#foswiki 2017-03-01,Wed


Who What When
Lynnwoodgac410 - excellent! [01:23]
......... (idle for 40mn)
GithubBot[distro] gac410 pushed 1 new commit to master: https://git.io/vyYQd
distro/master 5f77114 George Clark: Item9790: Fix HTML errors found by SafeWikiPlugin
[02:03]
***GithubBot has left [02:03]
FoswikiBothttps://foswiki.org/Tasks/Item9790 [ Item9790: Update and modernise the UI for BulkRegistration ] [02:03]
***ChanServ sets mode: +o Lynnwood__ [02:05]
.............. (idle for 1h8mn)
GithubBot[SafeWikiPlugin] gac410 pushed 1 new commit to master: https://git.io/vyYbF
SafeWikiPlugin/master 58a4f1e George Clark: Item14334: Add signatures for 2.1.3 / 2.2...
[03:13]
***GithubBot has left [03:13]
FoswikiBothttps://foswiki.org/Tasks/Item14334 [ Item14334: Add Foswiki 2.1.3 / 2.2.0 signatures to SafeWikiPlugin ] [03:13]
.............. (idle for 1h5mn)
GithubBot[distro] gac410 pushed 1 new commit to Release02x01: https://git.io/vyYp9
distro/Release02x01 61ca6a5 George Clark: Item14324: Fix some unescaped braces in regex
[04:18]
***GithubBot has left [04:18]
FoswikiBothttps://foswiki.org/Tasks/Item14324 [ Item14324: Unescaped left brace - Perl 5.25.10 in 2.1.3 tarball. ] [04:18]
GithubBot[distro] gac410 pushed 1 new commit to master: https://git.io/vyYph
distro/master dda049a George Clark: Merge branch 'Release02x01'
[04:20]
***GithubBot has left [04:20]
GithubBot[distro] gac410 pushed 1 new commit to Release02x01: https://git.io/vyYha
distro/Release02x01 32cfdf2 George Clark: Item14324: More regexes with unescaped braces....
[04:27]
***GithubBot has left [04:27]
GithubBot[distro] gac410 pushed 1 new commit to master: https://git.io/vyYhw
distro/master fed5491 George Clark: Merge branch 'Release02x01'
[04:27]
***GithubBot has left [04:27]
............. (idle for 1h0mn)
gac410 has left [05:27]
.............................. (idle for 2h26mn)
ChanServ sets mode: +o cdot [07:53]
................................. (idle for 2h43mn)
ChanServ sets mode: +o Lynnwood [10:36]
............................................... (idle for 3h50mn)
vrurgIt seems that complicated SSL wrapper for SMTP is not needed anymore. Net::SMTP has built-in SSL support... [14:26]
.... (idle for 18mn)
***ChanServ sets mode: +o gac410 [14:44]
.... (idle for 17mn)
gac410howdy cdot. SafeWikiPlugin seems to be working quite well. Found an encoding issue, and some missing signatures, but other than that it's looking good.
One thing I noticed though is that if there are any html errors, minor div ordering issues, etc. it totally screws up the page.
[15:01]
cdotNice one. I saw what you'd done, all seems to make sense. Need to add signing to the "things to do" list, I guess. [15:01]
jastthat problem is that SWP uses a pretty old HTML parser that likes XHTML to be actual XHTML
replacing it with a more forgiving parser should solve these page screw-ups
[15:02]
cdotthe page is processed through an HTML parser - the most tolerant one I could find - but still sharper than the browser parsers, which have a vested interest in rendering garbled HTML cleanly [15:02]
gac410y. The problem is that there is no easy way to find everything that needs to be signed. [15:02]
cdotjast: is there a more tolerant parser around, then? [15:02]
gac410that I've found anyway, other than viewing every page looking for warnings in the log [15:02]
cdotI tried several, but the one I used was the only one I could find that actually worked under fire.
gac410: yes. The world of SafeWikiPlugin is - and should be - less tolerant of slapdash behaviours.
