florinciu joined #xwiki at 00:04
florinciu left at 00:35 (Read error: Connection reset by peer)
abusenius left at 00:51 (Quit: Konversation terminated!)
lucaa left at 01:29 (Ping timeout: 258 seconds)
sdumitriu left at 03:17 (Ping timeout: 240 seconds)
mflorea joined #xwiki at 06:25
nuvolari left at 07:21 (Excess Flood)
nuvolari joined #xwiki at 07:22
nuvolari left at 07:24 (Changing host)
nuvolari joined #xwiki at 07:24
kibahop joined #xwiki at 08:00
vmassol joined #xwiki at 08:16
sburjan joined #xwiki at 08:26
plunden joined #xwiki at 08:30
vmassol left at 08:50 (Quit: Leaving.)
vmassol joined #xwiki at 08:53
vmassol1 joined #xwiki at 08:53
vmassol left at 08:58 (Ping timeout: 265 seconds)
vmassol joined #xwiki at 09:14
vmassol1 left at 09:14 (Read error: Connection reset by peer)
SvenDowideit left at 09:15 (Ping timeout: 264 seconds)
SvenDowideit joined #xwiki at 09:18
SvenDowideit_ joined #xwiki at 09:22
SvenDowideit left at 09:23 (Ping timeout: 258 seconds)
SvenDowideit_ is now known as SvenDowideit ([email protected]
Enygma` joined #xwiki at 09:26
silviar joined #xwiki at 09:27
lucaa joined #xwiki at 09:28
mflorea left at 09:33 (Quit: Leaving.)
arkub joined #xwiki at 09:33
evalica joined #xwiki at 09:43
florinciu joined #xwiki at 09:52
sburjan - (09:52): hello guys. Question.
sburjan - (09:53): when I try to import an Office Document, I get an error saying "This feature requires an active openoffice server which we could not locate, please contact your administrator to resolve this issue. "
sburjan - (09:54): Is this normal ?
vmassol - (09:54): hi sburjan
vmassol - (09:54): yes it's normal
sburjan - (09:54): okay
tmortagne joined #xwiki at 10:04
evalica1 joined #xwiki at 10:11
sdumitriu joined #xwiki at 10:12
Denis joined #xwiki at 10:13
evalica left at 10:13 (Ping timeout: 272 seconds)
KermitTheFragger joined #xwiki at 10:18
abusenius joined #xwiki at 10:23
jvdrean joined #xwiki at 10:30
CalebJamesDeLisl - (10:36): Good morning. It's too bad we can't flip the order of the 1.0 renderers because IMO 5272 is a blocker.
evalica1 is now known as evalica ([email protected]
mflorea joined #xwiki at 10:40
abusenius - (10:42): CalebJamesDeLisl: why do you think it is worse than 5223?
abusenius - (10:42): the result is the same :)
CalebJamesDeLisl - (10:42): In 5223 you are restricted, (no <>"&)
CalebJamesDeLisl - (10:43): Not a good excuse though. They are related, I'd like to fix them both at the same time.
abusenius - (10:44): well, unless you want to do arithmetic it's fine
abusenius - (10:44): " is not a problem
CalebJamesDeLisl - (10:44): These are both runious which is why I think it's worth it to break backward compatibility.
CalebJamesDeLisl - (10:44): *ruinous
abusenius - (10:45): I agree, those things should have never been allowed
CalebJamesDeLisl - (10:46): vmassol: What say you to adding a config param for breaking 1.0 renderer compatibility?
vmassol - (10:46): I don't understand why you want to touch the 1.0 rendering engine, it shouldn't be touched
vmassol - (10:46): it's read only basically
vmassol - (10:46): and only there for backward compat
vmassol - (10:46): so we shouldn't touch it as much as possible
vmassol - (10:47): it's deprecated if you prefer
CalebJamesDeLisl - (10:47): To plug a _big_ hole.
vmassol - (10:47): the rendering 1.0 *IS* a big hole by itself
vmassol - (10:47): this is why we wrote the 2.0 one
CalebJamesDeLisl - (10:47): Well, XSS is not good but this hole is really bad.
abusenius - (10:47): there is no difference whether some insecure code is deprecated or not, as long as it is accessible, it can be exploited
CalebJamesDeLisl - (10:48): see: 5272 and the list of documents.
vmassol - (10:48): well we do allow not making the 1.0 syntax avail
vmassol - (10:48): it's a config option
CalebJamesDeLisl - (10:49): Not sure that each of those has the hole but I can see that some do.
vmassol - (10:49): if you define a new config param you'll need to have it off by default so it won't help
abusenius - (10:49): this one should be on
CalebJamesDeLisl - (10:49): Why off by default? New installations won't need this.
vmassol - (10:49): then you break backward compat and you're going to hurt a lot of people
abusenius - (10:50): IMO there is no point in trying to make new code secure if there are still tons of old security holes kept for backward compatibility with old exploits
CalebJamesDeLisl - (10:50): Meaning upgrades?
vmassol - (10:50): hmm you're right, if people are caeful
vmassol - (10:50): they won't merge it
vmassol - (10:50): *careful
vmassol - (10:50): so it means off by default
CalebJamesDeLisl - (10:50): IMO people should merge it and only revert if there is a problem.
vmassol - (10:50): ie when it doesn't exist it's off
vmassol - (10:51): CalebJamesDeLisl: people won't know about it
CalebJamesDeLisl - (10:51): Also we are going to have to put out a bulletin for this IMO.
vmassol - (10:51): anyway needs to be discussed on the security list not here
abusenius - (10:51): true
CalebJamesDeLisl - (10:52): Well I'll send a proposal there.
sburjan left at 10:59 (Read error: Connection reset by peer)
sburjan_ joined #xwiki at 10:59
jvelo joined #xwiki at 11:20
CalebJamesDeLisl - (11:28): Anyone (vmassol?) have a problem with me applying Alex's "no nested scripts" patch? http://jira.xwiki.org/jira/browse/XWIKI-5223
vmassol - (11:29): I can have a quick look to see if I spot anything wrong
vmassol - (11:30): tmortagne will want to review it too I'm sure
vmassol - (11:30): I can already see some things that need to be fixed before applying it
vmassol - (11:30): like:
vmassol - (11:30): -.expect|event/1.0
vmassol - (11:30): +.# Skipped, since nested scripts are not allowed any more, but it is hard to match the error trace here
vmassol - (11:31): I don't like it FTM
vmassol - (11:31): wait I mis-read something
vmassol - (11:31): so I remove that last statement
vmassol - (11:31): ;)
vmassol - (11:31): still reading
vmassol - (11:32): thought alex had introduced the notion of script in abstractblock…. ;)
CalebJamesDeLisl - (11:32): But you have no problem with the basic idea that scripts shouldn't be nested?
