The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2014-10-07

| Channels | #mojo index | Today | | Search | Google Search | Plain-Text | summary

All times shown according to UTC.

Time Nick Message
00:11 zivester joined #mojo
00:11 neyasov____ joined #mojo
00:12 neyasov_____ joined #mojo
00:14 ua1 joined #mojo
00:20 Averna joined #mojo
00:21 dmanto joined #mojo
00:28 ua joined #mojo
00:29 ua1 joined #mojo
00:45 neyasov_____ joined #mojo
00:55 ua joined #mojo
01:07 jberger sri: yes, CNN is hilarious!
01:08 jberger I watch enough Jon Stewart to know
01:08 jberger and
01:08 jberger ZOMG! http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
01:08 jberger Mojolicious FTW!
01:12 sri hahaha
01:13 sri we still have no plan to finally get rid of list context btw. :o
01:13 sri although, i think we make correct use quite obvious
01:14 good_news_everyon joined #mojo
01:14 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/vyUsMw
01:14 good_news_everyon mojo/master d456e68 Sebastian Riedel: use more precise script paths in examples
01:14 good_news_everyon left #mojo
01:15 sri i just stumbled over this issue https://github.com/kraih/mojo/issues/683
01:16 sri do() has this nasty *feature* where @INC has a higher precedence than the cwd... so do('Mojo.pm') will end up with the installed module instead of the one in the cwd...
01:16 jberger oh, damn, I thought we had completely removed it
01:17 sri i remember yelling a lot when we discussed it... but no solutions have been proposed :/
01:18 sri http://mojolicio.us/perldoc/Mojolicious/Controller#param
01:20 preaction joined #mojo
01:20 jberger well I think perhaps we ought to revisit it
01:21 jberger we have enough time now before 6.0
01:25 sri time won't help, someone has to actually come up with a solution
01:25 sri it hasn't happened yet, so odds are if we don't force the issue nothing will happen
01:26 jberger right, so lets force the issue
01:26 sri how?
01:27 jberger simple solution is just to have param only return one value and add another method that would return an arrayref of all values for that param (params?)
01:27 jberger $c->param('one') --> 'single'
01:27 jberger $c->param('two') -> 'first'
01:27 sri there's naming conflicts
01:28 jberger $c->param('one') -> ['single']
01:28 sri and the problem spans multiple layers
01:28 jberger $c->params('two') -> ['first', 'second', ...]
01:28 sri you'll see when you look at the code, it's a bit tricky
01:28 * jberger will look
01:28 sri https://github.com/kraih/mojo/blob/master/lib/Mojo/Parameters.pm#L71
01:29 sri there is one
01:29 jberger oh, there is already params that returns everything
01:29 jberger right
01:29 jberger so just remove list context from param
01:29 jberger done, you want more that one, go get it from params
01:30 sri https://github.com/kraih/mojo/blob/master/lib/Mojo/Message/Request.pm#L131
01:30 sri and another
01:30 sri and now it gets complicated
01:30 sri https://github.com/kraih/mojo/blob/master/lib/Mojolicious/Controller.pm#L121
01:31 sri we allow overriding values for form helper default values
01:31 jberger oh, there's the rub
01:31 sri $c->param(foo => qw(foo bar)) sets two default values for form helpers
01:32 sri and this is usually the time when people disappear :)
01:33 jberger argh, its tough, but it doesn't feel intractable
01:34 jberger can the param setter take an arrayref for setting multiple values?
01:36 jberger http://2.bp.blogspot.com/-yafWj7xUtII/UqyIXxhJBUI/AAAAAAAAAOo/wOjj92WoMks/s1600/pooh+bear+thinking.gif
01:37 sri we also need to get multiple values out
01:37 sri https://github.com/kraih/mojo/blob/master/lib/Mojolicious/Plugin/TagHelpers.pm#L79
01:38 sri oh look, catalyst did an emergency deprecation of the ->param api https://metacpan.org/pod/Catalyst::Request#req-param
01:39 sri it's kinda funny, we've been talking about that exploit for years
01:39 jberger well that is where my multi_param or whatever would come in
01:39 jberger something that would take one key name and always return an arrayref
01:39 sri if you want to give a patch a shot, be my guest
01:39 jberger or return one arrayref per key name
01:40 sri i guess bikeshedding about method names is the easy part
01:40 * jberger could care less about the names
01:41 Adurah How much less?
01:42 * jberger slaps Adurah with a fish
01:45 Adurah Supposedly it's an American thing to leave out the n't.
01:45 sri the catalyst solution btw. is $c->parameters->{foo}->[1]
01:45 sri -.-
01:45 sri just a hash with all parameters mashed together
01:45 sri fyi. we have 6 remaining wantarrays
01:45 jberger https://38.media.tumblr.com/tumblr_m87bnvywpZ1qdy8lno1_400.gif
01:45 sri the cookie and signed_cookie methods in Mojolicious::Controller are affected too
01:45 Adurah Is wantarray some sort of performance bottleneck?
01:45 jberger Adurah: did you read the linked story
01:45 jberger ?
01:45 Adurah Nope...
01:46 Adurah I watched the linked gif.
