freenode/#lisp - IRC Chatlog
19:30:34
adam0001
New Ubuntu system, I notice ~/quicklisp/setup.lisp is in the hidden directory ~/.quicklisp/setup.lisp Should I uninstall and reinstall using Quicklisp method?
19:35:25
MichaelRaskin
I have multiple QuickLisp installations in various very non-default locations, and I never have any problems with that
19:38:34
adam0001
OK. Thank you. It seems that the Lisp of others often expects it in the non-hidden directory.
19:39:17
adam0001
So, no real convention I guess. Will take another look at the Quicklisp install notes.
19:39:46
MichaelRaskin
Well, I load mine manually. (Of course that could go into .sbclrc if you have exactly one installation)
19:40:51
Bike
adam0001: implementations don't really expect it to be anywhere. they just need to load setup.lisp
19:42:33
adam0001
a quick fix, might be to link or copy the hidden directory and file, alias it to a non-hidden ~/quicklisp/setup.lisp
19:43:22
Bike
on my system .sbclrc is set for quicklisp/setup.lisp. if i threw a period in there it would do the hidden location instead.
19:51:12
adam0001
@Bike OK. Yes, my .sbclrc has it pointing to the hidden. So, it's simply programmed hard-wired in the software I'm trying to run. I can change that, or copy setup.lisp to where it expects to find it.
19:53:54
seok
How would one verify user-uploaded image in common lisp? Did anyone answer me just then
19:55:23
seok
So, if someone uploads a jpg on my web, how would I ensure that it is actually a jpg file?
19:56:32
pjb
seok: you would use a jpg parser and check that it can run without detecting any error.
19:56:49
pjb
seok: it's just like for a lisp file or a C file. You use the compiler to check for errors.
19:57:04
Bike
oh, something like jpeginfo. i don't know that there's a library to do that. cl-jpeg is more about the data in the jpeg
19:57:25
pjb
seok: unfortunately, jpeg libraries are in general written without this aspect of validation. Instead, they often prefer to crash or to allow security problems.
19:58:00
seok
I'm sure there are established libraries in other established languages like PHP node or python, I'm considering outsourcing just the validation to another language
20:03:21
pjb
seok: your lisp program can be sold and used by any web server, not only by web browsers written in lisp!
20:03:48
seok
but I'm sure there are libraries already verifying user uploaded images in PHP or node
20:04:07
pjb
Writing any validating software in another programming language fails, because then you introduce more bugs than you detect!
20:04:39
adam0001
@Bike simply copying ~/.quicklisp/ directory tree to ~/quicklisp/ runs the software. Now I'm getting this which is progress. "unhandled condition in --disable-debugger mode, quitting "
20:05:32
seok
I'm actually looking for one in node, I'm surprised it is harder than I had thought to find one
20:05:56
pjb
seok: as I said, not surprising, because any non-lisp code introduces more bugs than it can detect.
20:06:11
seok
Are you telling me a simple feature such as image verification has not been implemented properly in any popular libraries?
20:07:00
pjb
seok: yes, the purpose of libraries is not to verify or validate, but to read the image.
20:08:48
seok
Then how are all these other websites coping? surely none of them are using a lisp web server
20:09:06
MichaelRaskin
I guess a _pure_ JavaScript solution would be also okay-ish safety-wise, but I am not sure one exists
20:09:12
pjb
seok: how do you think we get all those databases of personal data and credit card number available?
20:09:46
MichaelRaskin
They are using imagemagick, which supports a huge number of formats and is really unsuitable for untrusted input
20:10:59
seok
Yeah, I'd imagined that node would have a library verification since node servers are pretty common and so is image upload function
20:11:10
MichaelRaskin
Many sites with image upload functionality don't even do anything with images
20:12:08
pjb
seok: this would be an interesting experiment. Locate malicious jpegs, and test uploading them everywhere…
20:13:01
pjb
seok: 90% won't detect anything bad. 9% will break somehow without telling you why (you could probably hack them). And I'm very optimistic here: 1% will tell you they reject the malformed file.
20:13:17
seok
I have been having a headache for a week trying to figure this out, how everyone else is doing it
20:13:59
pjb
seok: but as I said, if you do something solid in lisp, you have a market, and given the number of web sites, you could very well end up not billionaire, but trillionaire.
20:14:46
pjb
MichaelRaskin: there are legal risks, so they may want to run an antivirus software on those files.