vmassol - (11:32): ah yes he has
vmassol - (11:32):    currentBlock.setIsScript(true);
vmassol - (11:32): I don't like that part FTM (I'd need to understand it better)
vmassol - (11:33): CalebJamesDeLisl: I have no idea, haven't thought about it
vmassol - (11:33): I don't like that the checks are done internally as a general rule
vmassol - (11:33): I would have thought about some external rules
vmassol - (11:33): applied to an xdom
tmortagne - (11:33): i'm still not 100% sure about and and having script noting at AbstractBlock level is bad for sure
vmassol - (11:33): if someone wants nested scripts he won't be able not to run the filter
vmassol - (11:34): I'm -1 to apply it as is
vmassol - (11:34): (after a quick review)
vmassol - (11:34): it adds the notion of scripts in several places
vmassol - (11:34): which shouldn't be aware of that
CalebJamesDeLisl - (11:35): -1 to the concept of blocking script in script?
vmassol - (11:35): (MacroMarkerBlock for ex)
tmortagne - (11:35): i don't even understand why he needs that
vmassol - (11:36): CalebJamesDeLisl: no, -1 to hard code stuff and especially in places that shouldn't know about it
tmortagne - (11:36): also the patch contains lots of code unrelated to the nested script blocking thing
vmassol - (11:36): (we need to keep an extensible implementation)
abusenius - (11:37): the reason why I added isScript is that I didn't want to hardcode "groovy" "velocity" etc
tmortagne - (11:37): abusenius: you don't need that
abusenius - (11:37): how do I distinguish between script and not script?
tmortagne - (11:37): just get the macro component and check if it's a ScriptMacro
abusenius - (11:38): but it ist the script macro, its a macro block that was added after macro execution
abusenius - (11:38): s/ist/isnt/
vmassol - (11:39): could it be that you want generic markers?
tmortagne - (11:39): and ? you know the macro id and all macros have corresponding components
tmortagne - (11:39): just get the component based on it
vmassol - (11:39): (haven't really thought about your algo though)
abusenius - (11:40): vmassol, well I wanted to distinguish different macro types
abusenius - (11:40): but I need to look at the way tmortagne is suggesting
vmassol - (11:40): ok
tmortagne - (11:40): for now there is only an abstract for script macro i think but we can introduce an interface to be cleaner
tmortagne - (11:41): i need to open Eclipse but that's the second time it crashes...
abusenius - (11:42): vmassol: re skipped tests, I could find an easy way to match arbitrary error trace in unit test, I wrote functional tests instead
abusenius - (11:42): (for those 2)
vmassol - (11:43): abusenius: what I meant is that skipping tests is not a solution
vmassol - (11:43): either the tests are removed for some reason or they are executed
vmassol - (11:43): skipping is like commenting out code
abusenius - (11:44): well, it was meant as a temporary measure
vmassol - (11:44): sure
vmassol - (11:44): but I was responding to caleb
vmassol - (11:45): that it needs to be fixed before applying the patch
tmortagne - (11:45): abusenius: checked, there is only AbstractScriptMacro but you can introduce a ScriptMacro interface (it was not needed before and check the type based on an abstract is not nice) in the same package (it's a public package)
CalebJamesDeLisl - (11:45): Hmm how about ScriptMacroMarkerBlock extends MacroMarkerBlock then just check what type of class it is?
tmortagne - (11:46): CalebJamesDeLisl: the MacroBlock is generated by the generic macro transformation
tmortagne - (11:46): it does not know anything about scripts
tmortagne - (11:46): s/MacroBlock/MacroMarkerBlock/
CalebJamesDeLisl - (11:46): Ok. I'm not very well versed in the renderer.
abusenius - (11:50): tmortagne: ok, I'll update the patch accordingly
Enygma`1 joined #xwiki at 11:53
mflorea1 joined #xwiki at 11:53
tmortagne - (11:54): abusenius, CalebJamesDeLisl: btw after some thought i'm ok with this blocking nested script things in these use case since if you really need that for a valid use case you can use other ways like special macro or programmatically which are less easy but it's maybe better to let only users that know what they do support this
evalica1 joined #xwiki at 11:54
florinciu1 joined #xwiki at 11:54
lucaa1 joined #xwiki at 11:55
silviar1 joined #xwiki at 11:55
silviar1 left #xwiki at 11:55
lucaa left at 11:56 (Ping timeout: 240 seconds)
silviar left at 11:56 (Ping timeout: 240 seconds)
Enygma` left at 11:56 (Ping timeout: 240 seconds)
mflorea left at 11:56 (Ping timeout: 264 seconds)
florinciu left at 11:56 (Ping timeout: 252 seconds)
evalica left at 11:56 (Ping timeout: 265 seconds)
vmassol - (11:57): tmortagne: you mean putting the check by default in AbstractScript instead of doing it in a filter (in a Tx for ex)?
sburjan_ left at 11:57 (Ping timeout: 240 seconds)
vmassol - (11:57): why couldn't it be done in a Tx btw?
mflorea joined #xwiki at 11:57
vmassol - (11:57): (it was meant for this kind of use cases)
CalebJamesDeLisl - (11:58): Tx? Transformation?
evalica joined #xwiki at 11:58
vmassol - (11:58): yes
CalebJamesDeLisl - (11:58): I asked the same, it's because you can hide a macro inside of an html macro.
Enygma`1 left at 11:58 (Ping timeout: 276 seconds)
CalebJamesDeLisl - (11:59): {{velocity}} {{html wiki=true}} {{velocity}} ....
lucaa1 left at 11:59 (Ping timeout: 240 seconds)
CalebJamesDeLisl - (11:59): {{html}} is a black box as I understand it.
florinciu1 left at 11:59 (Ping timeout: 276 seconds)
vmassol - (11:59): yes macro content is a black box right now
vmassol - (11:59): but
evalica1 left at 12:00 (Ping timeout: 264 seconds)
vmassol - (12:00): hmm thinking...
mflorea1 left at 12:00 (Ping timeout: 252 seconds)
CalebJamesDeLisl - (12:00): Maybe evaluate all inner content recursively and blow up if it finds another script macro?
CalebJamesDeLisl - (12:00): Sure would be easier.
vmassol - (12:01): I need to understand what you're doing first. When you say forbidding scripts inside scripts, wdym?
vmassol - (12:01): {{velocity}}{{groovy}}…{{/groovy}}{{/velocity}} is valid for ex
vmassol - (12:01): or do you mean <script> as in HTML?
CalebJamesDeLisl - (12:01): No I mean {{velocity}}{{groovy}} ...
vmassol - (12:02): hmm that solves use cases. What is wrong with it?
