this post was submitted on 18 Nov 2023
569 points (95.8% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54500 readers
346 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] JoMiran@lemmy.ml 229 points 11 months ago* (last edited 11 months ago) (4 children)

Dealing with spaces while scripting or in terminal is such a pain in the ass. The true dark path of horror is using spaces indeed.

[–] skullgiver@popplesburger.hilciferous.nl 60 points 11 months ago* (last edited 11 months ago) (1 children)

[This comment has been deleted by an automated system]

[–] reverendsteveii@lemm.ee 22 points 11 months ago (1 children)

I work on a Web app and we recently decided that we're just not gonna support double quotes in free text fields because oh holy balls what a thing it is to try to deal with those in a way that doesn't open you up to multiple encoding vulnerabilities.

[–] FooBarrington@lemmy.world 36 points 11 months ago (1 children)

That's... Surprising. If you're doing things right, double quotes should be no trouble at all:

  • HTTP requests have simple, automatic encoding
  • SQL queries with prepared statements don't need any special handling for double quotes
  • Rendering the data should happen with proper escaping etc.

They are usually only trouble if you're doing SQL queries wrong (concatenation etc.) or if you're not escaping your output.

[–] reverendsteveii@lemm.ee 28 points 11 months ago* (last edited 11 months ago) (2 children)

The issue is the filter that we're using to avoid multiple encoding attacks de-escapes everything via multiple rounds, then tries to pass it to the next layer of filtering with the de-escaped request body as a json string. Your absolutely right that this is a silly way of doing it, but sometimes we have to live with decisions that were made before we were onboarded to a project. In this particular case, I pushed to improve the filters but all our PO heard was "spend development time weakening security" and at the end of the day they decide what to do and we do it.

[–] FooBarrington@lemmy.world 11 points 11 months ago

Ah, that's understandable. Sorry you have to go through that!

[–] WarmApplePieShrek@lemmy.dbzer0.com 1 points 11 months ago (1 children)

The filter you're using to avoid multiple encoding attacks creates multiple encoding attacks.

[–] reverendsteveii@lemm.ee 1 points 11 months ago* (last edited 11 months ago) (1 children)

You should tell that to OWASP then, they wrote it. org.owasp.esapi 2.5.2.0, class is Encoder, method is canonicalize(String, bool, bool)

[–] WarmApplePieShrek@lemmy.dbzer0.com 2 points 11 months ago

This method is a band-aid patch when your downstream code is all messed up and you can't fix it. Instead of treating the input string correctly, it just removes anything that might possibly trigger some vulnerability in wrong code.

[–] pete_the_cat@lemmy.world 27 points 11 months ago* (last edited 11 months ago) (1 children)

It's a way bigger pain in the ass than people think it is. I remember having to parse output from a tool for work that had tons of output in tabular format, mixed with normal sentence like strings. JSON, YAML, or XML outputs weren't available so I had to do a nasty mess of grep, awk, cut, and head/tail, to get what I wanted. My first attempt was literally counting the characters so I could cut out exactly what I needed, but as we all know, hardcoding values is a recipe for headaches later on.

[–] JoMiran@lemmy.ml 34 points 11 months ago* (last edited 11 months ago) (4 children)

Here's a horror story from literally yesterday. We have been fighting a system for a client for weeks and it has been a nightmare. Our clients just told us that they outsourced some of their work to an Indian outfit but that outfit is unfamiliar with Linux and doesn't know how to edit text files so they have been downloading the files to their Windows machines, editing them in Windows, then uploading the contaminated text files back into Linux. None of them, not our client nor the outfit they hired, understood why this was a problem. We have no idea what files are affected and we won't know until they fail because they obviously did not keep track of what they touched.

EDIT: I'm being intentionally vague.

[–] porksoda@lemmy.world 16 points 11 months ago (1 children)

Haha this is up there with having to explain why opening a csv in Excel and then saving means that I don't want the file.