[15:03]
jastI think a few new ones were developed, but probably after you started development of SWP [15:03]
cdotThat's my excuse, and I'm sticking to it ;-) [15:03]
gac410I wonder if we still need that If IE test that adds the </base> closing element. It seems to get that one messed up too. [15:04]
jastMojo::DOM is pretty forgiving, for instance, but it's part of a full web framework [15:04]
cdotthat was an IE bug, IIRC [15:04]
gac410probably a very old IE bug [15:04]
jastand it's not particularly knowledgeable about browser quirks [15:04]
cdotanyway, you could add SWP as a step in validation of a new release
if a page can't get past it cleanly, then it's a borked page
[15:04]
gac410With the results I'm seeing, I wonder if we should install it on foswiki.org for our own protection. [15:05]
jastI believe HTML::HTML5::Parser can be made to be fairly forgiving, too [15:05]
cdotgac410: I suggested that a long time ago, but got bounced, because of the perceived extra load it brings.
jast: I think it's unlikely anyone will recode SWP just to use a different parser, now.
[15:06]
gac410I've got a fix for the HMAC utf8 encoding, but right now it's unconditional. Need to figure the best way to only use it on UNICODE platforms. [15:06]
jastthe extra load is a drop in the ocean IMO [15:07]
gac410y. Especially since we use the page cache. I assume if the HTML is cached we don't have to check it. [15:07]
GithubBot[PublishPlugin] cdot pushed 2 new commits to master: https://git.io/vyOjT
PublishPlugin/master 479e3c8 CDot: Item14319: must URL decode encoded URLs when copying resources
PublishPlugin/master 65ff3b9 CDot: Item12374: validation is not needed for these options, they are dynamically checked, and the empty string has a valid meaning.
[15:08]
***GithubBot has left [15:08]
FoswikiBothttps://foswiki.org/Tasks/Item14319 [ Item14319: PublishPlugin needs to encode output ]
https://foswiki.org/Tasks/Item12374 [ Item12374: 'ftp' backend fails due to call to non-existent sub PublishPlugin::Publisher::validateNonEmpty ]
[15:08]
cdotI would assume so, though I don't fully understand how dirty areas are handled [15:08]
jastI don't actually know how this interacts. is completePageHandler bypassed if we serve from page cache? [15:08]
cdotjast: snap ;--) [15:08]
jastmight be fixable with some extra magic
the way I implemented the ADDTOZONE stuff is pretty magical already, so it would be in good company
[15:08]
gac410y. I hate monkey patching. Seems like something we always manage to clobber at some point.
I was wondering if that is a call that we could add to the core as a hook to support signing.
[15:09]
jastI did have to change the monkey patch for Foswiki 2 [15:10]
gac410Is it still backwards compat for 1.x? [15:11]
jastI think so [15:12]
***ChanServ sets mode: +o Lynnwood [15:12]
jastoh, no, it's actually not
I thought I committed the patch, but some other guy did and he basically changed it from 1.x to 2.x instead of branching
[15:13]
gac410ugh. Well we could always mark the new release Foswiki 2.x only [15:13]
jastthis is the change: https://github.com/foswiki/SafeWikiPlugin/commit/12ade9ee733a685e313c1c4048b3ecb697739b6e [15:13]
gac410Yeah that's right, we relocated the Zones code.
Oh. good Right answer :D
[15:14]
jast:) [15:15]
gac410for searching for missing sigs, grep for onclick, onmouse ... anything else to look for?
If I had a list of topics to visit, that would help in checking for signatures. I suppose it could even be a search results to click through in TestCases
[15:19]
............ (idle for 57mn)
jmk0didn't see a response to my query, so re-asking... how can you link from one subweb to a sibling sub-web? [16:17]
***ChanServ sets mode: +o cdot [16:27]
.... (idle for 19mn)
ChanServ sets mode: +o cdot [16:46]
....... (idle for 34mn)
gac410jmk0: I saw your last question but I really didn't understand what you were trying to do.
