhx_m: that would be the "a) backup your existing install/database" step :P
15:01 <dhx_m> nuclear_eclipse: yep, just emphasising :p
15:01 <brad__> what is this "backup" of which you speak?
15:01 <[KK]Kirill> paul_: mantisforge not sync
15:05 <brad__> worked like a charm, thanks!
15:08 <dhx_m> hmmm explode() isn't UTF-8 safe and I used it for getting file extensions from a file name (and elsewhere)
15:08 <dhx_m> not so good
15:09 <nuclear_eclipse> hmm, afaik, explode is utf-8 safe as long as you are exploding on ascii characters only
15:09 <nuclear_eclipse> eg, exploding a utf-8 string on ',' is safe
15:09 <dhx_m> the problem is that if your delimiter is '.' - that character might be byte 2 within the middle of a 4 byte character
15:10 <nuclear_eclipse> eg, exploding a utf-8 string on russian character is not safe..
15:10 <dhx_m> so explode() would split the string in the middle of a character
15:10 <dhx_m> AFAIK the only safe character to split/explode on is 0x00
15:10 <nuclear_eclipse> dhx_m: I was under the impression that UTF-* used byte encodings that could not be interpreted as ASCII-127...
15:11 <nuclear_eclipse> I could be wrong
15:11 <dhx_m> nuclear_eclipse: maybe you're right and the second and subsequent bytes must be non-ASCII-127
15:11 <dhx_m> I'll check
15:11 <nuclear_eclipse> I mean, I still don't completely understand how Unicode and UTF* encodings work
15:11 <dhx_m> ah you're right :)
15:12 <dhx_m> the first bit in every byte of a multibyte character is always true
15:12 <nuclear_eclipse> holy crap, I actually *knew* something about UTF!
15:12 <dhx_m> and is false when it is a single byte character (ASCII)
15:12 <dhx_m> haha
15:13 <dhx_m> it'd be safe to explode on UTF-8 chars as well I imagine
15:13 <dhx_m> hmmm wait, maybe not
15:13 <dhx_m> no
15:15 <nuclear_eclipse> no, because a UTF-8 char would potentially be multi-byte
15:15 <nuclear_eclipse> and explode only works on a single byte
15:16 <dhx_m> you can have a multi character delimiter for explode
15:16 <dhx_m> the problem is that explode will cut the string mid way through multibyte characters
15:16 <nuclear_eclipse> ah
15:16 <paul_> correct
15:17 <paul_> we need to review our use/handling of utf8 properly
15:17 <dhx_m> yep
15:17 <dhx_m> is there even a utf8 version of explode?
15:17 <paul_> unknown
15:17 <nuclear_eclipse> or we could just continue to use utf8-safe functions everywhere so that it won't matter...
15:17 <paul_> I plan to compare php6 with unicode + php5 with mbstring/intl/whatever else + php5 without
15:18 <nuclear_eclipse> well, php6 changes everything with native support anyways...
15:18 <dhx_m> Mantis supporting UTF-8 correctly will be a big boost to the project, as most other bug trackers wouldn't know what the U in UTF-8 stands for :p
15:19 * dhx_m can't wait for PHP6
15:19 <paul_> nuclear_eclipse: the problem is the utf8php functions + the mbstring functions don't give the same result if you put in all utf8 chars
15:19 <paul_> the obvious proof therefore is to prove if php6 + php5wmbstring give the same result
15:20 <paul_> and then look at the compat functions
15:20 <paul_> if they don't give the same result
15:20 <paul_> the obvious proof is to compare php6 with the compat functions
15:20 <dhx_m> I imagine there will be a TON of bugs in PHP6 relating to Unicode when it is released
15:20 <paul_> also if it's realised I guess
15:21 <paul_> i'm trying to get my head around php internals a bit more atm
15:24 * dhx_m fears the repercussions in the form of "why did you connect an anonymous public member object to a magic class attribute?" :p
15:24 <dhx_m> or something else I have no idea about hah
15:24 <paul_> mm?
15:24 <dhx_m> just saying that if you become a PHP expert, you can't go back :p
15:25 <dhx_m> every time you read PHP scripts you'll shudder in fear at the low quality
15:25 <dhx_m> :p
15:25 * giallu just read the namespace docs from php 5.3
15:26 <dhx_m> I tried to read about anonymous somethings in 5.3 but gave up heh
15:27 <giallu> now I think I'll leave php for python
15:28 <dhx_m> the problem is we won't be able to use many of these new PHP features until ~2-3 years after release
15:28 <dhx_m> otherwise we won't be compatible with distro versions of PHP and all the shared web hosts still running PHP4
15:31 <dhx_m> giallu: how is it performance wise?