01:46 jberger its a bug we have seen many times and warned people about, but they just keep getting it wrong
01:46 Adurah People just not getting Perl contexts?
01:46 sri oh, and uploads too
01:46 jberger ok, well those are funny, but I am so serial!
01:46 jberger http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
01:46 sri jberger: just ignore Adurah
01:46 sri he's gonna troll and derail any sensible discussion
01:46 jberger I can't ignore him, he has a fish mark on his face!
01:47 Adurah I'm asking an honest question.
01:47 Adurah Interesting link.
01:47 sri Adurah: i don't believe you
01:47 sri you've brought this upon yourself
01:47 jberger performance is not at issue
01:47 jberger usage patterns are, and this one is not going away
01:48 Adurah I'll maintain a sense of humour along with inquisitiveness.
01:50 jberger I can tell you one thing, I would hate to see what a deprecation path would look like for this :(
01:52 Adurah I usually just assign param names to scalars.
01:52 jberger Adurah: yes that is the recommended mechanism
01:53 Adurah You can't stop people from doing insecure things with Mojo, heh.
01:53 jberger Adurah: perhaps not, but we can try
01:54 jberger like removing usage patterns that we see getting used incorrectly (and insecurely)
01:54 neyasov_____ joined #mojo
01:55 Adurah Your efforts to compensate for user deficiency... honourable.
01:55 sri jberger: considering this is now becoming a big issue, i think some breakage for security would be acceptable
01:56 jberger sri: I agree
01:56 sri it only took me a few seconds to spot the first vulnerable plugin on cpan http://grep.cpan.me/?q=%5C%24c%5C-%5C%3Eparam%5C%28%5C%27
01:57 sri so if plugins on cpan are affected, emergency breakage is warranted, considering people will now exploit this
01:59 sri omg
01:59 sri OMG
02:00 sri even marcus has a vulnerable plugin
02:00 sri holy shit
02:00 purl only in the Vatican, my friend.
02:00 Adurah You're fired!
02:00 Flying_Squirrel Oo
02:00 sri https://metacpan.org/source/MRAMBERG/Mojolicious-Plugin-OAuth2-1.2/lib/Mojolicious/Plugin/OAuth2.pm#L72
02:00 sri in an oauth plugin no less
02:02 sri jberger: seriously, you have my +1 to break all the things
02:04 jberger Argh, I wish I had more time tonight!
02:05 jberger I didn't budget time for emergency breaking changes
02:05 sri :S
02:05 sri if we don't do something this may come back to hurt us really bad
02:06 Adurah A PHP level of blame, even.
02:10 sri tempire, batman, marcus, crab: you might want to get involved too
02:13 jberger sri: this is the direction I would go
02:13 jberger http://pastie.org/9626676
02:13 jberger unfortunately, I have to step out for a bit (my time budget problem)
02:13 jberger but I will be back on this tonight
02:14 jberger and no, that is not in method name order, sue me
02:30 voegelas joined #mojo
02:31 Trelane jberger: that breaks: my ($foo) = $m->param("foo");
02:32 Trelane I'd add a param_list method etc
02:33 sri breakage is acceptable
02:33 sri this is an emergency
02:35 Eke- joined #mojo
02:36 sri should anyone object that this is against the rules, i'll add a security clause
02:38 Adurah At least you can use wantarray to issue a loud deprecation warning, hah.
02:43 good_news_everyon joined #mojo
02:43 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/OApnyA
02:43 good_news_everyon mojo/master 193541f Sebastian Riedel: security issues may result in breaking changes
02:43 good_news_everyon left #mojo
02:43 sri better formalize it
02:46 woz joined #mojo
02:48 Adurah If there's only a single named parameter as the argument, assume they only want the first as a scalar.
02:49 Adurah If there are multiple copies of the same named parameter as the argument, assume they want a list.
02:53 Adurah If they want all of the copies, let them use $params->param.
02:53 sri patch or get out
02:55 neyasov_____ joined #mojo
02:56 Adurah Oi, you're much too... direct. But, I can give it a shot.
02:57 noganex joined #mojo
03:03 good_news_everyon joined #mojo
03:03 good_news_everyon [mojo] kraih created wantarray_security_fix (+1 new commit): http://git.io/j1wvvQ
03:03 good_news_everyon mojo/wantarray_security_fix 45a65a6 Sebastian Riedel: added multi_signed_cookie method
03:03 good_news_everyon left #mojo
03:03 sri jberger, batman, marcus, tempire, crab: i'm creating a branch, since i can't fix it all myself
03:03 * jberger is working too
03:03 sri it's easier starting from the top
03:04 sri oh, i assumed you were gone :o
03:04 jberger I was, I am back, but working quietly (its easier)
03:05 sri i see, feel free to merge your changes
03:06 sri funny how things go sometimes... we wanted less methods in Mojolicious::Controller... then boom... big security issue and there's 3 new ones
03:09 sri i can't continue for a bit btw.
03:14 woz joined #mojo
03:15 basic6 joined #mojo
03:26 jberger down to only two failing test files
03:27 * jberger still has to write doc
03:37 fhelmber_ joined #mojo
03:42 firnsy jberger++
03:42 firnsy sri++
03:42 irq joined #mojo
03:45 woz joined #mojo
03:53 jberger argh, I can't fix this last test!
