#saltr (irc2p) | I2P+ 2.7.0-11+ >> i2pplus.github.io | skank.i2p | git.skank.i2p | purokishi.i2p | vituperative.github.io/i2pchat | natter.i2p | notbob.i2p | ramble.i2p | shreddit.i2p | cake.i2p | /msg an op for voice

dr|z3d ok, fixes for the create torrent file filter feature courtesy of snex, /dev/ update now available.

T3s|4 o/ dr|z3d - I saw several iterations of -13, but did I somehow miss -14? Running -15+ now

dr|z3d hi T3s|4

dr|z3d you may have missed 14, it was up for a brief time before I realized the file filtering wasn't working as intended.

T3s|4 np

dr|z3d fortunately snex supplied a patch, and it should all be functional now.

dr|z3d that is, assuming you're using either dark, ubergine or zilvero themes (in the latest build) - other themes to follow shortly.

dr|z3d good call on the dune2 banner, zzz, was wondering when they were going to release the sequel.

zzz if you're getting your movie news from me you're in trouble

dr|z3d haha :)

zzz did you have any comments or test results on the susimail search MR I put up for you a couple weeks back?

dr|z3d haven't gotten around to looking at it yet, still somewhat distracted by "other things", but I'll get to it shortly and let you know.

zzz ok, no rush ofc

dr|z3d anything occupying your time at the moment you care to share with us, i2p-wise?

zzz speaking of distraction, have you abandoned your master branch and are devving off into the sunset or?

dr|z3d no, haven't abandoned it, just locked out of gitlab right now. in their wisdom they've decided to blacklist i2pmail.org

zzz odd. so you can push to the dev branch but not the master branch?

dr|z3d yeah, I configured it that way iirc. no direct pushes to master.

zzz so the dev branch is now the official branch until they unlock you?

dr|z3d I guess, it's where all the work's happening. master is, for the most part, just a feeder for dev unless there's code there that's volatile or otherwise incomplete.

T3s|4 thanks dr|z3d - and pleased to learn about the positive snex contribution; quite a departure from their normal rant(s) :)

dr|z3d if there's code that's wip and needs more time, I'll create a local branch to work in.

dr|z3d yeah, good collaboration and some good code, snex wanted filtering for torrent files on creation, I wanted more than just a text input. :)

zzz annoying but there's plenty of other options for hosting if you give up on them

dr|z3d yeah, annoying, I'll get around to finding who to communicate with at some point, hosting isn't an issue, already have github and of course git.skank.i2p, so no biggie.

zzz not familiar with git.skank.i2p but just gives me an empty page

zzz and an incognet title

zzz do i have the wrong b32 or is this some stealth thing

dr|z3d let me check that, should give you the full locally hosted git repo experience.

dr|z3d works for me.

dr|z3d and, no, not stealth :)

zzz hmph

dr|z3d let's see what b32 you should have.. 1 sec..

zzz i have dxlfhlrqd23exqwmjr6vmq5b5tn5lo2irwydhjvbiciolwq4auga.b32.i2p

dr|z3d dxlfhlrqd23exqwmjr6vmq5b5tn5lo2irwydhjvbiciolwq4auga.b32.i2p

dr|z3d yup, that's it. should work. can you check it works, T3s|4?

dr|z3d oh, wait.

dr|z3d that b32 takes me to, yeah, a blank incognet page. ok, something's screwed up somewhere.

zzz The resource from “http://git.skank.i2p/assets/css/header.css” was blocked due to MIME type (“”) mismatch (X-Content-Type-Options: nosniff).

zzz git.skank.i2p

zzz The resource from “http://git.skank.i2p/assets/css/style.css” was blocked due to MIME type (“”) mismatch (X-Content-Type-Options: nosniff).

dr|z3d yeah, that's basically telling you 404.

dr|z3d just checking what notbob.i2p has on record.

zzz a lot of svg and woff2 404s

dr|z3d I must have fat fingered the B64 in my hosts file I guess.

dr|z3d let me find the *correct* b32.

zzz I have it in my pvt addr book so it must have been from notbob. Not registered on stats

dr|z3d ok, thanks for pointing out the non-availability of git.skank.i2p, zzz, should be fixed now, no change to b32 required.

