bacbenji, gary_poster: either of you run the windmill tests from the command line lately?  the documented way doesn't run any tests.00:26
bacxvfb-run ./bin/test --layer=RegistryWindmillLayer -cvvt test_yuitests00:26
bachey benji, over here!  :)00:27
benjilook down, look back up and I'm here with you00:27
benjiI'm on a horse.00:28
bacthanks for the pointer, i'll try it00:28
* bac dinners00:29
gary_posterbac benji danilos gmb mumble about now-ish13:31
benjigary_poster: being a XSS vulnerability I wonder if I should use the non-public list for the email13:44
gary_posterbenji, yeah, I guess so.  I thought it was a theoretical vulnerability ("if you use it with bad info, it will bite you, but we are not sure that anyone is actually using it this way, but anyway it is bad")13:46
gary_postereven as a theoretical vulnerability I suppose it might give people ideas13:46
gary_posteras to what to try13:46
benjithat's true, but I strongly suspect... right; I bet I could come up with some place we allow dangerous values13:47
benjifor example, I wonder if bug descriptions are a vector13:47
gary_posterso, agreed that it should be on private list.  I'd be somewhat surprised if bug descriptions are a vector, but if they were, that would certainly get people's attention.  Might be worth a quick attempt.13:49
benjigary_poster: OK, I'm confused; it doesn't look like it should be possible to provoke XSS the way things are set up.  I'd like to investigate what we did wrong.14:39
gary_posterbenji, heh.  ...technically, you have a card in progress in the quick jobs lane, but you haven't actually moved it.  If you did, we would be over our limits.  I'm the one at fault, since I'm consuming the lanes, but if we honor the limits (which are supposed to help us stay on task) then you should be working on something else.  However, now you have it in progress...14:41
gary_posterYeah, move the card over to Active14:41
gary_posterExplain that it was started before consulting the kanban board and now it is in progress14:42
gary_posterAnd then timebox it14:42
gary_posterwhat do you think, two more hours max, benji?14:42
benjiI'm cool with leaving it until later (I only intended to send an email but in writing it I realized that something was amiss).14:42
gary_posterMaybe that's too shortsighted14:42
gary_poster(my comment was too shortsighted, I mean)14:43
gary_posterbenji, go ahead and do it.14:43
gary_posterthank you14:43
benjia timebox is fine too; I think that we fell into some sort of trap and it's likely that someone else will too14:43
gary_posterMaybe check in with me after lunch if you are still consumed by it?14:43
benjisounds good14:43
gary_posterthanks again14:43
gary_posterbenji, you had already verified that it was not just the innerHTML stuff we were doing that was the problem, right?  I thought I remember you saying that simply having the HTML in the lazr.restful generated JS blob at the bottom of the page was sufficient to trigger the problem.  That's what you are investigating further?14:47
benjiyet the JSON produced by bug descriptions is escaped but the escaped text is not stored in the DB; I now see why that is but I don't know why we didn't benefit from the same effect14:48
gary_posterinvestigate away :-)14:49
* benji gains +3 investigation from coffee.14:49
bacgary_poster: i've submitted a MP.  any thoughts on getting it reviewed?  seems unfair to stick gmb with it.16:33
gmbbac: How big is it?16:34
bacit is 2023 lines16:34
gary_posterbac, benji seems like an obvious candidate if he is willing, since he did not do any work on this onw16:34
bacyeah, sorry16:34
gary_posterI did a bit of work on it, but we could pretend I didn't and look at it this afternoon16:34
bacbenji: ?16:34
benjibac: yep, I can do it right after lunch16:35
gary_posterbenji, thank you.  Could you claim it, so we don't get outraged reviewers banging down our virtual doors?  bac, what's the URL?16:35
bacgary_poster: as i was writing the MP i realized the odd rules surrounding distros might need another look vis-a-vis not letting bug supervisors try to subscribe other teams that are not part of the bug supervisor team16:36
bacright now i only limit who gets the link16:36
bacgary_poster: i'll do that investigation after lunch16:37
gary_posterbac, interesting.  I'm inclined to say that is not a bad feature, but it is something we should know about at the least.16:37
bacgary_poster: well, it would error as the model enforces the rule16:37
gary_poster(and clarify to Jono, and maybe ask Deryck about since he was the one who warned me)16:37
gary_posteroh, well, there you go then16:37
gary_posterso, yeah, bac, sounds questionable.16:38
bacgary_poster: i think we can just filter 'get_administered_teams' in that situation16:38
gary_posterI was thinking something along those lines as well, though it is a shame that we will be adding yet more distributed fiddly bits for that policy...not that I'm suggesting we try to architect a grander solution ATM.16:39
bacgary_poster: yeah, ubuntu's odd rules have many tentacles16:40
bacit's like they think LP was built especially for them16:41
gary_poster:-) crazy people16:41
bacgary_poster: i've added and claimed a card16:41
gary_postergreat, thank you16:41
* danilos -> off, talk to you all tomorrow16:46
=== Ursinha is now known as Ursinha-afk
benjigary_poster: summary of XSS thing: it's better now.  I'm not entirely sure who fixed it, and I'm a little affraid that their fix will lead to escaped HTML in the DB, but I don't know if that warrants further investigation17:31
gary_posterbenji, ok.  I wonder if this was the XSS thing that wgrant ws working on.  Knowing how to use it might be smart17:34
gary_posteris how we use it now OK?17:34
* gary_poster going to get lunch, back in a bit17:34
benjiIt might be related to his work, looking at that a little now.17:37
benjidarn, the "fix" was to remove "structure" from the page template for LP.cache, but that will lead to HTML in the DB: https://code.launchpad.net/~wgrant/launchpad/bug-739915/+merge/5429617:51
benjiok, I'm going to do that review now17:51
benjibac: it took me longer than I expected, but the review is done (https://code.launchpad.net/~bac/launchpad/accordion-client-2/+merge/55361)19:47
bacbenji: great.  wasn't slow at all, given the branch19:48
bacbenji: it does have a couple of test failures ec2 found that i'm working on19:48

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!