The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2013-12-03


All times shown according to UTC.

Time Nick Message
00:33 thaljef joined #mojo
00:35 btyler joined #mojo
00:37 thaljef Quick question: Is there a hook I can use to run some code once just *after* the server forks?  For example, I might want to connect to a DB right away (rather than wait for the first request), seed a random number generator, or do some other work that has to be done separately in each worker.  I'm using hypnotoad, btw.
00:49 russum joined #mojo
00:49 russum left #mojo
00:51 d4rkie joined #mojo
00:52 d4rkie joined #mojo
00:55 sri thaljef: http://mojolicio.us/perldoc/Mojolicious/Guides/Cookbook#Built-in_web_server
00:55 nicomen thaljef: yes, in startup?
00:55 purl i guess in startup is MyApp::Model::CDBI::Bookmark loaded?
00:56 rem_lex joined #mojo
01:20 laouji joined #mojo
01:46 ka2u joined #mojo
01:47 Adurah You want me to send a pull request, sri? Or, just link the commits?
01:49 Adurah https://github.com/LaserMissle/mojo/compare/csrf?expand=1 Or, would this work for you?
01:50 btyler joined #mojo
01:52 sri Adurah: what's the advantage of that? why no test?
01:52 Adurah Can Mojo do JS?
01:52 sri so it's untestable?
01:53 Adurah Pretty much.
01:53 sri lol
01:54 Adurah Not sure of any other way that doesn't require JS that'd keep things cacheable.
01:58 Adurah Unless you gave everyone the same token, which'd kind of defeat the purpose.
02:01 Adurah As long as you get the gist of it.
02:08 thaljef sri: I'm not sure I see the connection.  Are you saying hook into the Mojo::IOLoop (like with timer => 0)?  That implies that the Loop starts running after forking (dunno myself, just saying).
02:10 good_news_everyone joined #mojo
02:10 good_news_everyone [mojo] kraih created csrf_again (+1 new commit): http://git.io/uosmAw
02:10 good_news_everyone mojo/csrf_again 9769dd7 Sebastian Riedel: added basic CSRF protection support
02:10 good_news_everyone left #mojo
02:11 sri jberger, crab, marcus, tempire: another try, this one always generates a hidden csrf_token field for forms and all the user has to do is call $validation->csrf_protect
02:13 sri breakage would be limited to tests that check the generated html character for character, which seems rather unwise in general
02:14 asarch joined #mojo
02:14 sri Adurah: a pure javascript solution has no chance whatsoever
02:22 Adurah Then, there'll always be caching issues... oh well.
02:28 laouji joined #mojo
02:28 thaljef sri: I see it in the docs now.  Thanks!
02:39 sri i don't have high hopes, but i've posted it to the list too https://groups.google.com/forum/#!topic/mojolicious/m92Y6lrlctA
02:46 dsteinbrunner joined #mojo
03:02 cooper joined #mojo
03:39 athenot joined #mojo
04:52 ka2u joined #mojo
04:52 preflex_ joined #mojo
04:54 laouji joined #mojo
04:55 laouji joined #mojo
06:25 Vandal joined #mojo
07:21 batman sri: so the csrf field is always included?
07:21 batman is that good going from *not having it at all* to *enforcing it in all forms* ?
07:37 marcus batman: It's not enforced, since you actually have to call csrf_protect
07:37 marcus batman: if you don't do that, the field is a noop
07:38 batman but the field is part of the html?
07:39 denisboyun joined #mojo
07:39 marcus batman: only if you use the form_for helper?
07:39 batman my $content = $self->csrf_field . pop->();
07:39 batman yes, but still...
07:39 marcus batman: what's the harm?
07:39 purl i heard the harm was that it takes a long time to build.
07:39 marcus you *should* be using csrf anyways
07:40 batman i would rather have it the other way around: do you include the %= csrf_field; then csrf_protect is called automatically
07:40 marcus batman: that won't work
07:40 marcus batman: that makes it useless
07:41 batman oh. then i'm missing out on something: why were you against having it in core in the first place then?
07:41 marcus batman: I was young and stupid and I needed the money.
07:41 marcus batman: I mean, it won't work as in how would you check that?
07:41 batman i thought this was "nice to have" if you were doing ajax
07:41 marcus batman: No. it's a security problem in any form posted with a session.
07:42 batman ok.
07:42 batman then i take it back.
07:43 maxhq joined #mojo
07:57 dod joined #mojo
08:00 crab it's not entirely clear to me what the correct response to a CSRF is
08:01 crab in my own implementation, which has been in production for >2 years now, there are a lot of false positives. some browsers just send the wrong token six times in a row and then work ok after that and such.
08:06 marcus crab: uhm what do you mean exactly by "correct response to a csrf" ?
08:06 marcus crab: are you persisting your token for the lifetime of the session?
08:12 crab marcus: what to do when a CSRF is detected
08:12 crab as in, an actual request with mismatched tokens
08:13 marcus crab: well, I would refuse to accept the form for sure.
08:13 crab yes, the csrf token persists for the lifetime of the session. changing it per-request doesn't seem sensible.
08:13 marcus crab: Most ruby implementations I've seen just serve a blank page or a 4** response
08:14 marcus crab: sounds bizarre to me that you would get false positives then. It's just a hidden input field in a form.
08:14 crab marcus: i have never managed to track it down and understand it. afaict, it's totally unpredictable, but it happens even now.
08:15 crab 403 is what i do, and it seems like a good start.
08:15 trone joined #mojo
08:22 dod joined #mojo
08:28 nicolaas joined #mojo
08:52 dotan joined #mojo
08:53 hummeleBop joined #mojo
09:08 highflying joined #mojo
09:22 hesperaux joined #mojo
09:24 ka2u joined #mojo
09:25 Lee https://github.com/kraih/mojo/blob/master/lib/Mojo/Transaction.pm#L66 # i believe there may be a bug here - this will return the right most ip rather than the left most - is that correct as the *left* most is the original client ip
09:30 crab is it really? is there consistent handling of those X-Forwarded-Blah headers between implementations?