T3s|4 dr|z3d: as noted, dxlfhlrqd23exqwmjr6vmq5b5tn5lo2irwydhjvbiciolwq4auga.b32.i2p never loads here

dr|z3d some work I was doing for incognet required a local cache, and that was being applied globally, so you were getting crud for cache. try now T3s|4

zzz the Venn diagram intersection of i2p users and competent website admins is annoyingly small

dr|z3d are you calling me incompetent on the sly? :)

zzz nahhh, would never

T3s|4 dr|z3d: a hard refresh worked

dr|z3d thanks, T3s|4.

zzz yeah took a shift-reload

dr|z3d well now you're there, you can assess the functionality and load times vs locally hosted gitlab.

zzz ? I don't have a locally hosted gitlab

dr|z3d you don't, eyedeekay does :)

zzz it's not local to me

dr|z3d let me rephrase. you can assses the functionality and load times for both git.skank.i2p and idk.gitlab.i2p

zzz so far I assess that both work ))

dr|z3d I did a brief one page test yesterday, just looking at the master branch page on both sites. gitlab is a lot heavier.

dr|z3d just mentioning in light of eyedeekay's ongoing tribulations with gitlab.

dr|z3d what gitea lacks vs gitlab is the CI stuff, though it's not that hard to provide something similar.

zzz if it were me I'd turn off all the CI stuff and leave it to github. Not worth the hassle

dr|z3d yeah, right.

dr|z3d got a question for you, zzz. snex was having an issue getting various regex characters processed on form submit. is there any special sauce required? we probably only want * $ and ^.

zzz dr|z3d, please elaborate?

dr|z3d ok. basically snex was attempting to process some input strings that contained regex chars, and on submission they were filtered out. I _think_ * was one of them, possibly others.

snex when submitting a form, it was eating special chars. so for example if i typed in "/^.*.nfo$/" this wouldnt arrive at the server

snex it would just say null for that param

dr|z3d I'm looking at the slashes in that string, possibly part of the issue?

snex i tested many variants, im pretty sure anything with a * in it got eaten while things with only slashes worked

dr|z3d anyways, we decided we only need to support * ^ and $.

zzz right, that's the XSS filter, you should see it in the logs

zzz if you don't want it, name the form param with the prefix nofilter_ or nf_

zzz but then it's your problem to escape it if you output that string out again

snex why would * present an issue

zzz dunno, but the regex is in XSSRequestWrapper

snex this is some real jank shit, why doesnt the java class handle all this for us

zzz for any sort of search form you definitely have to use nofilter_xxx and then be super careful with escaping on output

zzz it's safe by default, with a way to bypass if you know what you're doing, might be annoying but it's not jank ))

snex safety would mean it does its own internal escaping, not it disallows certain characters

zzz not really because you don't want to operate interally on escaped chars, or else you'd never be able to search for < because it would become <

zzz you have to escape on output, not input

snex sorry but modern web frameworks ALL do this for you and they all work flawlessly

zzz java doesn't magically save you from escaping issues

snex the idea that java cant is absurd

zzz our "framework" is jsp and jetty. we don't have some fancy framework

snex you need one

dr|z3d we've done pretty well without one for the last 20 years :)

snex this stuff is unmaintanable over the long term

snex snark has thousand-line methods. unacceptable

zzz I'm explaining how it works now, take a minute to be cranky but then slap a nf_ prefix and then start testing with <alert>xxx and emojis and everything

snex theres no automated testing. you have to know every little corner case

zzz it is what it is, take a deep breath and test test test because anything with nf_ could be a problem

snex assuming that will fix the input problem, it seems like its going to present even worse problems if the user starts getting clever and typing other nonsense in there

dr|z3d we can handle that with limits on the input.

zzz that's what I'm saying. There is no framework. It's your responsibility to strip or escape if you're going to write it back out. test test test. Stick <foo> into every form input

dr|z3d snex: w3schools.com/TAGS/att_input_pattern.asp

dr|z3d obviously we also want server-side validation, but that's a good start.

zzz "limits on input" doesn't really explain it. You either have to strip or escape or send an error, and you might have to escape the error message

zzz you can't do "%s contains an illegal char"

zzz but now you know why the snark search param is nf_s

dr|z3d sure, I get that, but I'm suggesting that as a preventative measure to mitigate against cleverness, that's a good start.

dr|z3d of course it doesn't handle processing, escaping etc.

dr|z3d anyways, thanks for the insight on form processing, that gets us somewhere :)

zzz yup. Our XSS filter _is_ the preventative measure. That's as much of a "framework" as we have.

zzz Yes some languages/frameworks have a concept of safe and unsafe strings, and some magic to escape/unescape.

zzz nothing like that in Java iirc and it would be a real pain because String is final

zzz you can't do public class SafeString extends String { ... }

dr|z3d yeah, the closest you'd come to a framework in Java is probably apache's StringEscapeUtils

dr|z3d which of course is an external dependency we've managed to live without.

dr|z3d commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/StringEscapeUtils.html

zzz ofc we have equivalents already - DataHelper.escapeHTML(), .stripHTML(), plus some URL encode/decode methods rattling around

snex at some point we should consider ditching snark

zzz again there's no magic, because each escaping regime is different. Is it HTML? js? URLs? filenames? properties? hostnames?

