The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2013-12-02


All times shown according to UTC.

Time Nick Message
00:56 rem_lex joined #mojo
01:17 beyondcreed joined #mojo
01:19 zivester joined #mojo
01:21 mire_ joined #mojo
01:32 d4rkie joined #mojo
01:33 d4rkie joined #mojo
01:56 asarch joined #mojo
02:50 airdisa joined #mojo
03:00 zivester joined #mojo
03:38 russum joined #mojo
04:31 KindOne joined #mojo
04:35 russum joined #mojo
04:38 dbcooper joined #mojo
04:41 laouji joined #mojo
04:53 preflex_ joined #mojo
05:19 cfedde joined #mojo
05:38 zivester joined #mojo
06:16 Vandal joined #mojo
06:43 Adurah joined #mojo
07:32 ladnaV joined #mojo
07:53 laouji joined #mojo
08:08 highflying joined #mojo
08:10 Vandal joined #mojo
08:11 basiliscos joined #mojo
08:12 dod joined #mojo
08:23 ka2u joined #mojo
08:28 dod joined #mojo
08:38 trone joined #mojo
08:38 nicolaas joined #mojo
08:41 laouji joined #mojo
08:55 denisboyun joined #mojo
09:06 maxhq joined #mojo
09:08 laouji joined #mojo
09:12 denis_boyun joined #mojo
09:16 denis_boyun__ joined #mojo
09:16 themage joined #mojo
09:30 denisboyun joined #mojo
09:47 hummeleBop joined #mojo
09:51 denisboyun joined #mojo
09:55 fhelmber_ joined #mojo
09:58 ka2u joined #mojo
10:09 denis_boyun joined #mojo
10:19 laouji joined #mojo
10:42 punter joined #mojo
10:48 denis_boyun joined #mojo
10:51 ka2u joined #mojo
10:56 tba joined #mojo
11:07 d4rkie joined #mojo
11:22 d4rkie joined #mojo
11:26 denis_boyun joined #mojo
11:44 basiliscos joined #mojo
11:45 dvinciguerra joined #mojo
11:55 athenot joined #mojo
11:56 basiliscos joined #mojo
12:02 marcus good morning gentle-people
12:03 moritz good morning gentlebot
12:03 basiliscos joined #mojo
12:05 ver joined #mojo
12:06 crab good localtime, gentle-whatevers.
12:06 basiliscos joined #mojo
12:11 basiliscos joined #mojo
12:17 basiliscos joined #mojo
12:49 ryozi joined #mojo
12:53 basiliscos joined #mojo
13:00 mire_ joined #mojo
13:30 d4rkie_ joined #mojo
13:33 denisboyun joined #mojo
13:36 punter joined #mojo
13:51 bowtie joined #mojo
13:59 bowtie_ joined #mojo
14:03 asarch joined #mojo
14:04 good_news_everyone joined #mojo
14:04 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/U92gBA
14:04 good_news_everyone mojo/master de229a5 Sebastian Riedel: Merge pull request #567 from kraih/fix_gender...
14:04 good_news_everyone left #mojo
14:04 marcus \o/
15:02 meshl joined #mojo
15:05 good_news_everyone joined #mojo
15:05 good_news_everyone [mojo] kraih deleted fix_gender at 0feef4f: http://git.io/e9wStw
15:05 good_news_everyone left #mojo
15:12 Dandre joined #mojo
15:16 sh4 joined #mojo
15:22 gryphon joined #mojo
15:30 btyler joined #mojo
15:38 webart joined #mojo
15:50 kej joined #mojo
15:53 russum left #mojo
15:55 beyondcreed joined #mojo
16:03 sri hmm, looks like the csrf branch isn't working out
16:04 sri at least i've seen nobody experiment with it
16:12 serious_chat i haven't had time yet annoyingly
16:12 serious_chat but thanks for reminding me, will pass it along
16:13 serious_chat not as many people are as efficient as you though, and it's been only 48 hours or so :)
16:13 mire_ joined #mojo
16:15 kwa joined #mojo
16:19 crab sri: i'm not you, i'm slow and plodding
16:19 sri puny humans
16:19 crab one day, when you least expect it... ! */me shakes fist weakly*
16:20 sri WHY NOT ZOIDBERG
16:20 purl (V) (;,,;) (V)
16:37 fhelmbe__ joined #mojo
16:39 r0b3rt joined #mojo
16:41 dod joined #mojo
16:44 hrupp joined #mojo
17:12 basiliscos joined #mojo
17:21 * bd backs out of the channel slowly slowly ...