09:30 crab let alone in chains of forwarders
09:34 Lee crab: http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-10#section-5.2
09:36 crab that appears to be a proposal for a different new header
09:38 Lee oh, well i guess there *isn't* an RFC yet then
09:39 Lee though it seems the "general" format is: client, proxy1, proxy2, proxyN
09:40 crab Lee: maybe you could write a patch with tests and show that it works with a couple of well-known proxy servers...
09:41 Lee yes, when i get time
09:42 themage joined #mojo
09:59 d4rkie joined #mojo
10:14 laouji joined #mojo
10:16 d4rkie joined #mojo
10:26 uffti joined #mojo
10:37 hummeleBop Hello there :) Does Mojo::DOM provide a charset?
10:37 hummeleBop When I call $dom->to_xml
10:41 fhelmber_ joined #mojo
10:48 abra joined #mojo
10:57 batman hummeleBop: i don't get your question. charset as in xml attribute or do you want the stream of characters to be utf8 or not?
10:58 batman either way - mojo don't care iirc
10:59 hummeleBop I use encode('UTF-8', $dom->to_xml);
10:59 hummeleBop It works, so thanks
11:03 batman cool. are you using Mojo::Util::encode() ?
11:04 hummeleBop Yes
11:05 hummeleBop But first, I call my $dom = Mojo::DOM->new( join('','<?xml version="1.0" enconding="UTF-8"?>','<tree>♦étoile♦</tree>') );
11:06 hummeleBop It seems encoding="UTF-8" is ignored
11:09 batman hummeleBop: that's because mojo don't care :)
11:09 batman is that in a unittest or something?
11:09 batman in that case you need to "use utf8;"
11:09 batman unless perl will read the source code as..uhm...latin..? not quite sure, but at least not utf8
11:12 hummeleBop My sources are UTF-8
11:15 nicomen if you are including literal strings with utf-8, you need to add use utf8;
11:15 nicomen also, it's "encoding", not "enconding"
11:16 hummeleBop Oh, I see, thanks :)
11:16 hummeleBop my header contains "use utf8;"
11:18 nicomen ♦étoile♦ <-- what is this supposed to say btw?
11:18 nicomen and what is actually wrong?
11:19 hummeleBop nothing just a test "étoile" with accented characters
11:19 hummeleBop It works now, when I use encode('utf-8',$dom->to_xml);
11:20 hummeleBop I'm working on a simple TCP server with Mojo::IOLoop->server
11:20 nicomen $ perl -MMojo::DOM -wle 'use Encode; use utf8; my $dom = Mojo::DOM->new( join("",q{<?xml version="1.0" encoding="UTF-8"?>},q{<tree>étoile</tree>}) ); print Encode::encode_utf8($dom->content_xml);'
11:20 nicomen <?xml version="1.0" encoding="UTF-8"?><tree>étoile</tree>
11:20 nicomen you need to encode when printing out something, always decode on input and encode on input, but luckily Mojo::DOM decodes on input
11:20 nicomen you need to encode when printing out something, always decode on input and encode on OUTput, but luckily Mojo::DOM decodes on input
11:21 moritz http://perlgeek.de/en/article/encodings-and-unicode might be of interest.
11:21 hummeleBop ok thanks for all
11:22 nicomen also, unfortunately, using latin-1 compatible characters in tests doesn't always show issues with utf8, I tend to use ←↓→ (alt+y,u,i on linux) to check that wide characters are working throughout the system
12:02 ver joined #mojo
12:08 Mad_Dud joined #mojo
12:09 bc547 whats the equivalent of "get '/hello';" in a full app?
12:11 moritz sub startup { my $self = shift; my $r = $self->routes; $r->get('/hello')->to(sub { ... }); }
12:11 moritz iirc
12:12 batman is it? i thought you needed to(cb => sub {})
12:12 batman but you can also just do $r->get('/hello' => sub {});
12:13 batman bc547: but you probably want to put your code in controller classes... ->to('controller_name#method_name');
12:14 bc547 batman: for a few files that's overkill in my case
12:14 bc547 batman: so I was hoping there was an equally short and elegant solution in a full app compared to a simple get '/hello';
12:15 batman why not keep the lite app if a full app is overkill..?
12:20 bc547 batman: only a part of the app is mostly static files (with some simple embedded perl)
12:21 preflex_ joined #mojo
12:21 bc547 batman: seems overkill and needlessly complex to go the full controller way
12:22 moritz sounds like a lite app is the proper way then
12:23 bc547 moritz: only a part of it is that simple... another part of the app is much more complex
12:24 dvinciguerra joined #mojo
12:28 sri Lee: you're wrong
12:30 sri marcus/crab: so, you like the csrf_again branch?
12:37 sri Lee: why would we care if the user's original ip address was 192.168.0.1? we want the peer of our reverse proxy
12:41 batman why do you want the peer of our reverse proxy?
12:43 sri look at the first sentence and think about it for a moment
12:46 batman i care about the ip of a lot of the visitors. i want to log the visitor's ip and not the proxy address it came through.
12:46 sri what kind of address is 192.168.0.1?
12:46 Adurah Someone with an annoying x-forwarded-for header.
12:47 batman sri: not an internet address
12:47 batman though it was just an example
12:47 sri ding ding ding
12:47 sri it is *not* just an example
12:48 sri x-forwarded-for is whatever the user sends you!!!
12:48 basiliscos joined #mojo
12:48 sri only the address your own proxy added is reliable
12:49 sri $ua->get('http://mojolicio.us' => {'X-Forwarded-For' => '127.0.0.1'} => form => {lulz => 'gotcha!'});
12:50 sri batman: congrats, you just built the mother of all security flaws!
12:50 batman sri: i'm pretty sure i misread your sentence above
12:56 sri suppose "sub is_forged { shift->has_error('csrf_token') }" and "return $self->render(data => '', status => 403) if $validation->is_forged;" might make for a better csrf protection example
12:57 basiliscos joined #mojo
12:58 sri although is_forged makes it look a little more complicated
12:59 basiliscos joined #mojo
13:10 denisboyun joined #mojo
13:18 marcus sri: yes, I like the new branch.
13:18 denisboyun joined #mojo
13:26 athenot joined #mojo
13:44 mire_ joined #mojo
13:45 btyler joined #mojo
13:46 serious_chat sri: the only concern i have with csrf is in the ajax conducted POST request
13:46 serious_chat ideally after each POST the csrf token would be changed
13:46 serious_chat but because mojo uses a signed cookie, the client can't parse it
13:47 serious_chat so the question would be do you keep the same token so the client can reuse it
13:47 serious_chat or do you store it as a separate cookie so the client can read it
13:47 serious_chat i know you want a minimal implementation
13:47 sri WHY SO SERIOUS
13:47 purl ...
