dr|z3d
ok, fixes for the create torrent file filter feature courtesy of snex, /dev/ update now available.
T3s|4
o/ dr|z3d - I saw several iterations of -13, but did I somehow miss -14? Running -15+ now
dr|z3d
hi T3s|4
dr|z3d
you may have missed 14, it was up for a brief time before I realized the file filtering wasn't working as intended.
T3s|4
np
dr|z3d
fortunately snex supplied a patch, and it should all be functional now.
dr|z3d
that is, assuming you're using either dark, ubergine or zilvero themes (in the latest build) - other themes to follow shortly.
dr|z3d
good call on the dune2 banner, zzz, was wondering when they were going to release the sequel.
zzz
if you're getting your movie news from me you're in trouble
dr|z3d
haha :)
zzz
did you have any comments or test results on the susimail search MR I put up for you a couple weeks back?
dr|z3d
haven't gotten around to looking at it yet, still somewhat distracted by "other things", but I'll get to it shortly and let you know.
zzz
ok, no rush ofc
dr|z3d
anything occupying your time at the moment you care to share with us, i2p-wise?
zzz
speaking of distraction, have you abandoned your master branch and are devving off into the sunset or?
dr|z3d
no, haven't abandoned it, just locked out of gitlab right now. in their wisdom they've decided to blacklist i2pmail.org
zzz
odd. so you can push to the dev branch but not the master branch?
dr|z3d
yeah, I configured it that way iirc. no direct pushes to master.
zzz
so the dev branch is now the official branch until they unlock you?
dr|z3d
I guess, it's where all the work's happening. master is, for the most part, just a feeder for dev unless there's code there that's volatile or otherwise incomplete.
T3s|4
thanks dr|z3d - and pleased to learn about the positive snex contribution; quite a departure from their normal rant(s) :)
dr|z3d
if there's code that's wip and needs more time, I'll create a local branch to work in.
dr|z3d
yeah, good collaboration and some good code, snex wanted filtering for torrent files on creation, I wanted more than just a text input. :)
zzz
annoying but there's plenty of other options for hosting if you give up on them
dr|z3d
yeah, annoying, I'll get around to finding who to communicate with at some point, hosting isn't an issue, already have github and of course git.skank.i2p, so no biggie.
zzz
not familiar with git.skank.i2p but just gives me an empty page
zzz
and an incognet title
zzz
do I have the wrong b32 or is this some stealth thing
dr|z3d
let me check that, should give you the full locally hosted git repo experience.
dr|z3d
works for me.
dr|z3d
and, no, not stealth :)
zzz
hmph
dr|z3d
let's see what b32 you should have.. 1 sec..
dr|z3d
yup, that's it. should work. can you check it works, T3s|4?
dr|z3d
oh, wait.
dr|z3d
that b32 takes me to, yeah, a blank incognet page. ok, something's screwed up somewhere.
zzz
The resource from “http://git.skank.i2p/assets/css/header.css” was blocked due to MIME type (“”) mismatch (X-Content-Type-Options: nosniff).
zzz
git.skank.i2p
zzz
The resource from “http://git.skank.i2p/assets/css/style.css” was blocked due to MIME type (“”) mismatch (X-Content-Type-Options: nosniff).
dr|z3d
yeah, that's basically telling you 404.
dr|z3d
just checking what notbob.i2p has on record.
zzz
a lot of svg and woff2 404s
dr|z3d
I must have fat fingered the B64 in my hosts file I guess.
dr|z3d
let me find the *correct* b32.
zzz
I have it in my pvt addr book so it must have been from notbob. Not registered on stats
dr|z3d
ok, thanks for pointing out the non-availability of git.skank.i2p, zzz, should be fixed now, no change to b32 required.
T3s|4
dr|z3d: as noted, dxlfhlrqd23exqwmjr6vmq5b5tn5lo2irwydhjvbiciolwq4auga.b32.i2p never loads here
dr|z3d
some work I was doing for incognet required a local cache, and that was being applied globally, so you were getting crud for cache. try now T3s|4
zzz
the Venn diagram intersection of i2p users and competent website admins is annoyingly small
dr|z3d
are you calling me incompetent on the sly? :)
zzz
nahhh, would never
T3s|4
dr|z3d: a hard refresh worked
dr|z3d
thanks, T3s|4.
zzz
yeah took a shift-reload
dr|z3d
well now you're there, you can assess the functionality and load times vs locally hosted gitlab.
