| ../irclogs/#mantishelp.2009-12-08.log | | |
|---|---|---|
| --- scribe started --- | 00:00 | |
| paul__ | we also need to look at MS guidelines | 00:00 |
| dhx_m | paul__: we can't... as I showed the other day, sometimes we specifically disable plugins | 00:00 |
| paul__ | for their web platform | 00:00 |
| paul__ | sure we can | 00:01 |
| dhx_m | MS = Microsoft? | 00:01 |
| paul__ | revert that fix and work on error api :) | 00:01 |
| dhx_m | paul__: but we can't use string_display_* | 00:01 |
| dhx_m | paul__: but in the interests of decoupling the error API, we should be removing them anyway | 00:01 |
| paul__ | i still think we should use string_display when not in error api within html api | 00:01 |
| dhx_m | maybe... although manage_plugin_install.php and the other plugin management pages disable plugins | 00:02 |
| dhx_m | so it'd be possible to launch an XSS attack against Mantis administrators | 00:02 |
| dhx_m | and besides, why would you ever want to make html escaping optional in an API that is all about HTML output? | 00:02 |
| nuclear_eclipse | dhx_m: I'd rather revert html api and make plugins not get disabled | 00:40 |
| dhx_m | I'm still unclear as to what the point of MantisCoreFormatting is | 00:41 |
| dhx_m | I know you explained it to me a while ago | 00:41 |
| nuclear_eclipse | (talking from my phone btw) | 00:41 |
| dhx_m | ah ok, I'm not worried if you'd rather talk about this later when you have a real keyboard ;) | 00:42 |
| nuclear_eclipse | the point is to allow plugins to replace core formatting methods with something like markdown, bbcode, etc | 00:42 |
| dhx_m | but the output is always going to be HTTP in these cases | 00:43 |
| nuclear_eclipse | i have a real keyboard on my g1, just not a real internet connection :=P | 00:43 |
| nuclear_eclipse | edge connection sucks... | 00:43 |
| dhx_m | IMO the purpose of MantisCoreFormatting should be to convert tags like `<strong>` and `<li>` and so forth into a format that is applicable for the output type | 00:44 |
| dhx_m | and we have numerous output types... email, SOAP and HTTP | 00:44 |
| dhx_m | each one needs different formatting outputs | 00:44 |
| nuclear_eclipse | well, that could be an eventual goal... | 00:44 |
| dhx_m | ah ok so if you disappear suddenly, I'll know where you went :) | 00:44 |
| dhx_m | I just think it's really silly to have code like `<html><title><?php string_display_line( $t_page_title )?></title></html>` | 00:45 |
| dhx_m | in those cases we know 100% of the time that we want to escape $t_page_title for safe output into only HTML format | 00:46 |
| dhx_m | I'd actually argue that using MantisCoreFormatting is wrong on the basis that you don't want to reintroduce safe HTML tags in many of these cases | 00:46 |
| dhx_m | otherwise you get text fields filled with `<ul><li>SPAM</li><li>SPAM2</li></ul>` | 00:47 |
| dhx_m | that break the formatting of the page | 00:47 |
| nuclear_eclipse | well, id argue that in that case we need a better separation of sanitizing output vs formatting output | 00:48 |
| nuclear_eclipse | ie, more api functions, and only make some of them hookable by plugins | 00:49 |
| dhx_m | yep | 00:51 |
| nuclear_eclipse | the original design implementation focused only on an immediate replacement of the existing string_display functions | 00:51 |
| dhx_m | although I still think that everything internally should be treated as unsafe | 00:51 |
| dhx_m | and it is only at output time that we escape the output | 00:51 |
| nuclear_eclipse | s/replace/reimplement/ | 00:51 |
| dhx_m | ah ok | 00:52 |
| nuclear_eclipse | ie, my primary goal in the current implementation was to allow other plugins to hook into formatting methods to add new abilities, like sister site hotlinking | 00:54 |
| nuclear_eclipse | and tbh, i'd be fine with extracting string sanitization into separate api calls, and perhaps repurpose string_display* as formatting output only | 00:56 |
| dhx_m | I'd like that too | 00:56 |
| dhx_m | well we already have string_html_specialchars() | 00:57 |