13:47 serious_chat but i believe that javascript POSTS w/X-CSRF-Token are quite basic
13:47 serious_chat wait damnit i had a joker smiley somewhere
13:48 sri but seriously, we've established that changing the token is bad and we won't do it
13:48 serious_chat right, so then your first csrf branch i think is almost perfection, i will do my best to go over it later
13:49 sri header and meta tag handling are something for the future
13:49 serious_chat but still have a list of work to do that's quite long
13:49 sri most seem to like the csrf_again branch
13:49 serious_chat yeah, i like purely opt in, i don't even think form_for should generate one automatically
13:49 serious_chat as i don't like the idea of the user being unaware that csrf is employed
13:49 serious_chat i prefer the developer to be forced to understand csrf, rather than just know 'oh i put this in here to make it work'
13:50 serious_chat but then again i'm typically an admin, not a developer, so i see things slightly differently
13:51 gryphon joined #mojo
14:02 asarch joined #mojo
14:04 Lee sri: sorry, been busy
14:04 Lee we're sat behind an AWS ELB, apache proxy to hypnotoad. X-Forwarded-For set by the ELB is: client-ip, load-balancer-ip
14:04 Lee obv we want the client-ip
14:06 inokenty joined #mojo
14:06 sri so you have a setup that's impossible to handle automatically
14:07 Lee hey, we're in transition ;)
14:13 cosimo Lee: this might help, http://stackoverflow.com/a/10347644/11303 obviously you need to know your lb ips, otherwise X-Forwarded-For is just untrustable
14:17 ka2u joined #mojo
14:25 dbcooper Hello, all.  I have a question about using Mojo in Perl to write a websocket client.  Is this the right place?
14:27 moritz yes
14:28 dbcooper I'll just ask.  So I'm trying to write a Perl websocket client that interfaces w/ a Ruby on Rails Websocket-Rails server.  I'm trying to use the Mojo::IOLoop as an event handler (w/ a websocket object) but either it's a poor fit or my understanding of things is lacking (more likely).  Suggestions?
14:28 dbcooper moritz: ty
14:29 dbcooper Essentially (I hope/plan) that the websocket client will connect to the server and log a consistent stream of data as well as reply to the server pings as appropriate
14:29 russum joined #mojo
14:29 dbcooper I've had difficulty finding relevant (AFAIK) Mojo websocket client examples on the web
14:30 batman dbcooper: why not just use Mojo::UserAgent?
14:30 serious_chat oh damnit batman was about to link https://metacpan.org/pod/Mojo::UserAgent#websocket
14:30 dbcooper batman: even though it's all websockets?
14:31 serious_chat dbcooper: literally full working example there for you
14:31 batman dbcooper: uhm...yes? why not?
14:31 dbcooper Yeah, that's the approach I'm using
14:32 dbcooper My understanding is that once the loop starts, any websocket messages received will trigger calls to the subs/methods I hook into
14:32 batman dbcooper: i think you're asking the wrong question :(
14:32 batman yes.
14:32 dbcooper Isn't that how these things usually start? :)
14:33 batman unfortunately: yes
14:33 dbcooper I assume my implementation is messed up but it seems my understanding is mostly correct
14:34 batman dbcooper: often it is... can you pastebin some code?
14:34 dbcooper Sure
14:34 russum left #mojo
14:39 dbcooper batman: http://pastebin.com/dxPxmgvn
14:39 serious_chat it's weird to see batman and dbcooper just chatting
14:40 dbcooper The init just reads a General::Config file and (potentially) sets up a log4perl object
14:40 batman serious_chat: why?
14:40 dbcooper I assume b/c of the stolen money
14:41 serious_chat yeah this should be some sort of modern dark take on batman
14:41 serious_chat where it turns out db cooper was alfred
14:41 batman dbcooper: are you sure you want to do $tx->finish; ?
14:41 dbcooper Nope
14:41 batman i don't think you want.
14:41 dbcooper The IOLoop / sub calls inside the websocket() [anonymous?] sub contain much magic/cargo-culting for me
14:42 batman dbcooper: do any of the events (message,json,...) ever fire?
14:42 dbcooper I get the connect and [I think] send the  subscription requests and then it just finishes
14:43 dbcooper Oh Cheesus
14:43 dbcooper I call finish inside the json hook, right?
14:43 bluescreen joined #mojo
14:43 batman so neither of the "say" or "warn" ever appear on screen?
14:43 dbcooper Which one(s), in particular?
14:43 batman any
14:44 dbcooper Oh yeah, I get a dump of some data
14:44 batman do you know which event dumps that data?
14:44 dbcooper I connect to the server correctly, receive the client_connected Websocket Rails message and then send off my subscribe requests (I think)
14:44 dbcooper The only even that fires (AFAICT) is the Finish event
14:45 batman then it seems like you're sending the wrong message to the rails server
14:45 batman but the code is a complete /"&%%#&/ messing, so i'm not bothered to try to decode it further
14:45 sri what a mess
14:45 purl PLEASE DO NOT MAKE A MESS IN HERE
14:45 batman s/messing/mess/
14:45 sri MOJO_WEBSOCKET_DEBUG=1 and MOJO_USERAGENT_DEBUG=1 might be of help
14:46 dbcooper Hmm.  I took out the $tx->finish call and I get the same output/problem
14:46 dbcooper sri: I'm using MOJO_WEBSOCKET_DEBUG.  Should I add the USERAGENT_DEBUG env variable as well?
14:46 batman dbcooper: JUST TRY!
14:46 sri moment i saw $tx->client_challenge i knew i didn't even want to look any further
14:46 batman hahahhahah
14:47 batman true that. but i'm batman. i like the dark alleys ;)
14:47 dbcooper Why do you say my code is a mess?  B/c of all the dump output?