CalebJamesDeLisl - (12:02): http://jira.xwiki.org/jira/browse/XWIKI-5223
abusenius - (12:03): the problem is that the content of {{groovy}} is generated using velocity
vmassol - (12:03): yes that's the point :)
CalebJamesDeLisl - (12:03): Are there use cases where that's the only answer?
abusenius - (12:03): well, you can actually generate the {{groovy}} tags
tmortagne - (12:04): vmassol: (11:37:57 AM) <moi>: just get the macro component and check if it's a ScriptMacro
abusenius - (12:04): so as soon as you have any kind of injection
abusenius - (12:04): you're dead
abusenius - (12:05): a better solution IMO is to first parse xwiki completely and then evaluate scripts
CalebJamesDeLisl - (12:05): It's a particular pain because our current best practices don't address this vector.
vmassol - (12:05): I don't like it
vmassol - (12:05): as a general rule
abusenius - (12:05): so that we know which macros were there and which were injected
vmassol - (12:05): maybe for nested scripts inside velocity but generally I'm not sure
vmassol - (12:05): (even for velocity I'm not sure)
abusenius - (12:06): I don't see any reason why people should be able to generate scripts with other scripts
abusenius - (12:06): if there are strange use cases - too bad
vmassol - (12:06): that's called scripting languages
vmassol - (12:06): :)
vmassol - (12:06): there are lots of use cases for that
CalebJamesDeLisl - (12:06): Such as?
vmassol - (12:07): any use case where you want to generate another script
CalebJamesDeLisl - (12:07): :D Example?
abusenius - (12:07): you shouldn't want it :)
vmassol - (12:07): for example in the class wizard
tmortagne - (12:07): vmassol: actually that's not really scripting thing, in script you generally call some eval method to do that, you don't print the script to execute later
abusenius - (12:08): you can workaround it, make a script that take parameters
vmassol - (12:08): I need to read the jira issue to understand the need. So far I've only been commenting from the POV of the use cases
vmassol - (12:09): it's a lot to read
CalebJamesDeLisl - (12:09): 5223 is what started it.
tmortagne - (12:09): i think the main point is that abusenius and CalebJamesDeLisl think it's too difficult to properly protect a script when it's manipulating user datas
vmassol - (12:09): since you're several to understand the problem it seems I'll let you handle it (I need to finish coding something first). I just want to make sure we hardcode the minimum in the rendering
sburjan_ joined #xwiki at 12:10
CalebJamesDeLisl - (12:10): Hmm, I have some stuff which will break. I will need to fix it but I think that for the best.
vmassol - (12:10): (hardcoding logic that is)
tmortagne - (12:10): (which would make user able to inject a new script in its datas)
vmassol - (12:10): tmortagne: yes I gathered that
tmortagne - (12:10): i don't think there is much more
vmassol - (12:10): but it shouldn't be done at the detriment of valid use cases so we need to be sure there are no valid use cases
vmassol - (12:10): because if you listen to security guys
vmassol - (12:11): they'll tell you you shouldn't put any script in pages
vmassol - (12:11): because it's a security hole
vmassol - (12:11): :)
vmassol - (12:11): so you end up with a tool that is worthless
vmassol - (12:11): ;)
abusenius - (12:11): well, they are right :)
tmortagne - (12:11): vmassol: i already say it was kind of ok for me because there is ways to support it
tmortagne - (12:11): but when you use these ways you know what you do basically
tmortagne - (12:12): so you don't permit user to inject script by mistake
vmassol - (12:12): I remember I used that strategy in 1.0
vmassol - (12:12): when I had to dynamically generate the XML for a mindmap
vmassol - (12:12): it was very handy
vmassol - (12:12): if I had to do it programmatically I wouldn't have done it
CalebJamesDeLisl - (12:13): vmassol: I believe in principled security systems where there are lots features and functions while some are blocked (such as pointers in java)
CalebJamesDeLisl - (12:13): No features == no security because nobody uses it.
vmassol - (12:13): note to all: I'm not against it
vmassol - (12:13): just saying we have to be careful and not hardcode it if we can
vmassol - (12:13): not hardcode = follow generic rendering architecture
CalebJamesDeLisl - (12:14): Maybe another "safe or dead" config param?
vmassol - (12:14): right now that's: parser, tx, renderer. If we need something more we need to add it
vmassol - (12:14): no param please :)
vmassol - (12:14): I'm talking java api here anyway
tmortagne - (12:14): vmassol: with the solution I gave to abusenius the only code added is in AbstractScriptMacro
abusenius - (12:15): why are you against parsing xwiki macros first?
vmassol - (12:15): me?
tmortagne - (12:15): abusenius: WDYM ?
abusenius - (12:15): well, everyone, nobody seems to like the idea
abusenius - (12:15): parse xwiki - parse scripts - execute scripts
CalebJamesDeLisl - (12:16): Scripts which generate xwiki2 content?
abusenius - (12:16): so we first build a tree of xwiki macros (I know the generic parser now does it differently)
tmortagne - (12:16): abusenius:  what is the difference with now ?
vmassol - (12:16): maybe some notion of ProxyBlock
vmassol - (12:16): that a TX would add around MacroBlock when they are scripts
vmassol - (12:16): so that ProxyBlock would do some checks
tmortagne - (12:16): abusenius: finding nested macros is impossible
abusenius - (12:17): tmortagne, now each macro is first evaluated, then parsed again
abusenius - (12:17): why?
vmassol - (12:17): (at execution)
tmortagne - (12:17): abusenius: what ?
vmassol - (12:17): I like that actually
vmassol - (12:17): wdyt?
tmortagne - (12:17): only script macros are parsed
abusenius - (12:17): tmortagne: why impossible?
tmortagne - (12:17): because they produce wiki syntax
tmortagne - (12:17): so this is perfectly normal
tmortagne - (12:18): you can't parse something that does not already exist...
abusenius - (12:18): well, if the parser can't find it, it should not be allowed
CalebJamesDeLisl - (12:18): I think what abusenius is suggesting is see a macro, parse and render recursively until there are no macros left.
tmortagne - (12:18): abusenius: it's impossible because you can't support every possible syntaxes in the parser
abusenius - (12:18): normal use cases like nested groovy in velocity will be easy
abusenius - (12:18): and you shouldn't
tmortagne - (12:18): {{velocity}}
tmortagne - (12:18): {{include/}}
tmortagne - (12:18): {{/velocity}}
tmortagne - (12:18): is not some velocity with a macro inside
vmassol - (12:18): (the idea would be similar to the secure uberspector done in velocity but with a TX for script macros)
tmortagne - (12:19): it's a velocity content
tmortagne - (12:19): and only that
abusenius - (12:19): it is not as nice as it is done now, where macros are completely independent extensions, but is much safer
tmortagne - (12:19): it just happens that in the end this script macro produces a xwiki/2.0 content containing some macro in it
abusenius - (12:20): IMO exactly this "feature" is very very bad
CalebJamesDeLisl - (12:20): {{velocity}}{{include/}} Ut oh. The current patch will break these.
abusenius - (12:20): CalebJamesDeLisl: no
CalebJamesDeLisl - (12:20): Include resets it?
abusenius - (12:21): yes, but it doesn't fix the problem with includes
tmortagne - (12:21): CalebJamesDeLisl: indeed that will not work
CalebJamesDeLisl - (12:21): problem with includes?
tmortagne - (12:21): so this is one use case
abusenius - (12:21): include vs. pr
tmortagne - (12:22): unless you specifically test for include in AbstractScriptMacro
vmassol - (12:22): TX: macroblock("velocity") —> macroblock("proxyscript", param: language="velocity")
tmortagne - (12:22): which make include macro pretty hardcoded
abusenius - (12:22): that's another reason why I wanted to distinguish macro types...
abusenius - (12:23): smth like: nestable - not nestable - reset nesting
tmortagne left at 12:23 (Quit: Leaving.)