15:31 <giallu> dhx_m, 1.2 is not compatible with php4
15:32 <dhx_m> giallu: yep I know, but if you want to use namespaces from 5.3... how long do we wait?
15:32 <giallu> if you ask me, until the first RHEL releases with it...
15:33 <nuclear_eclipse> IMO, never :P
15:34 <dhx_m> lol
15:34 <dhx_m> ok different topic... did you understand stephane's patch for CSV (bug #9338)
15:34 <mantisbot> Bug 9338 - sveyret - open - acknowledged
15:34 <mantisbot> CSV export does not escape all characters - http://www.mantisbt.org/bugs/view.php?id=9338
15:34 <dhx_m> was there something wrong with str_replace?
15:34 <nuclear_eclipse> generally, I would always say namespaces are an absolute must, but unless things have changed, PHP's namespacing just seems insane...
15:35 <dhx_m> ah yeah there would be
15:35 <dhx_m> what about exploding the string on quotation marks, prepending a quotation mark to all exploded array elements from 1 to the end
15:36 <dhx_m> and then imploding again into the final string
15:36 <dhx_m> seems simpler than his method of looping through characters in the string and using strpos
15:36 <nuclear_eclipse> I'm not sure I'm grasping what the point of either method is...
15:37 <dhx_m> actually yeah... neither
15:58 <dhx_m> I'm still completely confused at Stephane's patch (even after his latest message)... HELP!? :p
16:47 <paul_> dhx_m: i'll look tonight
16:55 <dhx_m> paul_: thanks... see if you can work out why we can't just use a single str_replace with arrays :p
17:47 <nuclear_eclipse> dhx_m: two things I've come up against with the session security changes that you've mentioned
17:50 <nuclear_eclipse> the fact that the security hash would no longer change between different views/submissions of a form a) prevents us from using the form security to also handle double-submissions, and b) means that someone eavesdropping on traffic can pick up the token and use it for any number of future CSRF attacks against a specific user/session
17:50 <nuclear_eclipse> honestly, just how big is your session store getting under the existing implementation?
17:51 * paul_ has missed session changes
17:52 <nuclear_eclipse> paul_: haven't gotten past concepts/ideas really
17:53 <nuclear_eclipse> dhx_m: even on the server for mantisbt.org, the php session store is only ~6MB...
17:53 <paul_> we should fix that
17:53 * nuclear_eclipse is not sure what to "fix"
17:53 <paul_> dunno but I think it needs fixing
17:53 <nuclear_eclipse> 6MB really isn't that much...
17:54 <nuclear_eclipse> but paul_, we are considering a method that would no longer store more than a single hash in the user's session
17:54 <nuclear_eclipse> but I'm concerned about how much of a security issue that reopens
17:55 <nuclear_eclipse> eg, our current system does not "reuse" hashes, because it can generate and keep track of them in the user's session store
17:55 <dhx_m> back
17:56 <dhx_m> nuclear_eclipse: double posting is a real problem, I agree
17:56 <nuclear_eclipse> but using a stateless security hash means that the same hash would have to be used every time for each type of form, which increases the vector of possible attack
17:56 <dhx_m> nuclear_eclipse: unless we have two tokens per form... one is for double posting (short timeout) and one for CSRF (timeout = end of session)
17:56 <nuclear_eclipse> granted, it would still be extremely small...
17:57 <dhx_m> nuclear_eclipse: I was also thinking of using base64 for the hashes to reduce space used
17:57 <nuclear_eclipse> dhx_m: that removes the ability for a form submission to happen over a long time span though...
17:57 <dhx_m> nuclear_eclipse: if you had 100 people browsing it'd get noticeable I think
17:58 <nuclear_eclipse> base64 won't give you much
17:58 <dhx_m> nuclear_eclipse: hmmm not too sure about how we handle double posting nicely
17:58 <dhx_m> nuclear_eclipse: I can push my branch to mantisforge if you'd like to test the space used?
17:58 <nuclear_eclipse> I'm not worried about file space
17:59 <dhx_m> nuclear_eclipse: every html button on the bug view page gets a token though
17:59 <dhx_m> nuclear_eclipse: but we have to parse through 1000's of tokens to find the one we're interested in...
17:59 <nuclear_eclipse> like I said, even 6MB for a session store seems rather manageable, considering mantisbt.org gets a very good amount of traffic
17:59 <dhx_m> nuclear_eclipse: true... if it's a hash map it'd be fast
18:00 <dhx_m> nuclear_eclipse: even a 512MB hashmap wouldn't be the end of the world
18:00 <nuclear_eclipse> right
18:00 <nuclear_eclipse> granted, the current method of storage and searching is not the most efficient
18:00 <dhx_m> nuclear_eclipse: (if worst came to worst)... the session files would be cached in memory anyway
18:01 <dhx_m> nuclear_eclipse: yep if we can remove the loops and implement an O(n) lookup I'd be happy (hashmap?)