14:48 batman dbcooper: because you're trying to do -everything- in the code, not just what you want
14:48 batman and the comments make it hard to read
14:48 batman and the indentation is messed up
14:48 batman and the callback to websocket() is way too long
14:48 btyler joined #mojo
14:49 batman looks like it's written with emacs :(
14:49 dbcooper Well if I knew how to do exactly what I wanted then I likely wouldn't be here :)
14:49 dbcooper Vi
14:49 dbcooper Vim, specifically
14:49 batman that's true.
14:50 dbcooper Anyway, the MOJO_USERAGENT_DEBUG variable helps some, so thanks sri
14:50 jaiballistic joined #mojo
14:50 batman you should start with something simple: make a connection, and nothing more.
14:50 batman you should start with something simple:
14:50 batman 1) make a connection, and nothing more
14:50 batman 2) send some data
14:50 batman 3) attach the basic events (probably just "message")
14:50 dbcooper I did that and it works.  I'm sending some data (the subscription requests), but then it just hangs--I get the finish event
14:50 batman 4) see if it fires
14:50 btyler_ joined #mojo
14:51 sri hmm.... dbcooper, a saltmine and batman... is this some kind of heist?
14:51 batman dbcooper: probably the server that doesn't like what you're sending
14:51 dbcooper I also used a test client and a simple echo server to verify my understanding
14:51 batman sri: i don't get it (still don't know any more memes)
14:52 dbcooper So if the finish hook is triggered inside the websocket() sub then it's being triggered by the server?
14:52 batman not sure what else could...
14:52 dbcooper Is it possible that the server is triggering some other event on the websocket that I'm not capturing?
14:52 batman no.
14:52 batman you're capturing too much :P
14:53 dbcooper Too much for programmer sanity or too much for the websocket object?
14:53 batman first.
14:53 batman excellent question.
14:54 dbcooper Here's one thing that's puzzled me but not strictly related to this issue (AFAIK)
14:55 dbcooper The initial server response "client_connected" message was visible in the response buffer when I dumped it but it didn't seem to trigger any of the websocket hooks
14:56 dbcooper I had to use the kluge $res->content->{buffer} and parse_frame in order to read the initial response--at least that's the way I got it to work after trying and failing w/ other methods
14:57 dbcooper AHA
14:57 dbcooper batman: you were correct--I was capturing too much
14:58 dbcooper By commenting out my json and text handles, my client suddenly stays connected and starts dumping out server responses
14:58 batman you probably did too much stuff before attaching the hooks
14:58 batman that is super weird.
14:58 mire_ joined #mojo
14:59 dbcooper I haven't  modified the stuff I did before attaching the hooks between tests.  I ran it before, it failed.  I commented out my json and text event handlers, ran it again, and suddenly I'm receiving server traffic
14:59 dbcooper In any case, you've moved me past a stumbling block I've been at for a day or so.  Thank you very much
15:00 dbcooper You've also furthered my general understanding of the IOLoop
15:00 batman next time: please do as little as possible. i mean...if i had the problem you're explaining i would probably kill 100 lines in your script
15:00 dbcooper I understand.  I've built it up over time as necessary to get the next piece working
15:01 batman dbcooper: glad you made it work
15:01 sh4 joined #mojo
15:01 dbcooper Whereas I'm comfortable w/ the extraneous parts of my code it's unreasonable to expect other people to trust it
15:01 dbcooper At least w/o additional information, tests, etc.
15:06 meshl joined #mojo
15:10 cooper joined #mojo
15:12 athenot joined #mojo
15:12 dbcooper Huh, that also fixed my issue w/ the client_connected message.  Sweet
15:20 btyler joined #mojo
15:30 russum joined #mojo
15:37 themage joined #mojo
15:40 Adurah_ joined #mojo
15:44 russum joined #mojo
15:51 stephan48 75
15:51 serious_chat 76, i win
15:58 sri marcus, crab, jberger, tempire: so, do we agree on all the csrf primitives (helpers, validation methods), and all that's still to be decided is how it will happen automatically?
15:59 sri if that's the case, i think adding the helpers and methods would be pretty safe, making it entirely pt-in for a start
15:59 sri *opt-in
16:00 sri (basically csrf_again without the form_for integration)
16:00 sri or are there more fundamental points still controversial?
16:01 serious_chat sri: if you've decided the csrf token won't change, then helpers and validation methods seem universally required
16:01 sri it won't change
16:01 sri that's decided
16:01 serious_chat could it be generated on session start? you seemed to check it in validation or generate it there
16:01 serious_chat but i haven't had the time to go through your branches i'm afraid
16:01 serious_chat just a very brief read
16:01 serious_chat so ignore me if i'm talking total crap
16:01 * sri ignores
16:02 serious_chat rgr that
16:02 sri (the session may only be created for the token, so it can't be any other way)
16:03 serious_chat yeah no that makes sense, i was thinking forms that don't require a session wouldn't be csrf protected, but the facility should still be available there
16:04 sri hmm.... although that reminds me... now that we use compression pretty much everywhere, i wonder if compressing the session after json serialization would make sense
16:05 serious_chat you've said the client should never parse the session cookie and the server can decompress trivially enough
16:05 serious_chat the problem would be the inconsistent sizing, you could gain some capacity, but if a single character change can blow that up to above 4k
16:05 serious_chat is that really a sane thing to be doing?
16:06 sri that's not a problem i'm trying to address with this
16:06 sri point is to make the request and response smaller
16:07 serious_chat there's certainly potential to save a couple of k at least
16:14 sri or maybe not
16:14 sri perl -MIO::Compress::Gzip=gzip -Mojo -E 'my $uncompressed = j({user => "sebastian_riedel"}); say b($uncompressed)->b64_encode->size; gzip \$uncompressed, \my $compressed; say b($compressed)->b64_encode->size'
16:14 sri 37
16:14 sri 65
16:16 sri even with a csrf token gzip doesn't work out
16:16 sri perl -MIO::Compress::Gzip=gzip -Mojo -E 'my $uncompressed = j({user => "sebastian_riedel", "mojo.csrf" => b("whatever")->sha1_sum}); say b($uncompressed)->b64_encode->size; gzip \$uncompressed, \my $compressed; say b($compressed)->b64_encode->size'
16:16 sri 110
16:16 sri 130
16:18 serious_chat what about with a more significantly sized cookie?
16:19 serious_chat is it even worth it if it approaches 4k in size?
