
IRC log for #webwork, 2012-10-11


All times shown according to UTC.

Time Nick Message
00:06 aubreyja joined #webwork
00:55 Paul_Pearson joined #webwork
00:55 Paul_Pearson Hi jasonu
00:56 Paul_Pearson Did someone help you yet?
00:56 mgage I think he left
00:59 Paul_Pearson Oh...you're right.  He's not on the list of people logged in.
00:59 Paul_Pearson What's the main topic for Fitchburg?
01:00 mgage still a bit unorganized -- you can chime in  https://docs.google.com/document/d/1zxu8KQj1v7bchxCImfMH5GqaOqqqYH6RikMB_QG6eDM
01:01 Paul_Pearson Nandor emailed to me:
01:01 Paul_Pearson Paul, the problem is that switching to the OPL is not a real option. I have dozens of classes using dozens of existing problem sets. I am pretty sure that switching to the OPL would break many of these sets. Nandor
01:01 Paul_Pearson Once installed, the NPL to OPL switch shouldn't break any existing homework sets, right?
01:02 mgage I wouldn't risk it either -- although unless he has made local changes going from one to the other should be pretty transparent.  I would still expect a dozen or so problems to be out of sync -- even if he just upgraded to the most recent NPL
01:04 mgage One thing is that it is easy to switch back if you bring the OPL into a new directory and use aliases/pointers/links   I'm 99%  sure that the databases don't overwrite each other -- they both exist in the database until you delete one of them.  Jason would know for sure -- wrote the changeover script.   aubreyja: ?
01:10 Paul_Pearson Could Nandor just unpack a SDSU.tgz file I send him to his NationalProblemLibrary directory and then run his NPL-update script?
01:10 mgage yes
01:10 Paul_Pearson OK.  That seems easiest for me.
01:11 Paul_Pearson And probably for him, too.
01:11 mgage one nice thing about the current situation is that all of the info is maintained in the problems themselves.  I'd like to keep that -- but perhaps use xml or jason encoding instead of the current version
01:12 rbeezer xml ;-)
01:12 mgage yes it's also safest.  He can test whether he can get the new library over thanksgiving  or christmas -- I'm betting he can
01:12 mgage yeah that's my preference also -- but we will need to build an editor front end -- for either option
01:13 mgage Rob will you be around this weekend in case I want to consult on use cases for sequential problems? (aka compound problems)
01:13 mgage you can also comment directly at https://docs.google.com/document/d/1zxu8KQj1v7bchxCImfMH5GqaOqqqYH6RikMB_QG6eDM
01:13 rbeezer mgage: yes, I'll be "around"
01:14 mgage do you have a gmail account ?  I can share the doc with you
01:14 rbeezer rabeezer@gmail.com (but I *never* read GMail)
01:14 mgage right -- just want an email to share the doc with you -- would you prefer another?
01:14 rbeezer (I should at least figure out how to forward it  ;-) )
01:15 rbeezer that's fine
01:15 mgage I never know in advance which way a code camp is going to go -- so we'll see what happens
01:15 mgage ok -- the doc is shared with you
01:18 rbeezer thanks - can't see it yet, I'll give it a bit
01:19 mgage I misspelled it -- hang on
01:20 rbeezer just about to suggest that  ;-)
01:20 mgage better?
01:20 rbeezer yup
01:21 rbeezer I see it, but dinner is coming out of the oven, I hear the timer (salivating), more later
01:21 mgage np  -- bon appetit
01:27 Paul_Pearson It would be very nice if you could get these projects completed while WPI people are there:  Simple input for problems and CompoundProblem/sequentialProblem
01:28 mgage yep -- that's my hope -- and I'll try to concentrate on that -- possibly I can get Davide to work on  the compound problem also
02:51 Paul_Pearson1 joined #webwork
12:44 goehle joined #webwork
13:49 aubreyja joined #webwork
13:49 aubreyja joined #webwork
13:52 aubreyja_ joined #webwork
14:03 Paul_Pearson joined #webwork
14:25 rbeezer joined #webwork
15:50 Andras joined #webwork
15:50 Andras Hello!
