Hello,
On Sun, May 04, 2014 at 06:52:25PM +0800, Chris Down wrote:
> FRIGN writes:
> > A configuration can look like this:
> >
> > { "\.mp3","st -e mplayer %s" },
> > { "\.(jpg|png|tiff)$","feh %s"},
> > { "\.gif","wget -O /tmp/tmp.gif %s && gifview -a
On 5/4/14, 3:25 PM, Manolo Martínez wrote:
> Video calls are nice, though.
Don't feed the troll, please.
Yeah, in rural America with the next brothel a 5 hour flight away,
that might be an alternative to some people.
On 5/4/14, Manolo Martínez wrote:
>> telephone
>
> Video calls are nice, though.
>
>
> telephone
Video calls are nice, though.
telephone
On Sun, 4 May 2014 18:55:25 +0100
Chris Down wrote:
> You appear to have not understood my concern -- this has nothing to do
> with writing an obviously insecure config.h; to anyone writing one, the
> following seems perfectly reasonable because there is no documented
> reason that it should not
FRIGN writes:
> If you mess up your damn soap-config.h, you almost deserve to get your
> bloody hard drive wiped.
> I designed soap to handle user input safely, on the assumption that the
> person who configures the program knows what he is dealing with.
>
> There's no denying you can exploit this b
Thanks everyone.
M
On Sun, 04 May 2014 18:01:22 +0200
7heo <7...@mail.com> wrote:
> That's something any suckless software should never do. User
> hand-holding is contrary to the suckless philosophy, as far as I know,
> and any command that can execute other commands (such as watch(1),
> sudo(8), exec (shell buil
Quoth Chris Down:
> I'm not really interested in engaging in some Google soapboxing
> when we are discussing something entirely unrelated.
I am, a bit ;)
> 7heo writes:
> > I don't trust Google, and I'm not going to take any definition from them.
>
> Google does not define this word, this word
On Sun, 4 May 2014 16:41:49 +0100
Chris Down wrote:
> I'm not really interested in engaging in some Google soapboxing when we
> are discussing something entirely unrelated.
Nice pun, Chris.
I'm glad you are at least self-aware: The topic we are discussing is
completely unrelated to the security
On 5/4/2014 5:25 PM, FRIGN wrote:
What Chris is concerned about is making a mistake in the config.h,
calling a program like watch(1), which accepts arguments like this:
watch 'ls -l /tmp | grep tmp'
Now, Chris' concern is, if you put watch like this in your config.h,
which means:
7heo writes:
> I don't trust Google, and I'm not going to take any definition from them.
Google does not define this word, this word is defined by those who
speak English. If you want to believe they are trying to undermine the
course of language, or something, you are nuts.
> Ever read 1984? You
On 5/4/2014 4:58 PM, Chris Down wrote:
That's a rather convoluted way of putting it; I meant what Google gives
as definition 1 for "instance": "an example".
I don't trust Google, and I'm not going to take any definition from
them. Ever read 1984? You should. https://en.wikipedia.org/wiki/Newsp
On Sun, 4 May 2014 17:06:51 +0200
Markus Wichmann wrote:
> Did you even read the code? Of course it does: Every existing single
> quote within the string argument is replaced by a single quote, followed
> by a backslash, followed by two single quotes. No way for that to turn
> out to be wrong as
Markus Wichmann writes:
> Did you even read the code?
Uh, yes.
> Of course it does: Every existing single quote within the string
> argument is replaced by a single quote, followed by a backslash,
> followed by two single quotes. No way for that to turn out to be wrong
> as far as I can see!
You
On Sun, May 04, 2014 at 03:58:39PM +0100, Chris Down wrote:
> My second use is perhaps a little unclear, sorry. I meant "the shell
> quoting [method used in soap] does not handle existing instances [of
> single quotes] inside single quotes".
>
Did you even read the code? Of course it does: Every
7heo writes:
> Your first use of the word 'instance' in your answer is very probably
> intended to have the sense 4 in this definition:
> http://www.merriam-webster.com/dictionary/instance.
That's a rather convoluted way of putting it; I meant what Google gives
as definition 1 for "instance": "an
Quoth Manolo Martínez:
> > Yes, I educated my family and most of my friends.
>
> And what's the protocol/client you educate them in? My family is
> Windows-only. Tox, perhaps?
FYI for me it's Jitsi with https://ostel.co/ (SIP) or
https://jit.si/ (XMPP). It's Java, so not pretty, but it works
pr
Your first use of the word 'instance' in your answer is very probably
intended to have the sense 4 in this definition:
http://www.merriam-webster.com/dictionary/instance. However, I can't
understand what the second "instance" means. Especially due to the
presence of the word "existing" prior to
7heo writes:
> open "; rm -rf /; .jpg" would be translated as `feh '; rm -rf /; .jpg'`
> which would open the `; .jpg` in the `; rm -rf ` directory. I'm not sure I
> see the problem here.
I'm not talking about that specific instance, but in general. The shell
quoting does not handle existing insta
On Sun, May 04, 2014 at 02:09:58PM +0200, Manolo Martínez wrote:
> And what's the protocol/client you educate them in? My family is
> Windows-only. Tox, perhaps?
For group chats IRC, for private conversations XMPP with OTR. I am not
so much concerned about cryptographic details of OTR, but the TO
open "; rm -rf /; .jpg" would be translated as `feh '; rm -rf /; .jpg'`
which would open the `; .jpg` in the `; rm -rf ` directory. I'm not sure
I see the problem here.
On 5/4/2014 12:52 PM, Chris Down wrote:
FRIGN writes:
A configuration can look like this:
{ "\.mp3","st -e
On Sun, 4 May 2014 14:09:58 +0200
Manolo Martínez wrote:
> And what's the protocol/client you educate them in? My family is
> Windows-only. Tox, perhaps?
I'd recommend Tox in 6 months to 1 year, when the clients have received
some more polishing. It's so promising, I wouldn't waste it by recommending
> > > You are not using Skype really, right? I hope I am just unable to
> > > properly decode the sarcasm here.
> >
> > Alex, don't you have relatives or friends who don't know better? Or do
> > you succeed in educating them to use better solutions? No sarcasm, I'm
> > really curious :)
>
> Yes,
On Sun, 4 May 2014 12:48:38 +0100
Chris Down wrote:
> I did not see that; however, that still doesn't really resolve the
> problem. You don't know which shell the user is using.
I suppose taking care of a properly-fortified regex + the included
security from the shell-escapes is sufficient.
Can y
On Sun, May 04, 2014 at 01:41:08PM +0200, Manolo Martínez wrote:
> On 05/04/14 at 01:04pm, Alexander Huemer wrote:
>
> > You are not using Skype really, right? I hope I am just unable to
> > properly decode the sarcasm here.
>
> Alex, don't you have relatives or friends who don't know better? O
FRIGN writes:
> Wait a second: Don't forget I also do a shell-escape of the incoming
> string.
I did not see that; however, that still doesn't really resolve the
problem. You don't know which shell the user is using.
This does not resolve all problems, anyway. Consider `foo 'bar %s'`.
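Added example, not code from soap or from anyone in the thread: it models the quoting scheme Markus describes (every `'` becomes `'\''` and the result is wrapped in single quotes) and then tokenises the rendered command with Python's `shlex` lexer, configured to split control operators the way a POSIX shell's lexer does, so the difference between a plain `feh %s` handler and the `foo 'bar %s'` template Chris points at becomes visible without running anything. The `; rm -rf /; .jpg` string is the one quoted in the thread; the other URIs are constructed, and `build_argv` is an assumed shell-free alternative (argv list, no shell), not something soap does.

```python
import shlex
from typing import List

# Sample inputs. The first is the string quoted in the thread; the other two
# are constructed for this example.
INJECTED_URI = "; rm -rf /; .jpg"
AMPERSAND_URI = "http://example.invalid/?a=1&b=2"   # "&" is valid unencoded in a URI
QUOTED_URI = "http://example.invalid/it's.png"      # a single quote in the URI

# Tokens a POSIX shell treats as control operators / redirections.
OPERATORS = {";", "&", "&&", "|", "||", "(", ")", "<", ">"}


def soap_quote(s: str) -> str:
    """The quoting scheme described in the thread: each ' becomes '\\''
    and the whole string is wrapped in single quotes (same idea as shlex.quote)."""
    return "'" + s.replace("'", "'\\''") + "'"


def render(template: str, uri: str, quote: bool = True) -> str:
    """Substitute the URI for %s in a config.h-style command template,
    with or without the single-quote escaping."""
    return template.replace("%s", soap_quote(uri) if quote else uri)


def shell_words(cmd: str) -> List[str]:
    """Tokenise a command line as a POSIX shell lexer would, keeping control
    operators (; & | ...) as their own tokens so injected ones are visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def operator_tokens(cmd: str) -> List[str]:
    return [tok for tok in shell_words(cmd) if tok in OPERATORS]


def uri_injects_operator(template: str, uri: str, quote: bool = True) -> bool:
    """True if rendering this URI adds a control operator that the template
    itself does not contain (templates like the wget && gifview one
    legitimately carry their own operators, so compare against a baseline)."""
    baseline = operator_tokens(render(template, "x", quote))
    actual = operator_tokens(render(template, uri, quote))
    return len(actual) > len(baseline)


def build_argv(handler: List[str], uri: str) -> List[str]:
    """Assumed shell-free alternative: the handler is an argv list and %s is
    substituted inside individual arguments, so the URI can only ever be one
    argument. Run with subprocess.run(argv) (no shell=True); which shell the
    user runs then no longer matters."""
    return [arg.replace("%s", uri) for arg in handler]


if __name__ == "__main__":
    for template in ("feh %s", "foo 'bar %s'"):
        cmd = render(template, INJECTED_URI)
        print(f"{cmd!r:45} -> {shell_words(cmd)}")
    print(build_argv(["feh", "%s"], INJECTED_URI))
```

With `feh %s` the quoted URI stays a single argument. With `foo 'bar %s'` the inserted quotes close the template's own quotes, and the `;` tokens that follow are the ones the shell would execute as separators; the same check also flags an unquoted `&` in a URI, which is why an argv list that never goes through a shell is the simpler defence.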
On 05/04/14 at 01:04pm, Alexander Huemer wrote:
> You are not using Skype really, right? I hope I am just unable to
> properly decode the sarcasm here.
Alex, don't you have relatives or friends who don't know better? Or do
you succeed in educating them to use better solutions? No sarcasm, I'm
r
On Sun, 4 May 2014 12:23:11 +0100
Chris Down wrote:
> That also doesn't really work; as a basic example, "&" is a perfectly
> valid character in a URI without encoding, but it has other meaning to
> most shells (it is a backgrounding operator).
>
> I just think there are too many potential pitf
On Sun, 4 May 2014 13:04:00 +0200
Alexander Huemer wrote:
> You are not using Skype really, right? I hope I am just unable to
> properly decode the sarcasm here.
Unfortunately, this is true. I'm switching over to IRC and XMPP, but
like the Ubuntu sysadmin, I'm forced to use what my colleagues u
FRIGN writes:
> That's definitely a good point. However, fortifying the regexes to
> strictly match URIs solves this problem instantly (Hell, just check for
> spaces!).
That also doesn't really work; as a basic example, "&" is a perfectly
valid character in a URI without encoding, but it has other
On Sun, 4 May 2014 18:52:25 +0800
Chris Down wrote:
> FRIGN writes:
> > A configuration can look like this:
> >
> > { "\.mp3","st -e mplayer %s" },
> > { "\.(jpg|png|tiff)$","feh %s"},
> > { "\.gif","wget -O /tmp/tmp.gif %s && gifview -a
> > /tmp/tmp.
On Sat, May 03, 2014 at 05:18:59PM +0200, FRIGN wrote:
> […]
> I thought that it would be awesome to press a youtube-link in Skype
> […]
You are not using Skype really, right? I hope I am just unable to
properly decode the sarcasm here.
Kind regards,
-Alex
FRIGN writes:
> A configuration can look like this:
>
> { "\.mp3","st -e mplayer %s" },
> { "\.(jpg|png|tiff)$","feh %s"},
> { "\.gif","wget -O /tmp/tmp.gif %s && gifview -a
> /tmp/tmp.gif" },
> { "^(http://|https://)?(www\.)?(youtube.com/watch\?|youtu\