HTTPS for dev.clojure.org?
Could we get HTTPS for dev.clojure.org? It's great that we have TLS on clojure.org (although not by default -- issue filed!) but dev.clojure.org takes passwords and involves exchanges of code patches, which makes it a moderately juicy target. (Some of those passwords may also be used for github or other sensitive places.) - Tim McCormack -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: Clojure 1.6.0-RC1 - LAST CHANCE, PLEASE TEST
On Wednesday, March 19, 2014 4:14:38 PM UTC-4, Alex Miller wrote: > Rich just pushed a change to the String hashing to address this. We're going to grab the string hashcode (which is cached after first call) and murmur the result of that. This gives us constant time hashcode after first call with better distribution for combinations in nested collections. Will be in presumed RC2. (Discussion continued from IRC and Github.) This does make PHM vulnerable to "hashDoS" attacks again -- ["AaAa" "" "AaBB" "BBAa"] will all hash to the same value, so an attacker can pass a ton of these colliding strings to a webapp as a querystring or POST body and really bog down the machine. Best article I could find on this attack: http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/ Is there some compromise we can make between caching and good hashing? My naïve thought would be to combine the native String hashCode with a Murmur hash of a fixed chunk of the string, then possibly run that combination through Murmur. This avoids hashing unbounded data more than once, and would be effective against basic hashDoS. (Intelligently picking the fixed chunk of the string would be essential for protecting against an adaptive hashDoS attack.) - Tim McCormack -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: RC 16: Last chance to test against Clojure 1.5 before it ships
On Wednesday, February 13, 2013 10:33:42 PM UTC-5, Stuart Halloway wrote: > > If you care about Clojure 1.5 compatibility for your codebase, please test > it against RC 16 as soon as possible. > (I mistakenly posted this already to the *read-eval* thread, but it really belongs here... apologies for the double-post.) The command-line eval feature is broken under -Dclojure.read.eval=unknown in beta13 and RC16 (not sure which is newer): $ java -Dclojure.read.eval=unknown -jar ~/.m2/repository/org/clojure/clojure/1.5.0-RC16/clojure-1.5.0-RC16.jar -e "(+ 1 2)" Exception in thread "main" java.lang.RuntimeException: Reading disallowed - *read-eval* bound to :unknown - timmc -- -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: clojure.contrib.sql does not protect table names?
On Jul 14, 11:56 am, Michael Wood wrote: > AFAIK backticks are MySQL-specific. PostgreSQL uses double quotes. I > imagine there is a proper JDBC way of handing this, though. OK, so there is enough variation between RDBMSs that a simple solution won't work. Seems like clojure.contrib.sql's job should be to even out those differences by quoting and escaping as appropriate to the chosen database. :-/ - TimMc -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en
clojure.contrib.sql does not protect table names?
It looks like all the clojure.contrib.sql functions that interact with
tables fail to wrap table names in backticks. As a result, any table
names that are reserved words (like "order") or contain non-
alphanumeric characters (like "foo-bar") will cause SQL errors:
(require '[clojure.contrib.sql :as sql])
(def db {:classname "com.mysql.jdbc.Driver" :subprotocol
"mysql" :subname "//localhost/db" :user "user" :password "secret"})
(sql/with-connection db (sql/drop-table "foo-bar")) ; throws error [1]
(sql/with-connection db (sql/do-commands "DROP TABLE `foo-bar`")) ;
succeeds and returns (0)
Here's the source code:
http://github.com/richhickey/clojure-contrib/blob/master/src/main/clojure/clojure/contrib/sql.clj
Example: #L124: (format "DROP TABLE %s" (as-str name)) should use
"DROP TABLE `%s`"
Is there some kind of JDBC nonsense that I'm not aware of? Are
backticks a special feature of MySQL that can't be read by all JDBC-
compatible RDBMSs? I'm not a database person, but it seems to me that
either backticks should be placed around all table, database, and
column names, or a warning should be added to the docs about only
using non-reserved alphabetic table names.
The workaround is to build one's own prepared statements.
- TimMc
[1] Here is the error I see:
Update counts:
Statement 0: EXECUTE_FAILED
BatchUpdateException:
Message: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '-bar' at line 1
SQLState: 42000
Error Code: 1064
java.lang.Exception: transaction rolled back: You have an error in
your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '-bar' at line 1
(NO_SOURCE_FILE:0)
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