dr|z3d big bag o' worms.

zzz sure, snark has grown unwieldy, as is susimail, both could use a refactor

dr|z3d yeah, both could probably use some jsps to make things a little less unwieldy.

zzz but every other torrent app code I've looked at is 10x worse.

dr|z3d snark isn't bad, it's just the servlet's a bit of a monster, especially when you first look at the code.

zzz I'm sure you've contributed to the monster. As have I. That's the way it goes

zzz coders gonna code

dr|z3d I hold my hand up. Guilty as charged.

zzz you asked what I'm up to

zzz mostly little stuff

zzz looks like we're back to a 4/8 release which is 5 weeks, so I'm going thru my lists and promises

zzz also talking to a couple folks about research ideas

zzz finished my PoW rant which you saw

snex could probably rewrite snark in ruby without TOO much effort, but would it even be worth it

dr|z3d oh, rant? I'm not sure I caught that, or I wasn't paying enough attention.

zzz stuck again on secureDNS

dr|z3d yeah, about that. what's wrong with DoH that you're aiming to fix?

zzz I thought the tl;dr made it clear it was pretty ranty

zzz if thats a word

dr|z3d ah, missed that, just reading now.

dr|z3d "the wildest code" .. yeah, that's signature zzz rant mode <on>

zzz SDNS is more secure than DoH, it fills in some holes. DoH is kindof a hack. The DNSCrypt site has some explainers about why SDNS is better

dr|z3d remind me what we're using DNS lookups for again? time servers I recall. anything else?

zzz reseed

dr|z3d ok, I guess you think it deserves attention, otherwise you wouldn't be spending time on it.

zzz it's a dalliance, another implementation-as-research project, like jequix

zzz but it grew out of trying to maintain the DoH server list, which got me to sdns "stamps", which got me to maybe this would all be easier if we switched to sdns

dr|z3d fair enough. if it's motivating you, that's sufficient :)

dr|z3d just finished your take on PoW in Tor. amusing stuff, mostly over my head, but amusing nonetheless.

dr|z3d If ever you get into the t-shirt business, "It's very very tiny baby bananas." will surely sell well.

dr|z3d On I2P, PoW is a solution looking for a problem we don't have right now.

zzz its over my head too. I started on it over Christmas and really fell down the rabbit hole

zzz I'm probably 100 hours invested in it

dr|z3d whatever PoW fixes in Tor-land, mostly inter-darknet market DDOS attacks afaict, throttling and tunnel filtering, perhaps with modifications, has us covered.

zzz but still can't get over the 'this code is doing WHAT?!?!?!?" feeling

zzz disagree though, I'm not as comfortable that we're sitting pretty

zzz I'd like to answer the question 'if we have to put in PoW where would we put it'

zzz i.e. get started on top-down design. Playing around with equix in java is interesting research but is backwards bottom-up approach to doing anything in i2p

not_bob Is ban.i2p some sort of gag?

snex i sure hope not

not_bob "I2P - internet for terrorists"

not_bob It just screams satire, or something.

dr|z3d where would we put PoW? if we were going down that route, maybe the obvious place would be on server tunnels to handle requests, but I can't see that doing much other than introducing latency where we don't want it right now.

dr|z3d same problem if we put it on floodfills to handle lookups.

dr|z3d unlike Tor, we can identify the source of incoming requests via dests, Tor doesn't have that luxury with hidden services.

zzz think sooner. much sooner.

zzz streaming. or ratchet. or even the IBGW

snex what kind of PoW can you do that wont destroy sbpcs or mobile

dr|z3d that's a valid question, even if it's missing a suffixed ? :)

snex i aint got time for punctuation

dr|z3d put that on a t-shirt :)

snex anyone looked at proof of uptime before? would be nice if we could reward nodes that are online for longer

dr|z3d we do already assess routers based on uptime to some degree, floodfills at least, insofar as too new floodfills are downrated.

dr|z3d uptime as a metric could be something to consider, though.

dr|z3d not_bob: yeah, safe to assume it's irony.

not_bob I think it would be a useful metric.

not_bob dr|z3d: Thank you for your input.

dr|z3d that's ok, ai_not_nob.

dr|z3d *bleep bloop*

dr|z3d I'm still firmly of the belief some beefing up of tunnel throttling / filters could be handy, regardless of any future threats.

dr|z3d not least because keep-alive connections make request throttling less viable.

dr|z3d and also because we could use some defences against hostile/exploit-oriented requests on the http server tunnel.

zzz p

not_bob Got it!