15:51 Andras Our server is identified for vulnerability "Login Redirect - [OWASP 2010 A 3]"
15:51 Andras "302 redirection not found after valid login"
15:51 Andras Anybody knows a fix for this?
15:52 Andras I have a corresponding page describing what to do with this : http://doc.cenzic.com/sadoc9x14ba847/CPL0001464.htm
15:53 Andras There should be 302 redirect right after login credentials are passed.
15:54 Andras To make a redirection you can use the header () function. This function sends a raw HTTP header to the browser. As result the browser will be redirected to the page defined in this new HTTP header.
15:54 Andras header('Location:http://<host>');
15:54 Andras I don't know where and what exactly to include.
16:02 goehle I've no idea
16:02 goehle maybe mgage or aubreyja does
16:03 aubreyja Hi
16:03 Andras Hi
16:03 aubreyja hmm…let me have a look at this
16:05 aubreyja So, the login page needs to specifically do a redirect?
16:06 aubreyja the logout page I believe does call reply_with_redirect ….
16:07 Andras I am a little confused myself.
16:08 aubreyja yes, have a look around line 87 of ContentGenerator/Logout.pm
16:08 Andras How can they determine "302 redirection not found AFTER valid login"
16:09 Andras I don't think the security scan has access what happens after login.
16:09 aubreyja I think it just wants the returned http header to have this status code...
16:12 Andras So what should I tell to the IT guys?
16:14 aubreyja so, my guess is that in Login.pm, we have to tweak the -action=>$r->uri bits to do something like reply_with_redirect
16:16 aubreyja that method should be available to Login.pm; actually it's do_reply_with_redirect, defined in ContentGenerator.pm
16:20 aubreyja ok, so in Login.pm, you can use $self->do_reply_with_redirect(…url…), but unfortunately the dumb thing of just doing -action=>$self->do_reply_with_redirect($r->uri) doesn't work
16:24 rbeezer joined #webwork
16:26 Andras Isn't it because it is supposed to go to the next page, not the present one?
16:30 aubreyja yeah, but the next page has the same url, it's just that it's generated from ProblemSetList when authenticated and Login.pm when not authenticated
16:31 aubreyja I'll bet we need to look up in ContentGenerator.pm actually
16:44 aubreyja ok, actually, maybe it's the dispatch subroutine in WeBWorK.pm...
16:44 aubreyja Here's how I think it currently works: User issues request. Request is handled by WeBWorK.pm
16:45 aubreyja dispatch() does $authen->verify
16:45 aubreyja if that's = 1, and you're authorized to go where you want to go, great, go there
16:45 aubreyja if not, then go to Login.pm
16:45 aubreyja i.e. if $authen->verify is not = 1
16:47 aubreyja and it's not actually "go to Login.pm" instead $displayModule = Login.pm
16:47 aubreyja that's why -action=>$r->uri works over in Login.pm.
16:48 aubreyja if $authenOK = 1 $r->uri gets the display module it normally gets, but if $authenOK = 0 then it gets Login.pm
16:49 aubreyja so, I think the strategy to fix this will be roughly this:
16:50 aubreyja in dispatch() in WeBWorK.pm, if $authenOK = 0, then instead of setting $displayModule = LOGIN_MODULE, reply with redirect to Login.pm
16:52 aubreyja that *should* preserve a referrer url in the request object $r, then in Login.pm we could use -action =$self->reply_with_redirect($r->referrer) (if $r->referrer is how you get the referrer url)
16:53 aubreyja might have to create a new URLPath of the form /$courseID/login
16:54 Andras I thought we need redirect after successful login ($authenOK = 1)
16:54 aubreyja yes, but the problem is we can't redirect back to the same url - at least firefox complained that this was an error
16:57 aubreyja For example, if you go to webwork2/math01/<anything> then if you are not logged in and $authenOK = 0, then $displayModule = LOGIN_MODULE , but if you are logged in and so $authenOK = 1, then $displayModule is set as defined in URLPath.pm
16:57 aubreyja but in both cases $r->uri = .../webwork2/math01/<anything>
16:59 aubreyja maybe there is a way to tell browsers to allow the page to redirect to itself - that would be easiest since it would come back to the right page in any case.
