Fog Creek Software
Discussion Board




Throwing the Baby Along with the Water

There was an IIS bug some time ago, in which IIS could accept paths with ../../../ etc. leading to other documents on the hard disk. (e.g: http://myhost.com/../../../windows/system.ini)

Microsoft "fixed" this bug by saying that it won't allow a path component which starts with a dot in its URLs. Thus, I cannot serve "http://myhost.com/~shlomi/.vimrc" - I have to rename it.

Now, Microsoft is ruling that Internet Explorer will not accept a username on the URL, because it had some security vulnerabilities in handling it.

These fixes do not remedy the bug or increase the code quality. And they harm the users due to the developers' incompetence. It's like throwing the baby along with the water.

Shlomi Fish
Sunday, February 1, 2004

Microsoft also produces extremely high quality software.

Yes, it has some problems, but all software has some problems.

We must look at the global picture, not at small features.

Row
Sunday, February 1, 2004

Well you could also consider that .xxxx files are also generally hidden on *nix and that they shouldn't be expressly displayed by default.

Simon Lucy
Sunday, February 1, 2004

You should probably serve that file as vimrc.txt, or serve it as a gzipped file with the .vimrc file inside of it.  Your server probably defaults the mime type to text for the .vimrc file, but these solutions make sure it gets served the way you want it (as text) and retains enough of the name to make it identifiable and useful as well as servable from an Apache host if you ever decide to move your server.

Lou
Sunday, February 1, 2004

Simon Lucy: yes, but if I do "less $HOME/.bashrc" I see the contents of .bashrc. Similarly, I expect that if a web server has a file like that I can do a "wget http://myhost.com/~shlomif/.bashrc", I'll retrieve the file, whether I may or may not see it in http://myhost.com/~shlomif/.

In IIS however, I cannot do that, and it sucks, because I may want to. I know it causes problems with potentially serving Subversion repositories with such files over IIS.

Lou: why should I bother renaming the file? I'm not looking for workarounds, I'm looking for fixes that fix the bugs and not avoid the problem, and make life worse for the users. Imagine telling a webmaster who has thousands of accounts on his machine to tell all the people there to rename their files. If you have a problem fix it, but don't disable otherwise legitimate functionality.

Shlomi Fish
Sunday, February 1, 2004

Row, the problem is that bugs are a good indicator of other bugs and poor design and implementation. Work arounds do work around the bugs you don't know about.  Given the stream of bugs poor quality must be the case. They need to fix it in the code for anyone to feel secure. Work arounds should make you feel less secure.

son of parnas
Sunday, February 1, 2004

Should read Work arounds do NOT work around bugs...

son of parnas
Sunday, February 1, 2004

"Microsoft "fixed" this bug by saying that it won't allow a path component which starts with a dot in it URLs. "

While I've never had the need, a quick test (IIS 5.1 fully patched) just confirmed that IIS has no such limitations -- it'll happily serve up . prefaced files successfully. Do you have IIS Lockdown with URLScan installed? If so, URLScan is rule driven -- if you think that that rule is unnecessary then change the rules to allow it.

Dennis Forbes
Sunday, February 1, 2004

ln -s /home/shlomif/.vimrc /home/shlomif/vimrc.txt

old fart
Sunday, February 1, 2004

Ah shit. I am going to have to change every single page on all my web sites. I used HREF="../../index.html" type links everywhere in my documentation webs to refer back to parent pages so that my pages work as well on a local folder as they do in a hosted browser.

Tony Chang
Sunday, February 1, 2004

I agree with Shlomi that this is not a fix for the stated bug - it is a horrid and poorly thought out hack by the code monkeys at MS.

.. links don't go above the web directory on any web server I've ever used - I guess IIS is some freaky exception. The way to fix it was to fix it (a single line of code I imagine), not to break 20% of the web.

Tony Chang
Sunday, February 1, 2004
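The "fix it in the code" that Tony Chang and Shlomi are asking for is a request-path canonicaliser that refuses to climb above the web root while still serving dot-files such as .vimrc. The following is an added example, not code from the thread or from IIS, written in Python with an assumed web root of /var/www. It decodes percent-escapes once (so "%2e%2e" cannot hide a traversal), rejects NUL bytes and backslashes, and then walks the path segments itself rather than relying on posixpath.normpath, because normpath silently drops a leading ".." on a rooted path and would therefore turn "/../windows/system.ini" into "/windows/system.ini" instead of reporting the escape attempt:

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the examples below (placeholder, not a real server).
WEBROOT = "/var/www"


def resolve_request_path(url_path: str, webroot: str = WEBROOT) -> Optional[str]:
    """Map a URL path onto a filesystem path under webroot.

    Returns None when the request tries to escape the web root; otherwise
    returns the resolved path.  Dot-files (".vimrc", ".bashrc") are ordinary
    file names here and are served like any other.
    """
    # Decode once: the server opens the decoded name, so check the decoded name.
    decoded = unquote(url_path)

    # NUL can truncate the name in C-based servers; backslash is a directory
    # separator on Windows hosts, so neither may appear in a served path.
    if "\x00" in decoded or "\\" in decoded:
        return None

    stack: list[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                     # empty (double slash) or current dir
        if segment == "..":
            if not stack:
                return None              # attempt to climb above the web root
            stack.pop()
            continue
        stack.append(segment)            # ".vimrc" lands here and is kept

    # posixpath.join(webroot) with an empty stack is just webroot itself.
    return posixpath.join(webroot, *stack)


def check_requests(paths: list[str]) -> dict[str, Optional[str]]:
    """Resolve a batch of constructed request paths; None marks a rejection."""
    return {p: resolve_request_path(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: the two from the thread plus encoded variants.
    for url, result in check_requests([
        "/~shlomi/.vimrc",
        "/../../../windows/system.ini",
        "/%2e%2e/%2e%2e/windows/system.ini",
        "/docs/../index.html",
        "/a/b/../c",
    ]).items():
        print(f"{url!r:45} -> {'REJECTED' if result is None else result}")
```

A path that passes this check still needs a final realpath comparison after the file is opened if symlinks are allowed inside the root, since a link under /var/www can point outside it; that is a separate check from the URL-level one shown here.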

It's don't throw out the baby with the bath water.

Jorel on Software
Sunday, February 1, 2004

"Microsoft also produces extremely high quality software."

How do you define quality Row?

Tony Chang
Sunday, February 1, 2004

"Given the stream of bugs poor quality must be the case. They need to fix it in the code for anyone to feel secure. Work arounds should make you feel less secure."

son of parnas, this is a fantastically lucid statement. Couldn't have said it better myself.

Tony Chang
Sunday, February 1, 2004

"Microsoft also produces extremely high quality software."

Great news. Must have missed those titles. Tell me what they are and I'll switch to using them. :)

sgf
Sunday, February 1, 2004

Shlomi, relax. You are not going to have any problem with user directories or dot-files.

IE is removing support for RFC-1738 "user:pw@" syntax, which is a monumentally stupid idea anyway. The people using this for legitimate purposes ought to know better, and are probably NOT using IE or IIS. Nothing is going to break.

http://support.microsoft.com/?id=834489

Furthermore, the use of ".." in path names through ASP code may be disabled on IIS 5 and earlier, and is disabled by default in IIS 6. You can still turn it back on, and it only affects ASP code anyway.

http://support.microsoft.com/?id=332117

Any announcement that "Microsoft is about to make all of our web sites stop functioning" should generally be rephrased as "Microsoft is going to make everyone stop using their web browser" which is such an incredibly absurd concept that you will intuitively give it precisely the attention and credit it deserves.

Caliban Tiresias Darklock
Sunday, February 1, 2004

Damn, plain-text authentication is perfectly acceptable for many situations, e.g. forums.  I have appropriate bookmarks set to username:password@forum.whatever.com to keep things simple for me.  The idea of having to periodically type it in again is annoying.

i like i
Sunday, February 1, 2004

I'm rather embarrassed to post, when I sense that I missed a joke.  But...  I really hope, Row, you were being ironic and we just missed the joke, because that response is ridiculous.

(Just on the off chance that you weren't being ironic... exactly which big picture could possibly justify such a shameful workaround?)

Shlomi, if you didn't have reason already, that sounds like reason enough to dump IIS.  There are plenty of much better web servers, even on Windows.

veal
Sunday, February 1, 2004

"Damn, plain-text authentication is perfectly acceptable for many situations, e.g. forums.  I have appropriate bookmarks set to username:password@forum.whatever.com to keep things simple for me.  The idea of having to periodically type it in again is annoying."

Considering Windows will remember these passwords for you, why don't you just let the browser do the work instead of contriving the URL? It's not like it's that big a deal to hit enter when prompted with the already-filled-in user and password information... ;)

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, February 1, 2004

Because then the browser will periodically transmit my password information to Microsoft, allowing Bill Gates to surf my favorite porn sites while spoofing as me.

Zahid
Sunday, February 1, 2004

Zahid: that's it, he's crossed the line!  DOWN WITH GATES!!!

H. Lally Singh
Sunday, February 1, 2004

Brad, I said 'periodically' because I periodically clean my cache, or visit places so rarely as for it to be forgotten anyway.  And now I'm back to periodically going and looking at my list of insecure passwords...

The proper solution to people using @ to hide urls is to make the hyperlink preview emphasise it; presumably the bit before the @ can easily be another colour or slanted (italic, whatever, that was another thread) or something.

i like i
Monday, February 2, 2004

Mozilla shows the full link.

Opera handles it best.  They pop up a dialog "You are logging into 'www.goatse.cx' with the username 'www.microsoft.com' and the password ''.  Is this correct?"

Stuffing the password in the URL is insecure, but what's wrong with putting the username in the URL?

Richard P
Monday, February 2, 2004
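The Opera dialog and the "emphasise the bit before the @" suggestion both come down to parsing the userinfo part of the URL separately from the host and showing the user which is which. This added example (not from the thread or any browser) does that in Python with urllib.parse.urlsplit: it reports the real host, the username, whether a password was supplied (without echoing it), and flags userinfo that is shaped like a hostname, which is the trick the thread describes. The sample URLs are constructed and use documentation addresses:

```python
from typing import Optional
from urllib.parse import urlsplit


def describe_login_url(url: str) -> dict:
    """Split a URL into the parts a link preview should show distinctly."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # the part after the last '@' in the authority
    user: Optional[str] = parts.username  # the part before '@', if any
    has_password = parts.password is not None

    # Userinfo containing a dot or starting with "www"/"http" reads like a
    # hostname to a human; that is the pattern used to make one site look like another.
    looks_like_host = user is not None and (
        "." in user or user.lower().startswith(("www", "http"))
    )

    if user is None:
        preview = f"You are visiting '{host}'"
    else:
        preview = f"You are logging into '{host}' with the username '{user}'"
        if has_password:
            preview += " (password supplied in the URL)"

    return {
        "host": host,
        "username": user,
        "has_password": has_password,
        "userinfo_looks_like_host": looks_like_host,
        "preview": preview,
    }


if __name__ == "__main__":
    # Constructed samples: a spoof-shaped link, a forum bookmark, and a plain link.
    for sample in [
        "http://www.microsoft.com@203.0.113.5/",
        "http://alice:s3cret@forum.example.com/",
        "https://example.com/",
    ]:
        info = describe_login_url(sample)
        flag = "  <-- userinfo looks like a hostname" if info["userinfo_looks_like_host"] else ""
        print(info["preview"] + flag)
```

The returned dictionary is what a status-bar preview or a confirmation dialog would render; keeping the password out of the preview text matters because that string tends to end up in screenshots and logs.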
