
IRC log for #mojo, 2013-01-19


All times shown according to UTC.

Time Nick Message
00:00 jzawodn joined #mojo
00:12 Molaf_ joined #mojo
00:16 Caelum I just thought of an evil way to write a plugin for that :D
00:19 jnbek joined #mojo
00:46 rem_lex| joined #mojo
01:00 Molaf__ joined #mojo
01:11 Mike-PerlRecruiter_ joined #mojo
01:15 tempire Caelum: why would you want to end a request?
01:17 Caelum tempire: say the parameter is invalid and I render an error, stuff like that
01:20 Caelum ->detach is very useful in catalyst
01:21 xxtjaxx Any ideas how to make mojo_app.conf.d instead of a single file? My app may require configs that are a bit bigger
01:22 Caelum also, I don't mean "aborting" the request (it can still continue to render crap etc.) just not forcing the status code to 500 if it's that class of exception
01:24 Caelum xxtjaxx: override the bits that read the config file?
01:25 xxtjaxx Caelum: Hum? That'd be Mojolicious::Plugin::Config
01:25 good_news_everyone joined #mojo
01:25 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/lyqLeA
01:25 good_news_everyone mojo/master f9d40de Sebastian Riedel: documentation tweaks
01:25 good_news_everyone left #mojo
01:27 sri Caelum: it's not particularly crazy, there's even a tested way to do it ;) https://github.com/kraih/mojo/blob/master/t/mojolicious/exception_lite_app.t#L75
01:27 sri it's just not very mojolicious style, so it's not built in
01:28 sri exception traps don't work with evented code and all that...
01:29 * tempire thinks detach is a horrible idea
01:29 tempire it's a planned exception
01:29 * sri agrees with that
01:37 sri haha, so os x keeps a list of all your downloads in an sqlite database, fun
01:38 sri "sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'"
01:45 Caelum interesting
01:46 sri (all the quarantined files)
01:46 Caelum sri: that looks much simpler than what I was thinking of, do you mind if I make a detach plugin?
01:46 sri knock yourself out
02:09 tempire first facebook comment is the best part of the article
02:45 Caelum sri: what about loading plugins twice, would it make sense to have some sort of hash so that ->register would only be called the first time?
02:45 sri no
02:46 sri some plugins like Mount depend on it already
02:47 Caelum I see
02:51 Caelum I just did: return if exists $app->renderer->helpers->{foo};
02:52 Caelum though it would be nice if $app->helper('foo') returned the cb or undef
03:08 Caelum some legacy package I loaded is loading CGI::Carp and that's breaking the mojolicious error screen
03:11 Caelum added a check for $INC{'Mojolicious.pm'} and that fixed it, yay
03:12 jberger Caelum, if you are making your own plugin, your register method could detect that it has been loaded and just return
03:13 * jberger <3 bsg
03:13 Caelum yeah that's what I did
03:13 Caelum I suppose I could set a variable in the package instead of checking $app->renderer->helpers, duh
03:13 Caelum but w/e
03:15 Caelum actually it makes sense to check the $app, because like, what if you have the same mod_perl process with two apps
03:16 Caelum bsg was hard for me to watch, it's emotionally very intense, I only managed a couple of episodes
03:29 jberger Caelum, its not your usual "freak of the week" sci-fi, and that's what sets it apart
03:30 jberger not saying it has to be everyone's cup-of-tea
03:30 jberger but thats what I like about it :-)
03:33 Caelum also, I don't think super-intelligent robots would want to wipe out humans
03:33 Caelum sometimes I'd like to think they would, because humans fucking suck, but they really wouldn't
03:35 Caelum well, I had lots of fun writing tons of mojolicious plugins today
03:35 Caelum my API looks beautiful now compared to my first attempt
03:35 sri the story is pretty deep, i think it makes sense that they want to wipe out humanity after watching the prequel caprica
03:39 sri caprica was rather slow and boring, but the ending was really good
03:41 Caelum I think I saw the first couple of episodes, didn't it get cancelled?