17:00 aubreyja Then we really could just do the dumb thing of -action=>$self->reply_with_redirect($r->uri)
17:00 aubreyja in Login.pm
17:01 Andras How would this not create an infinite loop?
17:02 aubreyja well, I think anyway, since the point of the redirect is to clear out post data maybe we would lose information needed to make that work...
17:02 Andras (self redirect)
17:02 aubreyja it would not create an infinite loop since the $displayModule would not be Login.pm if $authenOK = 1
17:03 Andras By the way, I already removed autocomplete at log in:   print CGI::startform({-method=>"POST", -autocomplete=>"OFF", -action=>$r->uri, -id=>"login_form"});
17:03 aubreyja if $authenOK = 0, then it *would* give back Login.pm, but that's what we want.
17:03 Andras So it seems to me that it should clear stuff out.
17:04 aubreyja Great - are you on github? You could issue pull requests to get your security fixes into the main code base for everyone
17:04 Andras I am not sure everybody would want these "fixes".
17:05 aubreyja mgage: ping! (He could say for sure if I'm on the right track with this)
17:05 aubreyja Sure, but some of these you could make switches in the config files with some security related environment variables that admins could set if they need to
17:06 Andras OK. I will try to work on these.
17:06 Andras I wanted to ask what to do with these fixes, anyway.
17:07 aubreyja I've got a meeting coming up at 12:30, but I'll see if I can get this redirecting login implemented too
17:07 Andras Probably we should not be posting security issues on the main forum
17:07 Andras Ok.
17:07 Andras How is this irc working?
17:07 Andras Are there set times.
17:08 Andras Or people are just hanging around.
17:08 aubreyja No, people just get on as they can.  For example, I have mine set to open when I login to my computer
17:08 aubreyja So, I'm pretty much always logged in, but not necessarily here.
17:09 aubreyja You can ping someone by just mentioning their username.  So my saying Andras would make your client go to the foreground if it wasn't already
17:09 aubreyja That's how I knew when goehle mentioned me
17:10 aubreyja (I probably just woke him up from a nap)
17:11 Andras cool
17:12 aubreyja Regarding security issues on the forum, I don't think it's much of a risk talking about general vulnerabilities.  If someone was actively exploiting something we would probably want to take it private, but in principle hackers could just scan webwork themselves and discover potentially exploitable weaknesses, so I think of that information as public knowledge
17:18 Andras_ joined #webwork
17:18 Andras left #webwork
17:34 aubreyja_ joined #webwork
17:55 aubreyja_ joined #webwork
18:27 ftilley joined #webwork
18:54 Paul_Pearson joined #webwork
19:10 djun joined #webwork
19:10 djun hi all
19:15 djun ping aubreyja
19:33 aubreyja Hi djun
19:33 aubreyja_ joined #webwork
19:33 djun Hi Jason - pm?
19:34 aubreyja Huh?
19:34 aubreyja oh, sure, pm
20:44 Andras joined #webwork
21:03 aubreyja left #webwork
22:01 Andras aubryja, I wanted to ask about login redirect question. What can I do?  I lost our irc discussion when I switched from browser to irc client.
22:02 Andras aubreyja : I wanted to ask about login redirect question. What can I do?  I lost our irc discussion when I switched from browser to irc client.
22:08 djun joined #webwork
22:11 djun_ joined #webwork
22:23 Andras mgage Michael:
22:49 djun joined #webwork
23:30 aubreyja joined #webwork