03:56 neyasov_____ joined #mojo
03:56 jberger oh I see it
03:56 jberger hmmmmm
04:05 woz_ joined #mojo
04:06 sri hmmmm
04:06 preaction hmmmmmmmmmmmmm
04:06 jberger hmmmmmmmmmmmmmmmmmmmmmmmmm
04:15 jberger YAY! ALL PASSING!
04:15 Flying_Squirrel %%
04:15 Flying_Squirrel *^^
04:15 jberger current diff: http://pastie.org/9626803
04:16 sri jberger++
04:17 sri somehow i figured you had it all fixed though ;p
04:17 jberger all? you have high expectations!
04:17 jberger mojo.captures was messing me up
04:18 jberger I was delegating $c->multi_param to $c->req->multi_param
04:18 jberger but that doesn't cut it
04:19 sri don't use private method calls in Mojolicious::Controller
04:19 jberger oh, fear of stomping eh?
04:19 jberger makes sense
04:19 sri ye
04:19 jberger copy-paste then?
04:19 sri just make it a function
04:20 sri see my branch
04:20 sri https://github.com/kraih/mojo/compare/wantarray_security_fix
04:20 jberger ah ok
04:21 sri multi_signed_cookie sounds kinda bad though</bikeshedding>
04:22 * jberger has already deferred on naming
04:22 jberger let those who will not patch bikeshed
04:22 sri yea
04:22 sri btw. the other wantarray cases should be trivial in comparison
04:24 sri don't try too hard with the docs, i'll rewrite it to be consistent anyway :)
04:24 * sri has to go soon... but will review and join the bikeshedding later
04:25 jberger so I hadn't read your patch before and I'm very happy to see we came up with essentially the same patches
04:25 sri mine was based on your idea
04:25 jberger yeah, I will only do a cursory cleanup of the docs
04:25 * jberger has to sleep
04:25 jberger then again, its morning in germany by now right?
04:26 sri right, where is the day shift?
04:26 sri my hours are totally messed up atm
04:26 jberger TEMPIRE!
04:26 purl rumour has it tempire is a ponycorn and always high on coffee and http://www.youtube.com/watch?v=7mZZd4gQrrg
04:27 jberger I had a roommate in college get a full 12 hours off her sleep schedule
04:29 sri i think the solution is not so bad, if we find decent method names it should be fine
04:29 sri and breakage is limited to the rare cases
04:30 jberger and easy enough to fix
04:30 * sri nods
04:30 sri SO LISTEN UP EVERYONE!
04:31 sri when i get back i expect an elegant name for multi_signed_cookie()
04:34 jberger I guess I need to add multi_param to DefaultHelpers too yeah?
04:36 jberger AAAAAAA, perltidy hates that!
04:37 woz joined #mojo
04:37 woz_ joined #mojo
04:38 sri make an array on the line before
04:40 sri if you do it right you end up with one line less :)
04:56 neyasov_____ joined #mojo
04:59 good_news_everyon joined #mojo
04:59 good_news_everyon [mojo] jberger pushed 1 new commit to wantarray_security_fix: http://git.io/GLbCzw
04:59 good_news_everyon mojo/wantarray_security_fix a815d47 Joel Berger: Added multi_param, made param no longer context sensitive
04:59 good_news_everyon left #mojo
05:01 jberger ok well my work here is done
05:01 * jberger goes to bed
05:08 woz joined #mojo
05:09 woz_ joined #mojo
05:16 cpan_mojo Net-LeanKit 0.4 by ADAMJS - http://metacpan.org/release/ADAMJS/Net-LeanKit-0.4 (depends on Mojolicious)
05:21 KCL_ joined #mojo
05:25 neyasov_____ joined #mojo
05:37 Adurah Though too late, here's that patch sri: http://pastie.org/9626950
05:37 marcus sri: you were the one that proposed inlining it. But we load it into memory no matter what? I'm sure Perl is as efficient at it as we are?
05:37 marcus Also, I have a vulnerable wantarray plugin? #wat
05:40 woz joined #mojo
05:41 woz_ joined #mojo
05:48 sujithm joined #mojo
05:49 cpan_mojo Mojolicious-Plugin-OAuth2 1.3 by Marcus Ramberg - http://metacpan.org/release/MRAMBERG/Mojolicious-Plugin-OAuth2-1.3
05:58 Eke- joined #mojo
06:01 doublelel joined #mojo
06:12 woz joined #mojo
06:13 woz_ joined #mojo
06:13 anon2422 joined #mojo
06:16 neyasov_____ joined #mojo
06:22 dod joined #mojo
06:24 dp_ joined #mojo
06:28 rawler joined #mojo
06:34 sujithm joined #mojo
06:44 woz joined #mojo
06:45 woz_ joined #mojo
06:59 denis_boyun joined #mojo
07:02 woz joined #mojo
07:19 Vandal joined #mojo
07:21 sujithm joined #mojo
07:24 vytas joined #mojo
07:38 fhelmber_ joined #mojo
07:41 aleksey joined #mojo
07:50 basiliscos joined #mojo
08:13 doublelel joined #mojo
08:13 preaction joined #mojo
08:24 Flying_Squirrel left #mojo
08:37 odc didn't someone made a url shortening service with mojo?
