Topics - Arantor
181
And it finally dawned on me why it bothered me in a really odd way.

The first attachment is of course the favicon, the second is what it reminds me of. That damned advert.

From Aqua Fresh Advert 2007 if you're wondering. Yes, this is a real commercial from the 1980s that I grew up with, and over the last few years they have been reshowing it unedited, because it still works.
182
Archived fixes / Thoughts don't handle entity content properly
« on March 20th, 2012, 08:56 PM »
See live's thought, it had a double space in it, wedit::preparsecode converted that to an nbsp, but that's displayed rather than converted.
183
Archived fixes / Split topic appears to trip Bad Behaviour
« on March 20th, 2012, 03:40 PM »
I did a split topic here, and somehow I managed to trip the 'offsite form' detection (but because I'm an admin it merely warned me, as opposed to blocking me entirely)

I'm suspecting there is something wrong with that, but I'm in the middle of writing the log viewer so I'll be able to see WTF is going on with it.
184
Archived fixes / Misalignment with edited post
« on March 20th, 2012, 11:49 AM »
Screenshot says everything. Current Chrome beta branch for me.
185
Features / "Username does not exist" warning
« on March 20th, 2012, 02:42 AM »
I'm not sure how I feel about this one.

Here's the deal: when you present a username/password box, you're expecting a username and password. Either being absent is fair game to report to the user, and if the password is wrong, again, fair game to admit it.

But what should happen if the username is invalid?

SMF, and currently Wedge, report that the username does not exist. Note that this will be the same for email addresses, which means it's possible to brute force email addresses out of the system with work.[1]

If it isn't obvious what I'm getting at, let me explain. If you type in a username and password, but the username doesn't exist, it will tell you so, regardless of what the password is. If you type in a valid username (or email address), but a useless password, you get told the password is wrong. Given that information it is possible to use the login feature to validate email addresses against your forum's userbase to a degree.[2] All because you're telling them something about the data they have.

Here's the catch: it is better user experience to tell them what's wrong with their information, but by doing so you give away something in security that it might be better not to do.

So I'm on the fence about what I should do; the current approach is not wrong but neither is right. It's certainly a better experience than it blandly stating 'The username or password is wrong', but it is less secure. How important is this security, especially in light of privacy laws?
 1. Oh, and did I mention, this isn't recorded anywhere either?
 2. The session level brute force detector will still catch it, but it's not like that's too hard to sidestep.
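
Added example (not part of the original post, and not Wedge or SMF code): the two login behaviours weighed above, side by side, with a check that shows which one confirms account existence. All names, the sample accounts and the in-memory log are constructed for illustration; the uniform version also records failures for unknown identifiers, the gap footnote 1 points at.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample accounts: identifier (username or email) -> (salt, hash)
USERS = {"alice": _record("correct horse"), "bob@example.com": _record("hunter2")}
DUMMY = _record(os.urandom(16).hex())  # verified against when the account is unknown
FAILED_LOG = []                        # stand-in for a real audit log

def login_verbose(ident, password):
    """Behaviour the post describes: the reply reveals whether the account exists."""
    rec = USERS.get(ident)
    if rec is None:
        return "username does not exist"
    if not hmac.compare_digest(_hash(password, rec[0]), rec[1]):
        return "password is wrong"
    return "ok"

def login_uniform(ident, password):
    """Same reply and same hashing work for both failure cases; every failure logged."""
    rec = USERS.get(ident)
    salt, stored = rec if rec else DUMMY
    # Hash first, so an unknown identifier costs as much time as a known one.
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if not (matches and rec is not None):
        FAILED_LOG.append((ident, rec is not None))  # (identifier, account exists?)
        return "username or password is wrong"
    return "ok"

def leaks_existence(login, known, unknown):
    """True if a wrong-password reply differs between a real and a made-up account."""
    return login(known, "wrong-guess") != login(unknown, "wrong-guess")
```

The user-experience cost is confined to the failure message; the log keeps the detail for the admin instead of handing it to whoever is typing.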
186
Plugins / Yet another: PM flash
« on March 20th, 2012, 02:17 AM »
Really simple idea, and I was bored. All it does is gently flash the PM envelope icon when there are unread messages.
187
Plugins / Another little plugin: topic buttons
« on March 20th, 2012, 01:44 AM »
Eh, I wanted to do a quick plugin that could be used to demonstrate menu manipulation in the message and display areas.

Really simple to perform, it's taken me about 20 minutes start to finish, including changing how I did it part way through because I found it cleaner in the end :P

The screenshots should speak for themselves: for guests, they get a nice little 'register to post' link in the normal navigation menu, for normal members, they get a 'new topic' button next to the reply button.

Simple tweaks, but it's a nice enough little demonstration.


Naturally when Wedge is available for download, this little one will be as well, but there's not a lot of point my offering it now, you can't do a lot with it.
188
Archived fixes / DNS lookup can sometimes throw errors
« on March 19th, 2012, 09:06 PM »
2: dns_get_record() [<a href='function.dns-get-record'>function.dns-get-record</a>]: res_nsend() failed
Subs.php
Line: 1744

This is related to my custom lookup code, but need to check why it might throw this.
189
Features / Number of posts per page
« on March 19th, 2012, 02:49 PM »
How many of you realised you could configure the number of posts you see in a single page?

How many of you realised that you could set one thing as an admin and users can set their own separately? And that you can even turn off the user's ability to do so?

There are two reasons I'm asking this, firstly because I think it's a setting that can safely be ditched[1] and secondly, because I don't think I can make likes be cachable without this change.

(That's probably not a big deal for most of you, but it is for me, OK? :P Specifically, when you like something, you need to be able to expire that cache, and the only viable way to do that is based on the page you're on, e.g. topic 1, page 1, which only works if it's the same size for everyone, of course)

Thoughts?
 1. If anything, I'd suggest it *should* be ditched not only because of the user interface stuff but also the fact that you can performance tune it better doing it one-setting-fits-all and upping it from the default of 15 to more like 20-25 per page, it's more posts per page but fewer pages if that makes sense.
190
Archived fixes / Boards don't get their PURLs created properly
« on March 19th, 2012, 12:58 PM »
I believe Nao's already aware of this one, but when creating a board, its pretty URL isn't generated properly, causing all sorts of odd breakage when creating new boards.
191
Archived fixes / Preparsing adds url bbc where it shouldn't
« on March 19th, 2012, 12:32 PM »
Multiple cases now we've seen preparsing (especially on edits, but sometimes on first posting) perform hard conversion of bare URLs to [url]link[/url], especially when it occurs inside img tags, breaking the tag.

I've seen this on and off for a while but I thought I'd fixed it a bit back - but apparently not.
192
Features / Thought privacy icons
« on March 18th, 2012, 07:14 PM »
I think it'd be nice to add icons for thought privacy, sort of like FB does, just to indicate who it'll go to - not so much for the sidebar but on the front page to show who can see what.
193
Off-topic / How to piss Arantor off, part 3
« on March 18th, 2012, 02:55 AM »
http://anotheradminforum.com/forum-seo/favorite-seo-mods/msg23107/#msg23107

You all know I don't have a lot of sympathy for forum SEO, but this is honestly frustrating. But if you're going to suggest places for me to read, and suggest that I should read them, expect me to do that and come back later on to continue the debate. It's funny how everything I've been saying is what Google's own starter guide + best practices say.
194
Features / Admin upload facilities
« on March 17th, 2012, 02:51 PM »
OK, since this has been asked, I'm going to explain this in a lot more detail.

The simple version: having any kind of ability where the admin uploads something for the forum itself, e.g. themes, plugins, smiley images, badges/rank images... this is a security risk. So too is media and attachments and avatars, but specific things can be done to mitigate those.

But anything that requires touching any of the core files is a serious security risk. Why? Because it requires opening up the core folders and files to higher permissions than they should have. This means making things writable by ANY USER on a shared host. Can we say 'hackable'? YES WE CAN!

The obvious answer is 'put permissions back again afterwards' but the thing is, people don't. They leave permissions set open for their own convenience later on, which is how come so many SMF installations get hacked at some time or another.[1]

Now, I have proposed a solution for this elsewhere but it's not a brilliant one. Specifically, it would require you (as the admin) to put in your FTP password periodically to upload things like plugins. Certain magic can be worked so that FTP (or SFTP) can be used to perform this kind of work, without making a security hole.

Before anyone asks, what are the chances of me giving you an admin upload facility that doesn't use FTP/SFTP and works solely by you changing permissions yourself? ZERO. There is ABSOLUTELY NO WAY IN HELL I will give you that ability. The idea is that you shouldn't be screwing around with it, and especially not screwing around with setting core files/folders to 777. And if you do, that's YOUR responsibility. My responsibility is in making a decision whether I give you a gun to shoot yourself with, or giving you an air rifle that probably won't kill you, you can guess where I'm going with this.
 1. Though I stress, it really isn't only SMF, it's just that's what I know for certain.
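
Added example (not part of the original post, and not Wedge or SMF code): a check an admin can run for the situation described above, where folders opened up for an upload are never put back. It lists everything under a forum root that any local user can write to, then clears the group/other write bits; the function names and the sample tree in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

def _paths(root):
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def world_writable(root):
    """(relative path, mode) for each entry that any user on the host may write to."""
    hits = []
    for path in _paths(root):
        st = os.lstat(path)
        # Symlink modes are meaningless on Linux; only real files and dirs count.
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)

def put_back(root):
    """Clear group and other write bits on everything world_writable() reports."""
    fixed = []
    for rel, _mode in world_writable(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~0o022)  # 777 -> 755, 666 -> 644
        fixed.append(rel)
    return fixed

def demo():
    """Constructed tree: a core folder left at 777 after an upload."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    src = os.path.join(root, "Sources")
    os.mkdir(src)
    os.chmod(src, 0o777)
    for rel, mode in (("Sources/Subs.php", 0o666), ("index.php", 0o644)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    before = world_writable(root)
    put_back(root)
    return before, world_writable(root)
```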
195
Something I've noticed about drafts that I didn't quite notice before is a slightly complex chain of events that needs cleaning up.

If you type something, then preview it, it does autosave the draft, and it does actually remember that draft - so if you go from quick reply-with-draft through to preview, it won't create a second draft (as it shouldn't), but you won't be able to delete that draft there and then, you'll have to wait until the post is edited and resaved automatically. (Confirmed here just now, I was able to start a post, let it autosave, preview, then noted the behaviour)

I suspect something similar occurs to PMs, too.

I still need to fix the case of editing a draft when the board no longer exists that the draft originally came from.[1]


Also: IMO, the tabindex structure on posting is a touch off, it needs to go from subject to body, not via the selectboxes. I don't think it should take 4 tabs to get from subject to body.
 1. If you have a draft for a reply, but the topic no longer exists, that's fine, it will just take you to editing as if you were creating a new topic. But if the board no longer exists, it gets very upset and dumps you at the no_board error.