CalebJamesDeLisl - (12:24): he didn't like that idea ^^
vmassol - (12:24): :)
CalebJamesDeLisl - (12:25): Ok, an alternative for the moment would be to make escapetool.xml escape {
CalebJamesDeLisl - (12:26): Since it looks like we're going to have to add the concept of "can nest", "cannot nest" and "reset nesting".
abusenius - (12:28): btw the problem with {{include }} will remain in both cases
vmassol - (12:29): lunch time
arkub left at 12:34 (Ping timeout: 258 seconds)
CalebJamesDeLisl - (12:56): "// included documents intercept the chain of nested script macros with XWiki syntax"  K.
CalebJamesDeLisl - (12:57): Really ought to be more generic though.
tmortagne joined #xwiki at 13:01
xwikibot joined #xwiki at 13:52
mariusbutuc joined #xwiki at 13:59
mariusbutuc left #xwiki at 13:59
silviar joined #xwiki at 14:06
CalebJamesDeLisl - (14:07): abusenius: Are you working on the nested macro patch?
abusenius - (14:10): yes
abusenius - (14:11): (was away for a lunch though)
CalebJamesDeLisl - (14:11): Ok. Ping me when you have some changes. I'll look at having a patch for the 1.0 renderer.
abusenius - (14:12): ok
vmassol - (14:23): hehe
vmassol - (14:23): at last we're identified as a rendering engine:
vmassol - (14:23): http://kvoges.wordpress.com/2010/06/14/which-java-wiki-engine-should-one-use-within-an-opensource-application-xwiki-vs-wikitext-mylyn/
vmassol - (14:23): :)
lucaa joined #xwiki at 14:38
jvelo - (14:38): cool
CalebJamesDeLisl - (14:42): :) That's really our strong point.
CalebJamesDeLisl - (14:43): One day (when I'm old and gray) I'll write a BBcode parser. That would be cool.
lucaa left at 14:43 (Quit: Leaving.)
lucaa joined #xwiki at 14:43
jvelo left at 14:59 (Read error: Connection reset by peer)
sburjan_ left at 15:00 (Ping timeout: 240 seconds)
jvelo joined #xwiki at 15:03
abusenius - (15:07): now it exceeds max fan-out complexity -_-
lucaa - (15:08): hi guys
lucaa - (15:08): where is xwiki initializing the plugins?
lucaa - (15:09): the ones configured in xwiki.cfg
vmassol - (15:09): XWiki.java
vmassol - (15:09): (I think)
vmassol - (15:09): checking
lucaa - (15:10): xwiki.java has 5000 lines of code :)
vmassol - (15:10): preparePlugins
vmassol - (15:10): in XWiki.java
vmassol - (15:10): line 1127
lucaa - (15:11): ok. thanks
florinciu joined #xwiki at 15:13
vmassol - (15:21): tmortagne and all: wdy about removing all our remote repo definitions in our pom.xml and instead configuring our nexus instance to proxy them? It would have several benefits but one of them is speed and caching
vmassol - (15:22): (for ex right now the jboss remote repo isn't answering so it's a pain to wait for the timeout)
jvelo - (15:22): +1
vmassol - (15:23): the definition of remote repos shouldn't be in the pom.xml as a best practice
vmassol - (15:23): ok I'll try to configure this
tmortagne - (15:23): sounds good (when you don't have nexus you don't have much choice ;))
vmassol - (15:23): I've noticed the pb while in Algeria where the internet connection wasn't good
vmassol - (15:23): tmortagne: you edit your settings.xml
tmortagne - (15:24): then it's a pain for users
tmortagne - (15:24): to build
vmassol - (15:24): well they need to do that nayway
vmassol - (15:24): anyway
vmassol - (15:24): to add the xwiki remote repo
vmassol - (15:24): and it's the maven way
tmortagne - (15:24): yep but these repo are used by every single maven module of Xwiki
vmassol - (15:24): did you know that projects that have repos defined in pom.xml are not allowed to be put in the central repo
vmassol - (15:24): ?
tmortagne - (15:25): vmassol: makes sense since they are supposed to have all their dependencies in the central repo
tmortagne - (15:25): but when we depend on something that is not on central repo anyway even if we don't put the repo in the pom it's not valid either
abusenius - (15:32): hmm, I need to split AbstractScriptMacro because max class fan-out check fails, is it ok to extract a AbstractNotNestableMacro superclass?
abusenius - (15:32): tmortagne?
tmortagne - (15:33): abusenius: you mean extends a AbstractNotNestableMacro in AbstractScriptMacro ?
abusenius - (15:33): yes
abusenius - (15:34): and AbstractNotNestableMacro extends AbstractMacro
tmortagne - (15:34): how AbstractNotNestableMacro knows what parent macro it's supposed to filter ?
tmortagne - (15:34): could be useful to have AbstractNotNestableMacro for other use case if it's clean and does not contain anything about script
tmortagne - (15:34): so yes that would make sense
abusenius - (15:35): it would just have the method to check for nested macros
abusenius - (15:35): use MacroManager to get the macro by id
tmortagne - (15:35): now maybe you need a component instead of an abstract
tmortagne - (15:36): if it's only tool methods in it
abusenius - (15:36): hm
abusenius - (15:36): well, this would also work I guess
mariusbutuc joined #xwiki at 15:46
sburjan joined #xwiki at 16:14
plunden left #xwiki at 16:39
florinciu left at 16:45 (Quit: Leaving.)
abusenius - (16:53): tmortagne, why a component and not just an internal util class? it's not very useful elsewhere
evalica left at 16:54 (Quit: Leaving.)
tmortagne - (16:55): abusenius: you choose :)
abusenius - (16:59): I choose to keep it simple :)
abusenius - (17:01): added updated patch to XWIKI-5223
abusenius - (17:02): CalebJamesDeLisl: ping
CalebJamesDeLisl - (17:02): Ok, looking...