08:40 trone joined #mojo
08:42 * mishantil waves at the core team
08:42 mishantil sri , jberger and the rest of you: Thanks for being super-dilligent about fixing stuff!
08:45 trone joined #mojo
08:58 Insane can I somehow flash data in controller and access it from another controller on next request?
08:59 moritz yes, using the flash or the session
09:25 punter joined #mojo
09:39 woz joined #mojo
09:47 cpan_mojo Clustericious-Config 0.30 by PLICEASE - http://metacpan.org/release/PLICEASE/Clustericious-Config-0.30 (depends on Mojolicious)
09:53 sujithm joined #mojo
09:55 ver joined #mojo
09:56 d4rkie_ joined #mojo
09:59 basiliscos joined #mojo
10:01 fhelmber_ joined #mojo
10:09 basiliscos joined #mojo
10:09 woz joined #mojo
10:16 irq joined #mojo
10:41 woz joined #mojo
10:49 woz joined #mojo
10:57 denis_boyun joined #mojo
11:20 woz joined #mojo
11:41 neilhwatson joined #mojo
11:51 woz joined #mojo
11:53 batman <3 remove wantarray
11:59 batman mudler: can you test the new version of assetpack and bootstrap3?
12:00 jberger I'm gonna need someone to put on an extra put of coffee for me
12:03 jberger s/extra \Kput/pot/
12:03 jberger <3 \K
12:06 Kripton joined #mojo
12:07 mudler batman: it seems to be fixed, but now i have the same error with FontAwesome4
12:12 doublelel how do I proxy requests to other servers. Eg if I have an api server and I want to just forward requests to /api/stuff to http://otherserver.com/api/stuff
12:12 doublelel I tried something along the lines of http://larig.wordpress.com/2012/08/01/a-mini-proxy-via-mojolicious/
12:14 doublelel but using a any route and then cloning the req...but not matter how much I change the host it never reqs the remote server just does a request to localhost
12:15 d4rkie joined #mojo
12:16 doublelel I guess the correct answer is to use a proper proxy! But I don't see why it shouldn't work
12:21 _eugen joined #mojo
12:24 woz joined #mojo
12:25 yourname left #mojo
12:26 mishantil Anyone here been though ISO27001:20XX certification?
12:26 mishantil s/though/through/
12:33 ver Hello! I have Mojo application and two servers - 1st with Mojolicious 4.90, 2nd with 5.47. When I started my application on 2nd server I've got an error (You should init module first at...). What different between 4.90 and 5.47 version?
12:35 lipizzan joined #mojo
12:48 D4RK-PH0ENiX joined #mojo
12:59 dotan_ok ver: there are more than 300 changes listed here: https://github.com/kraih/mojo/blob/master/Changes
12:59 zivester joined #mojo
12:59 dotan_ok Maybe if you use a pastebin to show the complete error someone could be more helpful.
13:04 ver I have read all changes from 4.90 but did not see anything what may break my application.
13:05 ver I can try run my application with different versions of Mojo.
13:05 Adurah You'd assume it's 5.00.
13:06 ver I have wrote my application core with version ~0.3 and many code is too old :(
13:06 ver Yes, for first I do it.
13:07 Lee ver: i don't see that error anywhere in the mojo source
13:08 hernan Clustericious coryright by NASA ?
13:12 woz joined #mojo
13:16 batman mudler: which version of FontAwesome4?
13:23 doublelel joined #mojo
13:27 mudler batman: last one Mojolicious::Plugin::FontAwesome4 is up to date. (4.2001)
13:29 batman ok. could you re-install it?
13:29 batman i think the actual install messed things up :(
13:30 mudler batman: i have to retry it too? the installation went finge
13:30 mudler s/finge/fine/
13:30 batman oh. that's worse :(
13:30 batman i will look into it
13:31 alanminter chansen: There's a build problem with Time::Moment
13:31 alanminter Test::Requires, Test::Fatal
13:31 alanminter won't build in an env where those don't preexist (on perl 5.20.1 using cpanm)
13:32 alanminter They're mentioned in the Makefile.PL, but I'm guessing the problem is they're not mentioned as being required at build-time (rather than run-time)
13:33 batman mudler: i misread what you wrote... yes, please retry it and tell me what's wrong afterwards :)
13:44 jberger_ the arguments here convince me all the more that we have to remove (read: kill with fire) list context behavior
13:44 jberger_ http://www.reddit.com/r/perl/comments/2iht5o/new_class_of_vulnerability_in_perl_web/
13:45 Nei word of parameter pollution finally arriving in mojo?