If it's via an %INCLUDE macro, iirc it does some funky stuff to relocate links into the including web. It might be getting something wrong I suppose.
cdot: One thing to think about with SWP, Installing the signatures into Foswiki/Plugins/SafeWikiPlugin/Signatures/SomePlugin.pm doesn't feel right.
For ex, it would be nice to ship the core sigs with Foswiki rather than embedded into the plugin.
[17:20]
cdotgac410: I have no idea what that means. I'm a user of signatures only; never got involved in impl. :-(
but it doesn't *sound* sensible
I'd a thought sigs would be in a file stored somewhere separate and verifiable by MD5
[17:25]
gac410The SWP allows other extensions to drop their signatures into a submodule of the SWP/Signatures. It's a nice idea, but seems like there would be a better location.
it's an "executable" that just has an array that's returned
[17:26]
cdotbleagh [17:26]
gac410For ex: Foswiki/Plugins/SafeWikiPlugin/Signatures/Foswiki.pm are the "core" sigs [17:27]
cdoty, I get the picture
and these are shipped with SWP?
[17:27]
gac410yes [17:27]
cdotshouldn't they be shipped with FW?
as in, be somewhere in working?
[17:27]
gac410That's exactly my point :D Thanks [17:28]
cdote.g. working/work_areas/SafeWikiPlugin [17:28]
gac410well we never ship anything there at all .. that's for dynamic data [17:28]
cdoty, but it was the first place I thought of
I'm sure you can do better ;-)
[17:29]
gac410I was thinking about that as well. (not doing better... just pondering working). I was wondering about either data, or someplace else in lib. In theory, working can be recreated anytime IIRC. Most of the data is transitive, though important. [17:30]
cdoty, I'm looking at lib too. Perhaps even a way of installing sig packages
./pseudo-install.pl CoreSignatures
CoreSignaturesContrib
if you get my drift
[17:31]
gac410Allowing core + any plugin to drop in signatures is good. ie JQueryPlugin should drop in all the JQ related sigs.
So updating a plugin gets the latest sigs.
[17:32]
cdotyup
so should sigs come from the plugin install? as in, be part of the MANIFEST for the plugin?
[17:32]
gac410Right now I'm adding them all to the SWP/Signatures/Foswiki.pm just to get foswiki working. [17:33]
cdotmessy [17:33]
gac410hm There are still cases where install has to be an unzip, so that one is indeed messy.
Maybe a separate SIGNATURES file?
[17:33]
cdotdon't you need to *build* the sigs somehow? How does that happen?
i.e. perl build.pl release should build all the sigs for that code
[17:33]
gac410Well I'm just running in WARN mode and visiting every topic I found with grep [17:34]
cdotgrief. Gotta be a better way than that. [17:34]
gac410indeed build.pl release would be ideal. but I don't know how to do it. [17:34]
cdothow do you build a sig? [17:35]
gac410I think you can paste code into tools/safewiki-sign? Not sure. It's not particularly clear on how to use it.
grep -Rl onclick|onmouse and visit each listed topic is what I'm doing to get a SWP that will work with 2.1.3
[17:35]
cdotthat gives you a list of handler calls, but what's the next step? [17:37]
gac410View the page, and get the reported sig from the error.log
SafeWikiPlugin: WARN: Disarmed on* on /System/JQueryButton (SHA: zRv6MG518cGe+OgeXt3faED8LlL7jeovaK/wwJvfvKI, MAC: J5ANfkHu5iIddpl7z2oUNTZSmAQ
[17:37]
cdotaha, ok, so there's some magic that is generating a unique sig for each handler call on a page
then you somehow connect the page and the sig?
[17:38]
gac410Then paste zRv6MG518cGe+OgeXt3faED8LlL7jeovaK/wwJvfvKI into the Foswiki.pm array.
no. purely a code sig, not page dependent
[17:38]
cdotjust that?
ok, that makes it simpler
how is the sig generated?
cdot apologies for the questions, deep in a VPN without access to code ATM
[17:38]
gac410Not sure. I think it just takes a SHA1 of the on*=
It also uses a secret key to generate a HMAC ... but I have not figured out how to make use of that yet. It doesn't need it for basic checks.