CalebJamesDeLisl - (17:06): Maybe we should have a "public" issue for this, a comment containing 5223 won't help lay code readers.
CalebJamesDeLisl - (17:07): Is this code tested?
abusenius - (17:08): probably, afair Sergiu was talking about adding a public version of issues some time ago
abusenius - (17:08): yes
abusenius - (17:08): there are even tests :)
CalebJamesDeLisl - (17:09): AFAIK @Requirement doesn't work when the class is instantiated with "new"
abusenius - (17:10): where does this happen?
CalebJamesDeLisl - (17:11): MacroUtils
CalebJamesDeLisl - (17:11): private ScriptMacroUtils scriptUtils = new ScriptMacroUtils();
abusenius - (17:11): (rerunning tests)
tmortagne - (17:11): yep no way @Requirement would work if not initialized by component manager
abusenius - (17:12): strange, it worked somehow last time I checked
abusenius - (17:12): maybe I again forgot to build something
CalebJamesDeLisl - (17:15): XWIKI-5275
CalebJamesDeLisl - (17:17): I like that design much better.
CalebJamesDeLisl - (17:18): :D
CalebJamesDeLisl - (17:19): Do you have an old computer kicking around?
abusenius - (17:19): and huge RAM disk please
abusenius - (17:19): no, it's a core 2 duo actually
CalebJamesDeLisl - (17:20): Was going to say if you have an old computer which isn't doing anything you can set up a network, ssh in to it and compile there.
abusenius - (17:21): well, this wouldn't be much faster
abusenius - (17:21): actually even slower
CalebJamesDeLisl - (17:21): Did you do the test trick?
abusenius - (17:22): still recompiling
CalebJamesDeLisl - (17:23): In xwiki-core/pom.xml:
CalebJamesDeLisl - (17:23): -          <forkMode>pertest</forkMode>
CalebJamesDeLisl - (17:23): +          <argLine>-Xmx1024m</argLine>
CalebJamesDeLisl - (17:23): That speeds it up a couple of minutes.
abusenius - (17:25): my slow disk might be the cause (laptop)
CalebJamesDeLisl - (17:25): Disk shouldn't be any slower than others, is it solid state?
abusenius - (17:26): no
abusenius - (17:26): hm, ok NP exception
abusenius - (17:26): well it's 5400
CalebJamesDeLisl - (17:27): All my disks are 5400 but they're big.
mariusbutuc left #xwiki at 17:27
CalebJamesDeLisl - (17:28): You could instantiate ScriptMacroUtils with the dependency.
tmortagne - (17:28): or make it an internal component
tmortagne - (17:28): (O:-))
CalebJamesDeLisl - (17:29): There's a concept of internal components without public api?
tmortagne - (17:29): yep, just put the api in internal :)
tmortagne - (17:29): or you can also have no api i think
tmortagne - (17:30): have the ^component and ^componentRole in the same place
tmortagne - (17:30): that should work
CalebJamesDeLisl - (17:30): That sounds like the best solution for this.
tmortagne - (17:30): i don't think @componentRole has to be an interface
abusenius - (17:34): trying...
silviar left at 17:35 (Read error: Connection reset by peer)
vmassol - (17:36): tmortagne: hmm I can't find  org.jboss.cache:jbosscache-core:jar:3.2.4.GA in remote repos. It's supposed to be in the jboss one I guess but I can't find it there. Any idea? http://repository.jboss.org/maven2/org/jboss/
tmortagne - (17:36): vmassol: yep it's supposed to be in jboss repository i think
tmortagne - (17:36): checking
vmassol - (17:36): http://repository.jboss.org/maven2/org/jboss/cache/jbosscache-core/
vmassol - (17:37): there are other versions but not this one
tmortagne - (17:41): vmassol: https://repository.jboss.org/nexus/content/groups/public/org/jboss/cache/jbosscache-core/3.2.4.GA/
tmortagne - (17:41): looks like that's not the same repos after all
jvelo - (17:41): tmortagne, can you check your m2 repos size ?
vmassol - (17:41): tmortagne: indeed
jvelo - (17:41): (so we get an idea what we would need for nexus)
tmortagne - (17:42): https://repository.jboss.org/nexus/content/groups/public/ is the one documented on jbosscache website
tmortagne - (17:42): made me find there is a 3.2.5 :)
vmassol - (17:42): I switched nexus to this one but it's still not working maybe it needs some time
vmassol - (17:42): yes saw that too
vmassol - (17:42): :)
tmortagne - (17:43): it's working well for me
tmortagne - (17:43): or i don't understand what you mean by it's not working
vmassol - (17:43): you're using the nexus as your remote repo?
vmassol - (17:43): xwiki nexus
vmassol - (17:43): arf
tmortagne - (17:43): in the xwiki cache pom.xml yes
vmassol - (17:43): my bad, I put a wrong url
tmortagne - (17:44): i'm using what JBoss cache tell me to use actually
vmassol - (17:44): ok we're not talking about the same thing
vmassol - (17:44): son't worry
vmassol - (17:44): s/son't/don't/
abusenius - (17:55): mixing Component and ComponentRole doesn't seem to work
abusenius - (18:05): ok, should work now ^^
CalebJamesDeLisl - (18:12): Looks good from here. Lunch time though.
vmassol - (18:13): sburjan: for copy you need to add a warning explaining that it currently requires PR
vmassol - (18:13): and link to the jira issue
sburjan - (18:13): PR ?
sburjan - (18:14): rights ?
vmassol - (18:14): http://jira.xwiki.org/jira/browse/XSCOLIBRI-209 and http://jira.xwiki.org/jira/browse/XWIKI-5081
vmassol - (18:14): PR = programming rights
sburjan - (18:14): okay.. I'll mention that
vmassol - (18:15): re Print it's in the Action menu for colibri
sburjan - (18:15): I don't know exactly how or what PR is
sburjan - (18:15): just give me 5 minutes
sburjan - (18:15): I still have 5 more images to upload
vmassol - (18:15): IMO you should split Print section into 2: Print + Exports
vmassol - (18:15): ok
vmassol - (18:15): np
sburjan - (18:15): and then .. I'll tell when to take a look
vmassol - (18:15): I'll read later
vmassol - (18:15): :)
vmassol - (18:16): thanks
sburjan - (18:16): okay.. so Print for Toucan and Export for Colibri ?
vmassol - (18:16): for export yes
sburjan - (18:16): okay
vmassol - (18:16): for print no
sburjan - (18:16): stored
jvelo - (18:16): Hi CalebJamesDeLisl
mflorea left at 18:17 (Quit: Leaving.)
