Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Mon Oct 03, 2022 12:41 Post subject:
mwchang wrote:
I think we forgot one thing: a patch can be submitted via the forum as a file attachment!
Thus developers and helpers can review and talk about the patch using the forum.
I don't wanna directly touch the source codes using git until I can properly secure my PC like those mainframe computers in big banks. It's really very dangerous to do it otherwise.
This is what GitHub is for and pull requests allow fine grained feedback, you can comment on any given line of the patch, something you will never get where a patch is attached or any other means.
Sorry, personally I do not support convoluted methodologies for patch reviews, where better and modern technologies exist that are tried and tested for said reviews over a web browser, any git web frontend will beat this.
As for security, I've no idea what you're so belt and braces, git -- Github and Gitlab offer 2 layer security logins, Github even offers a physical security key login, and unless you're not that type of person who falls for dumb phishing emails, no such issues will happen, and FYI bank mainframes are not that secure mk? Most large institutions run severely outdated software.
And plus you can run a sandboxed Virtual machine like I do for development. I wouldn't dream of using the host OS for this.
I think you needed to use eval() to add Unbound into the list? I dunno... as for example:
Code:
/* when adding external media some services should be restarted, e.g. minidlna in order to scan for media files */
static bool usb_startservices(void)
....
#ifdef HAVE_PLEX
	eval("startservice", "plex", "-f");
#endif
#ifdef HAVE_UNBOUND
	eval("startservice", "unbound", "-f");
#endif
	char *next;
	char *services = nvram_safe_get("custom_configs");
	char service[32];
	foreach(service, services, next) {
		eval("service", service, "stop");
		eval("service", service, "start");
	}
}
I think I need to track variable custom_configs. Um... how could I do it via the SVN website?
"nvram_safe_get("custom_configs");" is not like regular nvram...
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Mon Oct 03, 2022 15:35 Post subject:
the-joker wrote:
Sorry, personally I do not support convoluted methodologies for patch reviews, where better and modern technologies exist that are tried and tested for said reviews over a web browser, any git web frontend will beat this.
As for security, I've no idea what you're so belt and braces, git -- Github and Gitlab offer 2 layer security logins, Github even offers a physical security key login, and unless you're not that type of person who falls for dumb phishing emails, no such issues will happen, and FYI bank mainframes are not that secure mk? Most large institutions run severely outdated software.
And plus you can run a sandboxed Virtual machine like I do for development. I wouldn't dream of using the host OS for this.
But OK you are clearly inexperienced so you're going to be afraid of your own shadow for a while.
I am not ready to carry the burden. I'd rather just suggest and persuade in the forum.
And I am more experienced with business applications (Foxpro, SQL, some PHP+Javascript) than firmware. I know C and some C++.
My programming jobs never required the use of a version control system, and nothing had gone wrong! That included patching an old and kind-of-buggy MIS system to get past year 2000.
_________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Tue Oct 04, 2022 15:37 Post subject:
the-joker wrote:
This is what GitHub is for and pull requests allow fine grained feedback, you can comment on any given line of the patch, something you will never get where a patch is attached or any other means.
Are version control tools really about making maintenance easy? Or are they disguising tools to track (criminal?) responsibilities? Well... well ... well....
How do you prevent bad guys from forging evidence inside the system? You cannot just trust the top management because they could be bad guys.
I better stay away from them.
Um... this httpd_filter_name() is interesting. Might explain why some HTML characters were not escaped when displayed in those textboxes of WEBUI. And this function might affect Javascript HTML escape function in the WEBUI... Will come back to this later, with a new thread.
How about adding """ and "&" to patterns[] and see what might happen? Meow...
Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Tue Oct 11, 2022 12:30 Post subject:
the-joker wrote:
which textboxes? be specific. some examples and a screenshot may even help.
All those textboxes in the tab Admin -> Commands -> the Command Shell -> Commands, including USB Script, Firewall Script...
But for experiment, try Command Shell first. Could be interesting... of course, it might break things. Still httpd_filter_name() might be for sanitizing HTTP POST strings, that is, input not output.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Tue Oct 11, 2022 12:49 Post subject:
The commands boxes and execution renders everything to HTML that you execute in there without exception including that crap in the filters. Anything anywhere that goes in UI like that will do similar aberration.
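The input-versus-output question raised in the last few posts, as an added example that is not part of any post and not the firmware's own code: escaping a stored value at the moment it is written into a textarea, rather than filtering it when it is submitted. The function name `html_escape` and the sample string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the firmware's code): HTML-encode `in` into `out`.
 * Returns the encoded length, or -1 if `out` is too small; on failure
 * `out` is left empty so a half-written entity never reaches the page. */
static int html_escape(const char *in, char *out, size_t outsz)
{
	size_t used = 0;

	if (!in || !out || outsz == 0)
		return -1;
	for (; *in; in++) {
		const char *rep;
		char one[2] = { *in, '\0' };

		switch (*in) {
		case '&':  rep = "&amp;";  break;	/* must be encoded like any other */
		case '<':  rep = "&lt;";   break;
		case '>':  rep = "&gt;";   break;
		case '"':  rep = "&quot;"; break;
		case '\'': rep = "&#39;";  break;
		default:   rep = one;      break;
		}
		size_t n = strlen(rep);
		if (used + n >= outsz) {	/* keep room for the NUL */
			out[0] = '\0';
			return -1;
		}
		memcpy(out + used, rep, n);
		used += n;
	}
	out[used] = '\0';
	return (int)used;
}

/* Constructed sample: a stored script value that would close the textarea. */
static const char sample[] = "echo \"a&b\" </textarea><b>";

int main(void)
{
	char buf[128];

	if (html_escape(sample, buf, sizeof(buf)) < 0)
		return 1;
	printf("<textarea name=\"cmd\">%s</textarea>\n", buf);
	return 0;
}
```

Because the stored value is kept byte-for-byte and only the rendered copy is encoded, the script text a user saved is not altered by the escaping.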