17:30 serious_chat god i long to return to writing mojo
17:32 crab serious_chat: what made you stop?
17:33 serious_chat crab: oh i'm just dealing with other crap now, like CSS and LESS
17:33 serious_chat please shoot me
17:33 * moritz shoots serious_chat
17:33 serious_chat merci
17:33 serious_chat the entire front end of web stuff is horrible
17:33 serious_chat i mostly shy away from it and hate it, but i took the plunge and tried to write some bootstrap and similar
17:33 serious_chat and oh god i just want it to end
17:36 crab moritz: now you're responsible for the death of serious chat in this channel
17:36 * serious_chat falls by the wayside
17:36 serious_chat i was going through some django too
17:37 serious_chat don't even need to say anymore to share the pain do i?
17:38 crab time to write a django-style admin interface plugin for mojo
17:39 serious_chat crab: you know i think the django debug toolbar would be a good fit for mojo too
17:39 serious_chat but it's a bit useless in django
17:39 crab i haven't seen that
17:39 serious_chat https://github.com/django-debug-toolbar/django-debug-toolbar
17:39 serious_chat this is on my list of 'things to try in mojo'
17:44 AirDisa joined #mojo
18:04 sri serious_chat: plackup -Mojo -e 'enable "InteractiveDebugger"; app->plugins->unsubscribe("around_dispatch"); a(sub { die  })->start'
18:04 sri oops, wrong one
18:04 sri but the django toolbar has been ported as a plack middleware too
18:05 sri this one was the werkzeug debugger i believe
18:07 serious_chat sri: oh nice, i am not shocked at all about that
18:08 serious_chat it's amazing how concise perl can be made, and i love the fact that people still try and ensure it reads well
18:09 mire_ joined #mojo
18:10 trone joined #mojo
18:22 sh4 joined #mojo
18:22 tianon joined #mojo
18:25 serious_chat sri: when you said 'wrong one', do you mean there's another debugger you prefer?
18:25 serious_chat couldn't find much in the way of it
18:25 sri wrong oneliner
18:25 sri i meant to show the toolbar
18:25 sri but can't find it anymore
18:25 serious_chat aah
18:25 serious_chat well that debugger is frankly magic
18:26 athenot joined #mojo
18:33 ashleydev joined #mojo
18:39 denisboyun joined #mojo
18:45 sri jberger: if you plan on buying more books, oreilly has a sale on everything today
18:46 sri 60% if you spend more than $100
18:47 sri happy cyber monday ;p
18:52 AirDisa :)
18:53 AirDisa I started reading Linux Programming Interface last night
18:59 punter joined #mojo
19:11 Mike-PerlRecruiter_ joined #mojo
19:20 meshl joined #mojo
19:21 sri http://shop.oreilly.com/product/9781118505373.do # OMG!
19:21 * sri pokes marcus
19:22 AirDisa lol
19:40 AirDisa classy louts with a K, that is
19:53 mire_ joined #mojo
20:20 sri :)
20:47 trone joined #mojo
20:47 gryphon joined #mojo
21:19 basiliscos joined #mojo
21:31 lukep joined #mojo
21:42 aeos joined #mojo
21:45 aeos for Mojo::DOM, Is there some reason why when I feed a simple div with a class, id and text into Mojo::DOM and then try calling attr on the DOM object it returns nothing, but if I access the class through the hash key it returns the class
21:53 sri aeos: use the documentation appropriate for your version of mojolicious
21:57 aeos ah joy
21:57 aeos thanks
22:03 AirDisa joined #mojo
22:05 AirDisa_ joined #mojo
22:11 rem_lex|pivo joined #mojo
22:14 sri crab: re csrf protection, i think there might be something you've missed... it can't ever "just work"
22:14 rem_lex| joined #mojo
22:17 Adurah Make the token last as long as the session and be based on hash(secret+time/interval)
22:19 sri crab: or you have to accept that pretty much everything in your app starts a session and makes responses uncacheable
22:21 Adurah But, that'd make it site-wide... hmm...
