[00:26] benji, gary_poster: either of you run the windmill tests from the command line lately? the documented way doesn't run any tests.
[00:26] xvfb-run ./bin/test --layer=RegistryWindmillLayer -cvvt test_yuitests
[00:27] hey benji, over here! :)
[00:27] look down, look back up and I'm here with you
[00:28] I'm on a horse.
[00:28] thanks for the pointer, i'll try it
[00:29] * bac dinners
[13:30] aloha
[13:31] bac benji danilos gmb mumble about now-ish
[13:31] Yup
[13:31] ready-ish
[13:44] gary_poster: being a XSS vulnerability I wonder if I should use the non-public list for the email
[13:46] benji, yeah, I guess so. I thought it was a theoretical vulnerability ("if you use it with bad info, it will bite you, but we are not sure that anyone is actually using it this way, but anyway it is bad")
[13:46] even as a theoretical vulnerability I suppose it might give people ideas
[13:46] as to what to try
[13:47] that's true, but I strongly suspect... right; I bet I could come up with some place we allow dangerous values
[13:47] for example, I wonder if bug descriptions are a vector
[13:49] so, agreed that it should be on private list. I'd be somewhat surprised if bug descriptions are a vector, but if they were, that would certainly get people's attention. Might be worth a quick attempt.
[14:39] gary_poster: OK, I'm confused; it doesn't look like it should be possible to provoke XSS the way things are set up. I'd like to investigate what we did wrong.
[14:41] benji, heh. ...technically, you have a card in progress in the quick jobs lane, but you haven't actually moved it. If you did, we would be over our limits. I'm the one at fault, since I'm consuming the lanes, but if we honor the limits (which are supposed to help us stay on task) then you should be working on something else. However, now you have it in progress...
[14:41] So...
[14:41] Yeah, move the card over to Active
[14:42] Explain that it was started before consulting the kanban board and now it is in progress
[14:42] And then timebox it
[14:42] what do you think, two more hours max, benji?
[14:42] I'm cool with leaving it until later (I only intended to send an email but in writing it I realized that something was amiss).
[14:42] Maybe that's too shortsighted
[14:43] (my comment was too shortsighted, I mean)
[14:43] benji, go ahead and do it.
[14:43] thank you
[14:43] a timebox is fine too; I think that we fell into some sort of trap and it's likely that someone else will too
[14:43] Maybe check in with me after lunch if you are still consumed by it?
[14:43] cool
[14:43] sounds good
[14:43] thanks again
[14:47] benji, you had already verified that it was not just the innerHTML stuff we were doing that was the problem, right? I thought I remember you saying that simply having the HTML in the lazr.restful generated JS blob at the bottom of the page was sufficient to trigger the problem. That's what you are investigating further?
[14:47] right...
[14:48] k
[14:48] yet the JSON produced by bug descriptions is escaped but the escaped text is not stored in the DB; I now see why that is but I don't know why we didn't benefit from the same effect
[14:48] oh
[14:48] huh
[14:49] investigate away :-)
[14:49] :)
[14:49] * benji gains +3 investigation from coffee.
[14:49] heh
[16:33] gary_poster: i've submitted a MP. any thoughts on getting it reviewed? seems unfair to stick gmb with it.
[16:34] bac: How big is it?
[16:34] it is 2023 lines
[16:34] 0.o
[16:34] bac, benji seems like an obvious candidate if he is willing, since he did not do any work on this one
[16:34] yeah, sorry
[16:34] I did a bit of work on it, but we could pretend I didn't and look at it this afternoon
[16:34] benji: ?
[16:35] bac: yep, I can do it right after lunch
[16:35] ok
[16:35] benji, thank you. Could you claim it, so we don't get outraged reviewers banging down our virtual doors? bac, what's the URL?
[16:36] yep
[16:36] gary_poster: as i was writing the MP i realized the odd rules surrounding distros might need another look vis-a-vis not letting bug supervisors try to subscribe other teams that are not part of the bug supervisor team
[16:36] right now i only limit who gets the link
[16:36] https://code.launchpad.net/~bac/launchpad/accordion-client-2/+merge/55361
[16:37] gary_poster: i'll do that investigation after lunch
[16:37] bac, interesting. I'm inclined to say that is not a bad feature, but it is something we should know about at the least.
[16:37] gary_poster: well, it would error as the model enforces the rule
[16:37] (and clarify to Jono, and maybe ask Deryck about since he was the one who warned me)
[16:37] oh, well, there you go then
[16:37] claimed
[16:37] thanks
[16:38] so, yeah, bac, sounds questionable.
[16:38] gary_poster: i think we can just filter 'get_administered_teams' in that situation
[16:39] I was thinking something along those lines as well, though it is a shame that we will be adding yet more distributed fiddly bits for that policy...not that I'm suggesting we try to architect a grander solution ATM.
[16:40] gary_poster: yeah, ubuntu's odd rules have many tentacles
[16:41] it's like they think LP was built especially for them
[16:41] :-) crazy people
[16:41] gary_poster: i've added and claimed a card
[16:41] great, thank you
[16:46] * danilos -> off, talk to you all tomorrow
[16:46] bye
[16:46] bye
=== Ursinha is now known as Ursinha-afk
[17:31] gary_poster: summary of XSS thing: it's better now. I'm not entirely sure who fixed it, and I'm a little afraid that their fix will lead to escaped HTML in the DB, but I don't know if that warrants further investigation
[17:34] benji, ok. I wonder if this was the XSS thing that wgrant was working on. Knowing how to use it might be smart
[17:34] is how we use it now OK?
[17:34] * gary_poster going to get lunch, back in a bit
[17:37] It might be related to his work, looking at that a little now.
[17:51] darn, the "fix" was to remove "structure" from the page template for LP.cache, but that will lead to HTML in the DB: https://code.launchpad.net/~wgrant/launchpad/bug-739915/+merge/54296
[17:51] ok, I'm going to do that review now
[19:47] bac: it took me longer than I expected, but the review is done (https://code.launchpad.net/~bac/launchpad/accordion-client-2/+merge/55361)
[19:48] benji: great. wasn't slow at all, given the branch
[19:48] benji: it does have a couple of test failures ec2 found that i'm working on
[19:48] k