Open sourcing pouet.net ?
category: offtopic [glöplog]
<3
Quote:
I doubt we'll ever release the full SQL dump, but monthly cleaned dumps of selected data, like CSV of prods or groups is def a good idea if people find it useful
So people _may_ insert data, but not get the full dump in a usable format?
Quote:
Google Checkout equivalent for the end users
that's not a bad idea actually.
dfox: i understand, i don't see how it's possible to go back on that though. the only path left now is moving forward. it's not like i had "desperately try to salvage pouet drama from opensource bomb" on my todo list for this week either. but it does seem important to me now to try to help instead of letting it go further down the drain, even if i am not that versed in sql injection sanitation.
also, just because i was always in favor of open sourcing pouet doesn't mean i agree with what analogue did, which i don't; both resetting access without properly discussing it with gargaj and launching the repo without a proper sql injection audit were stupid actions.
but that's done and unrevertable now. i'm just trying to minimize the damage here. i'm not telling you that you must contribute, i understand very well about lack of time, i'm on shortage myself.
i'm just saying, to no one in particular: if you know your shit and think this site is more vulnerable now than ever, then this is quite a good time to step up and make sure it doesn't collapse on itself. at the end of the day this isn't really about analogue, me or gargaj. it's about improving pouet. and in that sense either you care or you don't.
i'm not as good as kb with comment replies though, sorry about that.
hmmm, i wonder if replacing all SESSION's, GET's and POST's with filter_var() wouldn't b0rk something in insertion.
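Added example for the filter_var() question above; this is not pouet.net code and not the poster's. It shows the one case where filter_var() is a complete answer (an integer id validated with FILTER_VALIDATE_INT) and why wrapping a free-text parameter in filter_var() with the default filter changes nothing, while binding the value with a prepared statement does. The table, rows, function names and the attacker string are constructed for the demo; an in-memory SQLite database via PDO stands in for MySQL so it runs offline.

```php
<?php
// Added example, not code from pouet.net: which request values filter_var() can protect,
// and why SQL injection is fixed by parameterised queries rather than by filtering.
// In-memory SQLite through PDO so the script runs offline; schema and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE prods (id INTEGER PRIMARY KEY, name TEXT NOT NULL, hidden INTEGER NOT NULL)");
$db->exec("INSERT INTO prods (id, name, hidden) VALUES (1, 'public prod', 0), (2, 'hidden prod', 1)");

// Integer parameter (think ?which=123): FILTER_VALIDATE_INT returns false for anything
// that is not a plain integer, so only a number can ever reach the query.
function prodById(PDO $db, string $rawWhich): ?array
{
    $which = filter_var($rawWhich, FILTER_VALIDATE_INT);
    if ($which === false) {
        return null; // "1 OR 1=1" and similar are rejected before any SQL is built
    }
    $stmt = $db->prepare("SELECT id, name FROM prods WHERE id = ? AND hidden = 0");
    $stmt->execute([$which]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Free-text parameter concatenated into SQL, the pattern the thread is worried about.
// filter_var() with its default filter (FILTER_DEFAULT) hands the string back unchanged,
// so the quote in the input still terminates the literal and the rest becomes SQL.
function prodsByNameConcat(PDO $db, string $rawName): array
{
    $name = filter_var($rawName);
    $sql  = "SELECT id, name FROM prods WHERE hidden = 0 AND name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same lookup with a bound parameter: the value travels separately from the SQL text,
// so nothing in $rawName can change the shape of the statement.
function prodsByNameBound(PDO $db, string $rawName): array
{
    $stmt = $db->prepare("SELECT id, name FROM prods WHERE hidden = 0 AND name = ?");
    $stmt->execute([$rawName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$injection = "' OR 1=1 --"; // constructed attacker input for the demo

printf("id=1 validated:        %s\n", json_encode(prodById($db, "1")));
printf("id='1 OR 1=1':         %s\n", json_encode(prodById($db, "1 OR 1=1")));
printf("name concat, rows:     %d\n", count(prodsByNameConcat($db, $injection)));
printf("name bound, rows:      %d\n", count(prodsByNameBound($db, $injection)));
```

Run with `php` on the command line. The concatenated lookup returns both rows for the attacker string, including the hidden one, because the condition collapses to `hidden = 0 AND name = '' OR 1=1`; the bound version returns none, and the integer path never builds a query for the malformed id. Sweeping filter_var() over every $_GET/$_POST/$_SESSION read is therefore only a partial fix: it is the right tool for ids and other typed values, but string parameters need prepared statements (mysqli or PDO), and doing that query by query is also how you avoid breaking insertion of legitimate data that happens to contain quotes.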
Quote:
Well..but that's done and unrevertable now.
Quote:
At the end of the day this isn't really about analogue, me or gargaj. it's about improving pouet.
That is a valid point. If you need any design help after Outline I'm willing to assist, but I'm no (web)coder so I leave that up to others.
Sure, I get it. I think now would be a good time for all the people rooting for the OSS release to step forward and help out like they said they would. Maybe they will, maybe they won't. I never intended to support this even though I agreed to helping out gargaj with v2 if he ever needed it - but that's different.
Not sure if you read my thoughts about pouet over the last years, but I'm not really a big fan of it :) Sadly, it's a very useful resource with no real alternative but that might not be the case forever.
I'm usually in favor of dropping old, deprecated stuff (not just code, but also ideas etc.) and start fresh since that usually drives innovation and also forces you to look ahead instead of being stuck in the past. There's lots of potential in the demoscene that hasn't been unlocked yet. Why? I don't know. People probably don't care enough or just want to be on the consuming side. And those who do have so much on their plate that it's not really possible to do more.
Quote:
it's about improving pouet. and in that sense either you care or you don't.
Yes, except people who were perfectly happy with something that just worked (warts and all) didn't really want all of this to happen, let alone be pigeonholed like you just did.
Quote:
but that's done and unrevertable now.
why exactly is it unrevertable?
i feel exactly like shifter described it.
i wish i could take the 2000+ products i added over the past 12 years, haul them over to demozoo, and be done with pouet forever.
Quote:
and be done with pouet forever.
Ain't nobody gonna stop you from doing that.
And you can haul over the prods with the API.
Quote:
... there is no point. no reward, nothing.
ok, here's your reward:
first one to make an exploit and dump the entire db into public (first sanitizing private stuff like emails and passwords, of course) gets historic fame (for saving teh pouet, that is) and lots of beer at the next demoparty i will participate in (which one it is i dunno yet, too far away and bloody expensive).
<?php
shell_exec("mysqldump pouet > /home/pouet/public_html/grabme.sql");
?>
What do I win?
Quote:
but we are living in the now, and right now the code is out there open sourced.
You're saying this like it was unavoidable and that we should all just shut up and accept that we're in a bad situation.
WTF?!
I've spent time naked in a hot tub, drinking beer with other naked sceners and I still didn't feel as exposed as I do after this "open sourcing" ...
Nobody expects the Kindergarden Fjeldabe Edition!
Analogue:
For some reason I get an error while submitting a new issue on github, so I do it here:
In submitprod.php there's a longstanding, very annoying bug:
Code:
// submitprod.php, as quoted: any ".php" anywhere in the path trips the error
// unless the host merely contains "scene.org"
if(strstr($myurl["path"],".php") && !strstr($myurl["host"],"scene.org"))
    $errormessage[] = "please link to the file directly";
This should not just be fixed, but completely deleted, because:
1. There are php prods
2. This kills csdb links (e.g. http://csdb.dk/getinternalfile.php/77573/Instinct+BoozeDesign - Andropolis.d64), because you don't check for php at the end of the URL, but everywhere
So, this is both useless AND doesn't work. ;) I would also kill some of the other checks, as they are both incomplete (there's a new sharehoster every other week) and they treat users like five year olds. ;) The disclaimer of what to add should be good enough, really.
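Added example for the submitprod.php check discussed above; it is not pouet.net code and not the poster's. It reproduces the quoted strstr() logic next to a version that only looks at the extension of the last path segment and matches scene.org as an exact host or subdomain, then runs both over a few constructed URLs (the csdb one is the post's, with its spaces percent-encoded so parse_url() accepts it; the others are made up for the demo). Whether the check should survive at all, given that php prods exist, is a separate decision the example does not make.

```php
<?php
// Added example, not code from pouet.net: the quoted submitprod.php check beside a
// version that inspects only the final path segment's extension and matches the
// scene.org exemption exactly. Sample URLs are constructed for the demo.

// The quoted check: ".php" anywhere in the path, host merely containing "scene.org".
function originalCheck(string $url): bool
{
    $myurl = parse_url($url);
    $path  = $myurl['path'] ?? '';
    $host  = $myurl['host'] ?? '';
    return strstr($path, '.php') !== false && strstr($host, 'scene.org') === false;
}

// Returns true when the URL should get the "please link to the file directly" error:
// the final path segment has a .php extension and the host is not scene.org or a
// subdomain of it. Query strings are ignored because parse_url() separates them.
function extensionCheck(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return false; // not an absolute URL with a path; same outcome as the original
    }
    $host       = strtolower($parts['host']);
    $onSceneOrg = $host === 'scene.org' || substr($host, -10) === '.scene.org';
    $ext        = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return $ext === 'php' && !$onSceneOrg;
}

// Constructed inputs: the post's csdb link, a real script download, an exempt
// scene.org link, and a host that contains "scene.org" without being it.
$samples = [
    'http://csdb.dk/getinternalfile.php/77573/Instinct+BoozeDesign%20-%20Andropolis.d64',
    'http://example.org/download.php?id=5',
    'http://www.scene.org/file.php?id=1',
    'http://notscene.org/get.php',
];

foreach ($samples as $url) {
    printf("%-85s original=%-5s extension=%s\n",
        $url,
        originalCheck($url) ? 'error' : 'ok',
        extensionCheck($url) ? 'error' : 'ok');
}
```

The csdb link is flagged only by the original check, because ".php" occurs mid-path while the file is a .d64; the example.org download is flagged by both; the scene.org link is exempt in both; and notscene.org slips through the original strstr() host test but not the suffix match. That last case is the security-relevant difference: a substring test on the host is not a host check.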
dipswitch: it's unrevertable in the sense that people can't unsee what's been seen. the source code is online now. even if, out of some late cold-feet syndrome, analogue decided to reverse his decision, it is already available: people are already forking it and internet search engine crawlers are crawling it.
gloom: no, i'm not saying it was unavoidable. i just don't see how captain hindsight will save the day on this one, that's all.
gloom: So you are saying Gargaj has been this super-developer the last four years on pouet.net but there are still SQL injection bugs? Maybe you should get yourself a new hero.
Ok, this time it worked.
Hatikvah: I expected more elaborate flamebait from you - that was just lazy and boring.
Pouet's source code, if someone actually managed to skim through it, would be an eternal source of articles for thedailywtf.