22:22 sri i'm sure everyone has noticed that Mojolicious::Plugin::CSRFProtect is an all or nothing solution
22:23 AirDisa_ i'm new to all this but glad to know it's there
22:23 sri crab: i bring this up because you seemed the most disappointed with opt-in, and i've been waiting for a proposal from you
22:23 AirDisa_ does it work the same as rails?
22:23 AirDisa_ hidden field token?
22:23 sri it's not really "there"
22:24 sri we were considering the addition of a solution for mojolicious core
22:24 sri there are like 3 or more plugins on cpan though
22:24 AirDisa_ interesting
22:24 AirDisa_ any of them worth inclusion or make unique, I imagine that's the question
22:25 sri this was my opt-in experiment https://github.com/kraih/mojo/commit/18f4e1208a34207b94b58dabffff930abf080159
22:25 Adurah If you wanted cacheable pages you'd need an ajax request per-post, I guess.
22:27 AirDisa_ that looks like it's doing what rails does
22:27 AirDisa_ add secure token to hidden field, make sure POST data matches or else die
22:28 Adurah If you had a non-http cookie you could JS it to every post. I mean, if the attacker could read your cookies the UA is doing something wrong.
22:28 AirDisa_ something like that is good enough, they also have "strong params" to go along with it in rails 4
22:30 Adurah If they could read your cookies, you'd think they could read a post param.
22:32 AirDisa_ that sounds like man-in-the-middle attack, which is why csrf is used (session token into hidden field, HTML form POST must match session)
22:32 AirDisa_ the way to attack csrf is session hijacking
22:33 sri csrf is not for man-in-the-middle attacks, man-in-the-middle could just read your token
22:34 Adurah Guess my solution would live in the tag helper.
22:34 sri Adurah: fork my branch
22:34 Adurah Not that I know how to do that, hah .
22:35 sri what i'm saying is, i have no clue what you're talking about and would rather like to see code
22:36 Adurah I'll see what I can figure out to illustrate.
22:36 sri no seriously, modify the branch for a complete example
22:36 Adurah Yes, I'll give it a shot, I'm just not gitirate.
22:36 Adurah This'll take a bit of time.
22:36 sri that's the whole reason i made it, so we don't have to put up with gibberish in the channel
22:37 Adurah Talking out ideas is nice, though.
22:39 meshl joined #mojo
22:40 AirDisa_ man-in-the-middle can read csrf, I see
22:41 Adurah Yeah, what it's trying to prevent is tricking the user/UA.
22:41 AirDisa_ yeah
22:41 AirDisa_ sql injection, mainly
22:41 Adurah Uh...
22:42 Adurah They're quite different.
22:42 AirDisa_ well, the attack to get csrf token allows POST action, which can allow injection
22:42 asarch joined #mojo
22:42 sri <a href="http://yoursite.com/you-have-an-active-session-for/delete?everything">AirDisa should click on this.</a>
22:42 Adurah Well, any request could inject...
22:47 AirDisa_ hence: $app->helper(csrf_token    => \&_csrf);
22:47 punter joined #mojo
22:47 AirDisa_ rendering: %= 'Wrong or missing CSRF token!' if validation->has_error('csrf_token')
22:59 AirDisa_ as much as I like JS I know it's not always running on the client, would not be in favor of using it for infosec
23:00 AirDisa_ csrf has that going for it, that it's not JS
23:09 AirDisa_ while a GET method called delete in controller that would take everything is pretty risky coding, there's other protections could be borrowed or enhanced upon I would think
23:12 serious_chat sri: that's an interesting point about cache
23:12 serious_chat i will fork your branch shortly, but you keep giving me more to think about
23:13 serious_chat still, the proportion of sites where a form is used without an established session is bound to be quite low
23:17 sri of course breakage of existing code is a big problem too, we may have to wait until 5.0 in late 2014 if we decide to introduce csrf protection for all forms
23:20 Adurah My solution shouldn't, but requires JS and you may want to make it prettier.
23:21 meshl joined #mojo
23:23 serious_chat well there'd need to be a succinct way to either enable or disable it, i'm a fan of putting it in the validator to be honest, opt-in
23:23 serious_chat that would reduce the impact on existing code to a slight cookie lengthening