jvelo - (18:18): ping me when you are back, I'd like to discuss couple of things re the invitation app
tmortagne - (18:18): vmassol: you have a non passing test, see http://hudson.xwiki.org/job/xwiki-platform-core/org.xwiki.platform$xwiki-core-velocity/6115/testReport/org.xwiki.velocity.internal.jmx/JMXVelocityEngineTest/testGetTemplates/
vmassol - (18:18): checking thanks
vmassol - (18:19): initially I thought it was because the mgmt module wasn't built
vmassol - (18:19): but it seems it's not for that reason
tmortagne left at 18:25 (Quit: Leaving.
sburjan - (18:33): vmassol : done with images
sburjan - (18:33): now moving to content
vmassol - (18:34): sburjan: "Simply click on the link to resolve the error.". It's not really an error. It's a wanted link
sburjan - (18:35): "Simply click on the link to add one:
sburjan - (18:35): "Simply click on the link to add one"
vmassol - (18:35): to create the page
sburjan - (18:35): "Simply click on the link to create the non-existing page"
vmassol - (18:36): "Simply click on the link to create the page."
vmassol - (18:36): I'll let you do the text
vmassol - (18:36): and I can review after
vmassol - (18:36): thanks
sburjan - (18:39): I didn't understand pretty well
sburjan - (18:39): when you said about splitting PRINT and EXPORT
vmassol - (18:39): they are 2 different features
vmassol - (18:39): right?
sburjan - (18:39): in Colibri it's called Export, in Toucan it's called Print
sburjan - (18:39): nop
sburjan - (18:39): same action
vmassol - (18:39): no
vmassol - (18:40): think from a user point of view
vmassol - (18:40): printing is different from exporting
sburjan - (18:40): well they both export
sburjan - (18:40): even if in toucan it's written Print
vmassol - (18:40): grrrr
vmassol - (18:40): toucan was wrong
vmassol - (18:40): that's why it was fixed in colibri
vmassol - (18:40): :)
sburjan - (18:40): so what can I do :)
sburjan - (18:41): do you want to change the text in Toucan from Print to Export ?
vmassol - (18:41): for printing:
vmassol - (18:41): let me start again
vmassol - (18:41): we need 2 sections
vmassol - (18:41): one for printing
vmassol - (18:41): one for exporting
vmassol - (18:41): same as we have sections for editing, renaming, etc
vmassol - (18:41): in the printing section you explain how to print using both skins
vmassol - (18:42): in the exporting section you explain how to export using both skins
sburjan - (18:42): you're referring more exactly to the Prin Preview Feature from both skins ?
sburjan - (18:42): *Print
vmassol - (18:42): I'm referring to printing and exporting
vmassol - (18:43): for the printing part, yes I'm referring to print preview
sburjan - (18:43): okay, I see
sburjan - (18:43): in Toucan Export and Print are under the same menu, under Colibri they are not. and I will make 2 categories, describing for both skins
vmassol - (18:43): in toucan for the print feature, there are 2 actions:
vmassol - (18:43): - print
vmassol - (18:43): - print preview
vmassol - (18:43): in colibri for the print feature, there's one action
vmassol - (18:43): - print preview
vmassol - (18:44): I'm not sure why we removed the print action in colibri, you'd need to ask sdumitriu
sburjan - (18:45): I will
sdumitriu - (18:45): Print as in print to a real printer?
vmassol - (18:45): yes, as in opens the print dialog box of the browser
sburjan - (18:45): I can't find normal print in toucan
sburjan - (18:45): only Print Preview
sburjan - (18:45): same as in Colibri
vmassol - (18:46): sburjan: http://platform.xwiki.org/xwiki/bin/download/Features/DocumentLifecycle/PrintToucan.PNG
vmassol - (18:46): ? Print: Calls your browser's Print feature to print the current page
vmassol - (18:46): ? Print Preview: Generates a page which is formatted so that it can be easily printed using your browser's Print feature.
sburjan - (18:46): that's Print Preview
vmassol - (18:46): there are 2 links
vmassol - (18:46): check the image
sburjan - (18:46): but NOT user friendly to have to click on the parent button to print and on the child (Print Preview) button to preview
jvdrean left at 18:47 (Quit: Leaving.
sburjan - (18:47): it's not intuitive
sburjan - (18:47): IMO
vmassol - (18:47): you've lost me
sburjan - (18:47): on the link you gave me
sburjan - (18:48): you have next options: Print Preview, Export as PDF, Export as RTF, Export as HTML, Export as XAR
sburjan - (18:48): true ?
sburjan - (18:49): and in order to actually PRINT the page, you have to click the PRINT button (the category button), aka the Father button of the menu
vmassol - (18:49): no
vmassol - (18:49): I see "Print", "Print preview", etc
sburjan - (18:49): I don't see Print
KermitTheFragger left at 18:50 (Quit: Leaving
CalebJamesDeLisl - (18:50): jvelo: Back
sburjan - (18:50): I see Print .. and that is a drop-down menu. If I click on that, the Print Windows appears
sburjan - (18:51): it's not too suggestive to have them separated (one being parent, and preview as child)
vmassol - (18:51): wait
sburjan - (18:51): do you understand what am I saying ?
vmassol - (18:51): I'm talking about sub menu items
sburjan - (18:51): I don't have a mic.. if I had I would have skyped you
vmassol - (18:51): not the top level menu itself
sburjan - (18:51): yes.. i have NO Print submenu, ONLY Print Preview
vmassol - (18:52): there are 6 sub menu items
vmassol - (18:52): http://platform.xwiki.org/xwiki/bin/download/Features/DocumentLifecycle/PrintToucan.PNG
sburjan - (18:52): I have only 5
sburjan - (18:52): Yes .. only 5
vmassol - (18:52): we need someone else to look at that image :)
sburjan - (18:52): wait
sburjan - (18:53): I'll create a JPEG screenshot of what I see
jvelo - (18:53): CalebJamesDeLisl, cool. I've downloaded latest snapshot of XE to test the invitation app
jvelo - (18:54): my first remark is that the i18n resources appear missing
vmassol - (18:54): sburjan: I've tested in real and the latest toucan doesn't have the print menu item as shown on the image
CalebJamesDeLisl - (18:54): jvelo: They are in a document bundle.
jvelo - (18:55): ok. it means we need to add them automatically in XWiki.Preferences, or move them to xwiki-core resources.properties
CalebJamesDeLisl - (18:55): But now that you mention it, development seems to have slowed down enough that I can put them into the hard coded .properties file
jvelo - (18:55): yep
vmassol - (18:55): sburjan: so the toucan image is not up to date anyway
vmassol - (18:56): but in any case in toucan there are print actions: printing for real and print preview
vmassol - (18:56): while in colibri there's only one
jvelo - (18:56): besides that, I find it odd that nowhere in the Invitation.WebHome UI you explain what the application is about
CalebJamesDeLisl - (18:56): You can get them by putting Invitation.InvitationDocumentBundle into XWikiPreferences
sburjan - (18:57): vmassol : the picture you are seeing, It's created using LATEST snapshot from today ... 20 minutes ago
jvelo - (18:57): like a 1-line on top of the form that says "Use this to invite your friends or coworkers to use this wiki, etc etc."
