WinterSnowfall: Well, the posts are stored in a backend database you know, so it's not that impossible to do a quick check on things... but I doubt GOG will do even that.
Difficulty depends on how it is stored and what they are looking for. For example, how many variations of certain kinds of text are they looking for? What constitutes "malicious purposes" and how do they determine who was victimized? What sort of value will be derived by this effort?
Bookwyrm627: Difficulty depends on how it is stored and what they are looking for.
Nothing a regular expression wizard can't sort out. But anyway, let's not split hairs here :). It's most likely not going to happen anyway.
Sometimes I wonder whether the only reason why this site hasn't been hacked to hell and back is that even those people have pity here.
Klumpen0815: Sometimes I wonder whether the only reason why this site hasn't been hacked to hell and back is that even those people have pity here.
Kind of like mugging a bum?
litek: As you can see the issue has been fixed.
I believe the fix broke the "url" tag in "add/edit your post".
Good job GOG! Now try to fix everything else! :p
Post edited August 25, 2017 by triock
triock: Good job GOG! Now try to fix everything else! :p
It doesn't work like that. Correct order is - we report something's broken, they fix it, break one or two others in the process, then fix the ones they broke while fixing the reported one.

The cycle starts all over again as soon as we report something else.
litek: As you can see the issue has been fixed.
Thanks for the swift action. However, this fix looks somewhat shaky to me... Stripping everything which looks like HTML upon edit/reply, rather than properly encoding it (which would've been the correct fix), can only lead to trouble.

What if I write I <3 gog, and then want to edit this?

Yep, indeed, that deletes half my post :(
Post edited August 25, 2017 by gogtrial34987
gogtrial34987: This fix looks somewhat shaky to me... Stripping everything which looks like HTML upon edit/reply, rather than properly encoding it (which would've been the correct fix), can only lead to trouble.

What if I write I <3 gog, and then want to edit this?

Yep, indeed, that deletes half my post :(

> </textarea><script>alert('1)</script>
Is that why bold, italics and underline are broken now when applied within a hyperlink?
gogtrial34987: This fix looks somewhat shaky to me... Stripping everything which looks like HTML upon edit/reply, rather than properly encoding it (which would've been the correct fix), can only lead to trouble.
HypersomniacLive: Is that why bold, italics and underline are broken now when applied within a hyperlink?
That'll more probably have to do with trying to work around the separate issue of using the url tag to hide malicious output - so not quite the same issue, but yes, also fallout from the attempt to fix this security bug.
Hit reply on gogtrial's post 83, and I got the following (except it had the square brackets instead of angle brackets around the quote_83).

===========================
<quote_83>
Thanks for the swift action. However, this fix looks somewhat shaky to me... Stripping everything which looks like HTML upon edit/reply, rather than properly encoding it (which would've been the correct fix), can only lead to trouble.

What if I write I
===========================


I really hope this is just a matter of slapping a tourniquet on the gushing wound until you have a chance to do the necessary surgery. :-/
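The point gogtrial34987 makes above (stripping anything that looks like HTML on edit/reply, instead of encoding it for output) and the truncated quote Bookwyrm627 got when hitting reply are the same defect seen from two sides. The following is an added example, not GOG's code or anything from this thread: `stripLikeHtml` is an assumed reconstruction of the filter behaviour reported here (a `<` with no closing `>` swallows the rest of the text, so "I <3 gog" becomes "I "), while `escapeHtml`/`unescapeHtml` show the lossless alternative, where the stored text is entity-encoded when it is placed inside the edit textarea. The sample strings are constructed from the thread; `renderUnencoded` stands in for the pre-fix behaviour.

```javascript
// Added example (not GOG's code): stripping HTML-looking text on edit
// versus encoding it for output, using the inputs discussed in the thread.

// ASSUMED reconstruction of the edit/reply filter described above: anything
// from "<" up to the next ">" is dropped, and a "<" that never closes
// swallows the rest of the post. So "I <3 gog" collapses to "I ".
function stripLikeHtml(text) {
  return text.replace(/<[^>]*>?/g, '');
}

// Output encoding: the five characters that matter in HTML become entities,
// so the browser displays them literally instead of parsing them as markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// The reverse mapping is what the browser applies when it loads a <textarea>,
// so the user gets their original text back when they press "edit".
const UNESCAPES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
function unescapeHtml(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => UNESCAPES[name]);
}

// Pre-fix behaviour: the stored post is dropped into the form verbatim.
function renderUnencoded(storedText) {
  return '<textarea name="post">' + storedText + '</textarea>';
}

// Correct behaviour: the stored post is entity-encoded inside the textarea.
function renderEditForm(storedText) {
  return '<textarea name="post">' + escapeHtml(storedText) + '</textarea>';
}

// Check a defender would run on the rendered form: the stored text must not
// be able to close the textarea early or introduce a script element.
function editFormIsIntact(html) {
  const closers = html.split('</textarea>').length - 1;
  return closers === 1 && !/<script/i.test(html);
}

// Encoding is lossless: what the user typed is exactly what comes back.
function roundTrips(text) {
  return unescapeHtml(escapeHtml(text)) === text;
}

// Constructed sample inputs: the heart from the thread, the probe quoted in
// the thread, and a string with quotes and an ampersand.
const SAMPLES = [
  'I <3 gog',
  "</textarea><script>alert('1)</script>",
  'a "quoted" & \'single\' value',
];

function demo() {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s));
    console.log('  stripped   :', JSON.stringify(stripLikeHtml(s)));
    console.log('  encoded    :', JSON.stringify(escapeHtml(s)));
    console.log('  unencoded form intact:', editFormIsIntact(renderUnencoded(s)));
    console.log('  encoded form intact  :', editFormIsIntact(renderEditForm(s)),
                ' round trip:', roundTrips(s));
  }
}
demo();
```

The stripping filter does keep the probe from closing the textarea, but it also destroys "I <3 gog" and, as the truncated quote above shows, anything after the first unclosed `<`. Encoding at the point where the text is written into the page keeps both the probe inert and the post intact, and it round-trips through the browser's own entity decoding when the user edits again.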
gogtrial34987: Thanks for the swift action. However, this fix looks somewhat shaky to me... Stripping everything which looks like HTML upon edit/reply, rather than properly encoding it (which would've been the correct fix), can only lead to trouble.

What if I write I
Holy shit. I suspected I should have checked out the "fix" myself, but I trusted that blue text.
It does look trustworthy doesn't it? So blue, so beautiful, so treacherous...

In reality, this is just another one of those 91-style bandaids.

Test it a bit more, guys. See what you can find. I'm at a hackathon right now, so I don't have the time to properly mess with it.
Post edited August 25, 2017 by Alaric.us
<<test>
Post edited August 25, 2017 by ZFR
HypersomniacLive: Is that why bold, italics and underline are broken now when applied within a hyperlink?
gogtrial34987: That'll more probably have to do with trying to workaround the separate issue of using the url tag to hide malicious output - so not quite the same issue, but yes, also fallout from the attempt to fix this security bug.
Well, their solution messed up their own links in news threads too. e.g., check first post here:
https://www.gog.com/forum/general/release_doom_3_bfg_edition_5c7f8/page13

So there is a good chance they'll work on it some more.
Linking large sentence test

Linking small word test

A test of linking just one character

Number linking test - 1.

Punctuation linking test.

One character in word link test.


Edit: It looks like the url tag was fixed. Thank you!
Post edited August 26, 2017 by Lin545