16:19 serious_chat guess i should answer that myself
16:19 sri i consider these cases the most common ones
16:28 dsteinbrunner joined #mojo
16:31 human39_ joined #mojo
16:45 hrupp joined #mojo
16:53 jaiballistic joined #mojo
17:08 denisboyun joined #mojo
17:26 tempire I don't know why j should die on decoding errors.
17:27 tempire oh. I was thinking ojo.
17:27 tempire nevermind
17:32 fhelmbe__ joined #mojo
17:33 ladnaV joined #mojo
17:37 dod joined #mojo
17:40 sri a wild tempire appears
17:52 * tempire huffs
18:13 beyondcreed joined #mojo
18:19 tianon it's super effective
18:29 abra_ joined #mojo
18:40 batman i got a hard time wrapping my head around hypnotoad running an installed app. how will it find the correct app.conf file?
18:41 batman or should you always have a startup script which sets MOJO_CONFIG and then run hypnotoad?
18:57 * marcus puffs
19:16 sri marcus: what do you say? csrf_again without form_for integration a good first step?
19:29 dsteinbrunner joined #mojo
19:36 sri hmmm
19:37 * sri wonders if the flash should get a mojo. prefix in the session
19:37 mire_ joined #mojo
19:37 denisboyun joined #mojo
19:52 AirDisa joined #mojo
20:01 sri well, you know what i do when nobody says anything ;)
20:01 batman i don't think flash should get a mojo. prefix
20:01 batman and i would like if csrf did not have form_for integration
20:02 sri batman: why would you like it if there was no form_for integration?
20:02 batman because i don't expect form_for() to add an <input>
20:04 sri that's not a particularly good argument, you're expecting that because it did not do that so far
20:05 batman no, that's not the case
20:05 batman (more is coming)
20:05 batman if i didn't know what csrf was and i had no interest in having it, i would be annoyed that i couldn't get all the nifty parts from form_for without having csrf as well
20:06 bluescreen_ joined #mojo
20:06 batman the only upside might be that i would google it and figure out that i should have it :P
20:08 marty joined #mojo
20:10 groundnuty sri: ok, I hoped to write a .t test
20:10 groundnuty where I would, in a few lines, define simple routes of a mojo app and start a simple server
20:11 groundnuty perform tests of my app with supplied address of simple server
20:11 groundnuty and in the end of test kill mojo app
20:11 batman groundnuty: perldoc Test::Mojo ?
20:11 sri seriously, just look at the mojolicious tests, there's literally thousands of those
20:12 sri https://github.com/kraih/mojo/blob/master/t/mojolicious/charset_lite_app.t
20:13 sri that uses a real web server
20:18 marcus sri: who's against putting it in form_for?
20:18 sri batman, serious_chat and crab don't seem to like that
20:18 batman can't take serious_chat seriously...?
20:18 batman :)
20:18 * marcus tries to figure out how to put a chrome page on the android home screen
20:19 sri you and rolan lammel (on the list) are in favor
20:19 sri *roland
20:19 sri it's at least a controversial point
20:19 basiliscos joined #mojo
20:19 trone joined #mojo
20:19 sri the upside is that it's the only controversial point
20:19 marcus crab seemed worried about false positives in his own  implementation
20:20 sri would be nice to have an opinion from jberger and tempire
20:20 marcus agree.
20:21 sri in any case, i'm preparing a quality patch for the non-controversial bits
20:21 marcus I would be happy to let them settle it!
20:21 batman sri: i would rather have it automatically than not have it at all :)
20:21 sri form_for integration is a two line patch
20:21 sri jberger, tempire: it's all up to you now!!!1
20:21 sri NO PRESSURE
20:21 marcus I guess an option to disable would suck?
20:21 serious_chat i'm very slightly against making it automatic in form_for
20:22 serious_chat and there would need to be a way to exempt it, for things like ajax logins
20:22 serious_chat so i figure opt in with a simple hidden_field is the least-impact solution
20:22 marcus ajax forms need it too?
20:22 serious_chat ajax forms do, but usually not login
20:23 sri imo we can always make stuff more automatic later, primitives stay the same
20:23 serious_chat exactly, and i argue that it's better to have the developer understand why they are adding a csrf token
20:23 serious_chat instead of abdicating that responsibility
20:23 batman +1
20:23 purl 1
20:23 marcus maybe automatically if you have a session?
20:23 sri that's a bit tricky, even those that think they understand csrf may not actually
20:24 sri we've seen that before ;p
20:24 serious_chat yeah no argument here, but i don't know if that's something that can be solved automatically
20:24 sri heck... i'm certain i don't get all the different csrf cases yet!
20:25 marcus security is hard, lets go shopping
20:25 serious_chat it's tricky because with the advent of json APIs they get used both by independent clients with no CSRF risk and javascript web browsers with CSRF risk
20:25 serious_chat and they're supposed to behave identically to both
20:25 serious_chat my solution is to have a /login that's csrf exempt which returns a csrf token that must be included as a header in every subsequent request
20:25 serious_chat the javascript bootstrap for that is like 3 lines
20:26 serious_chat same for any client app
20:26 sri although i've read the book :D
20:26 serious_chat i wish i had time to read more books, i can barely keep up with the pace of development in here
20:26 sri and i recommend it http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886/
20:26 sri another one from no starch press
20:27 serious_chat damnit i'd love to buy that but i hate paying $30 for an ebook
20:27 batman https://github.com/jhthorsen/mojo/commit/c1d0e9bd970cd829b0789b8086dd1f5ebee36708 # can't you do this?
20:27 sri all ebooks are always 50% off at o'reilly
20:28 serious_chat $45 for the paperback here
20:28 batman sri: ^ care to have a look?
20:29 sri batman: schroedinger's csrf protection? :D
20:29 rem_lex joined #mojo
20:29 batman sri: haha
20:29 batman well not quite.
20:30 batman you could just call the csrf helper in your controller method and it would be true?
20:30 batman it would be *almost* automatic, and you would be in control.
20:31 sri serious_chat: $16 at o'reilly with discount code
20:32 serious_chat sri: stop tempting me D:
20:33 sri batman: you just move where you have to call an extra helper
20:33 sri controller or template
20:34 batman hm... true...
20:34 batman sri: i tried to fool you but...
