cabbey

cabbey, 1 day ago

@Crell yeah, just trying to get a feel for how long the stagger is. But also meh… it’s not a lot of data, and it’s CDN’d pretty hard.

cabbey, 6 days ago

@afilina oooh! I didn't know this package existed. I think pretty much every package from The League I've used has fit this description though, so that's a good sign. Sadly, after looking at it's docs, it doesn't even attempt to solve the biggest problem I think @kboyd and I see with writing csv files... managing the column positions when you have variable data. :(

cabbey, 6 days ago

@afilina @kboyd say you have 50 columns... say 40 of them are populated in every row, but the other 10 you get some random subset (depending on what the other values maybe, you may have 10 of them or you may have 3 of them or somewhere between.) Then say you have another 6 or so columns that get added for certain customers but not for others.
It would be awesome if you could give it a header array and then pass in a hash for the row and have it populate just the ones that are set.

cabbey, 6 days ago

@kboyd @afilina or a patch to add it if they're open to it.

cabbey, 6 days ago

@afilina @kboyd ahh... I must have misunderstood what formatters could do... I thought they were processed cell by cell. If they get the whole record then yeah, that would probably work.

cabbey, 9 days ago

@valorin @bobmagicii @j3j5 eh, I dunno... this was my first exposure to him as well and frankly the fact that he called utf-8 "the encoding for English" basically put me into "lol, no." mode and closed the tab,. Thank you @andrewfeeney for the direct CVE link.

cabbey, 8 days ago

@valorin @mergy @bobmagicii @andrewfeeney distros should be able to just land a new, patched, module. The only reason there are manual steps here is the attempt to work around the fixed binary not being available. #ubuntu for example seems to have already dropped a fix: https://ubuntu.com/security/notices/USN-6737-1

cabbey, 8 days ago

@bobmagicii oh yeah, there's certainly something to be said for being able to just ssh into a box, boot the encoding out of the support list and rebuild the iconv catalogs. :)

cabbey, 8 days ago

@andrewfeeney @arnan @valorin @mergy we don’t know yet.

But assumed worst case: there is some magic string that if they can get your web server to spit it out, in that encoding, can be used to dump anything php has access to… or run any arbitrary assembly… as your php user.

There are probably a dozen lesser degrees too.

Disclaimer: I’m not a security researcher either… it’s been 20+ years since I sat down and crawled through any code looking for malicious ways to abuse it.

cabbey, 6 days ago

@grmpyprogrammer ooh, they still exist? All the ones out here closed last year.

cabbey, 13 days ago

@Girgias not sure I follow how that would help?

cabbey, 13 days ago

@Girgias ooh, yeah. I thought you meant down a level in foo. That's easy enough to determine if the flag is null that I don't think this is helpful. Also I'll note that in the real code, due to multiple named optional parameters it's a bit more complex: https://3v4l.org/PfBe4

cabbey, 13 days ago

@Crell honestly mostly trying to avoid having two copies of the call to foo() in an if/else with different argument lists. (way more obvious why in the real case with more params to foo.)
It really boils down to "this library allows you to specify an old format version and defaults to it's current one, which is an internal detail." vs "this function lets you specify the version of the object you're dealing with, in case you need to use an old object from storage"

cabbey, 13 days ago

@Girgias yeah, certain Obj-C library programmers really love that trick too. I recall an entire library for doing graphics that had functions like drawLine() which took 100 named variables, because you could specify points with x/y coords or with angle (as degrees or radians) and distance, or with a data class called a Point, then the other end could be specified with all sorts of different approaches including both absolute and relative offset from the start. Ugh. So glad #php doesn't do that!

cabbey, 13 days ago

@Crell I was a Java developer for several years, I still cringe every time I resort to using reflection (all in tests, never in production code!) because of the memories of just how painful the performance penalties were back then.

I just started the PR with the "assemble an array and spread it" approach. I suspect it won't be received with torches and pitchforks.

cabbey, 10 days ago

@ramsey @gmazzap yeah, as I discussed with crell in another branch of the thread the root issue was avoiding two calls to foo in a conditional with a long argument list. The solution I put into PR Friday assembles an argument array, conditionally adds the one discussed here then calls foo(…$args);

cabbey, 14 days ago

@kboyd @grmpyprogrammer @janl yeah, having been born and raised in the desert this doesn't surprise me at all. We used to laugh our asses off at the folks from down by the coast that would come up and buy land, then bulldoze the gullies flat and start to build houses on them. Then the first gully-washer of the season would come ripping through in the later winter/early spring and they'd be shocked that over night there's a 30' tall trench cutting through the property.

cabbey, 15 days ago

@kevbob ROFL. I’m curious how they took that.

cabbey, 15 days ago

@michael @Sdfendor I reduced the frequency of this to basically zero by disabling a bunch of built in plugins for stuff I don’t use. Laravel and symphony and behat and like 10 other things. Haven’t had any hiccups since.

cabbey, 19 days ago

@alda I kinda want to know where the dozen or so folks that voted yes work, so I know where to avoid doing business.

cabbey, 19 days ago

@kevbob ugh. I have a list of things queued up to sell off cheap. Crap like that is part of why I keep adding to that list and not selling anything. :(

cabbey, 19 days ago

@kboyd it’s worth the watch. Even if it has somewhat moved from satire to documentary.