June 10th, 2014

Demons of stupidity

Metasyntactic directories

Today's random discovery is that, on Linux, carriage returns are valid characters in directory names.

How did I find this out? Because Bash is stupid and doesn't understand that a carriage return is a line delimiter. Instead it treats the character as a literal (like a letter or digit), and so turns mkdir /foo/bar<CR><LF> into mkdir /foo/bar<CR>. This creates a directory named "bar" followed by a carriage return, which of course displays as plain "bar" in a web page, leading to all sorts of fun questions as to why a listing of /foo claims "bar" exists when listing /foo/bar returns an error.

But surely we can get around this with quoting? Surely mkdir "/foo/bar"<CR><LF> will work?

Nope! See, Bash tries to be clever: the <CR> sitting after the closing quote mark is still part of the same word, so it ends up in the name exactly as if it had been inside the quotes. Seriously. It then runs mkdir "/foo/bar<CR>".

I eventually resorted to putting a comment at the end of every line, so that the stray <CR> lands in the comment, to get this to work (and no, the obvious fix of using Linux line endings was not possible because this script was being entered in a web page, and line endings in web-page forms are always normalised to CRLF). Sigh.

A bit of background for non-techies: computers these days generally use one of two sets of control characters to end a line of text. Windows uses a carriage-return/line-feed pair (CRLF), while Linux uses just a line-feed (LF). Most of the time this isn't an issue, as any text editor smarter than Notepad understands either style.
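The whole episode above, as an added shell example (not from the original post): the raw CRLF line handed straight to mkdir, the fix of stripping the carriage return before the name ever reaches mkdir, and a check for entries that already carry a stray CR. The post's /foo/bar is replaced by a mktemp scratch directory and "bar" is a constructed sample name.

```sh
#!/bin/sh
# Added example (not from the original post). Reproduces the CR-in-the-name
# problem in a scratch directory, shows the fix (strip the CR before the
# name reaches mkdir), and gives a check for entries that already have a CR.
# /foo/bar from the post is replaced by a mktemp directory; "bar" is a
# constructed sample name.

# The fix: strip carriage returns from a line that came from a CRLF source
# (a web form, a Windows editor) before using it as a path.
strip_cr() {
    printf '%s' "$1" | tr -d '\r'
}

# What the post's script did: hand the raw line to mkdir, CR and all.
# $1 = directory to work in, $2 = the raw name (may end in a CR).
make_dir_naively() {
    (cd "$1" && mkdir -- "$2")
}

# Detection: count entries under $1 whose names contain a carriage return.
# Such names look normal in a web page or terminal, so match on the byte
# itself rather than on what ls appears to print.
count_cr_entries() {
    find "$1" -mindepth 1 -name "*$(printf '\r')*" | wc -l | tr -d ' '
}

# Demo run: the naive mkdir leaves a "bar<CR>" entry; the stripped name
# creates the "bar" the author actually wanted.
demo() {
    root=$(mktemp -d)
    raw_name=$(printf 'bar\r')          # constructed CRLF-style input
    make_dir_naively "$root" "$raw_name"
    echo "entries with a CR in the name: $(count_cr_entries "$root")"   # 1
    mkdir -- "$root/$(strip_cr "$raw_name")"
    # od makes the trailing \r visible; plain ls would show two "bar"s.
    ls -1 "$root" | od -c
    rm -rf "$root"
}
demo
```

Running the file shows the two entries side by side in the od dump, one with the trailing \r and one without. For a script that has to consume CRLF input, running the whole file through strip_cr (or dos2unix) once on the way in is simpler than guarding every line with a comment.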
  • Current Music
    VNV Nation - Saviour [Empires]
Demons of stupidity

HTTPS fail

Is HTTPS really so hard to achieve? Or is it just that, because Firefox and Chrome are less strict than Internet Explorer about what counts as secure and what doesn't (Firefox until recently didn't even warn about non-HTTPS parts of HTTPS pages, let alone block them), no-one actually bothers to do HTTPS properly?

It's not as if it's a hard concept to understand. If your secure website loads any content from an insecure URL, then it's not your website anymore: whoever sits on the network path can replace that content. And yes, this even applies to images - an attacker could replace a "Click here to submit" image with, I don't know, a "For security reasons enter http://evil.example.com/ in your address bar" image or something.
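A crude check for the mixed-content problem just described, as an added shell example (not from the original post): it scans an HTML page meant to be served over HTTPS and lists every subresource (script, image, frame, stylesheet, media) fetched over plain http://, which is exactly what loses the padlock. The sample page and its cdn.example.com URLs are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): a crude mixed-content check
# for an HTML page that is meant to be served over HTTPS. It lists every
# subresource (script, image, frame, stylesheet, media) fetched over plain
# http://. Plain <a href> links are not flagged: navigating to an http://
# page is not mixed content, loading one into an https:// page is.
# The sample page and its cdn.example.com URLs are constructed for the demo.

sample_html='<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<a href="http://www.example.com/help">Help</a>
<img src="http://cdn.example.com/submit.png" alt="Click here to submit">
<img src="https://cdn.example.com/logo.png">
<img src="//cdn.example.com/relative.png">
</body></html>'

# Reads HTML on stdin, prints each distinct insecure subresource URL.
# Limitations: one tag per line, lowercase attribute names; a real audit
# should use an HTML parser or the browser's own console warnings.
find_mixed_content() {
    tr "'" '"' \
    | grep -oE '<(img|script|iframe|frame|link|audio|video|source|object|embed)[^>]* (src|href)="http://[^"]*"' \
    | sed -E 's/.*"(http:[^"]*)"$/\1/' \
    | sort -u
}

# Number of distinct insecure subresource URLs on stdin.
count_mixed_content() {
    find_mixed_content | wc -l | tr -d ' '
}

# Demo: the stylesheet, the script and the submit image are flagged; the
# https:// and protocol-relative resources and the <a> link are not.
printf '%s\n' "$sample_html" | find_mixed_content
```

Once the offenders are found, the fix is to serve them over https:// (or protocol-relative URLs, as in the last img above); a Content-Security-Policy header with upgrade-insecure-requests or block-all-mixed-content then stops a stray http:// reference from quietly breaking the page again.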

This mini-rant brought to you by my being about to place an order online and wondering why there's no padlock symbol despite the site using an https: URL.
  • Current Mood
    disappointed