20:34 batman YOU'RE TO CLEVER!!!!!
20:34 batman ;)
20:34 Adurah_ From dumb.
20:36 athenot joined #mojo
20:37 sri batman: YOUR to clever!!!
20:38 batman another meme? :(
20:38 Adurah_ perl -MCompress::Zlib=deflateInit -Mojo -E 'my $uncompressed = j({user => "sebastian_riedel", "mojo.csrf" => b("whatever")->sha1_sum}); say b($uncompressed)->b64_encode->size; my $d = Compress::Zlib::deflateInit(-Level => 1, -memLevel => 1, Bufsize => 128, WindowBits => 8); my $compressed = $d->deflate($uncompressed); $compressed .= $d->flush; say b($compressed)->b64_encode->size;'
20:38 Adurah_ 110
20:38 Adurah_ 114
20:38 Adurah_ Savings!
20:38 purl I have almost 100,000 factoids in savings!
20:38 * sri pats purl
20:38 * purl bites!
20:43 Adurah_ Add user_id => 1 and it reaches parity.
20:45 Adurah_ If you do compress things within Mojolicious like the session cookie, allow for custom compressors. I'd probably use LZ4.
20:48 sri yea, lets not do that instead
20:48 dsteinbrunner joined #mojo
20:49 Adurah_ Then... make it opt-in.
20:50 tianon isn't the whole session store pluggable already?
20:51 Adurah_ I'm talking about possible future compression.
20:52 sri what tianon said
20:52 tianon indeed, and I'm saying that you could implement session compression today if you want it by replacing your $app->sessions object with something compatible
20:53 lukep joined #mojo
20:53 jberger_ joined #mojo
20:53 Adurah_ I don't particularly need it, he just talked about session compression earlier.
20:53 * jberger_ is catching up on the log
20:53 * tianon sets himself on fire, to help ease sri's burden of having to do it
20:53 * sri needs a minimal example for a csrf recipe
20:54 * sri nudges jberger
20:57 jberger_ You see, the problem with me voting on or preparing an example of csrf is that I know nothing about it :'(
20:58 * jberger_ likes real-time things
20:58 sri the nudge was about catching up, not the example :)
20:59 serious_chat jberger_: here's a gift for you if you're into it: http://spacestationlive.nasa.gov/displays/spartanDisplay1.html
20:59 serious_chat also sri what sort of example are you after? you mean a pull request or a client example?
20:59 jberger_ I can look at the branch, is there a good summary of the arguments?
21:00 sri serious_chat: got something now
21:00 serious_chat right, you're all far too quick and efficient for me
21:00 sri just an example to get the point across that csrf attacks might be dangerous
21:00 serious_chat the bank transfer one you used a couple of days ago is particularly good i think
21:00 serious_chat especially with REST APIs now allowing /transfer/15000/to/whoever
21:01 serious_chat anyhow jberger_ one of my many things i want to do at some point is make a toy ISS read those realtime stats
21:01 serious_chat and orient itself appropriately
21:01 jberger_ serious_chat thanks that's cool
21:01 serious_chat yeah it really is
21:02 serious_chat there's a few other consoles there too to look at
21:02 serious_chat http://spacestationlive.nasa.gov/displays/ethosDisplay3.html is the funniest
21:03 jberger_ Hahaha
21:05 jberger_ I can say this: seeing as I know nothing about this, I am in favor of something that helps protect me, even in my ignorance
21:06 jberger_ I'm ok having to opt-in, but in that case I think the work to do so should be easy and the process well documented
21:07 jberger_ And what the heck ...
21:07 purl Unimplemented.
21:08 * jberger_ sets tianon on fire
21:08 * tianon double burns
21:08 jberger_ Just for the fun of it
21:08 jberger_ :-)
21:13 meshl joined #mojo
21:16 marcus serious_chat: who are you anyways? =)
21:16 serious_chat marcus: nobody, i don't usually hang out much on irc
21:16 serious_chat but added #mojo to my autojoin because i love using it
21:16 serious_chat and i want to be of some use
21:16 marcus I bet you're not nobody.
21:16 serious_chat pretty much
21:16 serious_chat the only person on this irc who knows me is dhoss if you know him
21:16 marcus sure :)
21:16 serious_chat and everyone hates him :D
21:17 marcus so you're an american I guess.
21:17 serious_chat nope, Brit
21:17 marcus serious_chat: nice. We're short on brits in #mojo :)
21:18 good_news_everyone joined #mojo
21:18 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/pVVWMQ
21:18 good_news_everyone mojo/master 66221e2 Sebastian Riedel: added CSRF protection support
21:18 good_news_everyone left #mojo
21:18 serious_chat correct spelling is always important
21:18 sri well, that was that \o/
21:18 serious_chat sri: has anyone ever told you that you should have a curfew so everyone else can keep up?
21:18 sri serious_chat: yes
21:19 serious_chat ok then, so what made you choose steady_time?
21:19 marcus (his mother)
21:19 serious_chat skimmed through the diff, that's the only part that slightly confuses me
21:19 sri less predictable than just hires time
21:19 serious_chat but is it? surely to be steady it must average out any peaks
21:20 serious_chat anyway it's academic because nobody's going to brute force someone's csrf token
21:20 serious_chat but i just wondered what the rationale was
21:20 sri it may or may not use a monotonic clock
21:22 sri it was also convenient ;p
21:23 serious_chat well it's an academic question, so convenience is a reasonable justification
21:23 serious_chat anyhow, so i guess i'll try and put together an X-CSRF-Token addendum at some point
21:23 sri i did not put much thought into it
21:24 sri anyway, hope the recipe is not too silly http://mojolicio.us/perldoc/Mojolicious/Guides/Rendering#Cross-site_request_forgery
21:24 serious_chat although at this rate you'll be grey and using a walking stick
21:24 marcus I think sri is secretly a pensioner.
21:24 marcus It's my only explanation for all his time.
21:24 serious_chat we can make subtle jokes about his bus pass that he won't get
21:25 marcus purl: Hot grits!
21:25 purl marcus: what?
21:25 sri GET OFF MY LAWN
21:25 marcus purl: jerk it?
21:25 purl marcus: I reckon I like dick.
21:26 serious_chat you kids and yer damn socialism
21:27 sri but you're right, i should put a little more effort into my commercial endeavours
21:27 marcus serious_chat longs for the days of Thatcherism.
