George V. Reilly

Path Traversal Attacks

I was surprised to read this evening that the Apache Web Server just fixed an actively exploited path traversal flaw.

🚨 Apache has disclosed an *actively exploited* Path traversal flaw in the #open­source "httpd" server. Over 112,000 exposed Apache servers run version 2.4.49, and should be upgraded now!
New fix checks for encoded path traversal characters e.g. /../.%2E/https://t.co/1tLNc3LAul pic.twitter.com/mDHLEU3k9N
— Ax Sharma (@Ax_Sharma) October 5, 2021

Apparently, it was introduced over a year ago.

I’m gobsmacked that Apache didn’t have a robust suite of tests for this.

Directory Traversal attacks have been a problem for web servers since the beginning. OWASP, PortSwig­ger, and Spanning all have ex­pla­na­tions that you can read. The essence is that you make a request continue.

Accidentally Quadratic: Python List Membership

We had a per­for­mance regression in a test suite recently when the median test time jumped by two minutes.

We tracked it down to this (simplified) code fragment:

task_inclusions = [ some_collection_of_tasks() ]
invalid_tasks = [t.task_id() for t in airflow_tasks
                 if t.task_id() not in task_inclusions]

This looks fairly in­nocu­ous—and it was—until the size of the result returned from some_­col­lec­tion_of_­tasks() jumped from a few hundred to a few thousand.

The in comparison operator con­ve­nient­ly works with all of Python’s standard sequences and col­lec­tions, but its efficiency varies. For a list and other sequences, in must search linearly through all continue.

Passphrase Generators

I’ve been using password managers for at least 15 years to keep track of all my passwords. I have separate, distinct, strong passwords for hundreds of sites, and I’ve only memorized the handful that I need to actually type regularly.

I started out with the KeePass desktop app originally, but I switched to the online LastPass app about a decade ago. At work, we use 1Password.

When I register for a site, LastPass generates a random password for me, such as:

tV%5joS$U6^uY5xU
T2oEUY!g70Iv1b&I
8kNHg9*A5GMR9%8D

LastPass securely syncs my passwords between machines and devices. Its browser in­te­gra­tion and its Android and iPhone apps mean that I rarely ever have to actually type any of those ugly messes in.

But when continue.

Punctuating James Joyce

In The Punc­tu­a­tion Marks Loved (and Hated) by Famous Writers, Emily Temple relays a range of opinions from writers such as Tom Wolfe, Elmore Leonard, and Ursula K. Le Guin on periods, semicolons, hyphens and more.

On commas:

Listens to the sound of the sentence, and is always right, Bob: Toni Morrison

[On her editor, Bob Gottlieb, who famously “was always inserting commas into Morrison’s sentences and she was always taking them out”] We read the same way. We think the same way. He is over­whelm­ing­ly aggressive about commas and all sorts of things. He does not understand that commas are for pauses and breath. He thinks commas are for gram­mat­i­cal things. We have come to an continue.

Now You Have 32 Problems

Some people, when confronted with a problem, think “I know, I’ll use regular ex­pres­sions.” Now they have two problems.

— Jaime Zawinksi

A Twitter thread about very long regexes reminded me of the longest regex that I ever ran afoul of, a par­tic­u­lar­ly horrible multilevel mess that had worked acceptably on the 32-bit .NET CLR, but brought the 64-bit CLR to its knees.

Whenever I ran our ASP.NET web ap­pli­ca­tion [on Win64], it would go berserk, eat up all 4GB of my physical RAM, push the working set of IIS’s w3wp.exe to 12GB, and max out one of my 4 cores! The only way to maintain any sanity was to run iisreset every 20 minutes to gently continue.

Weirdest Birthday Ever

When I said that Emma and I would be spending 2020 in Dublin, I could not possibly have an­tic­i­pat­ed what would be happening in Seattle while we were gone.

Today is my 55th birthday and it’s the weirdest birthday ever, in what must be the weirdest week that most of us have lived through. (So far.)

COVID-19 is all that anyone can talk about: where it’s spreading, how it’s being handled, what comes next.

I started working from home on Tuesday, March 10th. Emma’s general health and immune system are not good. My parents, who live nearby, are now both 80 years old and neither is in great health. It seemed prudent to minimize my continue.

Dublin for 2020

I left in the Eighties; I’m going back in the Twenties.

I am trans­fer­ring to a Dublin-based team at Stripe for a one-year rotation. Emma and I will be moving to Dublin just before Christmas. Emma has never lived in Ireland and I haven’t lived there since January 1989. After 30 years in the US, I’m about to spend a year in my hometown.

I grew up in Dublin, earned a Bachelor’s degree in Computer Science at Trinity College Dublin in 1987, and moved to the US in 1989 to get a Master’s degree in Comp Sci at Brown University in Providence, RI. Microsoft moved me to Seattle, WA in 1992, where I’ve continue.

A Use for Octal: Calculating Modulo 36 from Modulo 9

(I posted an earlier version of this in December 2004 on my old technical blog. A discussion at work last week about 36-bit computers at the Living Computers Museum prompted me to write an updated post with improved ex­pla­na­tions and much better typography.)

I’ve been pro­gram­ming in C since 1985 and C++ since 1991, but I’ve never found a use for octal rep­re­sen­ta­tion until [2004], aside from the per­mis­sions argument for chmod. Octal has always seemed as vestigial as a human appendix, a leftover from the early days of computers, when word sizes were often a multiple of three: 6-, 12-, 24-, or 36-bits wide. All modern computers use word continue.

Decrypting Blackbox secrets at build time with Paperkey

“Security is 1% technology plus 99% following the procedures correctly” — Tom Limoncelli

Having dealt with GPG last week at work, I remembered that I had intended to write a blog post about how we used GPG, Blackbox, and Paperkey to store secrets in Git at my previous job.

We used Blackbox to manage secrets that were needed during de­vel­op­ment, build, deployment, and runtime. These secrets included AWS cre­den­tials, Docker registry cre­den­tials, our private PyPI cre­den­tials, database cre­den­tials, and cer­tifi­cates. We wanted these secrets to be under version control, but also to be secure.

For example, we had a cre­den­tials.sh that exported en­vi­ron­ment variables, which was managed by Blackbox:

# Save current value of xtrace 
continue.

Review: Fire and Blood

Title: Fire and Blood
Author: George R.R. Martin
Rating: ★ ★ ★ ½
Publisher: Bantam
Copyright: 2018
Pages: 736
Keywords: fantasy
Reading period: 28 December, 2018–1 January, 2019

I’ve been waiting longer than most for George R.R. Martin to finish the A Song of Fire and Ice series: I read the first book when it was newly published in paperback in 1997. Fire and Blood is a new addition to the series, but it is a prequel and does not advance the plot at all. This book is a history of the first half of the three hun­dred–year reign of the Targaryen dynasty, the dragon riders who conquered Westeros with their fire­breath­ing dragons. The Game of continue.

Previous »