abusenius left at 18:57 (Ping timeout: 252 seconds
sburjan - (18:57): XWiki Enterprise 2.4-SNAPSHOT.29458
vmassol - (18:57): sburjan: then it's a cache issue
CalebJamesDeLisl - (18:57): Ok, that makes sense. Maybe we should put it to a UI specialist.
vmassol - (18:57): yes it is
vmassol - (18:58): seems like you replaced the old image with a new one
sburjan - (18:58): yes.. the new one is taken using the latest version
jvelo - (18:58): BTW how does it work when guest is not allowed to register ?
sburjan - (18:58): i cleared the cache of my browser, and It looks the same as before
jvelo - (18:58): you can still invite people ?
jvelo - (18:59): can you "deactivate" the UI?
CalebJamesDeLisl - (18:59): jvelo: Yup, there's a test to prove it :)
CalebJamesDeLisl - (18:59): deactivate?
jvelo - (18:59): who can send invitations?
jvelo - (18:59): all users or only admins?
CalebJamesDeLisl - (19:00): Anyone who had view access on Invitation.WebHome (registered users)
jvelo - (19:00): ok
jvelo - (19:00): maybe it could be an Admin feature as a default setting (I don't know -  just asking)
jvelo - (19:01): why are the SMTP settings duplicated from the general one BTW?
sburjan - (19:01): vmassol : i'll talk to sdumitriu when he will be around
CalebJamesDeLisl - (19:02): jvelo: Because 1. you might want to send through a different server, different username, etc. 2. xpmail7
jvelo - (19:03): ok. maybe we could provide a link from one to another, so that pple know there's more
vmassol - (19:03): CalebJamesDeLisl: so if the setting is not set it uses the default ones?
CalebJamesDeLisl - (19:03): Correct. I need to document this better.
jvelo - (19:04): CalebJamesDeLisl, I have a display issue on FF / ubuntu in the Invitation section of the Administration section
jvelo - (19:05): I'm uploading a screenshot
CalebJamesDeLisl - (19:05): What is it?
jvelo - (19:05): labels are not aligned with their inputs, at some point in the form
sburjan - (19:05): I'm going out .. see ya tomorrow. vmassol .. don't be angry, we'll clarify the situation tomorrow
vmassol - (19:06): np
CalebJamesDeLisl - (19:06): Ok, I have been working on the alignment issue. It's an administration app issue.
jvelo - (19:06): CalebJamesDeLisl, last thing for now:) It could be nice to intercept the clicks on links on the preview email
jvelo - (19:07): (in JS)
jvelo - (19:07): right now when you click the accept link, you land on an error page
jvelo - (19:07): ok, cool
jvelo - (19:07): no need for my screenshot then
CalebJamesDeLisl - (19:07): Ahh, I will pretty up a lot of things when I start js.
CalebJamesDeLisl - (19:07): For now it works in IE! (because it has no js) ;)
CalebJamesDeLisl - (19:08): jvelo: Feel free to report issues on the XAINVITATION project.
jvelo - (19:08): hehe
jvelo - (19:09): OK.
CalebJamesDeLisl - (19:11): Anyone have any comments on this: http://jira.xwiki.org/jira/secure/attachment/17394/XWIKI-5223-forbid-nested-scripts-fix-updated-working.patch
jvelo - (19:17): got to go for now. bbl
CalebJamesDeLisl - (19:17): see ya.
vmassol1 joined #xwiki at 19:18
lucaa left at 19:19 (Ping timeout: 265 seconds
vmassol left at 19:20 (Ping timeout: 240 seconds
abusenius joined #xwiki at 19:21
sburjan left at 19:24 (Ping timeout: 248 seconds
CalebJamesDeLisl - (19:27): I have a piece which allows us to set the order of the 1.0 renderers.
CalebJamesDeLisl - (19:27): xwiki.render.renderingorder=macromapping, groovy, velocity, plugin, wiki, wikiwiki
CalebJamesDeLisl - (19:27): Like that in the .cfg file.
jvelo left at 19:29 (Ping timeout: 276 seconds
arkub left at 19:48 (Ping timeout: 258 seconds
abusenius - (20:54): CalebJamesDeLisl: have tried to look whether this patch breaks something in the default installation of XE?
CalebJamesDeLisl - (20:54): Have I?
abusenius - (20:55): yes :)
CalebJamesDeLisl - (20:55): The syntax 1 patch?
abusenius - (20:55): yes
CalebJamesDeLisl - (20:55): I haven't but I don't think it will.
CalebJamesDeLisl - (20:55): The list of docs in syntax1 is pretty small and that's a very odd use case.
CalebJamesDeLisl - (20:58): There is a code snippet which it will break but whoever wrote that was an idiot http://code.xwiki.org/xwiki/bin/view/Snippets/ReplaceWordsWithLinksSnippet
abusenius - (21:00): only applications/workstream/src/main/resources/Workstream/Service.xml seems to contain <%
CalebJamesDeLisl - (21:00): hey good thinking.
abusenius - (21:00): grep rules :)
CalebJamesDeLisl - (21:02): find -exec grep.
abusenius - (21:02): is there any other way to use groovy in syntax 1?
CalebJamesDeLisl - (21:02): Nope. that was a good idea making the groovy char an xml entity.
CalebJamesDeLisl - (21:02): find ./wiki/ -name '*.xml' -exec grep '&lt;%' {} \; -print
abusenius - (21:02): nope, fgrep '&lt;%' ((*~target)/)#*
abusenius - (21:02): zsh rules too
CalebJamesDeLisl - (21:03): in enterprise, the only thing that shows up is XWikiSyntax which is syntax2
CalebJamesDeLisl - (21:04): Hah, same for manager. Looks like where good.