| nuclear_eclipse | that way we could ensure that any call to string_display will sanitize output, regardless of what plugins are installed | 00:57 |
| nuclear_eclipse | however priority #1 in that IMO is ensuring that sanitization wont get in the way of formatting methods beyond the core methods found in coreformattingplugin | 00:58 |
| nuclear_eclipse | ie, markdown and bbcode plugins need to be able to allow/output any html output they need, short of scripts | 01:01 |
| dhx_m | I wouldn't recommend those plugins to anyone at the moment because they're full of XSS flaws | 01:01 |
| dhx_m | they're not yet ready | 01:01 |
| dhx_m | yep, you're right | 01:02 |
| dhx_m | that is a problem we really need to look into | 01:02 |
| nuclear_eclipse | well, in a closed mantis environment where users can be trusted, eg where i work, xss is a non-issue | 01:03 |
| nuclear_eclipse | ie, I'd not use markdown on my public tracker, but it's a must-have for my employer's internal tracker | 01:04 |
| dhx_m | true, but Mantis is also used widely by developers (and open source projects) where the public is invited to use the bug tracker | 01:04 |
| dhx_m | ah I see what you mean | 01:04 |
| dhx_m | I haven't looked at Markdown but I assume it would be OK | 01:05 |
| nuclear_eclipse | right, and this is where i say that mantis shouldn't preclude either option and rely on the admins to be smart before selecting markdown if need be | 01:05 |
| dhx_m | bbcode on the other hand... not so OK | 01:05 |
| dhx_m | these formatting plugins only strike me as being useful in full text fields | 01:07 |
| nuclear_eclipse | well, markdown in particular does no sanitization at all because it assumes a trusted author/publisher | 01:07 |
| dhx_m | for single line "spans", if we really do need customisation of things like username colour, I'd argue CSS is a better approach | 01:07 |
| nuclear_eclipse | and yes, they're mostly useful in multiline fields | 01:07 |
| dhx_m | ah ok | 01:07 |
| nuclear_eclipse | but yes, there are times where formatting is useful in single line fields, like making "*text*" bold | 01:09 |
| dhx_m | hmm | 01:10 |
| dhx_m | I guess it's optional :) | 01:12 |
| nuclear_eclipse | dhx_m: still there? | 01:46 |
| nuclear_eclipse | sorry, my data connection dropped out | 01:46 |
| dhx_m | yep | 01:46 |
| dhx_m | last message seen: I guess it's optional :) | 01:46 |
| nuclear_eclipse | yep, thank god for `screen` :P | 01:47 |
| dhx_m | :) | 01:47 |
| kenguest | yup | 01:47 |
| kenguest | screen's very handy ;-) | 01:47 |
| * nuclear_eclipse runs irssi inside a screen session on server, and attaches to that from home pc, work pc, phone, laptop, family's pcs.... :P | 01:48 | |
| nuclear_eclipse | so anywho | 01:48 |
| nuclear_eclipse | I think it would be best if we could extract the sanitization routines in a way that string_display* can call them regardless of plugins installed, and just need to make sure that it doesn't disrupt various needs of formatting plugins | 01:50 |
| kenguest | I know I've asked this before - but how mature is the soap api for mantis? | 01:50 |
| nuclear_eclipse | either way, if we think we really need to change string api or the way plugins interact with it, we *really* need to make those decisions and changes *before* 1.2 makes a final release... | 01:51 |
| nuclear_eclipse | kenguest: it seems pretty mature -- Eclipse Mylyn uses it rather successfully | 01:51 |
| dhx_m | before? | 01:51 |
| dhx_m | it's a pretty large change | 01:51 |
| dhx_m | but I guess it's fairly easy | 01:51 |
| kenguest | I'm thinking of [at some stage] developing an email parser that would utilise it for adding items to the tracker that would be mailed to a given address | 01:51 |
| kenguest | nuclear_eclipse: thanks ;-) | 01:51 |
| nuclear_eclipse | dhx_m: I say "before" because I don't want to make a habit of breaking apis and the way plugins use them on a regular basis | 01:52 |
| nuclear_eclipse | dhx_m: ie, I'd rather make big api changes *before* plugins hit primetime useage | 01:52 |
