I just fixed it. It was a change I did last night to fix a save bug. My apologies about that, it wasn't a good bug, but hopefully it's the last security-related one. Probably goes without saying, but this is definitely a beta project. I'm doing a lot of other things to protect against this kind of attack (filename scrubbing, bcrypt passwords), so I'm pretty red in the face about how dumb this one was.
If you find any other bad bugs, please let me know (@kyledrake on Twitter) instead of, you know, trashing other people's work. I'm finding the duplicate sites right now and taking care of it. Thanks, and again my apologies.
This is not an email phishing expedition. I don't even require you to enter your email address to make a site.
You are right, I should have reached out to you directly with this issue. I took the easy route and didn't put in any effort to track you down, for that I am sorry. However, I take exception to you categorizing my post as "trashing other people's work."
I feel that I also have a responsibility to publicize such a glaring security hole in your site. This is the number 1 link on HN at the moment. Thousands of people are going to be signing up. I think they have the right to know that a bug like this exists. Like I said in my initial post, a bug this big seemed to be a sign of a bigger problems. I had suspicions the site was malicious and at that point my priority was to point out those suspicions to the HN community.
Here, I'll do one better: If anyone is concerned about the nature/security of the site, here is the source code to NeoCities, ready for anyone to do a full security audit: https://github.com/kyledrake/neocities-web
I can't believe what I just witnessed. Something expressing a valid concern in a somewhat uncivilized manner, the developer answering in a nice way, the original poster apologizing and the developer linking to the source code to quench other similar concerns. WHAT HAS THE INTERNET COME TO?
Hey, I'll try to hunt this down for you but just to give you a heads up, the server gives me a 500 internal server error when I use characters like "ğ" or "ü".
great response. the bug's existence alone made me question the project intent and viability. even though i probably won't read your code, just making the source available mitigated my biggest concerns.
I think it's a pure joy to read the Ruby source. Although Ruby is not fast, it's got some of the simplest, most elegant frameworks out there. Sinatra is not much more than a router config file with some logic. Sequel is the simplest database ORM and migration tool around. And Slim makes very readable templates. All frameworks perfect for the first minimum viable product. If this site takes off, I would perhaps pay someone to rewrite some bottlenecks of it in Java.
I don't mean to pick on this project in particular. In fact, this project as a whole is quite possibly the cleanest Ruby code I've ever seen.
That being said, Ruby's syntax makes me want to gouge my eyes out. There's equal signs, unquoted regular expressions, exclamation points, absolute value bars, and at signs all over the above code. You can't even sort-of follow what this code is doing without searching through the manual every third character. Ruby syntax is worse than C++ and almost as bad as Perl.
Someone tried to explain Ruby syntax to me last week [2], and I'm not sure if I understood it more, or less, as a result, because my conclusion was that Ruby's syntax is so bad, the language shouldn't even be able to exist! I.e., there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible!
I fail to see how using equal signs for assignment (or for defining assignment methods) is a problem with syntax, rather than an enhancement to clarity.
> unquoted regular expressions
What's wrong with that? Regexes are a different type than strings. Why should they look like strings?
> exclamation points
...again, so, what?
> absolute value bars
vertical bars used to set off block argument lists aren't absolute value bars. (Neither are vertical bars used for logical-or.)
> at signs
Again, so?
> You can't even sort-of follow what this code is doing without searching through the manual every third character.
Yes, I can, and not just "sort-of follow" it.
> Ruby syntax is worse than C++ and almost as bad as Perl.
There's no accounting for taste, I suppose.
> there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible
As Ruby does exist, and is parsed, this is clearly not the case. That said, Ruby's syntax is not optimized for machine parsing; it's designed to be Ruby-developer-friendly rather than Ruby-parser-developer-friendly.
If you want something optimized for the developer of the language's parser, look to Lisp.
using System.Linq;

// Parse tags string.
// Example:
// "tag1, tag2" => {"tag1", "tag2"}
// "tag1, very long tag" => {"tag1", "very long"}
string[] NewTags(string tags_string)
{
    // Allow only letters, numbers, spaces and the comma separator in the tag string.
    tags_string = new string(tags_string.Where(c => char.IsLetter(c)
        || char.IsNumber(c) || c == ' ' || c == ',').ToArray());
    // Separate multiple tags with commas and trim surrounding whitespace.
    string[] tags = tags_string.Split(',').Select(s => s.Trim()).ToArray();
    // Two words per tag maximum (extra words in a tag will be removed).
    for (int i = 0; i < tags.Length; i++)
    {
        string[] wordsInTag = tags[i].Split(' ');
        if (wordsInTag.Length > 2)
        {
            tags[i] = wordsInTag[0] + " " + wordsInTag[1];
        }
    }
    return tags;
}
> there are a large number of syntactical ambiguities, so writing a parser for it should be completely impossible
Keep in mind that while your protest does sound intuitive - e.g. that Ruby can be syntactically ambiguous, ergo it is unparseable, it turns out that that doesn't stop us from writing a parser. We can parse most things even if we can't parse the "general case." When we DO encounter something unparseable, the compiler can a) guess or b) fail, hopefully with a message that will help us investigate and rectify the failure.
You point out that Perl's syntax may be worse than Ruby's, and I assume that implies that it is more syntactically ambiguous, ergo, writing a parser should also be impossible for Perl. It turns out that Perl is provably unparseable in the general case - in fact, it's been done rather rigorously: http://www.jeffreykegler.com/Home/perl-and-undecidability
Regardless of Perl's general unparseability, we have compilers for Perl and even large projects manage to compile to what appear to be functional executables. The same is true for Ruby.
I wrote this comment mostly as a reminder that while something may appear to be insoluble, we may be able to solve for sufficient cases that we don't care about the rest, particularly if we have an oracle to fix the number of cases that we can't solve. (In this case, the oracle is the developer.)
Ruby's syntax is beautiful once you've realized two things:
1. How blocks work, and how their minimalist syntax is beautiful. You see absolute value bars but believe me, getting used to that barebones function syntax is a gift. (No other programming language that I know of has an absolute value operator with vertical bars so it is not as hard as you think.)
2. Every time you see a dot, do NOT think attribute access. Think message sending a la Smalltalk.
Suddenly then, things like the tags.collect! line become pretty for encapsulating a callback on one line unlike the ugly function() {} crud of JavaScript, and things like defining a newtags= method become sensible, because everything including traditional attribute getting and setting reduces to message passing.
What's difficult about that function? It's terse, but very understandable.
Oh, the inability to parse Ruby shouldn't be held against it. It has (at the least) a context-sensitive grammar. So do lots of languages, including HTML and perl.
Not being able to parse it doesn't really mean what you think it means. It just means that in order to figure out what it does programmatically, you have to evaluate it. Its unparseability makes certain things impossible, like writing a perfect syntax highlighter. Also makes building certain tools you'd normally see in an IDE difficult.
I don't know if this works for everyone, (and I hate to appeal to magic), but I'm pretty sure it was http://mislav.uniqpath.com/poignant-guide/book/chapter-3.htm... that gave me a visceral understanding of Ruby's syntax. For example, the slashes surrounding the Regexp are like pins that you stick the Regexp onto the paper with, and it lights up if the pattern matches. The at signs stand for "ATtribute". Exclamation/question marks have meanings analogous to their natural language counterparts. And the vertical bars form a little chute that the block variables slide down into the block through. It's really fun.
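The idioms the two comments above describe (a `newtags=` setter, `collect!`, a `/regex/` literal, `@` instance variables, `?`/`!` method names and `|block|` parameters) put together in one small class. This is an added illustration, not the NeoCities source: it mirrors the behaviour of the C# tag parser posted earlier in the thread, and the choice to keep non-ASCII letters such as "ğ" and "ü" is an assumption, not something the project's code is known to do.

```ruby
# Added example (not NeoCities' own code): a Site whose newtags= setter
# sanitizes a comma-separated tag string using the Ruby idioms discussed
# in this thread.
class Site
  attr_reader :tags

  def initialize
    @tags = [] # the @ sigil marks an instance variable ("ATtribute")
  end

  # A setter method: "site.newtags = str" sends the message newtags= to site.
  def newtags=(tags_string)
    # Keep only letters, digits, spaces and the comma separator.
    # \p{L} / \p{N} are Unicode classes, so "ğ" and "ü" survive
    # (assumption: that is the behaviour wanted for tags).
    cleaned = tags_string.gsub(/[^\p{L}\p{N} ,]/, '')
    # Split on commas; the bang method collect! rewrites the array in place.
    tags = cleaned.split(',')
    tags.collect! { |t| t.strip.split(' ').first(2).join(' ') } # max two words
    tags.reject!(&:empty?) # "tag1,,tag2" must not produce an empty tag
    @tags = tags.uniq
  end

  # Predicate methods end in ? by convention.
  def tagged?(tag)
    @tags.include?(tag)
  end
end

# Usage with a constructed input string:
site = Site.new
site.newtags = 'tag1, very long tag, ,tag1, ğü!'
site.tags # => ["tag1", "very long", "ğü"]
```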
This is in the same league with arguing against Esperanto in favor of Interlingua. You'll never get anywhere with people with the "so what?" or "no, it's just you" mindset, as in their capacity they're incapable of (or unwilling?) entertaining perspectives beyond their own.
That said, I do really enjoy reading this code. It's indeed very, very clean!
I don't think it's a smart idea to publish the source code to your site (especially while on the front page of Hacker News) until you've spent a significant amount of money on auditing the security internally to the point that others are comfortable with a public release.
Now it looks like something happened, and you've got no site, and thousands of people trying to access it!
That wasn't directed at you, it was a general comment. I was referring to the person(s) that defaced other people's sites. Sorry if it came off any other way. :)
I read the "trashing other people's work" comment as referencing smashing someone's site by registering an account over theirs, not publishing the bug on hacker news.
Responsible security disclosure would say you've got a responsibility to make the bug known. Making it public should only happen after you've made the creator aware.
I can understand why the developer viewed you as 'trashing' his work, you claimed it as a phishing expedition. That'd make the best of us upset. I see you've sorted it out between you which is great, and I hope others look at this exchange and get some good takeaway from it.
> I feel that I also have a responsibility to publicize such a glaring security hole in your site.
It's static web site hosting; exactly what "security holes" could we be talking about? Not theoretical holes that you could technically exploit on the 45th blue moon of the century, but things that might actually happen.
I'd just like to point out that when he said "trashing other people's work," he was likely referring to people overwriting others' pages, not your comment.