13:45 Nei I see you guys already fixed it yesterday
13:48 Nei funny how everyone copied the CGI.pm api dont you think
13:48 Nei or maybe it was already like that in cgilib
13:48 doublelel joined #mojo
13:49 Lee Vars was cgi-lib IIRC
13:49 Lee with the whole \0 char thing
13:49 jberger_ Nei: our breaking release isn't out yet, but I suspect that it will be soon
13:49 jberger_ we have had warnings in the doc and safer mechanism for a long time
13:50 jberger_ but it's time to kill it with fire
13:50 Nei as we all suddenly agree warnings in docs are worse then only a secure api :)
13:51 Nei had to take down bugzilla first I guess
13:51 jberger_ it's a misuse of an api really, but a very easy misuse to make, especially if you don't understand
13:51 Nei =>scalar in code everywhere would be just too ugly
13:52 Nei wrath of perl's wantarray
13:52 jberger_ ugly doesn't factor into it
13:52 jberger_ you have to know about it to do it
13:52 sh4 joined #mojo
13:52 jberger_ And that's what has to be fixed
13:52 Nei it's easy to forget when the api is context sensitive in this way
13:52 Nei wantarray ? @list : \@list this one causes no issues
13:53 Nei wantarray ? @list : $list[0] mhmmmmm
13:54 Nei or even better, explicitly returning undef even in list context when the list is empty :))))
13:56 ignacio_ joined #mojo
13:56 Adurah jberger_, http://pastie.org/9626950 not sure if sri looked.
13:56 Lee return undef; # code smell IMO
13:57 Adurah Perhaps pointless now, but that was the patch.
13:57 Lee no matter what the context
14:09 Trelane So, I have a question
14:10 Trelane It's now safe to write { bob => $m->param("bob"} }
14:10 Trelane That's the new API, right?
14:10 Trelane ...except that generates a warning, which I can't disable
14:12 sri hey, where has the bikeshedding gone?
14:12 woz joined #mojo
14:12 sri we need a better name for multi_signed_cookie
14:13 sri if there are no suggestions i might just pick something silly, like multiple_signed_cookies() or so
14:13 sri and multiple_params()
14:13 mudler batman: still errors :(
14:15 Trelane all?
14:15 purl all is mainly for introspection, but you can use Foo :ALL
14:17 Trelane as in all_param("foo") and all_signed_cookies("bar")
14:18 sri all_signed_cookie(), doesn't exactly sound better
14:18 sri all_signed_cookies() is not too bad
14:19 sri goes to the top of my list
14:21 batman mudler: the css error in the browser?
14:22 marcus all_the_single_cookies
14:25 marty just signed_cookies()  could imply the "all_"
14:25 Trelane it'd be nice if it was consistent with param
14:26 alanminter now have images of marcus dancing around with a glove singing "uh-oh-uh-oh-uh-oh-oh-oh"
14:27 marcus alanminter: that's not a pretty picture you're painting.
14:27 mudler batman: says the same as yesterday, exiting -1
14:28 batman thanks
14:28 batman mudler: sorry for bugging you, but it wouldn't be the first time someone was inaccurate in their bug report ;-)
14:28 mudler batman: don't worry, i totally understand :)
14:28 batman mudler++
14:28 mudler no problem at all :)
14:28 * mudler blushes
14:29 mudler batman: i'm really enjoying using plugins for js/css
14:30 batman cool :)
14:30 Adurah http://pastie.org/9627871 Alright, that's a less buggy version of the param replacement idea I had.
14:30 mudler batman++
14:31 batman mudler: got any more ideas for frameworks that should be a assetpack module?
14:32 marty hmmm, could do all_cookies() and all_params() for consitency.
14:32 mudler well, the gsoc student made the ::JQuery, a nice tought would be also Angular and company
14:34 Nei too bad params is already takn
14:34 Adurah Mind the extra if defined $_[0]
14:36 mudler batman: JQueryUI maybe? but personally i don't use it
14:36 batman neither du i :)
14:38 sri problem with all_params() is that it's not really consistent with param() :/
14:39 sri and theres params() which usually returns a Mojolicious::Parameters object or an array reference with *all* key/value pairs
14:40 Trelane each_param("foo")
14:40 Trelane hmm, that would be a callback if consistent
14:40 Trelane every_param("foo") ?
14:42 sri not bad
14:42 sri every_signed_cookie('foo')
14:43 dmanto joined #mojo
14:48 Nei or could param always return a collection which happens to stringify identically if only 1 param in the request
14:52 sri that conflicts with this issue https://github.com/kraih/mojo/issues/684
14:53 good_news_everyon joined #mojo
14:53 good_news_everyon [mojo] kraih pushed 1 new commit to wantarray_security_fix: http://git.io/gDPjMw
14:53 good_news_everyon mojo/wantarray_security_fix 371f116 Sebastian Riedel: added multi_cookie method to Mojolicious::Controller
14:53 good_news_everyon left #mojo
14:54 garu hey guys, sorry for jumping on the wagon right in the middle of a conversation, and apologies in advance if this has already been discussed, but why not just returning an array reference in param() if it's a list of values?
14:55 sri that makes parameters very hard to use
14:55 sri you'd have ref $value eq 'ARRAY' everywhere in your code
14:58 garu but isn't the same for regular arrays? I mean, if you are expecting an array or a scalar (as it is now) you would have to my @p = $c->param('p') all the time, then check if (@p > 1), etc
14:59 garu that said, are you thinking of making it return just the first (or last) element, and have a separate method for getting them all? That sounds reasonable as well, I think
15:04 disputin joined #mojo
15:06 sujithm joined #mojo
15:12 Rallias joined #mojo
15:12 abhishekisnot1 joined #mojo
15:12 woz joined #mojo
15:17 garu sri: does param() now gives us the first value? It was written on the docs but you replaced it with just "check and replace parameter values" and the "normalize" note. Can we make it a bit more explicit?