zzz
? I don't have a locally hosted gitlab
dr|z3d
you don't, eyedeekay does :)
zzz
it's not local to me
dr|z3d
let me rephrase. you can assess the functionality and load times for both git.skank.i2p and idk.gitlab.i2p
zzz
so far I assess that both work ))
dr|z3d
I did a brief one page test yesterday, just looking at the master branch page on both sites. gitlab is a lot heavier.
dr|z3d
just mentioning in light of eyedeekay's ongoing tribulations with gitlab.
dr|z3d
what gitea lacks vs gitlab is the CI stuff, though it's not that hard to provide something similar.
zzz
if it were me I'd turn off all the CI stuff and leave it to github. Not worth the hassle
dr|z3d
yeah, right.
dr|z3d
got a question for you, zzz. snex was having an issue getting various regex characters processed on form submit. is there any special sauce required? we probably only want * $ and ^.
zzz
dr|z3d, please elaborate?
dr|z3d
ok. basically snex was attempting to process some input strings that contained regex chars, and on submission they were filtered out. I _think_ * was one of them, possibly others.
snex
when submitting a form, it was eating special chars. so for example if i typed in "/^.*.nfo$/" this wouldn't arrive at the server
snex
it would just say null for that param
dr|z3d
I'm looking at the slashes in that string, possibly part of the issue?
snex
I tested many variants, I'm pretty sure anything with a * in it got eaten while things with only slashes worked
dr|z3d
anyways, we decided we only need to support * ^ and $.
zzz
right, that's the XSS filter, you should see it in the logs
zzz
if you don't want it, name the form param with the prefix nofilter_ or nf_
zzz
but then it's your problem to escape it if you output that string out again
snex
why would * present an issue
zzz
dunno, but the regex is in XSSRequestWrapper
snex
this is some real jank shit, why doesn't the java class handle all this for us
zzz
for any sort of search form you definitely have to use nofilter_xxx and then be super careful with escaping on output
zzz
it's safe by default, with a way to bypass if you know what you're doing, might be annoying but it's not jank ))
snex
safety would mean it does its own internal escaping, not it disallows certain characters
zzz
not really because you don't want to operate internally on escaped chars, or else you'd never be able to search for < because it would become &lt;
zzz
you have to escape on output, not input
snex
sorry but modern web frameworks ALL do this for you and they all work flawlessly
zzz
java doesn't magically save you from escaping issues
snex
the idea that java cant is absurd
zzz
our "framework" is jsp and jetty. we don't have some fancy framework
snex
you need one
dr|z3d
we've done pretty well without one for the last 20 years :)
snex
this stuff is unmaintainable over the long term
snex
snark has thousand-line methods. unacceptable
zzz
I'm explaining how it works now, take a minute to be cranky but then slap a nf_ prefix and then start testing with <alert>xxx and emojis and everything
snex
there's no automated testing. you have to know every little corner case
zzz
it is what it is, take a deep breath and test test test because anything with nf_ could be a problem
snex
assuming that will fix the input problem, it seems like it's going to present even worse problems if the user starts getting clever and typing other nonsense in there
dr|z3d
we can handle that with limits on the input.
zzz
that's what I'm saying. There is no framework. It's your responsibility to strip or escape if you're going to write it back out. test test test. Stick <foo> into every form input
dr|z3d
obviously we also want server-side validation, but that's a good start.
zzz
"limits on input" doesn't really explain it. You either have to strip or escape or send an error, and you might have to escape the error message
zzz
you can't do "%s contains an illegal char"
zzz
but now you know why the snark search param is nf_s
dr|z3d
sure, I get that, but I'm suggesting that as a preventative measure to mitigate against cleverness, that's a good start.
dr|z3d
of course it doesn't handle processing, escaping etc.
dr|z3d
anyways, thanks for the insight on form processing, that gets us somewhere :)
zzz
yup. Our XSS filter _is_ the preventative measure. That's as much of a "framework" as we have.
zzz
Yes some languages/frameworks have a concept of safe and unsafe strings, and some magic to escape/unescape.
zzz
nothing like that in Java iirc and it would be a real pain because String is final
zzz
you can't do public class SafeString extends String { ... }
dr|z3d
yeah, the closest you'd come to a framework in Java is probably apache's StringEscapeUtils
dr|z3d
which of course is an external dependency we've managed to live without.
dr|z3d
commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/StringEscapeUtils.html
zzz
ofc we have equivalents already - DataHelper.escapeHTML(), .stripHTML(), plus some URL encode/decode methods rattling around
snex
at some point we should consider ditching snark
zzz
again there's no magic, because each escaping regime is different. Is it HTML? js? URLs? filenames? properties? hostnames?
dr|z3d
big bag o' worms.