CalebJamesDeLisl - (21:04): *we're
CalebJamesDeLisl - (21:05): What's better about zsh than bash?
abusenius - (21:07): everything :)
abusenius - (21:07): it has e.g. interactive mode
abusenius - (21:07): for completion
CalebJamesDeLisl - (21:08): like hitting tab?
abusenius - (21:08): so if you type say /<TAB> you don't just see what directories are there, you can go through them with arrows or tab
abusenius - (21:08): yes
abusenius - (21:09): same for command line arguments etc.
abusenius - (21:09): kill -9 firefo<TAB>
abusenius - (21:09): transforms firefox into its pid
CalebJamesDeLisl - (21:09): ok that's nice.
abusenius - (21:10): also extended globbing, like **/*(#q.) for all files in all subdirectories
abusenius - (21:10): (just files)
abusenius - (21:10): #q/ are directories, #[email protected] symlinks
abusenius - (21:10): and it doesnt look into hidded dirs like .svn
abusenius - (21:11): *hidden
abusenius - (21:11): and everything is configurable
CalebJamesDeLisl - (21:11): I've been just discovering the ridiculous things you can do with `
abusenius - (21:11): I have current git branch displayed in prompt :)
CalebJamesDeLisl - (21:12): I have to get back to playing with git soon.
abusenius - (21:12): and part of the path that is in repository highlighted in the right prompt
CalebJamesDeLisl - (21:12): Sounds like emacs.
abusenius - (21:12): yea, or vim
abusenius - (21:13): I have vim mode in command line, you press escape and can use vim shortcuts
abusenius - (21:13): something like this is also possible in bash, but more limited
abusenius - (21:13): (and emacs mode works too)
CalebJamesDeLisl - (21:14): Well emacs has a shell of its own.
abusenius - (21:14): it's an operating system :)
CalebJamesDeLisl - (21:14): http://24.media.tumblr.com/3REj7E7az6jdx5ssrgpEzH8L_500.jpg
CalebJamesDeLisl - (21:15): I always thought that described emacs well.
abusenius - (21:15): :D
abusenius - (21:15): do you know this: http://xkcd.com/378/ ?
abusenius - (21:16): they've implemented this feature in emacs :)
CalebJamesDeLisl - (21:16): yup. I like this one http://xkcd.com/404/
abusenius - (21:17): xkcd is cool :)
CalebJamesDeLisl - (21:17): meh, it's ok.
abusenius left at 21:18 (Quit: Konversation terminated!
abusenius joined #xwiki at 21:18
CalebJamesDeLisl - (21:19): Nice reboot time.
abusenius - (21:21): no, my connection lives its own life
CalebJamesDeLisl - (21:22): Hmm that didn't look like a connection drop. Wifi?
abusenius - (21:22): yes
abusenius - (21:22): reconnects from time to time for no particular reason
CalebJamesDeLisl - (21:23): Did you hear about the latest wifi hack? You set up a router with internet access, people connect to it, sniff their data, MITM etc.
CalebJamesDeLisl - (21:24): It works great because windows, mac, ubuntu will connect to any wifi they find.
CalebJamesDeLisl - (21:25): Supposedly it works with security because nobody was thinking about authenticating the router.
abusenius - (21:25): hm, sounds more like social engineering
abusenius - (21:26): if you find a free open wifi it doesn't mean you should do online banking over it :)
CalebJamesDeLisl - (21:28): Actually MITM is (sort of) blocked by the CA's   sort of...
CalebJamesDeLisl - (21:29): The other attack though is if it's a windows box, check the infamous port 443.
CalebJamesDeLisl - (21:29): and attach PDF ruin to every webpage they load.
abusenius - (21:29): have you heard of a "cookie monster" attack?
CalebJamesDeLisl - (21:29): hah, nope.
abusenius - (21:30): it's cool, if somebody is browsing over https and cookies don't have secure flag set
abusenius - (21:31): you can inject a fake image on http://bank.com/ and the browser will send cookies in plaintext
abusenius - (21:31): (into some other http response)
abusenius - (21:32): then sniff cookies, impersonate
CalebJamesDeLisl - (21:32): I thought cookies would fail for domain if it was https instead of http.
CalebJamesDeLisl - (21:33): "inject a fake image" messing with dns?
abusenius - (21:33): seems to work for some reason
abusenius - (21:34): no, if you're in the same network, just answer faster than the server
CalebJamesDeLisl - (21:36): So you're answering a call to http://bank.com?
CalebJamesDeLisl - (21:36): The browser must then make a call to http:// and not https://
abusenius - (21:37): e.g. https://bank.com/ in one tab and google in another
CalebJamesDeLisl - (21:38): do you read rsnake's blog?
abusenius - (21:38): you inject http://bank into google response, browser will try to load it - boom
abusenius - (21:39): no
abusenius - (21:39): hm, looks interesting
CalebJamesDeLisl - (21:45): Ok, got it, you're adding <img> tags to the http site which pull (nonexistent) images from the bank in http mode.
abusenius - (21:48): exactly
CalebJamesDeLisl - (21:48): Still you need to be in their network.
CalebJamesDeLisl - (21:49): The Kaminsky attack doesn't really work because everyone's looking for it and everyone pretty much knows that .org is not hosted on somebody's dsl line.
CalebJamesDeLisl - (21:50): And the cool kids use opendns.
abusenius - (21:51): yes, but many people do online banking over free unencrypted wifi
CalebJamesDeLisl - (21:54): Well, you can also attack their software and get their info that way.
CalebJamesDeLisl - (21:55): the ancient pdf buffer overflow comes to mind but there must be other stuff you can do to a browser.
CalebJamesDeLisl - (21:57): Something I've never figured out is what do people do with stolen bank information?
abusenius - (21:58): I guess fraud
abusenius - (21:58): buying something on the wrong name
abusenius - (21:59): or send a fake bill, with correct data it will look very convincing
CalebJamesDeLisl - (22:00): You never hear about anybody losing money and not getting it back though.
CalebJamesDeLisl - (22:00): I'm convinced they hold it for ransom in exchange for fat checks from the bank which had an unencrypted database ;)
abusenius - (22:01): probably :)
abusenius - (22:01): there was a nice talk about stuff like that on FOSDEM
CalebJamesDeLisl - (22:01): So look for banks which hired do-nothing security managers with high pay and low hours.
abusenius - (22:03): http://fosdem.org/2010/schedule/events/eviloninternet
CalebJamesDeLisl - (22:13): Hmm, interesting. We have to worry about the site getting hit and turned into phishing pages.
lucaa joined #xwiki at 22:35
vmassol1 left at 22:50 (Quit: Leaving.
mflorea joined #xwiki at 22:53
florinciu joined #xwiki at 22:53
mflorea left at 23:25 (Quit: Leaving.
Freud_ joined #xwiki at 23:41
Freud_ - (23:44): is $doc.getSpace and $doc.GetName variables from Xwiki core or a plugin? And if it's from core, is there a similar variable go $doc.GetUrl or someplace I can find these variables?
Freud_ - (23:45): I found them within the SendPageByEmail application, but i'd like to modify it to send only the link...
florinciu left at 23:50 (Read error: Connection reset by peer
CalebJamesDeLisl - (23:51): Freud_: Have a look at: http://platform.xwiki.org/xwiki/bin/view/DevGuide/Scripting
CalebJamesDeLisl - (23:51): $doc is a binding to the current document.
CalebJamesDeLisl - (23:52): Document is part of the core.
Freud_ - (23:58): cool