03:42 sri yes, but they gave it a proper ending with a preview of the things to come, like two seasons of caprica in 10 minutes
03:50 ryozi joined #mojo
03:59 noganex_ joined #mojo
04:01 jberger jberger wishes Mojo::UA had a ->get_file() method
04:02 * jberger wonders if there are too many corner cases to make a consistent method
04:04 * Caelum just fixed all the $dbh->prepare_cached calls in the codebase, now it can be used in persistent apps
04:05 Caelum I wrote this insane DBI wrapper that uses DBIx::Connector
04:07 Caelum I'll probably clean it up over the weekend and release it as DBIx::PersistantDBH or something
04:08 jberger Caelum, try an insane subclass of DBIx::Class::DeploymentHandler: https://github.com/jberger/Galileo/blob/master/lib/Galileo/DB/Deploy.pm
04:08 jberger :-P
04:08 jberger which is insane to begin with btw
04:10 Caelum I don't know much about DH, but I know the author (frew) pretty well from when I worked on DBIC stuff
04:12 jberger it has "dispatch roles" or something, which they claim is to be flexible or something
04:12 jberger but it basically makes it so that you cannot override a method
04:12 Caelum jberger: this is my "persistant" DBI wrapper, if you're interested: https://gist.github.com/4570699
04:12 jberger which would be ok, except it spits out all this debug info, and you cannot stop it
04:12 * jberger looks
04:14 Caelum $db is a DBIx::Connector instance
04:15 jberger nice
04:35 ObseLeTe joined #mojo
04:47 ObseLeTe joined #mojo
05:39 ka2u joined #mojo
06:00 crab i've never quite gotten along with DBIx::Connector
06:00 crab maybe i should try a bit harder
07:13 dod joined #mojo
07:21 Vandal joined #mojo
07:29 xaka joined #mojo
07:37 dod joined #mojo
07:44 d4rkie joined #mojo
07:45 d4rkie joined #mojo
09:03 Gedge joined #mojo
09:49 ObseLeTe joined #mojo
11:11 ryozi joined #mojo
11:21 yakudza joined #mojo
11:36 d4rkie joined #mojo
11:51 inokenty joined #mojo
13:08 Mike-PerlRecruiter_ joined #mojo
13:23 keedi joined #mojo
13:24 keedi joined #mojo
13:31 TitanOfOld joined #mojo
13:50 ladnaV joined #mojo
14:15 rem_lex|pivo joined #mojo
14:38 xxtjaxx sri: I wrote a Config Plugin to split files up in a directory, you want it? https://github.com/andreas-marschke/mojo/blob/feature/Config/dir-option/lib/Mojolicious/Plugin/ConfigDir.pm
14:41 Miked joined #mojo
14:45 mattastrophe joined #mojo
14:53 sri xxtjaxx: for core? nope, but it seems like a sensible module to release to cpan
15:09 sri but you're reminding me of something
15:09 good_news_everyone joined #mojo
15:09 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/TTeypA
15:09 good_news_everyone mojo/master eb3014f Sebastian Riedel: slurp more consistently
15:09 good_news_everyone left #mojo
15:16 Britzel joined #mojo
15:18 mattastrophe joined #mojo
15:46 xxtjaxx sri: Okay.
15:49 * xxtjaxx .o(Yay my 30th repository)
15:57 * marty is heading up to his cabin in the snow. o/  Got WiFi via 3G up there now, will check in from there.
16:30 KindOne joined #mojo
16:31 asarch joined #mojo
16:32 basic6 joined #mojo
16:53 Nom- joined #mojo
17:00 dod joined #mojo
17:39 d4rkie joined #mojo
17:40 xaka joined #mojo
17:52 basic6 i'm trying to serve a static file, but my browser only receives an empty file: die "not found" unless -f $path; my $static = Mojolicious::Static->new(); $static->serve($self, $path); $self->rendered;
17:52 basic6 if i use render_static instead, it logs "File $path not found, public directory missing?". i've tried to declare the parent directory 'public': push @($static->paths), $pathparent;
18:05 sh4 joined #mojo
18:07 Nom- joined #mojo
18:20 inokenty basic6: Just create a directory called 'public' and put your file there. Mojolicious will serve this file automatically
18:22 basic6 inokenty thanks but unfortunately this doesn't work in my setup. i've written a webapp which works with many different directories (depending on configuration). none of them is called 'public'. so i do have a list of (currently) valid parent directories. but i need to be able to serve any file within one of those directories.
18:33 gryphon joined #mojo
18:36 inokenty basic6: Maybe you have to look at Mojolicious::Plugin::RenderFile?
18:36 GabrielVieira joined #mojo
18:41 buu basic6: Have you tried using my $static = $ap->static; and serving it via that?
18:41 buu app->static
18:41 zeke joined #mojo
18:41 Nom- joined #mojo
18:42 basic6 buu no haven't thought of that (from the docs i thought i have to create that new static object, hang on i'll try
18:42 buu Also controllers have a method, ->render_static
18:42 buu Render a static file using "serve" in Mojolicious::Static, usually from the "public" directories or "DATA" sections of your application. Note that this method does not protect from traversing to parent directories.
18:43 basic6 buu yes i've tried $self->render_static but it said "File $path not found, public directory missing?". i've tried to declare the parent directory 'public': push @($static->paths), $pathparent; no luck
18:44 buu Hrm
18:44 buu I'd have to dig through the code to figure that out
18:46 basic6 buu i've just tried my $static = $self->app->static; $static->serve($self, $path) or die "Error rendering static file"; and it dies with that error
18:47 buu I assume it doesn't actually serve the file and return false?
18:48 basic6 if i remove the "or die" it will send an empty file to the browser. oh and i have $self->rendered right after that.
18:49 buu basic6: Have you tried the snippet that the documentation mentions for ->rendered?