[–] ramblinguy@sh.itjust.works 8 points 11 months ago (1 children)

I will never forgive excel for automatically converting all of my dates to some weird ass format, or stripping single quotes randomly, or something other BS that they do for no reason

[–] DarkDarkHouse@lemmy.sdf.org 4 points 11 months ago

My absolute favourite is stripping leading zeroes from any text that looks like a number, then displaying it in scientific notation. But we get Copilot, so it balances out, right?

[–] murtaza64@programming.dev 9 points 11 months ago (2 children)

If this is about line endings, surely a simple shell or python script could correct them?

[–] m_randall@sh.itjust.works 9 points 11 months ago
[–] Astaroth@lemm.ee 3 points 11 months ago* (last edited 11 months ago) (1 children)

Does windows add an extra character at the end that gets converted to new line on linux? Because the other day I were copying a script and after pasting it an extra line was added after every single line, even the empty lines.

how it looked when I copied it:

bla
bla

bla

what it turned into:

bla

bla



bla
 
[–] candybrie@lemmy.world 11 points 11 months ago (1 children)

Windows uses CR LF (carriage return, line feed), whereas Unix just uses LF. For added fun, macs use CR.

[–] noughtnaut@lemmy.world 5 points 11 months ago (1 children)

For added fun, macs use CR.

This used to be true, for sure, but I thought this changed with OS X (which is essentially PrettyBSD) ?

[–] candybrie@lemmy.world 4 points 11 months ago

You're right. Notepad++ still lists macs as using CR for their EOL conversion tool, so I didn't realize.

[–] reverendsteveii@lemm.ee 8 points 11 months ago

The only reasonable response to this behavior is disproportionate violence

[–] elscallr@lemmy.world 7 points 11 months ago

You can just grep for carriage returns followed by newlines, grep -Pirn '\r\n$' /path/to/whatever. It'll identify all your problematic files.

[–] adespoton@lemmy.ca 20 points 11 months ago (2 children)

“\ “ and [tab] and * are your friends. I’ve been using spaces in Unix filesystems since the early 90s with no issues. Also, using terminal fonts that•put•a•faint•dot•in•each•space•character helps.

[–] ShaunaTheDead@kbin.social 9 points 11 months ago (2 children)

Yeah, either put quotes around it '/like this/you can incorporate/spaces/into your paths' or /just\ escape/your\ spaces/like\ this

[–] silasmariner@programming.dev 14 points 11 months ago

This is fine for the most basic of use cases but once you start looping through file names or what have you, you have to start writing robust correct bash and nobody does that

[–] gears@sh.itjust.works 11 points 11 months ago* (last edited 11 months ago) (2 children)

It gets real crazy when you're sending remote commands so you have to escape the escapes so that the remote keeps them and properly escapes the space

ssh -t remote "mv /home/me/folder\\\ with \\\ spaces /home/me/downloads/

[–] PoolloverNathan@programming.dev 1 points 11 months ago* (last edited 11 months ago) (1 children)

Does SSH require quoting commands?

[–] gears@sh.itjust.works 1 points 11 months ago (1 children)

It doesn't for commands without spaces (i.e reboot) You might be able to escape the spaces and not use quotes, I'm not sure

[–] PoolloverNathan@programming.dev 1 points 11 months ago

Might be client-dependent; I've regularly ran commands with spaces (e.g. ssh a@a.local ssh b@b.local) without a problem.

[–] LocustOfControl@reddthat.com 1 points 11 months ago

Yup, this is me with scp. Well, it would be if I didn't just use asterisks to avoid that PITA.

[–] cobra89@beehaw.org 4 points 11 months ago (1 children)

Yeah but at least with periods in the title tab complete will just complete the file name all the way while with a filename with spaces I have to escape the damn space with "\ " like you said. Why do more work when I don't have to?

[–] Euphoma@lemmy.ml 6 points 11 months ago

My shell seems to autocomplete filenames that have spaces with "\ " already.

[–] Amends1782@lemmy.ca 7 points 11 months ago

Yeah I was gonna say this is something anyone in tech knows, spaces are a plague