What if the admin wants to do this intentionally to make internal resources available? Do you propose to limit the abilities of the regex in question to only make certain things possible? That doesn't seem like an improvement.
Like korgitser mentions in this comment [slashdot.org], exceptions can be made, but by default it shouldn't be possible. I'm not saying it should be absolutely impossible to do this, but add another layer of protection which prevents admins from accidentally doing something like this. If an admin intentionally wants to do this and sets a specific configuration flag which allows him to do so, then that's a different story.
by Anonymous Coward writes:
on Monday November 28, 2011 @07:05AM (#38188600)
Garbage out. What else is new?
GI/GO is bullshit, you should never output garbage no matter how fucked up the input is. If you can't process it normally, you kick out an error condition of some sort; you don't just throw up your hands and say "Oh well, the user entered the wrong password so we'll just have to give him access to everything".
Garbage in, (Score:1)
Garbage out. What else is new?
Re: (Score:1, Funny)
Apache is garbage! Upgrade to IIS!
Re:Garbage in, (Score:5, Insightful)
Re: (Score:3)
How can an automated system recognize whether an input is "not what the user meant to type"? As long as an input is syntactically correct, it's not up to the system ... granted, the double colon might not fall under the "syntactically correct" inputs, though it would have to be checked whether it may indeed be allowed or not ...
Re:Garbage in, (Score:5, Insightful)
Pretty stupid thing to say. If the person who inputs the garbage is the admin (which is the case here, since only an admin can create rewrite rules) then it's not surprising that security might be compromised. There's no way you can make software safe from incompetent people with admin privileges.
Re: (Score:3)
Software should prevent people, including even the most experienced admins, from making such mistakes. The fact that it's possible to make such a mistake is a flaw in the software.
Re: (Score:2)
I do not agree.
Software should prevent people, including even the most experienced admins, from making such mistakes. The fact that it's possible to make such a mistake is a flaw in the software.
Beware, you're one step away from advocating iOS here. At least on iOS, it's harder for users to break things by typing nonsense in the configuration section.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Software should prevent people, including even the most experienced admins, from making such mistakes. The fact that it's possible to make such a mistake is a flaw in the software.
Thin ice here... The unix world seems to think, and usually it is the case, that by preventing the user from doing stupid things, you also prevent him from doing clever things. Yes there are exceptions, but it is important on which side you default.
Re:Garbage in, (Score:5, Interesting)
Garbage out. What else is new?
GI/GO is bullshit, you should never output garbage no matter how fucked up the input is. If you can't process it normally, you kick out an error condition of some sort; you don't just throw up your hands and say "Oh well, the user entered the wrong password so we'll just have to give him access to everything".
Re: (Score:2)
GI/GO is bullshit, you should never output garbage no matter how fucked up the input is
*whoooosh*
No, the computer has no way of reading your mind to know that the garbage isn't the perfectly processed output expected from the given input. The computer doesn't understand intent or context, and thankfully it just does what it's told instead of deciding to give you some stupid error, "The output wouldn't have looked pretty to computers. Error."
Before tossing out grampa's words of wisdom, at least try to understand them. And if you can't, then get off my lawn!!!