As the key is "site specific" it's not something we could ship anyway
For now I'm planning on just adding all the 2.1.3 sigs to the Foswiki.pm, and not deal with per-extension. Just to get a running SWP.
[17:39]
cdotlet's stick to the simple case. So there are two approaches (1) build.pl and (2) configure [17:41]
gac410Don't want to fall into the adage of "No job is too small to make a project out of it"
Well 3) Manual
[17:42]
cdottoo lazy for that [17:42]
gac410Well I'm 80% done :D
At least for the core.
[17:42]
cdotso the HMAC, which requires a site key, would have to be done in configure, I assume [17:42]
gac410lemme go read again. [17:42]
cdotI'm interested in how to automate it for build.pl
seems to me it *should* be fairly straightforward; unless jast did something *really* clever
cdot waits for jast to deny any possibility of cleverness
[17:43]
gac410Okay. HMACs are actually inserted into the code itself
/*safewiki:U2AGOBOv0pY4R4poBM/EXQNRFoE*/alert('This works (if the MAC is correct)');
So you sign the code using the site specific key, and then insert it into the code as a comment.
If you write a new code snippet, you paste it into safewiki-sign, and it generates both the SHA1 (universal) and HMAC (site specific) and you can use one or the other I guess.
I don't really understand the benefit of the HMACs vs the simple sig. If you could c/p that code with comment, I assume you could use it anywhere on the site.
Unless the HMACs are redacted and never visible, in raw or any other topic view.
Ah okay. HMACs are really specialized. No use for us by default.
The third option is meant to be used for providing wiki apps that users can install without needing administrator rights; for instance, a wiki consultant might use their customers' secret keys to distribute pure wiki apps without causing any administrative overhead for the customers -
(c/p from the plugin)
[17:44]
LynnwoodI know this is waaaay off topic for this channel, but I've been listening to the Hamilton sound track today cause my kids have been so into it. Also, I'm 2/3 of the way through Chernow's biography of Hamilton. I just gotta say: GREAT soundtrack and amazing read as well. Hamilton was really a piece of work. I have read several other biographies of founding fathers but Hamilton really was in a class by himself. [18:05]
gac410hm I thought the channel name was indeed #foswiki#hamilton :D [18:06]
LynnwoodMay not be of obvious interest to our Foswiki clan across the pond, but recommended anyway. It's a hell-of-a-story by any measure. [18:07]
..... (idle for 22mn)
***ChanServ sets mode: +o cdot [18:29]
gac410Ugh. Looks like the code that generates definition list needs to add a close ... SWP craters the PatternSkinElements page with a bunch of </dt> tags at the end. [18:40]
yup, <dt> needs a </dt> :( [18:47]
cdotyuck. That's a core bug. [18:47]
gac410yes it is :( [18:48]
jmk0different approach to what I'm trying to do. Using %WEBLIST% ... I can get the list I wanted. Is there a way to reverse the order?
SEARCH and TABLE have sort options but I didn't see one for WEBLIST
unless I can do it w/ CALC or some such
[18:48]
gac410If it's returning a simple list web,web,web ... then you can use %CALCULATE($LISTSORT(%WEBLIST ...
And I think %FORMAT can then format the list ... not sure though
[18:51]
jmk0ok
sounds like something for when I'm feeling slightly more ambitious ;-)
doesn't look like listsort lets you do a reverse order sort though
listsort + listreverse maybe
[18:52]
gac410y.
I'm still not completely following though what is broken about the links. Could you either pastebin an example of how to recreate it, or use a f.o Sandbox topic?
[18:54]
GithubBot[SafeWikiPlugin] gac410 pushed 1 new commit to master: https://git.io/vy3Mm
SafeWikiPlugin/master f79aab0 George Clark: Item14334: Add the rest of 2.1.3 signatures...