15:17 garu I'm asking because english is not my native tongue :(
15:17 davido___ joined #mojo
15:20 Nei there's currently a huge security issue topic because if you use param inside a hash
15:20 Nei it can expand to a list
15:20 chansen alanminter: strange, they are listed in 'test_requires' in Makefile.PL and in build_requires in META.yms
15:20 * chansen s/yms/yml/
15:21 * chansen installs a fresh 5.20.1
15:25 garu Nei: oh, I know about that :) I meant we should be more clear as to "what happens to my $p = $c->param('p') when there is more than one 'p'", and point the user to multi_param
15:37 chansen alanminter: I can reproduce it
15:41 garu sri: sinatra uses the last value for param[] it seems
15:50 cpan_mojo Net-LeanKit 0.5 by ADAMJS - http://metacpan.org/release/ADAMJS/Net-LeanKit-0.5 (depends on Mojolicious)
15:52 disputin joined #mojo
15:54 mst http://seclists.org/vulnwatch/2006/q4/6
15:54 mst sri: I've been using the last one rather than the first in Web::Simple so naive '$URL&foo=bar' DTRT
15:57 sri jberger, tempire, batman, marcus, crab: anyone cares if we use the first or last value?
15:58 batman i think the first makes sense
15:58 mst why?>
15:58 batman mst: why the last?
15:58 mst for the reason I already said
15:58 mst read the words before commenting please
15:59 Nei or make param return join " " of all parameters and another method that always returns list?
15:59 good_news_everyon joined #mojo
15:59 good_news_everyon [mojo] kraih pushed 1 new commit to wantarray_security_fix: http://git.io/m70Ltg
15:59 good_news_everyon mojo/wantarray_security_fix 2125428 Sebastian Riedel: added more multi methods
15:59 good_news_everyon left #mojo
15:59 * batman googles DTRT
15:59 Nei I just read that this is how google does it
16:00 sri allright, all wantarrays are gone now https://github.com/kraih/mojo/compare/wantarray_security_fix
16:00 odc does someone know a good OAuth2 server in perl?
16:00 batman odc: i want it as well :)
16:01 sri where do we stand on the naming? multi_param/multi_signed_cookie vs all_param/all_signed_cookies?
16:01 batman mst: am i supposed to read http://seclists.org/vulnwatch/2006/q4/6 to understand it or was the message hidden somewhere else?
16:01 sri s/all_param/all_params/
16:01 mst batman: no, my one line on IRC gave the use case
16:02 batman either my irc client ate your comment or i simply don't understand
16:02 mst odc: CatalystX::OAuth2
16:02 batman sri: I've been using the last one rather than the first in Web::Simple so naive '$URL&foo=bar' DTRT
16:02 batman ^ that one?
16:02 purl ^ that one is the actually working sql
16:02 mst batman: yes
16:02 odc catalyst? :/
16:02 mst odc: my team built that for a customer who's been using it in production since
16:03 odc thanks, i'll look at the code
16:04 batman not sure if i'm supposed to feel stupid or just simply irritated.
16:04 Adurah You are to feel irritatarded.
16:05 mst odc: it's not my fault that the Catalyst ecosystem is bigger and more mature :)
16:05 batman not sure if i should dare to suggest params() and param()
16:06 batman aka "fatter and more stubborn"
16:06 tempire #ohsnap
16:07 mst batman: that as well
16:07 good_news_everyon joined #mojo
16:07 good_news_everyon [mojo] kraih pushed 1 new commit to wantarray_security_fix: http://git.io/0p2y6A
16:07 good_news_everyon mojo/wantarray_security_fix c96b549 Sebastian Riedel: this param method always gets overloaded
16:07 good_news_everyon left #mojo
16:07 Adurah Well, did anyone look at my patch?
16:08 mst I just regard framework hate as retarded
16:08 sri batman: you wouldn't if you had followed the discussion
16:08 batman sri: sorry. been occupied banging my head against assetpack :(
16:09 sri please no opinions without researching the topic... it only costs me time looking into stuff that won't work
16:10 Adurah Did you attempt CSS spritification in assetpack, batman?
16:10 batman then i won't say more than: wantarray--
16:10 batman Adurah: huh?
16:10 aleksey joined #mojo
16:11 Adurah Automating the process of sprite sheet CSS.
16:11 dod joined #mojo
16:11 Adurah I remember that being discussed, perhaps it was not serious.
16:11 batman Adurah: i mentioned it could be possible. no idea how :)
16:12 Adurah Hah, yeah.
16:12 woz joined #mojo
16:15 sri seeing ->all_cookies next to ->cookie and ->cookies kinda bugs me
16:16 sri but ->multi_cookie is not any better
16:16 Adurah cookies_of_name
16:16 mst ->cookie and ->cookie_list ?
16:16 batman cookie_list()
16:16 * batman is too slow
16:16 sri it doesn't return a list
16:17 mst you're returning an arrayref?