zzz
sure, snark has grown unwieldy, as is susimail, both could use a refactor
dr|z3d
yeah, both could probably use some jsps to make things a little less unwieldy.
zzz
but every other torrent app code I've looked at is 10x worse.
dr|z3d
snark isn't bad, it's just the servlet's a bit of a monster, especially when you first look at the code.
zzz
I'm sure you've contributed to the monster. As have I. That's the way it goes
zzz
coders gonna code
dr|z3d
I hold my hand up. Guilty as charged.
zzz
you asked what I'm up to
zzz
mostly little stuff
zzz
looks like we're back to a 4/8 release which is 5 weeks, so I'm going thru my lists and promises
zzz
also talking to a couple folks about research ideas
zzz
finished my PoW rant which you saw
snex
could probably rewrite snark in ruby without TOO much effort, but would it even be worth it
dr|z3d
oh, rant? I'm not sure I caught that, or I wasn't paying enough attention.
zzz
stuck again on secureDNS
dr|z3d
yeah, about that. what's wrong with DoH that you're aiming to fix?
zzz
I thought the tl;dr made it clear it was pretty ranty
zzz
if that's a word
dr|z3d
ah, missed that, just reading now.
dr|z3d
"the wildest code" .. yeah, that's signature zzz rant mode <on>
zzz
SDNS is more secure than DoH, it fills in some holes. DoH is kind of a hack. The DNSCrypt site has some explainers about why SDNS is better
dr|z3d
remind me what we're using DNS lookups for again? time servers I recall. anything else?
zzz
reseed
dr|z3d
ok, I guess you think it deserves attention, otherwise you wouldn't be spending time on it.
zzz
it's a dalliance, another implementation-as-research project, like jequix
zzz
but it grew out of trying to maintain the DoH server list, which got me to sdns "stamps", which got me to maybe this would all be easier if we switched to sdns
dr|z3d
fair enough. if it's motivating you, that's sufficient :)
dr|z3d
just finished your take on PoW in Tor. amusing stuff, mostly over my head, but amusing nonetheless.
dr|z3d
If ever you get into the t-shirt business, "It's very very tiny baby bananas." will surely sell well.
dr|z3d
On I2P, PoW is a solution looking for a problem we don't have right now.
zzz
it's over my head too. I started on it over Christmas and really fell down the rabbit hole
zzz
I'm probably 100 hours invested in it
dr|z3d
whatever PoW fixes in Tor-land, mostly inter-darknet market DDOS attacks afaict, throttling and tunnel filtering, perhaps with modifications, has us covered.
zzz
but still can't get over the "this code is doing WHAT?!?!?!?" feeling
zzz
disagree though, I'm not as comfortable that we're sitting pretty
zzz
I'd like to answer the question 'if we have to put in PoW where would we put it'
zzz
i.e. get started on top-down design. Playing around with equix in java is interesting research but is backwards bottom-up approach to doing anything in i2p
not_bob
Is ban.i2p some sort of gag?
snex
i sure hope not
not_bob
"I2P - internet for terrorists"
not_bob
It just screams satire, or something.
dr|z3d
where would we put PoW? if we were going down that route, maybe the obvious place would be on server tunnels to handle requests, but I can't see that doing much other than introducing latency where we don't want it right now.
dr|z3d
same problem if we put it on floodfills to handle lookups.
dr|z3d
unlike Tor, we can identify the source of incoming requests via dests, Tor doesn't have that luxury with hidden services.
zzz
think sooner. much sooner.
zzz
streaming. or ratchet. or even the IBGW
snex
what kind of PoW can you do that wont destroy sbpcs or mobile
dr|z3d
that's a valid question, even if it's missing a suffixed ? :)
snex
i aint got time for punctuation
dr|z3d
put that on a t-shirt :)
snex
anyone looked at proof of uptime before? would be nice if we could reward nodes that are online for longer
dr|z3d
we do already assess routers based on uptime to some degree, floodfills at least, insofar as too new floodfills are downrated.
dr|z3d
uptime as a metric could be something to consider, though.
dr|z3d
not_bob: yeah, safe to assume it's irony.
not_bob
I think it would be a useful metric.
not_bob
dr|z3d: Thank you for your input.
dr|z3d
that's ok, ai_not_nob.
dr|z3d
*bleep bloop*
dr|z3d
I'm still firmly of the belief some beefing up of tunnel throttling / filters could be handy, regardless of any future threats.
dr|z3d
not least because keep-alive connections make request throttling less viable.
dr|z3d
and also because we could use some defences against hostile/exploit-oriented requests on the http server tunnel.
zzz
p
not_bob
Got it!