[18:56]
***GithubBot has left [18:56]
FoswikiBothttps://foswiki.org/Tasks/Item14334 [ Item14334: Add Foswiki 2.1.3 / 2.2.0 signatures to SafeWikiPlugin ] [18:56]
gac410Note to developers. If you come across any Regex with an unescaped {, that's not a legitimate {n,m} expression, please escape it. Item14324 [18:58]
FoswikiBothttps://foswiki.org/Tasks/Item14324 [ Item14324: Unescaped left brace - Perl 5.25.10 in 2.1.3 tarball. ] [18:58]
jmk0hard to do without being able to create multiple subwebs [18:58]
gac410I thought we fixed them all 2.1, but it looks like they have tightened up the parser and are warning on more of them.
I've got the subwebs here. I just need to better understand what you are trying to do.
[18:58]
jmk0subwebs under...? I supposedly have my SKIN set to pattern but the skin doesn't look like pattern to me
short version: I can't see a list of subwebs on the left bar
eh, just pasted the weblist macro so I could get a list... working on reproducing the issue now
[19:02]
gac410I suppose an important question. What release of Foswiki are you using?
CDot actually we generate correct code. I'll bet the PatternSkin topic has some manual html in it.
Y, false alarm. That topic has manual html in it :P
[19:11]
jmk0gac410, version 1.1.9. That said I had a facepalm moment when I realized what was happening. My links were using / instead of . to separate web from topic. It works if you use .
Sandbox.JohnKnutsonSandbox has an example of what I was trying to do. A set of links to sub webs that can be included in both the parent and the subwebs and the links work in any case
[19:17]
gac410Ah.. yes. The code is pretty sensitive / web/web ... Topic delimiter is web.topic [19:18]
jmk0again, . works / does not
WEBLIST is still the better solution since I don't have to edit anything
(as new subwebs are added)
[19:18]
gac410generally best to use dot to separate web from topic. I think there are some other instances where the code messes up. [19:19]
jmk0yeah, I blame the original author. Which could be me, who knows. :-) [19:19]
gac410You could also use SEARCH for the WebHome topic [19:19]
...... (idle for 26mn)
cdotgac410: after reading the signatures code, I can't see any way to avoid having to iterate through every shipped topic extracting signatures. [19:45]
gac410topic, and I suppose templates as well. [19:46]
cdotno. Because of the way it works, topic should be enough. [19:46]
gac410oh... good [19:46]
cdotshould be fairly easy to get it to generate a list of the sigs it sees on STDERR
or some such
[19:47]
gac410A quick %SEARCH{"onclick=" type="literal" web="Main,System,Sandbox"}%
Gave me a list of topics to click through. Then I just c/p the sigs from the warning log. It wasn't that onerous
[19:47]
cdoty, but what happens when a plugin is released by someone who doesn't case about SWP
care
it needs to be backgrounded, IMHO
[19:48]
gac410Hm, true. But wearing my RM hat .. :P search/paste/done
build.pl could probably scan for and extract onclick / onmouse pass it through the safewiki-sign, and spit out the sigs
That assumes though that they don't use dynamic code %macros, etc. otherwise it's more work.
[19:49]
....... (idle for 31mn)
GithubBot[distro] gac410 pushed 1 new commit to Release02x01: https://git.io/vy3hY
distro/Release02x01 e6a4b04 George Clark: Item13883: HTML Errors on the page...
[20:22]
***GithubBot has left [20:22]
FoswikiBothttps://foswiki.org/Tasks/Item13883 [ Item13883: Documentation changes for master and 2.1 ] [20:22]
............................ (idle for 2h19mn)
GithubBot[distro] gac410 pushed 1 new commit to master: https://git.io/vyslu
distro/master 8e25d34 George Clark: Merge branch 'Release02x01'
[22:41]
***GithubBot has left [22:41]
...... (idle for 27mn)
gac410jast: Maybe it's the "hook", but SWP is clobbering the zone classes somehow
Item14336
[23:08]
FoswikiBothttps://foswiki.org/Tasks/Item14336 [ Item14336: SafeWikiPlugin breaks zone id information ] [23:08]