| nuclear_eclipse | kenguest: talk to giallu, he's already implemented this | 01:52 |
| nuclear_eclipse | I've encouraged him to put it on github/mantisforge, but iirc it's in a rather proprietary state atm | 01:53 |
| dhx_m | nuclear_eclipse: I take back that "easy" part... because we need to send a raw feed to the formatting plugins | 01:53 |
| kenguest | interesting - thanks again | 01:53 |
| dhx_m | nuclear_eclipse: and then we need to preserve HTML tags that the formatting plugins add | 01:53 |
| nuclear_eclipse | dhx_m: right, it gets more complex the deeper you look at it | 01:54 |
| dhx_m | yep | 01:55 |
| nuclear_eclipse | anywho, I gotta run, anything else you need to mention/discuss dhx_m ? | 02:00 |
| dhx_m | not at the moment, I think I have a better understanding now of where things need to move towards :) | 02:00 |
| nuclear_eclipse | ok | 02:00 |
| nuclear_eclipse | cheers | 02:00 |
| dhx_m | although text parsing isn't going to be fun to implement :p | 02:00 |
| dhx_m | cya later then | 02:00 |
| nuclear_eclipse | hehe | 02:01 |
| nuclear_eclipse | just ping me here anytime, I'll respond when I'm next attached :P | 02:01 |
| dhx_m | ok :) | 02:02 |
| nuclear_eclipse | paul__: you get a virus or something? | 13:00 |
| dirtyal | hello, has someone used the mantis-> email integration? | 16:12 |
| dirtyal | It seems the plugins can not be downloaded from mantisforge. | 16:13 |
| paul__ | 13:01 < nuclear_eclipse> paul__: you get a virus or something? | 18:07 |
| paul__ | hmm? | 18:07 |
| nuclear_eclipse | I got a random, spammy email from your address | 18:07 |
| paul__ | oh? | 18:08 |
| paul__ | what address? | 18:08 |
| nuclear_eclipse | grangeway@hotmail.com | 18:09 |
| paul__ | probably not me then | 18:09 |
| paul__ | what were headers | 18:09 |
| nuclear_eclipse | http://pastebin.com/d514be43 | 18:10 |
| paul__ | probably someone guessed password | 18:23 |
| paul__ | i'd guess | 18:23 |
| paul__ | 8am I was @ work | 18:24 |
| paul__ | and ip is in korea | 18:24 |
| paul__ | and i wonder why I dont find time to do mantis | 18:45 |
| paul__ | fs | 18:45 |
| paul__ | :P | 18:45 |
| dirtyal1 | has anyone integrated mantis to open tickets via email? | 19:52 |
| nuclear_eclipse | dirtyal1: there have been a few various attempts; giallu I think has something for that, but you'll need to talk to him about getting access to the source code | 19:53 |
| dirtyal1 | tks, there is a email.git on mantisforge | 19:56 |
| dirtyal1 | but there is nothing there | 19:56 |
| paul__ | nuclear_eclipse: pingpong | 20:59 |
| nuclear_eclipse | howdy | 21:02 |
| paul__ | did you fix the plugin issue? | 21:04 |
| nuclear_eclipse | what plugin issue? | 21:04 |
| paul__ | installer | 21:04 |
| nuclear_eclipse | not yet -- I'm not sure it's really a security issue though atm | 21:04 |
| nuclear_eclipse | at least not an extremely pressing one | 21:05 |
| paul__ | it's an issue. | 21:05 |
| paul__ | but yes, granted | 21:05 |
| nuclear_eclipse | it requires a valid form token to execute that page | 21:05 |
| nuclear_eclipse | basically, the only way that page will ever execute properly is a) when the admin clicks on a link from manage_plugins_page, or b) the admin clicks on a link from a malicious plugin that he's already installed, at which point he's hosed no matter what that page does | 21:07 |
| nuclear_eclipse | granted, it doesn't make sense, and yes, there should be some protections on that page, which I'll eventually get to, but it's not a security issue IMO | 21:08 |
| * paul__ needs to get work project out way | 21:09 | |
| paul__ | i'm trying to clear my desk to focus on mantis | 21:09 |
| nuclear_eclipse | paul__: do you agree with my reasoning above, or am I missing something? | 21:11 |
| nuclear_eclipse | ie, if it's a real security problem, it'll warrant a higher priority on my stack | 21:12 |
| paul__ | yea, I agree i think | 21:28 |
| nuclear_eclipse | ok | 21:32 |
| paul__ | tbh, it's also not that hard to fix | 21:32 |
| paul__ | `[a-zA-Z0-9]` | 21:32 |
| paul__ | done! | 21:32 |
| nuclear_eclipse | lol | 21:32 |