16:17 sri yes
16:18 mst I can't think of a reasonable name either
16:21 disputin joined #mojo
16:22 marty ->cooked()   :P
16:23 marty ->cookied()
16:24 batman i wonder if anyone use the expanded list in AssetPack in production.
16:34 tempire hmm
16:34 * tempire currently has no ideas
16:34 tempire HOWEVER
16:34 tempire I do have an announcement that I'm rather excited about.
16:34 tempire I now have an app in the app store.
16:34 tempire WOO
16:41 doublelel joined #mojo
16:46 mst \o/
16:50 hernan604 joined #mojo
16:52 chankey joined #mojo
16:53 batman tempire: cool :) which app?
16:53 tempire It's no grumpify :)
16:53 tempire https://itunes.apple.com/us/app/west-coast-points/id872958966?ls=1&amp;mt=8
16:54 tempire er, I guess that won't work for you
16:54 tempire http://westcoastpoints.com/
16:55 batman tempire: nice :)
17:11 good_news_everyon joined #mojo
17:11 good_news_everyon [mojo] kraih pushed 1 new commit to wantarray_security_fix: http://git.io/nV460g
17:11 good_news_everyon mojo/wantarray_security_fix c05afdd Sebastian Riedel: replaced multi_* prefix with all_*
17:11 good_news_everyon left #mojo
17:11 sri ok, i think the branch is now mostly ready https://github.com/kraih/mojo/compare/wantarray_security_fix
17:12 woz joined #mojo
17:18 ignacio_ joined #mojo
17:21 KCL joined #mojo
17:23 irq joined #mojo
17:24 good_news_everyon joined #mojo
17:24 good_news_everyon [mojo] kraih pushed 1 new commit to wantarray_security_fix: http://git.io/iJTyoQ
17:24 good_news_everyon mojo/wantarray_security_fix e312dce Sebastian Riedel: explain the breaking changes
17:24 good_news_everyon left #mojo
17:24 sri jberger, marcus, batman, tempire, crab: review https://github.com/kraih/mojo/compare/wantarray_security_fix
17:25 sri i'll also write a little mail explaining it in more detail to the list
17:36 tempire looks fine to me
17:36 tempire going to make some people sad
17:36 tempire but that's the way it goes
17:38 azawawi joined #mojo
17:39 irq joined #mojo
17:46 bobkare joined #mojo
17:47 disputin joined #mojo
17:51 basiliscos joined #mojo
17:55 good_news_everyon joined #mojo
17:55 good_news_everyon [mojo] kraih pushed 1 new commit to wantarray_security_fix: http://git.io/hK-vWQ
17:55 good_news_everyon mojo/wantarray_security_fix bdcc96a Sebastian Riedel: a few small optimizations
17:55 good_news_everyon left #mojo
17:57 good_news_everyon joined #mojo
17:57 good_news_everyon [mojo] kraih merged wantarray_security_fix into master: http://git.io/b16feQ
17:57 good_news_everyon left #mojo
17:57 sri allright, merged into master
18:02 dotandimet joined #mojo
18:02 Eke- joined #mojo
18:04 woz joined #mojo
18:08 dotandimet joined #mojo
18:16 disputin joined #mojo
18:22 denis_boyun joined #mojo
18:28 _eugen joined #mojo
18:29 disputin joined #mojo
18:33 fhelmber_ joined #mojo
18:34 sri and did i see someone say "return undef" is a code smell?
18:35 sri yes, indeed i did! http://irclog.perlgeek.de/mojo/2014-10-07#i_9469073
18:35 sri http://www.hadafewbeers.com/wp-content/uploads/2014/05/thats-a-paddlin-30027.jpg
18:35 genio what's the problem with return undef?
18:36 genio I'm screwed if that's a problem
18:37 Trelane my @foo = function_call();
18:37 Trelane if (@foo) { ... }
18:42 sri and then you do other_function_call(function_call(), 'foo');
18:44 mst Lee: return undef is only a code smell if you like writing shitty, buggy, easily exploitable code
18:44 sri this is the exact same scalar/list context mixing garbage we've just been fighting
18:44 mst Lee: please never say something that stupid again
18:45 sri really, the only sensible thing to do is pick one, and be consistent
18:45 mst Lee: if your code is meant to be called with a scalar return, you MUST do 'return undef;'
18:45 mst Lee: plain 'return;' introduces context sensitivity, is a bad code smell, and almost always a bug
18:46 mst genio: ^^ see above. 'return undef;' is often essential
18:47 genio Good to know
18:48 mst esp. for e.g. hash construction
18:48 mst (foo => $foo_rs->find($foo_id)), for example
18:48 mst if DBIC didn't explicitly 'return undef', you'd be all sorts of fuckeed
18:48 mst (somebody tried changing this once; they rapidly discovered that, indeed, they were all sorts of fucked)
18:48 mst (I can't remember if said somebody was me or not :)
18:49 genio on a completely different topic, it seems that my travels will not be taking me through Oslo due to time constraints. :(  I'm off straight to Paris next week
18:49 Trelane why are you returning undef anyway?
18:50 Trelane <insert rant here about structure exceptions>
18:54 mst Trelane: what?
