this post was submitted on 18 Nov 2023
560 points (95.8% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54819 readers
342 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 2 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 223 points 1 year ago* (last edited 1 year ago) (4 children)

Dealing with spaces while scripting or in terminal is such a pain in the ass. The true dark path of horror is using spaces indeed.

[–] [email protected] 59 points 1 year ago* (last edited 1 year ago) (1 children)

[This comment has been deleted by an automated system]

[–] [email protected] 21 points 1 year ago (1 children)

I work on a Web app and we recently decided that we're just not gonna support double quotes in free text fields because oh holy balls what a thing it is to try to deal with those in a way that doesn't open you up to multiple encoding vulnerabilities.

[–] [email protected] 36 points 1 year ago (1 children)

That's... Surprising. If you're doing things right, double quotes should be no trouble at all:

  • HTTP requests have simple, automatic encoding
  • SQL queries with prepared statements don't need any special handling for double quotes
  • Rendering the data should happen with proper escaping etc.

They are usually only trouble if you're doing SQL queries wrong (concatenation etc.) or if you're not escaping your output.

[–] [email protected] 28 points 1 year ago* (last edited 1 year ago) (2 children)

The issue is the filter that we're using to avoid multiple encoding attacks de-escapes everything via multiple rounds, then tries to pass it to the next layer of filtering with the de-escaped request body as a json string. Your absolutely right that this is a silly way of doing it, but sometimes we have to live with decisions that were made before we were onboarded to a project. In this particular case, I pushed to improve the filters but all our PO heard was "spend development time weakening security" and at the end of the day they decide what to do and we do it.

[–] [email protected] 11 points 1 year ago

Ah, that's understandable. Sorry you have to go through that!

[–] [email protected] 1 points 1 year ago (1 children)

The filter you're using to avoid multiple encoding attacks creates multiple encoding attacks.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

You should tell that to OWASP then, they wrote it. org.owasp.esapi 2.5.2.0, class is Encoder, method is canonicalize(String, bool, bool)

[–] [email protected] 2 points 1 year ago

This method is a band-aid patch when your downstream code is all messed up and you can't fix it. Instead of treating the input string correctly, it just removes anything that might possibly trigger some vulnerability in wrong code.

[–] [email protected] 27 points 1 year ago* (last edited 1 year ago) (1 children)

It's a way bigger pain in the ass than people think it is. I remember having to parse output from a tool for work that had tons of output in tabular format, mixed with normal sentence like strings. JSON, YAML, or XML outputs weren't available so I had to do a nasty mess of grep, awk, cut, and head/tail, to get what I wanted. My first attempt was literally counting the characters so I could cut out exactly what I needed, but as we all know, hardcoding values is a recipe for headaches later on.

[–] [email protected] 33 points 1 year ago* (last edited 1 year ago) (4 children)

Here's a horror story from literally yesterday. We have been fighting a system for a client for weeks and it has been a nightmare. Our clients just told us that they outsourced some of their work to an Indian outfit but that outfit is unfamiliar with Linux and doesn't know how to edit text files so they have been downloading the files to their Windows machines, editing them in Windows, then uploading the contaminated text files back into Linux. None of them, not our client nor the outfit they hired, understood why this was a problem. We have no idea what files are affected and we won't know until they fail because they obviously did not keep track of what they touched.

EDIT: I'm being intentionally vague.

[–] [email protected] 16 points 1 year ago (1 children)

Haha this is up there with having to explain why opening a csv in Excel and then saving means that I don't want the file.

[–] ramblinguy 8 points 1 year ago (1 children)

I will never forgive excel for automatically converting all of my dates to some weird ass format, or stripping single quotes randomly, or something other BS that they do for no reason

[–] [email protected] 4 points 1 year ago

My absolute favourite is stripping leading zeroes from any text that looks like a number, then displaying it in scientific notation. But we get Copilot, so it balances out, right?

[–] [email protected] 9 points 1 year ago (2 children)

If this is about line endings, surely a simple shell or python script could correct them?

[–] m_randall 9 points 1 year ago
[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Does windows add an extra character at the end that gets converted to new line on linux? Because the other day I were copying a script and after pasting it an extra line was added after every single line, even the empty lines.

how it looked when I copied it:

bla
bla

bla

what it turned into:

bla

bla



bla
 
[–] [email protected] 11 points 1 year ago (1 children)

Windows uses CR LF (carriage return, line feed), whereas Unix just uses LF. For added fun, macs use CR.

[–] [email protected] 5 points 1 year ago (1 children)

For added fun, macs use CR.

This used to be true, for sure, but I thought this changed with OS X (which is essentially PrettyBSD) ?

[–] [email protected] 4 points 1 year ago

You're right. Notepad++ still lists macs as using CR for their EOL conversion tool, so I didn't realize.

[–] [email protected] 8 points 1 year ago

The only reasonable response to this behavior is disproportionate violence

[–] [email protected] 7 points 1 year ago

You can just grep for carriage returns followed by newlines, grep -Pirn '\r\n$' /path/to/whatever. It'll identify all your problematic files.

[–] [email protected] 18 points 1 year ago (1 children)

“\ “ and [tab] and * are your friends. I’ve been using spaces in Unix filesystems since the early 90s with no issues. Also, using terminal fonts that•put•a•faint•dot•in•each•space•character helps.

[–] [email protected] 9 points 1 year ago (2 children)

Yeah, either put quotes around it '/like this/you can incorporate/spaces/into your paths' or /just\ escape/your\ spaces/like\ this

[–] [email protected] 13 points 1 year ago

This is fine for the most basic of use cases but once you start looping through file names or what have you, you have to start writing robust correct bash and nobody does that

[–] gears 11 points 1 year ago* (last edited 1 year ago) (2 children)

It gets real crazy when you're sending remote commands so you have to escape the escapes so that the remote keeps them and properly escapes the space

ssh -t remote "mv /home/me/folder\\\ with \\\ spaces /home/me/downloads/

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Does SSH require quoting commands?

[–] gears 1 points 1 year ago (1 children)

It doesn't for commands without spaces (i.e reboot) You might be able to escape the spaces and not use quotes, I'm not sure

[–] [email protected] 1 points 1 year ago

Might be client-dependent; I've regularly ran commands with spaces (e.g. ssh [email protected] ssh [email protected]) without a problem.

[–] [email protected] 1 points 1 year ago

Yup, this is me with scp. Well, it would be if I didn't just use asterisks to avoid that PITA.

[–] [email protected] 6 points 1 year ago

Yeah I was gonna say this is something anyone in tech knows, spaces are a plague