21:27 serious_chat ouch don't even joke about that :(
21:28 serious_chat i'm from a northern town
21:28 serious_chat americans looking at us funny saying 'isn't thatcher a type of roof?'
21:30 jberger_ No I believe a thatcher is the one who makes the roof
21:30 serious_chat good joke, would listen to again
21:30 jberger_ Did I get it right???
21:30 marcus serious_chat: are you part of north west england pm?
21:31 serious_chat marcus: no i'm far too lazy, i really should join at some point
21:31 * marcus suspects serious_chat of secretly being mst
21:31 serious_chat there's occasional networking events too, but they all sound so far outside
21:31 marcus :)
21:31 serious_chat nah i'd like to take credit for his work though
21:32 serious_chat i'm really nobody, i don't contribute and i should, and i feel guilty about it
21:32 jberger_ I wish serious_chat would lighten to,  laugh a little!
21:32 jovial_chat o7
21:33 cfedde 66741=21
21:33 marcus cfedde: lies!
21:33 jovial_chat anyhow so my co-worker is doing a bunch of mojo recently
21:33 jberger_ (s)he can't be mst, not a rant or profanity even once! Mst is much improved of late, but that would be astonishing
21:33 marcus jberger_: best cover ever.
21:33 jovial_chat and i've been trying to get back into doing modern perl and not being lazy
21:34 jovial_chat also i have a filthy mouth so i'm sure that mask will slip soon enough
21:34 jberger_ marcus good point
21:34 jovial_chat but yeah i figured i'd join, stick my nose in wherever it's wanted and see if i can learn a bit at the same time
21:34 marcus jovial_chat: you're certainly very welcome.
21:34 rem_lex|pivo joined #mojo
21:34 jberger_ I have learned a ton on this board
21:34 jovial_chat thanks kindly
21:35 marcus I wish we could move this room to AOL.
21:35 jberger_ My in laws just got smart phones
21:36 jberger_ We had to convince them that it was ok to not use aol for their home page
21:36 jberger_ :-X
21:36 sri oh, reason against form_for always adding a csrf_token... forms targeting external URLs.... those would leak the token!
21:36 jovial_chat post commit justification
21:37 marcus sri: we could handle that automagically tho
21:37 jovial_chat always a good sign
21:37 marcus but.. more code..
21:37 jovial_chat nah i think he made the right choice ;)
21:38 * marcus throws his clogs at jovial_chat.
21:38 jovial_chat ok so, lets chat json cruft
21:38 jovial_chat i'm assuming that i am ok to just add a hook
21:38 jovial_chat and prepend some crap to the json response
21:38 jovial_chat and $format will be 'json' or similar
21:39 jberger_ ?
21:39 jovial_chat oh, just for older browsers where you can override array constructors
21:39 jovial_chat so nobody can <script> include a JSON url on our site and then read returned data via this
21:40 jovial_chat it's a fairly obscure attack and fixed in newer browsers i understand
21:40 jovial_chat but the javascript boilerplate to ignore the first line of a JSON response is trivial, so seems pointless not to add it
21:40 * jberger_ doesn't care about old browsers :-)
21:40 jovial_chat same but clients have the annoying tendency to use them forever
21:43 marcus I think my wife is very close to spending money on candy crush saga.
21:43 marcus "I have to wait another 25 minutes, reading the paper"...
21:43 Adurah_ Odd fetish, crushing candy...
21:49 good_news_everyone joined #mojo
21:49 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/xKVRAA
21:49 good_news_everyone mojo/master 59f7038 Sebastian Riedel: documentation tweaks
21:49 good_news_everyone left #mojo
21:50 * sri hopes moving csrf_token validation into the form validator was the right choice
21:53 jovial_chat why does it have to be a 'form' validator? it's a parameter validator surely
21:53 jovial_chat and csrf is a parameter requiring verification
21:54 sri i'm using those terms interchangeably atm
21:54 jovial_chat my point being, it seems to be the right place to put it
21:54 sri although, the Mojolicious::Validator description says "validate form data"
21:56 sri anyway, my worry is how it will look with json ajax requests
21:56 jberger_ Stop calling me Shirley
21:57 marcus jshirley, is that you?
21:57 jovial_chat sri: does the validator have access to the request?
21:57 sri nope
21:57 jovial_chat then you'd just have to pass the header to it
21:57 sri that's no problem
21:57 jovial_chat so potentially a helper could be useful, i'm not sure there
21:58 sri the connection is Mojolicious::Controller::validation
21:58 sri can pass in the token there
22:00 jovial_chat so sri, how much would you vomit if i put something online that uses perl attributes to handle role based authentication in mojo?
22:00 jovial_chat because really i quite like it
22:00 good_news_everyone joined #mojo
22:00 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/_kfwXg
22:00 good_news_everyone mojo/master 649c3a3 Sebastian Riedel: we validate parameters and not form data
22:00 good_news_everyone left #mojo
22:01 jovial_chat i really need to just send pull reqs instead of chatting in here so i can bulk up my github activity, otherwise sri just firehoses :D
22:01 sri jovial_chat: i welcome all plugins no matter how shitty they are :D
22:02 jovial_chat yeah haven't made it into a plugin yet, but wrote it for my coworker and it's surprisingly succinct
22:02 marcus If it uses attributes it's probably rather shitty :p
22:03 jovial_chat it uses Attribute::Handlers, and they have to be stuffed into UNIVERSAL so that's quite shitty
22:03 sri btw. in django you have to insert the token field into the form yourself too
22:03 jovial_chat that's not always true i don't think
22:03 jovial_chat i've been doing some django
22:03 jovial_chat its CSRF is a pain
22:03 jovial_chat it is a pain in general
22:03 marcus rails and padrino adds it automatically with form_for, and requires it for all posts by default
22:03 jovial_chat anyhow marcus i can't think of a nicer way to add a small amount of metadata to a function, sub action : UserRole(role_list goes_here) {
22:04 marcus they have options to turn it off globally/per request tho
22:04 jovial_chat yeah django has @csrf_exempt for example
22:04 jovial_chat but django uses an additional cookie
22:04 jovial_chat so there are different concerns, it can't be marked httponly for example
22:04 marcus looks like django doesn't have a form helper?
