2012-12-01T01:49:31  <sunu> moin
2012-12-01T01:52:23  <sunu> ThomasWaldmann: Yes, I never realised that. So should we add some prefix to the cache key based on the specific item?
2012-12-01T01:57:56  <sunu> dreimark: yes, I was telling ThomasWaldmann that before. I experience no hang with log.configured = false either. It's just that all the log-entries in the gae logs are marked as error.
2012-12-01T03:16:08  *** sudo_dirk1 has joined #moin-dev
2012-12-01T03:17:23  *** sudo_dirk has quit IRC
2012-12-01T08:52:04  <ThomasWaldmann> sunu: just look at the code you have replaced and understand it first
2012-12-01T09:06:43  *** Marenz has quit IRC
2012-12-01T10:33:28  *** MattMaker has quit IRC
2012-12-01T11:42:50  *** grzywacz has joined #moin-dev
2012-12-01T11:56:26  <dreimark> sunu: that is maybe because of the logging mismatch, I try that later today
2012-12-01T12:09:48  *** greg_f has joined #moin-dev
2012-12-01T12:35:10  <dreimark> didn't solve it
2012-12-01T12:35:16  <dreimark> bbl
2012-12-01T12:45:29  *** spy_ has joined #moin-dev
2012-12-01T13:23:55  <ThomasWaldmann> dreimark: your issue reports often lack detail or are unclear
2012-12-01T13:28:31  *** grzywacz has quit IRC
2012-12-01T14:15:58  *** bruno_ has joined #moin-dev
2012-12-01T15:02:36  <moinBot> http://hg.moinmo.in/moin/2.0/rev/5036a7273f5e 2012-12-01 Thomas Waldmann <tw AT waldmann-edv DOT de> gae merged default into gae branch
2012-12-01T15:22:41  <moinBot> http://hg.moinmo.in/moin/2.0/rev/39151f399b59 2012-12-01 Thomas Waldmann <tw AT waldmann-edv DOT de> namespaces merged default into namespaces branch
2012-12-01T15:40:33  *** RogerHaase has joined #moin-dev
2012-12-01T16:01:36  <dreimark> ThomasWaldmann: what is unclear?
2012-12-01T16:15:52  <dreimark> bbl
2012-12-01T16:23:30  <dreimark> if you mind reporting strange things i can stop doing that
2012-12-01T16:49:09  *** RogerHaase has quit IRC
2012-12-01T16:49:52  *** RogerHaase has joined #moin-dev
2012-12-01T16:50:32  *** eSyr has quit IRC
2012-12-01T17:03:34  *** bruno_ has quit IRC
2012-12-01T17:15:02  *** bruno_ has joined #moin-dev
2012-12-01T17:40:32  *** esyr has joined #moin-dev
2012-12-01T17:41:54  *** esyr has quit IRC
2012-12-01T17:45:37  *** eSyr has joined #moin-dev
2012-12-01T18:46:48  *** greg_f has quit IRC
2012-12-01T19:16:18  *** RogerHaase has left #moin-dev
2012-12-01T19:59:38  <ThomasWaldmann> dreimark: if you just read through your stuff again from the point of view of a reader that has no context knowledge about that issue, you'll find the issues
2012-12-01T20:01:36  <ThomasWaldmann> usually it is very fundamental stuff, like "what's the point?", "why do we need that?", "what precisely happened?", etc.
2012-12-01T21:12:43  *** spy_ has quit IRC
2012-12-01T21:55:15  <dreimark> ThomasWaldmann: ok, you are right
2012-12-01T22:31:30  *** MattMaker has joined #moin-dev
2012-12-01T22:35:51  *** MattMaker has quit IRC
2012-12-01T22:45:16  *** MattMaker has joined #moin-dev
2012-12-01T22:54:24  * ThomasWaldmann thinks about killing the createTicket/checkTicket code in moin2
2012-12-01T22:54:44  <ThomasWaldmann> for csrf protection, we can just use flask-csrf
2012-12-01T23:03:04  <dreimark> hmm, the tickets in 1.9 are also used to verify that input to a page is done by the belonging form
2012-12-01T23:05:56  <dreimark> maybe that is superfluous
2012-12-01T23:06:11  <ThomasWaldmann> the question is what we are trying to achieve
2012-12-01T23:07:00  <ThomasWaldmann> for anti-csrf, a session-long csrf random unique token that is stored into the session is enough
2012-12-01T23:07:08  <ThomasWaldmann> (and that is what flask-csrf does)
2012-12-01T23:08:59  <ThomasWaldmann> i think the only slight advantage that our tickets currently have is that a spammer can't just post
2012-12-01T23:09:16  <dreimark> the tickets expire, how long is that token valid
2012-12-01T23:09:26  <ThomasWaldmann> but he would first have to get the editor form, extract the ticket value and then post
2012-12-01T23:09:47  <ThomasWaldmann> so it is a little harder, but no real protection
2012-12-01T23:12:07  <ThomasWaldmann> flask-csrf token is valid session-long
2012-12-01T23:14:28  <ThomasWaldmann> hmm, flask-csrf also protects from direct posting
2012-12-01T23:14:45  <ThomasWaldmann> if there is no csrf token in the post, it is rejected
2012-12-01T23:15:36  <ThomasWaldmann> so, you need: a) do a get request, get a session cookie and a csrf token b) do post, provide cookie and token
2012-12-01T23:16:16  <ThomasWaldmann> b) could be done more than once, though
2012-12-01T23:17:02  <ThomasWaldmann> but if automated, it doesn't really matter if you automate abababababab or abbbbbbbbbb
2012-12-01T23:30:19  <dreimark> does session-long mean per user or per any user
2012-12-01T23:30:45  <dreimark> i wonder why it is not updated after it is once used
2012-12-01T23:31:31  <dreimark> then it would be only valid for one action and if it is too fast updated we can catch that by surge protection
2012-12-01T23:34:33  <ThomasWaldmann> a session is always per user
2012-12-01T23:35:01  <ThomasWaldmann> last week i did a lot of csrf work on another project
2012-12-01T23:35:38  <ThomasWaldmann> if one has one-time tokens, one needs to do book-keeping for potentially lots of them (10, 100, 1000?)
2012-12-01T23:36:12  <ThomasWaldmann> because there can be a lot of other requests between giving out the token and it being used
2012-12-01T23:36:25  <ThomasWaldmann> (from same user)
2012-12-01T23:37:00  <ThomasWaldmann> so while that can be done, just using a static token is easier and also effective against csrf
2012-12-01T23:42:26  <dreimark> true, yes it should not become too problematic for valid users
2012-12-01T23:43:07  <dreimark> per user it is ok but not for anonymous users.
2012-12-01T23:43:39  <dreimark> spammers can be blocked by the textcha too
2012-12-01T23:44:16  <dreimark> however if we have more spam it can be improved again
2012-12-01T23:58:19  *** MattMaker has quit IRC

MoinMoin: MoinMoinChat/Logs/moin-dev/2012-12-01 (last edited 2012-12-01 01:00:03 by IrcLogImporter)