19:07 hernan joined #mojo
19:23 berov joined #mojo
19:29 sri oh, i forgot about ->every_param()
19:29 sri ->every_signed_cookie('foo')
19:29 sri ->all_signed_cookies('foo')
19:29 sri ->every_param('foo')
19:30 sri ->all_params('foo')
19:30 sri opinions?
19:30 purl Everybody is entitled to their opinion. Even if it's wrong.
19:30 mst I *like* every
19:30 marty +1  Those ready very well
19:31 marty s/ready/read/
19:31 genio every is better than all, IMO.  all_params() just reads like it shouldn't take an argument... in my defense, I suck at naming
19:32 mst right, and most things called all_something return an array
19:32 mst whereas every doesn't have that connotation in my head
19:32 genio same here
19:32 mst so its returning an arrayref would feel nice
19:32 * mst memorises for future API designs of his own
19:35 sri Trelane++
19:47 moritz .oO( ->much_signed_cookie('foo') )
19:53 neyasov joined #mojo
19:59 genio might as well go full-on MS and give it a 150-character long name, CamelCased.  ->GetAllParametersNamedAsTheStringImPassingInNowAndReturnThemAsAnArray("foo")
19:59 marty joined #mojo
19:59 good_news_everyon joined #mojo
19:59 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/_8jWZQ
19:59 good_news_everyon mojo/master 60a1072 Sebastian Riedel: switched from all_* prefix to every_*
19:59 good_news_everyon left #mojo
20:03 mst nooo, don't go full wintard
20:04 good_news_everyon joined #mojo
20:04 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/Tt2luQ
20:04 good_news_everyon mojo/master f7e2f59 Sebastian Riedel: fixed typo in example
20:04 good_news_everyon left #mojo
20:04 sri about the first vs last parameters thing... i really have no opinion on that
20:04 sri s/s//
20:05 sri "$URL&foo=bar" is not a particularly strong argument
20:06 sri i've looked through the docs, it appears we currently make no guarantees on which one you get
20:07 genio My natural assumption would be that you get the last
20:07 mst sri: it isn't, the other argument I have is "it tends to make mistakes where you forgot it was multiple obvious"
20:08 sri i've looked into sinatra, it seems there it's more a coincidence of using a hash for storage than intentional
20:08 sri somehow i always assumed you get the first ;p
20:10 sri also tried looking into the rails code... but got lost after the first few thousand files :S
20:12 dotandimet joined #mojo
20:12 sri if it's basically what everybody else does, least surprise would seem like a good enough reason to use the last value
20:14 sri looks like rails uses the last value as well
20:31 good_news_everyon joined #mojo
20:31 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/IJG-MA
20:31 good_news_everyon mojo/master e58b2c4 Sebastian Riedel: the last value has a higher precedence
20:31 good_news_everyon left #mojo
20:37 two_tired joined #mojo
20:38 good_news_everyon joined #mojo
20:38 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/KtBsKA
20:38 good_news_everyon mojo/master c5ad9b7 Sebastian Riedel: fixed a few more typos in examples
20:38 good_news_everyon left #mojo
20:39 * genio wonders if every_param() or each_param() makes him happier
20:40 sri we already use each in a different context
20:40 * sri likes every
21:04 woz joined #mojo
21:05 batman +1
21:05 purl 1
21:29 basiliscos joined #mojo
21:31 neyasov joined #mojo
21:46 good_news_everyon joined #mojo
21:46 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/BUd7gw
21:46 good_news_everyon mojo/master e704f47 Sebastian Riedel: use a less dramatic log message
21:46 good_news_everyon left #mojo
22:01 neyasov joined #mojo
22:04 cpan_mojo Mojolicious-Plugin-AssetPack 0.28 by Jan Henning Thorsen - http://metacpan.org/release/JHTHORSEN/Mojolicious-Plugin-AssetPack-0.28
22:04 batman BOOM! %= asset 'foo.css', { inline => 1 }; # hope that's not the worst syntax in the universe
22:07 disputin joined #mojo
22:24 good_news_everyon joined #mojo
22:24 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/0PREdg
22:24 good_news_everyon mojo/master 788449e Sebastian Riedel: use more concise method descriptions
22:24 good_news_everyon left #mojo
22:34 fhelmber_ joined #mojo
22:39 disputin joined #mojo
22:41 basiliscos joined #mojo
22:58 disputin joined #mojo
23:06 good_news_everyon joined #mojo
23:06 good_news_everyon [mojo] kraih tagged v5.48 at 7eb5358: http://git.io/8XPr1w
23:06 good_news_everyon left #mojo
23:08 good_news_everyon joined #mojo
23:08 good_news_everyon [mojo] kraih pushed 1 new commit to master: http://git.io/8uJNUg
23:08 good_news_everyon mojo/master ae135de Sebastian Riedel: bump version
23:08 good_news_everyon left #mojo
23:08 cpan_mojo Mojolicious 5.48 by Sebastian Riedel - http://metacpan.org/release/SRI/Mojolicious-5.48
23:25 davido__ joined #mojo
23:31 neyasov joined #mojo
23:38 bc547 joined #mojo
23:52 sri my attempt at a summary https://groups.google.com/forum/#!topic/mojolicious/aJTYjRCPjOE

| Channels | #mojo index | Today | | Search | Google Search | Plain-Text | summary