20:15:17
MichaelRaskin
If there were real legal risks for redistributing the viruses, Google ad network would be already shut down
20:16:40
MichaelRaskin
And there is an easy and cheap solution for sanitising jpegs. Which is not perfectly safe but safeish
20:19:28
seok
This threat is well documented risk https://www.owasp.org/index.php/Unrestricted_File_Upload
20:19:44
seok
I'm still not buying what you guys are saying that most websites if not all are vulnerable
20:20:50
pjb
seok: even plain text files can be dangerous. Recently, iOS had a problem processing some unicode encoding, so you could break its Messenger application, just by sending an SMS with some Chinese or so characters…
20:20:57
MichaelRaskin
Well, given that it is enough to have a remote code execution at the level of OS network stack…
20:21:29
pjb
You don't even need "execution" as such. Any file processing is a kind of evaluation. Basically, data = code.
20:22:31
pjb
And the worse part is that it's not because you've validated some data with some bug-free library that are good: your same data could be evaluated by a buggy program on the same system, and hose you.
20:23:49
pjb
They have people to correct things when they happen. Like the time iCloud would show you picture of other customers :-)
20:24:36
MichaelRaskin
And also Google can afford the overhead of a few levels of isolation so that an exploit doesn't let you do anything interesting
20:25:32
seok
I should probably stick with one of these third party image hosting and link images from there until I am ready
20:26:09
MichaelRaskin
You can search for «Eternal Blue» to see how security problems are actually handled in the real world. In that case, there was a lot of coverage
20:28:11
seok
Because the one who comes up with the solution is going to release the hacks together so the websites who don't use the patch are going to suffer
20:33:37
seok
So if there are no practical vulnerabilities why have you scared me off with our previous conversation
20:35:04
MichaelRaskin
If you are not trying to process the file, just serve it further, checking the first few bytes for a valid JPEG header is enough to make it not-your-problem (but your users' one)
22:18:45
akoana
hmm, after (ql:update-dist "quicklisp") i got debugger invoked on a QL-DIST:BADLY-SIZED-LOCAL-ARCHIVE ... The archive file "bodge-glfw-stable-7519a922-git.tgz" for "bodge-glfw" is the
22:18:48
akoana
wrong size: expected 511,390, got 39,493 but ./quicklisp/dists/quicklisp/archives/bodge-glfw-stable-7519a922-git.tgz has 511390 bytes and the tar.gz is ok, should I ignore this error?
22:30:54
akoana
as a lisp newbie I'm rather confused and have no clue how to fix this, so anyone bringing light into this is greatly appreciated - thanks in advance
22:35:21
no-defun-allowed
What's the SLIME package named that makes indentation in Emacs reasonable?
22:35:44
akoana
_death: thank you, hmm, I can't repeat the (ql:update-dist "quicklisp"), it says You already have the latest version of "quicklisp"
22:38:18
_death
is it possible that after you got that error you picked the DELETE-AND-RETRY restart?
22:40:24
nirved
could it be that the download was happening in another thread, and wasn't yet finished at that point?
22:41:33
_death
you could assume all is well until you hit a problem, or you could remove quicklisp libraries and reinstall..
23:02:38
akoana
so probably choosing DELETE-AND-RETRY would have fixed it, I just was scared by "DELETE" :)
3:26:08
reepca
weird question: is it normal for it to be possible to evaluate lisp code but not compile it? As in, I can copy+paste it into the REPL and it'll work fine, but trying to compile it with C-c C-k causes an error?
3:29:59
reepca
Due to my distribution's packaging of flexi-streams and usocket, loading them produces a warning about not following "asdf version numbering convention", but aside from that they load fine when pasted into the repl
3:31:37
reepca
full error and backtrace for those skilled at making sense of it: http://paste.debian.net/1120300
3:34:57
loke`
reepca: When you get a failed AVER, the first thing to do is to make sure you have the latest version of SBCL
3:38:01
loke`
Well, sure. But there is no way we'll ever be able to investigate unless we know they're not using 10 year old versions of some random library (which tends to happen with Debian in particular)
4:26:42
LdBeth
What I naturally think is the emulator returns a closure that preserves the execution state when executing an IO instruction
4:30:15
fengshaun
it looks like (loop for x in xs sum x into y finally (+ y 2)) doesn't work and returns nil. I have a list of numbers I want to sum but then want to do something at the end while x points to the last element. I can think of a way to do it with (do), but can I do it with (loop)?
4:32:16
LdBeth
Mine is also small that has run out all energy trying to solve that question that it does not have enough for structuring sentence correctly
5:06:45
White_Flame
fengshaun: only accumulation clauses return a value from LOOP, else you get NIL without a manual return
5:07:32
White_Flame
so you could do (loop ... collect x finally (do-cleanup)) and still get X collected
5:10:42
White_Flame
if you use RETURN, you would usurp that, and it would be consing up the COLLECT value needlessly, afaik
5:33:49
aeth
White_Flame: well, no, what you'd do if you needed to is you'd :collect the-thing :into a-variable and then you could :finally (return (values a-variable whatever-else))
5:34:28
aeth
It's fairly common to use two collects to generate two different lists depending on some condition