1. 12 Jul, 2012 1 commit
      Cleanup in the web interface to prevent XSS attacks. · 6cf701f9
      Leigh B Stoller authored
      We had a couple of different problems actually.
      
      * We allow users to insert html into many DB fields (say, a project or
        experiment description).
      
      * We did not sanitize that output when displaying back.
      
      * We did not sanitize initial page arguments that were reflected in the
        output (say, in a form).
      
      Since no one has the time to analyze every line of code, I took a couple of
      shortcuts. The first is that I changed the regex table to not allow any <>
      chars to go from the user into the DB. Brutal, but in fact there are only a
      couple of places where a user legitimately needs them. For example, a
      startup command that includes redirection. I handle those as special
      cases. As more come up, we can fix them.
      
      I did a quick pass through all of the forms, and made sure that we run
      htmlspecialchars on everything including initial form args. This was not
      too bad cause of the way all of the forms are structured, with a
      "formfields" array.
      
      I also removed a bunch of obsolete code and added an update script to
      actually remove them from the www directory.
      
      Lastly, I purged some XMLRPC code I did a long time ago in the Begin
      Experiment path. Less complexity, easier to grok and fix.
      
      	modified:   sql/database-fill.sql
      	modified:   sql/dbfill-update.sql
  2. 11 Jul, 2012 11 commits
  3. 10 Jul, 2012 2 commits
  4. 08 Jul, 2012 3 commits
      Patch to add frisbee and pubsub dissectors to wireshark. · 388ef6bc
      Mike Hibler authored
      Did the pubsub one a long time ago, but added a frisbee one as well.
      
      The pubsub dissector has not been tested in its wireshark 1.8 incarnation,
      I just converted it from the 1.2.10 version and made sure it compiled.
      The frisbee dissector just supports the base UDP protocol (not the TCP
      master server protocol) and doesn't implement wireshark conversations.
      
      These last few commits were the result of a two-day trip into the weeds.
      This started out as getting a hack shared 10Gb LAN working on the new 820
      nodes. Then I decided to test it out by running frisbee at high bandwidth
      over that LAN. Next thing you know, I'm out in the fields, looking at
      frisbee traces and tweaking Linux sysctls...
      For dynamic socket buffer sizing, don't trust the return value of setsockopt · acd929c1
      Mike Hibler authored
      In at least the Linux 3.2 kernel on Ubuntu 12, setsockopt to set the socket
      buffer size does not return an error if you try to set a value higher than
      the kernel max. So we do an immediately following getsockopt to verify.
      
      This will prevent the server from over-driving the send socket (leading to
      re-requests of blocks from clients) for really high bandwidth values (i.e.,
      with large burst sizes).
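The verify-after-set pattern from this commit, as an added example that is not frisbee's own code: the request goes through setsockopt, but the size that is trusted is the one getsockopt reports back, since the kernel may have capped the request without returning an error. The function names (set_sndbuf_verified, sndbuf_request_honored, largest_honored_sndbuf) are hypothetical, and the halving loop is one sizing strategy assumed for illustration, not the one the frisbee server uses. One caveat a practitioner should know: Linux reports SO_SNDBUF as double the value that was set (it adds bookkeeping overhead), so the comparison below is "at least what was asked for", and a request capped at net.core.wmem_max still reads back as twice that cap.

```c
/* Added example (not frisbee code): size a UDP send buffer and believe
 * only what getsockopt reports, because setsockopt can succeed while the
 * kernel silently caps the request at its configured maximum.
 * Function names are hypothetical. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Ask for `want` bytes of send buffer and return the size the kernel
 * actually granted as reported by getsockopt, or -1 on a real error.
 * On Linux the reported value is double the value set, so callers
 * compare "got >= want" rather than testing for equality. */
int set_sndbuf_verified(int sock, int want) {
    if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, &want, sizeof(want)) < 0)
        return -1;
    int got = 0;
    socklen_t len = sizeof(got);
    if (getsockopt(sock, SOL_SOCKET, SO_SNDBUF, &got, &len) < 0)
        return -1;
    return got;
}

/* Open a throwaway UDP socket, request `want`, and report whether the
 * kernel honored it: 1 = granted at least `want`, 0 = capped below it,
 * -1 = socket or setsockopt/getsockopt error. The granted size is
 * written to *granted when non-NULL. */
int sndbuf_request_honored(int want, int *granted) {
    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) return -1;
    int got = set_sndbuf_verified(sock, want);
    close(sock);
    if (got < 0) return -1;
    if (granted) *granted = got;
    return got >= want;
}

/* A sender that picks its burst size from the buffer it can actually get:
 * halve the request until the kernel honors it, never going below `floor`.
 * Returns the largest honored request, or -1 if none was. */
int largest_honored_sndbuf(int want, int floor) {
    while (want >= floor) {
        int r = sndbuf_request_honored(want, NULL);
        if (r < 0) return -1;
        if (r == 1) return want;
        want /= 2;
    }
    return -1;
}

int main(void) {
    int granted = 0;
    int r = sndbuf_request_honored(1 << 30, &granted);
    printf("request 1 GiB: honored=%d, kernel reports %d bytes\n", r, granted);
    printf("largest honored request: %d bytes\n", largest_honored_sndbuf(1 << 30, 4096));
    return 0;
}
```

Without the getsockopt read-back, a server that believed the 1 GiB request had succeeded would pace its bursts for a buffer it does not have; the symptom the commit describes (clients re-requesting blocks) is the kernel dropping what the undersized buffer cannot hold.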
      Fix some bitrot in the tracing functions. · 58c871e1
      Mike Hibler authored
  5. 06 Jul, 2012 4 commits
  6. 05 Jul, 2012 1 commit
  7. 03 Jul, 2012 6 commits
  8. 02 Jul, 2012 12 commits