this hadn't given any warning. It was a secondary drive in one of my spare boxes and I thought - ah, I'll make it primary, reinstall and let my nephew have the machine
2006-02-08 03949, 2006
ojnkpjg
that's no fun
2006-02-08 03950, 2006
wolfsong_
luks: when you add your login to the CC in Trac does it send you an email on changes?
2006-02-08 03900, 2006
ojnkpjg
sounds like there probably wasn't anything very important on it, though right?
2006-02-08 03908, 2006
ojnkpjg
reinstalling stuff is a pain in the ass, though
2006-02-08 03951, 2006
luks
wolfsong_: yes, it sends you emails if you are in CC, or you are reporter or owner of the ticket
2006-02-08 03949, 2006
rowaasr13
Ok, seems like unsubscribing old address and moving new subscription to it did work. I thought mailman could complain on move, because that old address already registered for other lists.
2006-02-08 03959, 2006
wolfsong_
i've never gotten one
2006-02-08 03912, 2006
wolfsong_
where can i check the email? My Account just lets me change my pwd
2006-02-08 03928, 2006
inhouseuk
ojnkpjg: fortunately nothing important on the drive. It's just inconvenient and means I'll need another drive before I can let him have the machine
Those Japanese guys kill me with name changes. Say, what do you people think, what's best way to deal with case when singer changes her name by just one kanji, leaving same reading. Two entries for both names? Link them with some AR or what?
2006-02-08 03914, 2006
yalaforge
luks: so, does anyone have a blank email address set?
2006-02-08 03922, 2006
yalaforge
it's not me :-)
2006-02-08 03923, 2006
luks
yes, probably
2006-02-08 03917, 2006
yalaforge
"Opened 9 months ago". yay
2006-02-08 03907, 2006
luks goes to fix it and send them patch
2006-02-08 03916, 2006
rowaasr13
It'd be good to have separate entries for all those linked with some kind of "changed name to" AR that would link them in single discography. And ability to see entire such discography on MB's site, of course.
2006-02-08 03951, 2006
rowaasr13
Would help a lot in cases of slight name changes, but remaining same "persona".
2006-02-08 03928, 2006
zout has to go
2006-02-08 03933, 2006
zout
bye!
2006-02-08 03935, 2006
zout has quit
2006-02-08 03907, 2006
luks
awww, this code is so broken :/
2006-02-08 03946, 2006
yalaforge had a look at their sql code. they are completely clueless
2006-02-08 03955, 2006
Shepard
someone did not read the 'fragile' note on the box
2006-02-08 03947, 2006
yalaforge
'select whatever from wherever where str = %s' % (value)
2006-02-08 03915, 2006
ojnkpjg
is that actually in there?
2006-02-08 03921, 2006
yalaforge
yes
2006-02-08 03932, 2006
yalaforge
they're filtering the strings manually though
2006-02-08 03952, 2006
yalaforge
but of course, they forgot one, so they had an sql injection leak
2006-02-08 03902, 2006
ojnkpjg
probably more than one
2006-02-08 03905, 2006
yalaforge
almost 200 vulnerable trac installs are still out there
2006-02-08 03906, 2006
yalaforge
yup
2006-02-08 03911, 2006
ojnkpjg
just one found so far :/
2006-02-08 03911, 2006
luks
hmm, i think they only use 'select whatever from wherever where str = %s', (value)
2006-02-08 03915, 2006
luks
which escapes the strings
2006-02-08 03916, 2006
yalaforge
in this case, the db driver would do the filtering, but IIRC that's not how they do it
2006-02-08 03901, 2006
yalaforge
oh, it's mixed. sometimes they do, sometimes not :-)
2006-02-08 03908, 2006
luks
:)
2006-02-08 03931, 2006
yalaforge
% (by, by))
2006-02-08 03938, 2006
luks
haha
2006-02-08 03953, 2006
yalaforge
"WHERE milestone=%s ORDER BY value", (field, milestone))
2006-02-08 03907, 2006
inhouseuk
they sound like a bunch of muppets
2006-02-08 03908, 2006
yalaforge
seems there was someone with a clue
2006-02-08 03926, 2006
inhouseuk
one clue maybe
2006-02-08 03952, 2006
yalaforge
their design looks nice, but apparently they have some weak programmers
2006-02-08 03959, 2006
luks
yep
2006-02-08 03904, 2006
flamingcow
this is trac code?
2006-02-08 03909, 2006
yalaforge
yup
2006-02-08 03942, 2006
yalaforge
better keep it on a DB on its own :-)
2006-02-08 03954, 2006
Muti joined the channel
2006-02-08 03954, 2006
dju` has quit
2006-02-08 03949, 2006
inhouseuk
and on a machine that does nothing else
2006-02-08 03900, 2006
luks
i can't believe this is really in their code:
2006-02-08 03902, 2006
luks
cursor.execute("SELECT DISTINCT author,ticket FROM ticket_change "
2006-02-08 03903, 2006
luks
"WHERE ticket=%s", (tktid,))
2006-02-08 03905, 2006
luks
for author,ticket in cursor:
2006-02-08 03906, 2006
luks
recipients.append(row[0])
2006-02-08 03909, 2006
luks
notice the 'row' variable
2006-02-08 03949, 2006
yalaforge
hmmm.
2006-02-08 03906, 2006
inhouseuk
is there any validation on that?
2006-02-08 03907, 2006
luks
it's from previous block of code
2006-02-08 03929, 2006
luks
validation on what?
2006-02-08 03932, 2006
yalaforge
the cursor.execute() is safe
2006-02-08 03938, 2006
inhouseuk
the variables
2006-02-08 03912, 2006
yalaforge
the DB driver is used to expand the %s, not the python string interpolation (this time)
2006-02-08 03924, 2006
inhouseuk
ah
2006-02-08 03906, 2006
yalaforge suddenly wonders where the row variable comes from :-)
2006-02-08 03919, 2006
ojnkpjg
form input
2006-02-08 03920, 2006
luks
"from previous block of code"
2006-02-08 03920, 2006
HairMetalAddict
Okay, there's the usual "submitting an album that's already listed"-types... and now I got one that *knew* the album existed because they submitted an edit for it, then submitted an Add Album for said album only a few minutes after editing the current listing..
2006-02-08 03922, 2006
ojnkpjg
hehe
2006-02-08 03932, 2006
yalaforge is a bit slow today :-)
2006-02-08 03934, 2006
HairMetalAddict slaps his head in Doh! fashion...
2006-02-08 03926, 2006
ojnkpjg
there's a lot of sprintf and str{cpy,cat} in the musicbrainz libs, to be fair, though :P
2006-02-08 03934, 2006
ojnkpjg
not sure it's all safe
2006-02-08 03950, 2006
yalaforge
yup
2006-02-08 03929, 2006
yalaforge
fortunately, the MB server doesn't attack clients
2006-02-08 03937, 2006
ojnkpjg
YET.
2006-02-08 03944, 2006
yalaforge
unlike evil people on the internet, having access to trac
2006-02-08 03948, 2006
yalaforge
:-))
2006-02-08 03904, 2006
ojnkpjg
i'm more worried about possible malicious metadata in files