Discovering one bug after another in the UTF-8 decoding logic in OpenBSD, then going on to fix other aspects of related code.
https://research.exoticsilicon.com/articles/unbreaking_utf8_on_the_console [research.exoticsilicon.com]
2023-03-10 20:32
tags:
bugfix
investigation
openbsd
programming
text
tty
Still, the debugging process we went through here to discover the cause of the problems in the first place is worth sharing from the beginning, as the code in question was particularly bad with plenty of textbook mistakes. Who knows what you might find in your own investigations elsewhere.
Email: https://marc.info/?l=openbsd-tech&m=167734639712745&w=2
source: L
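The "textbook mistakes" a UTF-8 decoder can make are worth seeing in one place. This is an added illustration in Python, not the OpenBSD console code from the article: a strict decoder that makes every check explicit (lead-byte ranges, continuation bytes, overlong forms, encoded surrogates, the U+10FFFF ceiling, truncation) and cross-checks its accept/reject decision against Python's own codec on a set of constructed samples.

```python
from typing import Optional

# Strict UTF-8 decoder: an added illustration, not the OpenBSD code under discussion.


def decode_utf8_strict(data: bytes) -> str:
    """Decode UTF-8 per RFC 3629, raising ValueError on any malformed input."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                       # 1-byte sequence (ASCII)
            out.append(chr(b0))
            i += 1
            continue
        # The lead byte fixes the length and the smallest code point that length may encode.
        if 0xC2 <= b0 <= 0xDF:
            need, cp, minimum = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:
            need, cp, minimum = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:
            need, cp, minimum = 3, b0 & 0x07, 0x10000
        else:
            # 0x80-0xBF: continuation byte with no lead; 0xC0/0xC1: always overlong;
            # 0xF5-0xFF: never valid (would exceed U+10FFFF).
            raise ValueError(f"invalid lead byte 0x{b0:02x} at offset {i}")
        if n - i - 1 < need:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise ValueError(f"expected continuation byte at offset {i + k}, got 0x{b:02x}")
            cp = (cp << 6) | (b & 0x3F)
        if cp < minimum:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"UTF-16 surrogate U+{cp:04X} at offset {i}")
        if cp > 0x10FFFF:
            raise ValueError(f"code point U+{cp:X} above U+10FFFF at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def utf8_error(data: bytes) -> Optional[str]:
    """Describe the first malformed sequence in data, or return None if it is valid."""
    try:
        decode_utf8_strict(data)
    except ValueError as e:
        return str(e)
    return None


def agrees_with_stdlib(data: bytes) -> bool:
    """Cross-check: the accept/reject decision must match Python's own codec."""
    try:
        expected = data.decode("utf-8")
    except UnicodeDecodeError:
        expected = None
    try:
        got = decode_utf8_strict(data)
    except ValueError:
        got = None
    return got == expected


# Constructed samples covering the valid shapes and the classic mistakes.
SAMPLES = [
    b"caf\xc3\xa9",          # valid 2-byte sequence
    b"\xe2\x8d\xbc",         # valid 3-byte sequence: U+237C
    b"\xf0\x9f\x98\x80",     # valid 4-byte sequence: U+1F600
    b"\xc0\xaf",             # overlong "/" via an invalid lead byte
    b"\xe0\x80\xaf",         # overlong "/" in 3-byte form
    b"\xed\xa0\x80",         # encoded surrogate U+D800
    b"\xf4\x90\x80\x80",     # U+110000, above the Unicode range
    b"\xe2\x8d",             # truncated 3-byte sequence
    b"\xbfabc",              # stray continuation byte
    b"\xc3(",                # lead byte followed by a non-continuation byte
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", utf8_error(s) or repr(decode_utf8_strict(s)))
```

The overlong cases are the ones with a security history: a decoder that only masks and shifts without the `cp < minimum` check turns `C0 AF` into `/`, which is how filters that look for `../` before decoding get bypassed.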
The Safari bug that never was
https://obyford.com/posts/the-safari-bug-that-never-was/ [obyford.com]
2023-01-07 21:56
tags:
browser
bugfix
html
text
web
We’d managed to get from ‘some quite strange things are happening to the header, beta banner and buttons’ to ‘text wraps unnecessarily within intrinsically-sized elements when using certain fonts and the inner HTML of the element contains a new line that is not preceded by a space’.
source: HN
A Tale Of A Trailing Dot
https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/ [daniel.haxx.se]
2022-05-14 00:41
tags:
networking
security
standard
text
turtles
web
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot.
source: L
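The practical consequence of the trailing dot is that any host comparison done on the raw string gives a different answer from one done on a canonical name: an allowlist rejects the legitimate absolute name, and a denylist on raw strings is bypassed by appending a dot while the resolver still reaches the same host. The following is an added example in Python, not code from the post; the allowlist is constructed, and the canonical form strips exactly one trailing dot and rejects empty labels.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for the example.
ALLOWED_HOSTS = {"example.com", "api.example.com"}


def raw_host(url: str) -> Optional[str]:
    """Host as urllib reports it: lowercased, port removed, trailing dot kept."""
    return urlsplit(url).hostname


def naive_is_allowed(url: str) -> bool:
    """String equality on the raw host: 'example.com.' is not 'example.com'."""
    return raw_host(url) in ALLOWED_HOSTS


def canonical_host(host: Optional[str]) -> Optional[str]:
    """Strip exactly one trailing dot (an absolute DNS name), lowercase, and
    reject names with empty labels. Returns None for anything malformed."""
    if not host:
        return None
    host = host.lower()
    if host.endswith("."):
        host = host[:-1]
    if not host or any(label == "" for label in host.split(".")):
        return None
    return host


def canonical_is_allowed(url: str) -> bool:
    return canonical_host(raw_host(url)) in ALLOWED_HOSTS


def compare(url: str) -> dict:
    """Both answers side by side for one URL."""
    return {
        "raw_host": raw_host(url),
        "canonical_host": canonical_host(raw_host(url)),
        "naive": naive_is_allowed(url),
        "canonical": canonical_is_allowed(url),
    }


if __name__ == "__main__":
    for u in ["https://example.com/login",
              "https://example.com./login",
              "https://EXAMPLE.COM./login",
              "https://example.com../login",
              "https://evil.example.net./login"]:
        print(u, compare(u))
```

Whichever form you pick, canonicalize once at the boundary and compare only canonical names everywhere after it; the bugs in the post all come from layers that disagree on whether the dot is part of the name.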
U+237c ⍼ Right Angle With Downwards Zigzag Arrow
https://ionathan.ch/2022/04/09/angzarr.html [ionathan.ch]
2022-04-13 20:03
tags:
retro
standard
text
Known as right angle with downwards zigzag arrow, angle with down zig-zag arrow, \rangledownzigzagarrow, and ⍼, no one knows what ⍼ is meant to represent or where it originated from. Section 22.7 Technical Symbols from the Unicode Standard on the Miscellaneous Technical block doesn’t say anything about it.
source: L
This Man Thought Opening a TXT File Is Fine, He Thought Wrong. MacOS CVE-2019-8761
https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html [www.paulosyibelo.com]
2021-04-03 00:44
tags:
exploit
html
mac
security
text
turtles
This research originated when I realized the default text reader on OSX, TextEdit is used to open files with TXT extension by default. On the interface of TextEdit, it looked like you can do basic customization to your text (you can turn text bold, italic, change color etc...), so I was wondering how a TXT file was storing and parsing this information. It seems it uses RTF format instead of TXT if we add customizations to the text.
source: HN
An Exploration of JSON Interoperability Vulnerabilities
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities [labs.bishopfox.com]
2021-02-26 22:29
tags:
format
javascript
security
standard
text
turtles
The same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks. If you prefer a hands-on approach, try the labs and when they scare you, come back and read on.
https://github.com/BishopFox/json-interop-vuln-labs/
source: HN
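One of the simplest interoperability gaps is duplicate keys: RFC 8259 only says names "SHOULD be unique", so one parser keeps the last value and another keeps the first, and the two services act on different documents. As an added example (not code from the Bishop Fox post or labs), here are a last-wins parser, a first-wins parser and a strict parser that rejects duplicates at any nesting depth, run over a constructed request body.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed request body: "role" and "qty" each appear twice in one object.
DOC = ('{"user": "alice", "role": "user", "role": "admin", '
       '"items": [{"sku": "A1", "qty": 1, "qty": 99}]}')


def parse_last_wins(doc: str) -> Any:
    """Default json.loads behaviour (JavaScript's JSON.parse does the same):
    a repeated key silently takes the last value."""
    return json.loads(doc)


def parse_first_wins(doc: str) -> Any:
    """A consumer that keeps the first occurrence of a key."""
    def keep_first(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        obj: Dict[str, Any] = {}
        for key, value in pairs:
            obj.setdefault(key, value)
        return obj
    return json.loads(doc, object_pairs_hook=keep_first)


def parse_strict(doc: str) -> Any:
    """Reject duplicate keys anywhere in the document; object_pairs_hook is
    invoked for every object, so nested objects are covered too."""
    def reject_dupes(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        obj: Dict[str, Any] = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r}")
            obj[key] = value
        return obj
    return json.loads(doc, object_pairs_hook=reject_dupes)


def rejects_duplicates(doc: str) -> bool:
    try:
        parse_strict(doc)
    except ValueError:
        return True
    return False


def disagreement(doc: str) -> List[str]:
    """Top-level keys on which a last-wins and a first-wins consumer disagree."""
    a, b = parse_last_wins(doc), parse_first_wins(doc)
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    print("last-wins role:", parse_last_wins(DOC)["role"])
    print("first-wins role:", parse_first_wins(DOC)["role"])
    print("keys in dispute:", disagreement(DOC))
    print("strict parser rejects:", rejects_duplicates(DOC))
```

The fix is to reject at the edge: whichever service validates and authorizes the request should refuse documents that any downstream parser could read differently, rather than trusting that every parser picks the same value.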
present - A terminal-based presentation tool with colors and effects.
https://github.com/vinayak-mehta/present [github.com]
2020-08-30 21:36
tags:
release
swtools
text
tty
Slides follow Markdown syntax.
And there’s fireworks!
source: HN
A 35-year-old bug in patch found in efforts to restore 29 year old 2.11BSD
http://bsdimp.blogspot.com/2020/08/a-35-year-old-bug-in-patch-found-in.html [bsdimp.blogspot.com]
2020-08-17 17:46
tags:
c
programming
retro
swtools
text
Larry Wall posted patch 1.3 to mod.sources on May 8, 1985. A number of versions followed over the years. It’s been a faithful ally for a long, long time. I’ve never had a problem with patch until I embarked on the 2.11BSD restoration project. In going over the logs very carefully, I’ve discovered a bug that bites this effort twice. It’s quite interesting to use 27 year old patches to find this bug while restoring a 29 year old OS...
source: HN
Implementing a Type-safe printf in Rust
https://willcrichton.net/notes/type-safe-printf/ [willcrichton.net]
2020-08-17 04:35
tags:
programming
rust
text
type-system
I show how to use heterogeneous lists and traits to implement a type-safe printf in Rust. These mechanisms can ensure that two variadic argument lists share important properties, like the number of format string holes matches the number of printf arguments.
source: HN
How can CharUpper and CharLower guarantee that the uppercase version of a string is the same length as the lowercase version?
https://devblogs.microsoft.com/oldnewthing/20200804-00/?p=104040 [devblogs.microsoft.com]
2020-08-05 00:49
tags:
c
intro-programming
text
windows
Let's build a Full-Text Search engine
https://artem.krylysov.com/blog/2020/07/28/lets-build-a-full-text-search-engine/ [artem.krylysov.com]
2020-07-30 16:48
tags:
go
intro-programming
text
Today we are going to build our own FTS engine. By the end of this post, we’ll be able to search across millions of documents in less than a millisecond. We’ll start with simple search queries like “give me all documents that contain the word cat” and we’ll extend the engine to support more sophisticated boolean queries.
source: L
SAT solver on top of regex matcher
https://yurichev.com/news/20200621_regex_SAT/ [yurichev.com]
2020-07-08 00:05
tags:
compsci
programming
text
A SAT problem is an NP-problem, while regex matching is not. However, a quite popular regex ‘backreferences’ extension extends regex matching to a (hard) NP-problem.
source: trivium
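To make the claim concrete, here is a reduction of CNF satisfiability to regex matching with backreferences. It is an added example and my own encoding, not necessarily the construction in the linked post: each variable becomes a capture group that grabs `x` (true) or nothing (false), and each clause becomes a cell that can only be consumed if one of its literals is true, so the engine's backtracking performs the search over all 2^n assignments.

```python
import re
from typing import List, Optional, Tuple

# Added construction for illustration. Variables are 1..n; a negative integer
# in a clause denotes a negated literal.


def sat_to_regex(num_vars: int, clauses: List[List[int]]) -> Tuple[str, str]:
    """Encode a CNF formula as (pattern, subject); the pattern matches the
    subject iff the formula is satisfiable.

    Subject: one 'x;' cell per variable, then one 'x;' cell per clause.
    Variable cell '(x?)x?;': group i captures 'x' (true) or '' (false).
    Clause cell: must consume exactly one 'x' before its ';'. A positive
    literal v contributes '\\v' (consumes 'x' only if v is true); a negated
    literal contributes '\\vx' (consumes exactly 'x' only if v is false)."""
    subject = "x;" * (num_vars + len(clauses))
    parts = ["^"] + ["(x?)x?;"] * num_vars
    for clause in clauses:
        alts = []
        for lit in clause:
            v = abs(lit)
            if not 1 <= v <= num_vars:
                raise ValueError(f"literal {lit} out of range")
            alts.append(f"\\{v}" if lit > 0 else f"\\{v}x")
        parts.append("(?:" + "|".join(alts) + ");")
    parts.append("$")
    return "".join(parts), subject


def solve_sat(num_vars: int, clauses: List[List[int]]) -> Optional[List[bool]]:
    """Let the backtracking engine search; None means unsatisfiable."""
    pattern, subject = sat_to_regex(num_vars, clauses)
    m = re.match(pattern, subject)
    if m is None:
        return None
    return [g == "x" for g in m.groups()]


def evaluate(assignment: List[bool], clauses: List[List[int]]) -> bool:
    """Independent check that an assignment satisfies every clause."""
    return all(
        any(assignment[abs(lit) - 1] == (lit > 0) for lit in clause)
        for clause in clauses
    )


if __name__ == "__main__":
    formula = [[1, -2], [-1, 2], [1, 2]]          # (v1 or not v2) and (not v1 or v2) and (v1 or v2)
    print(sat_to_regex(2, formula))
    print(solve_sat(2, formula))                   # [True, True]
    print(solve_sat(1, [[1], [-1]]))               # None
```

Read the other way round, this is why backreferences matter for ReDoS: any engine that supports them can be handed a pattern and input that force exponential backtracking, so user-supplied patterns need a time limit or an engine without backreferences (RE2-style), not just a length cap.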
xi-editor retrospective
https://raphlinus.github.io/xi/2020/06/27/xi-retrospective.html [raphlinus.github.io]
2020-07-01 00:55
tags:
compsci
concurrency
development
programming
rust
swtools
text
I still believe it would be possible to build a high quality editor based on the original design. But I also believe that this would be quite a complex system, and require significantly more work than necessary.
A few good ideas and observations could be mined out of this post.
source: L
Unicode Security Considerations
https://unicode.org/reports/tr36/ [unicode.org]
2020-06-11 17:41
tags:
defense
language
security
text
turtles
Because Unicode contains such a large number of characters and incorporates the varied writing systems of the world, incorrect usage can expose programs or systems to possible security attacks. This is especially important as more and more products are internationalized. This document describes some of the security considerations that programmers, system analysts, standards developers, and users should take into account, and provides specific recommendations to reduce the risk of problems.
A large number of problems as well.
source: solar
Psychic Paper
https://siguza.github.io/psychicpaper/ [siguza.github.io]
2020-05-02 00:39
tags:
auth
exploit
hash
iphone
security
text
turtles
Yesterday Apple released iOS 13.5 beta 3 (seemingly renaming iOS 13.4.5 to 13.5 there), and that killed one of my bugs. It wasn’t just any bug though, it was the first 0day I had ever found. And it was probably also the best one. Not necessarily for how much it gives you, but certainly for how much I’ve used it for, and also for how ridiculously simple it is. So simple, in fact, that the PoC I tweeted out looks like an absolute joke. But it’s 100% real.
I dubbed it “psychic paper” because, just like the item by that name that Doctor Who likes to carry, it allows you to get past security checks and make others believe you have a wide range of credentials that you shouldn’t have.
source: grugq
Notes on Parsing in Rust
https://blog.wesleyac.com/posts/rust-parsing [blog.wesleyac.com]
2020-04-30 22:37
tags:
library
programming
rust
text
I’ve recently been writing a bit of parsing code in Rust, and I’ve been jumping back and forth between a few different parsing libraries - they all have different advantages and disadvantages, so I wanted to write up some notes here to help folks who are undecided choose what libraries and techniques to consider, and also to offer some suggestions for the future of the Rust parsing ecosystem.
source: L
Hashtag of note
https://languagelog.ldc.upenn.edu/nll/?p=46455&utm_source=rss&utm_medium=rss&utm_campaign=hashtag-of-note [languagelog.ldc.upenn.edu]
2020-03-18 17:18
tags:
social
text
web
You will probably notice immediately that it contains a full-width dash, in other words a Unicode (probably Chinese-origin?) character. For some reason, this is all over Twitter in posts from Anglophone people I am almost completely sure have no input method installed that can actually produce it.
It’s not a real dash at all but a “Katakana-Hiragana prolonged sound mark”:
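The stray prolonged sound mark is a small instance of what TR36 above warns about: a character that renders like ASCII punctuation but is a different code point, in a different script. As an added example for both entries (not code from either page), the check below lists every non-ASCII character in a string with its code point and name, detects script mixing with a heuristic based on the character name's first word (the `unicodedata` module does not expose the Unicode Script property, so this is an approximation, not a UTS #39 confusables table), and flags non-ASCII characters that NFKC folds to ASCII. The sample strings are constructed.

```python
import unicodedata
from typing import List, Set

# Heuristic script words taken from the first word of unicodedata names.
# Constructed for the example; a production check should use the Script
# property and the confusables data from UTS #39.
SCRIPT_WORDS = {
    "LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC", "DEVANAGARI",
    "HANGUL", "HIRAGANA", "KATAKANA", "KATAKANA-HIRAGANA", "CJK", "THAI",
}


def script_of(ch: str) -> str:
    """Approximate script from the character name, e.g. 'CYRILLIC SMALL LETTER A'."""
    first = unicodedata.name(ch, "").split(" ", 1)[0]
    return first if first in SCRIPT_WORDS else "COMMON"


def scripts_in(text: str) -> Set[str]:
    """Scripts of the letter-like characters (general category L*) in text."""
    return {script_of(c) for c in text if unicodedata.category(c).startswith("L")}


def audit(text: str) -> List[dict]:
    """Describe every non-ASCII character: where it is, what it is, what NFKC makes of it."""
    rows = []
    for offset, ch in enumerate(text):
        if ord(ch) < 0x80:
            continue
        rows.append({
            "offset": offset,
            "char": ch,
            "codepoint": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch, "<unnamed>"),
            "category": unicodedata.category(ch),
            "nfkc": unicodedata.normalize("NFKC", ch),
        })
    return rows


def is_suspicious(text: str) -> bool:
    """Flag strings that mix letter scripts, or that contain non-ASCII
    characters which NFKC folds to plain ASCII (fullwidth forms and the like)."""
    if len(scripts_in(text) - {"COMMON"}) > 1:
        return True
    return any(row["nfkc"].isascii() and row["nfkc"] != row["char"] for row in audit(text))


if __name__ == "__main__":
    # Constructed samples: the prolonged sound mark used as a dash, a Cyrillic
    # 'a' inside a Latin word, and a fullwidth hyphen-minus.
    for s in ["#stayhome\u30fcsavelives", "p\u0430ypal", "x\uff0dy", "#stayhome-savelives"]:
        print(repr(s), is_suspicious(s), audit(s))
```

Script mixing alone is not an attack signal (bilingual text is normal); the useful property for identifiers such as usernames, hashtags and domains is that the whole string is in one script and that nothing in it folds to ASCII, which is the direction TR36's recommendations take.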
The unexpected Google wide domain check bypass
https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/ [bugs.xdavidhu.me]
2020-03-09 21:01
tags:
security
text
web
Let me tell you this “funny” story of me trying to bypass a domain check in a little webapp, and accidentally bypassing a URL parser that is used in (almost) every Google product.
Spoiler: it’s a regex bug.
source: HN
JetBrains Mono
https://www.jetbrains.com/lp/mono/ [www.jetbrains.com]
2020-01-24 05:31
tags:
design
text
Another developer font. With a fancy web site to explain the design.
source: DF
Introducing Glush: a robust, human readable, top-down parser compiler
https://www.sanity.io/blog/why-we-wrote-yet-another-parser-compiler [www.sanity.io]
2019-12-18 17:54
tags:
compiler
compsci
programming
release
swtools
text
It’s been 45 years since Stephen Johnson wrote Yacc (Yet another compiler-compiler), a parser generator that made it possible for anyone to write fast, efficient parsers. Yacc, and its many derivatives, quickly became popular and were included in many Unix distributions. You would imagine that in 45 years we would have further perfected the art of creating parsers and would have standardized on a single tool. A lot of progress has been made, but there are still annoyances and problems affecting every tool out there.
This is great, even just for the overview of parsing.
The CYK algorithm (named after Cocke–Younger–Kasami) is in my opinion of great theoretical importance when it comes to parsing context-free grammars. CYK will parse all context-free parsers in O(n³), including the “simple” grammars that LL/LR can parse in linear time. It accomplishes this by converting parsing into a different problem: CYK shows that parsing context-free languages is equivalent to doing a boolean matrix multiplication. Matrix multiplication can be done naively in cubic time, and as such parsing context-free languages can be done in cubic time. It’s a very satisfying theoretical result, and the actual algorithm is small and easy to understand.
source: trivium
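Since the quoted paragraph says the algorithm is small, here it is in full as an added example (my code, not Glush's or the Sanity post's): CYK over a grammar in Chomsky normal form, where each rule is either nonterminal → terminal or nonterminal → two nonterminals. The cubic cost is visible in the three nested loops over span, start and split point. The grammar for balanced parentheses is constructed for the example.

```python
from typing import List, Sequence, Set, Tuple

# A rule in Chomsky normal form: lhs -> (terminal,) or lhs -> (B, C).
Rule = Tuple[str, Tuple[str, ...]]

# Constructed grammar for balanced parentheses in CNF:
#   S -> L R | L T | S S ;  T -> S R ;  L -> '(' ;  R -> ')'
PARENS: List[Rule] = [
    ("S", ("L", "R")), ("S", ("L", "T")), ("S", ("S", "S")),
    ("T", ("S", "R")),
    ("L", ("(",)), ("R", (")",)),
]


def cyk(rules: Sequence[Rule], start: str, tokens: Sequence[str]) -> bool:
    """Return True iff the CNF grammar derives the token sequence from start."""
    n = len(tokens)
    if n == 0:
        return False  # CNF as used here has no epsilon rules, so the empty string is not derived
    unit = [(lhs, rhs[0]) for lhs, rhs in rules if len(rhs) == 1]
    binary = [(lhs, rhs[0], rhs[1]) for lhs, rhs in rules if len(rhs) == 2]
    # table[i][j] holds the nonterminals that derive tokens[i:j]
    table: List[List[Set[str]]] = [[set() for _ in range(n + 1)] for _ in range(n + 1)]
    for i, tok in enumerate(tokens):                  # spans of length 1: terminal rules
        for lhs, term in unit:
            if term == tok:
                table[i][i + 1].add(lhs)
    for span in range(2, n + 1):                      # longer spans, built from shorter ones
        for i in range(0, n - span + 1):
            j = i + span
            for k in range(i + 1, j):                 # split tokens[i:j] into [i:k] and [k:j]
                for lhs, b, c in binary:
                    if b in table[i][k] and c in table[k][j]:
                        table[i][j].add(lhs)
    return start in table[0][n]


def balanced(s: str) -> bool:
    return cyk(PARENS, "S", list(s))


if __name__ == "__main__":
    for s in ["()", "(())", "()()", "(()())", ")(", "(", "(()"]:
        print(repr(s), balanced(s))
```

The inner loop is a boolean OR over all split points of an AND of two table cells, which is exactly the boolean matrix product the paragraph refers to; replacing the naive product with a fast one is what gives the sub-cubic bounds.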