18:49 buu Specifically the one:          # Stream content directly from file
18:49 basic6 i've basically copy&pasted the code from the Mojolicious::Static docs (which also said to create a new Static object)
18:49 basic6 where does it say that?
18:50 basic6 mojolici.us/perldoc/Mojolicious/Static
18:50 buu In the perldoc for Mojolicious Controller
18:50 buu In the 'rendered' method section
18:51 basic6 there's just one line, one sentence, "Finalize response and emit after_dispatch..."
18:52 basic6 mojolici.us/perldoc/Mojolicious/Controller#rendered
18:53 basic6 oh on cpan Mojolicious::Controller::Rendering there's something mentioning special headers, maybe that's what you mean
18:54 basic6 i'll try that code
18:54 buu "rendered"
18:54 buu $c = $c->rendered;
18:54 buu $c = $c->rendered(302);
18:54 buu Finalize response and emit "after_dispatch" plugin hook, defaults to using a 200 response code.
18:54 buu # Stream content directly from file
18:54 buu was kicked by sri: buu
18:55 basic6 kicked? is there a 5 lines maximum limit in this channel?
18:56 sri it's automatic (works sometimes)
18:56 basic6 didn't know that, hasn't happened to me yet
18:56 sri no pasting into the channel
18:56 buu joined #mojo
18:56 basic6 well that's what pastebins are for
18:56 buu oh
18:56 basic6 :-)
18:56 buu That's what the channel is named
18:57 basic6 oh hi, you're back
18:57 buu I couldn't remember what the channel was named
18:57 buu Kept trying to join mojolicious, heh
18:57 basic6 buu so i've tried that other code and it also logs "public directory missing?"
18:57 buu And that's it?
18:58 sri http://mojolicio.us/perldoc/Mojolicious/Guides/Rendering#Custom_responses
18:58 sri btw.
18:58 basic6 the exact error is "File $path not found, public directory missing?", which is exactly what happened with render_static
18:59 sri or just use the RenderFile plugin as mentioned way above
19:01 basic6 ok that 3line code does actually work, but the content-type text/plain is not what i'm looking for, as i want to force a download. what's the proper content-type for that?
19:02 sri i hope you're aware of the risks of that approach
19:03 sri absolute paths make your app non-portable and can become a huge attack vector
19:03 sri (that's why the recipe is in the advanced section)
19:03 basic6 you mean because any file from anywhere on the server filesystem could be downloaded that way, in theory?
19:04 sri yes, and because there are many ways to fool any checks you might run on the paths
19:05 buu basic6: content-type: application/octet-stream will probably force a download..
19:05 buu But why don't you give it the content type that it actually is?
19:06 sri force download is actually shown in the recipe before...
19:06 basic6 well i've only taken care of that issue by only letting 2 users (people i trust) use my application. but i can only think of ".." in the path and symlinks pointing somewhere outside for ways to "break out" of the area a user should download files from
19:06 sri http://mojolicio.us/perldoc/Mojolicious/Guides/Rendering#Rendering_static_files
19:14 basic6 sri thanks it works. i'd be still interested if you have some more advice for me (except ".."/symlink to break out)
19:14 sri http://en.wikipedia.org/wiki/Directory_traversal_attack
19:15 sri it's not just *one* attack, it's a category of attacks
19:15 dod joined #mojo
19:15 sri if you don't know exactly what you're doing it's very risky
19:16 sri to put it in perspective, in the 1.x days Mojolicious::Static was actually vulnerable to one variant of those
19:18 Nom- joined #mojo
19:22 sri and i bet you never checked how Mojo::Asset::File actually opened the file to make sure nothing can be injected there
19:24 good_news_everyone joined #mojo
19:24 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/ZNNcsQ
19:24 good_news_everyone mojo/master 54df770 Sebastian Riedel: made Mojo::Asset::File slightly more secure
19:24 good_news_everyone left #mojo
19:25 sri those layers are not designed to be resilient towards attacks, *you* take full responsibility
19:36 basic6 thanks for the link. i'm already detecting "../" in the path, but i will double-check to see what it does if the input is encoded. also, i'm using Cwd::abs_path in order to get the "actual" absolute file path (without "..") and i then check if that resulting file path begins with one of the valid/allowed parent paths.
19:42 ka2u joined #mojo
19:54 basic6 sri if you think my approach (use abs_path and then check if that's inside an explicitly valid parent directory) is bad, please let me know. i'm thankful for any advice.
20:00 dpetrov- joined #mojo
20:00 marty joined #mojo
21:34 ka2u joined #mojo
21:41 basic6 how do i generate an url relative to the current controller? url_for 'feature' will make a url relative to the app root only
22:17 gtodd joined #mojo
22:19 TitanOfOld joined #mojo
22:38 BeDa joined #mojo
22:45 basic6 nevermind i've written my own helper
22:46 rem_lex| joined #mojo