18:01 <nuclear_eclipse> we could simply improve the current method of storing/searching for security tokens, if it's performance you're worried about...
18:01 <dhx_m> yeah performance is my concern
18:01 <nuclear_eclipse> ok
18:01 <dhx_m> in particular, lots of small disk I/O
18:01 <nuclear_eclipse> yeah
18:02 <dhx_m> ok just pushed branch 10627-csrf to mantisforge
18:03 <nuclear_eclipse> I'll look into a more efficient storage and retrieval, but after pondering and such, I don't like the idea of removing one-time hashes altogether....
18:03 <dhx_m> that is my WIP in getting CSRF tokens everywhere they need to be
18:03 <nuclear_eclipse> ok
18:04 <nuclear_eclipse> the nice part about the current list storage method is that it makes purging old tokens a trivial addition to the current lookup
18:04 <dhx_m> yep
18:04 <dhx_m> I do very much prefer single use tokens too
18:05 <nuclear_eclipse> maybe a multi-dimensional array would be better: $tokens[ $date ][ $hash ] = true
18:05 <nuclear_eclipse> that would let us easily purge an entire day's worth of tokens without iterating through each one
18:05 <dhx_m> nuclear_eclipse: then we have an accuracy of 23hrs59min for the expiry?
18:06 <dhx_m> can we store it per hour?
18:06 <nuclear_eclipse> and it would allow O(n) retrieval too (assuming an efficient hashing algorithm on PHP's end)
18:06 <dhx_m> yep
18:06 <nuclear_eclipse> the current accuracy is ~24hrs anyways, specifically to err on the side of allowing slightly older tokens...
18:07 <dhx_m> I guess we're talking about accuracy per-session, so no real big deal :)
18:09 <nuclear_eclipse> right
18:36 <nuclear_eclipse> dhx_m: able to test?
18:37 <nuclear_eclipse> dhx_m: http://git.mantisforge.org/w/mantisbt/jreese.git?a=shortlog;h=refs/heads/formperf
18:39 <dhx_m> sure
18:39 <nuclear_eclipse> initial tests seem to show it as "working", but I would like more validation before I push that to master and/or port to 1.1 and 1.2
18:41 <nuclear_eclipse> my test box is not good for verifying any performance increase though, as it's got terribly poor and random I/O performance anyways
18:41 <dhx_m> my main concern at the moment is mt_rand and how it is seeded
18:41 <nuclear_eclipse> mt_rand is seeded automatically by PHP
18:42 <nuclear_eclipse> iirc, that is
18:42 <dhx_m> if anything, that'd be our weak point... but it is more a theoretical thing I guess
18:42 <nuclear_eclipse> oops, we're seeding it in core.php
18:42 <nuclear_eclipse> list( $usec, $sec ) = explode( ' ', microtime() );
18:42 <nuclear_eclipse> mt_srand( $sec*$usec );
18:43 <dhx_m> not so random then :p
18:43 <nuclear_eclipse> well, iirc, that's considered the "good" method of seeding it
18:43 <dhx_m> I guess we have to build our own entropy somehow
18:43 <dhx_m> hmm ok
18:44 <nuclear_eclipse> hmm
18:44 <nuclear_eclipse> from PHP:     Note: As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically.
18:44 <dhx_m> I'd rather trust PHP to pull it from a more random place like /dev/random
18:44 <dhx_m> if it can do that
18:45 <nuclear_eclipse> the real question is how does PHP seed it?
18:46 <paul_> refs/heads/formperf
18:46 <paul_> ?
18:46 <nuclear_eclipse> yes paul_
18:46 <paul_> hmm?
18:46 <paul_> what's this
18:46 <nuclear_eclipse> a branch....
18:46 <paul_> doing?
18:46 <dhx_m> it'll eat you alive
18:46 <nuclear_eclipse> paul_: go back to sleep
18:47 <dhx_m> paul_: improved performance for storing/retrieving single use form tokens
18:47 <paul_> hmmmm
18:47 <paul_> sounds dangerous
18:47 <nuclear_eclipse> not really
18:47 * paul_ makes note to look at this branch
18:48 <dhx_m> it's cleaner than it was before :)
18:49 <dhx_m> paul_: also see refs/heads/10627-csrf
18:50 <dhx_m> paul_: still WIP, but it is my progress towards making Mantis bulletproof to CSRF :p
18:50 * nuclear_eclipse updated the branch to also remove the mt_srand() call, because PHP seeds with a better algorithm
20:17 <paul_> right
20:17 * paul_ pokes dhx_m
21:39 <phl4kx> hi all
21:40 <phl4kx> mantis can Send email when and informated or developer update and IMAGE?

Generated by irclog2html.py