22:04 marcus https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
22:05 jovial_chat marcus: typically you use something like a ModelForm
22:05 jovial_chat but django is not a model to emulate really
22:05 * marcus is actually intending to learn a small amount of python this week.
22:05 sri marcus: we can automate more in 5.0, and try what we have now with opt-in until then
22:06 marcus To write a workflow for Editorial.
22:06 marcus sri: I am fine with that
22:06 jovial_chat marcus: python as a language is quite nice, just as long as you don't buy into the smugness
22:06 jovial_chat i wish perl had some of the syntax right there, but use Moo or one of the many options and it essentially does :D
22:06 marcus jovial_chat: I hate the significant whitespace. But I don't have a choice if I want to script this ipad editor.
22:06 sri at first i wanted to make csrf protection experimental for now... but that seems pretty shitty for a security feature
22:06 jovial_chat marcus: i'm a tab + space fanatic
22:06 jberger__ joined #mojo
22:06 jovial_chat i like aligning assignments etc
22:07 marcus jovial_chat: I like perltidy.
22:07 jovial_chat so PEP8 is really grinding
22:07 jovial_chat 'do these things because we say so!'
22:07 marcus you can't have that with python.
22:07 jovial_chat 'yes your code is ugly but it is better because a document says!'
22:07 jovial_chat ugh
22:07 beyondcreed joined #mojo
22:07 marcus I finally found something halfway decent for tidying ruby code tho. 'rubocop'.
22:08 jovial_chat marcus: what would be your biggest concern with role syntax like i highlighted above?
22:08 jovial_chat attributes are slightly hacky
22:08 jovial_chat but they are also slightly awesome
22:08 marcus jovial_chat: I don't like attributes because they are globs, I guess.
22:08 sri <3 perltidy
22:08 marcus I think using attributes was one of the bigger mistakes we did with catalyst.
22:08 jovial_chat marcus: i'm not sure what you mean
22:09 jovial_chat i never wrote much catalyst so i can't reflect on that
22:09 jovial_chat but i can't think of a nicer way to add that metadata and wrap the function
22:09 * sri avoids talking about attributes
22:09 * marcus pushes sri in front of jovial_chat
22:10 jovial_chat haha it's fine
22:10 * sri vanishes in a cloud of smoke
22:10 jovial_chat i understand the view
22:10 jovial_chat i guess i'll hang myself with my own rope
22:10 jovial_chat and come back cap in hand when i realise my errors
22:10 marcus jovial_chat: if you want to invent perl syntax, I think there are nicer tools for that now.
22:11 jovial_chat marcus: que? something i can google? :D
22:12 marcus There was something recently like Devel::Declare but more sane...
22:12 jovial_chat oh i thought that was attributes haha
22:12 jovial_chat i know i saw it on some blog but i couldn't find much else
22:13 meshl joined #mojo
22:13 marcus jovial_chat: https://metacpan.org/pod/Moops ?
22:14 jovial_chat marcus: i swear there's something more lightweight too, my coworker hates Moo/Moose etc so i did it without that
22:14 Adurah_ https://metacpan.org/pod/Mo https://metacpan.org/pod/M ?
22:15 Adurah_ Hey, Mountain made the latter one.
22:15 jovial_chat ok well i guess that teaches me for not expecting it :D
22:16 good_news_everyone joined #mojo
22:16 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/NziUdw
22:16 good_news_everyone mojo/master 72d5f1e Sebastian Riedel: more links
22:16 good_news_everyone left #mojo
22:20 marcus Parse::Keyword was the one I was thinking of, but it seems it's deprecated already :)
22:22 jovial_chat hmmm
22:22 jovial_chat i guess i'll just keep googling
22:22 jovial_chat the attributes do work, but i would like to make them nicer and importable
22:30 marcus jovial_chat: I would probably just use a bridge in the routing instead, btw
22:30 marcus jovial_chat: to enforce roles or whatever
22:31 jovial_chat marcus: how would you find which role to enforce?
22:31 marcus jovial write a bridge for each rule?
22:31 marcus and then hook the relevant actions up to it.
22:31 jovial_chat i think that's quite an ugly solution really, i don't like having a super complex set of routes
22:31 jovial_chat no offence intended (not mst)
22:32 jovial_chat i don't like splitting the role from the actual action sub
22:32 marcus I like having my controllers as plain old perl classes
22:32 marcus and all the logic to what gets executed collected in the routing
22:33 marcus but then I've never had more than a few roles to enforce in a system.
22:33 jovial_chat i guess it's just a different approach, i'm still very new
22:33 jovial_chat well i've written a bit of python / django recently
22:33 jovial_chat and keeping roles inside the class there is particularly nice
22:33 jovial_chat we'll see just how badly i get burned by attributes i guess
22:34 jovial_chat it's good to know there's a viable alternate solution if this does fail
22:34 marcus jovial_chat: http://mojolicio.us/perldoc/Mojolicious/Guides/Routing#Bridges btw
22:35 jovial_chat i've read that page quite a few times now, but i still can't claim to understand it
22:35 jovial_chat i need to experiment a bunch more with bridges or just read the source
22:42 sri good site about csrf https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
22:48 good_news_everyone joined #mojo
22:48 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/ctumgw
22:48 good_news_everyone mojo/master 1f5d479 Sebastian Riedel: use POST for CSRF protection example
22:48 good_news_everyone left #mojo
22:48 sri someone is bound to cargo cult it
22:49 sri GET is better to illustrate it... but POST is correct
22:51 good_news_everyone joined #mojo
22:51 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/HXeCrw
22:51 good_news_everyone mojo/master 71738ba Sebastian Riedel: better rendering example
22:51 good_news_everyone left #mojo
23:21 davido joined #mojo
23:25 davido I have a recollection, which could be wrong, about the last time someone asked for Mojo::JSON to die on encoding errors.  I *think* the response back then was something along the lines of, "It's not a desirable feature for a web framework to die if someone feeds it malformed input."
23:27 davido But that was before "j" was implemented.
23:29 davido Hmm, or *may* have been before 'j' was implemented.  I think there was some discussion in June of 13.
23:38 davido My recollection is probably wrong.  Here's a link: http://irclog.perlgeek.de/mojo/2013-06-22