Monday, 2012-07-02

01:19 *** Joins: dhx1 (~anonymous@60-242-247-232.static.tpgi.com.au)
02:32 <dhx1> nextgens: thanks for the patches, I'll look at them this weekend -- sorry for the delay
02:33 <nextgens> it's fine; I've been busy myself and didn't submit the main one yet
02:36 <nextgens> for the auth cookie, I took off the substr() call, making it way longer than it was
02:36 <dhx1> thanks
02:36 <nextgens> well, arguably that's a bad thing as it's sent every single request
02:36 <nextgens> 128 bits of entropy ought to be enough
02:36 <dhx1> yep
02:37 <nextgens> but it shouldn't be 'cut' using substr()
02:37 <dhx1> nope, timing issues
02:37 <nextgens> and it should be the least significant bits of the hash, rather than the MSB like it was
02:38 <dhx1> hmmm, so you're not using the raw output of OpenSSL's PRNG or /dev/urandom -- you're first hashing some of this data and truncating a certain amount from the hash?
02:40 <nextgens> there are two main reasons why you'd want to hash:
02:40 <nextgens> - ensure there's no side-channel in case your PRNG is flawed
02:41 <nextgens> - ensure that the output is uniformly distributed (so that base64 encoding it will be constant-size most of the time)
02:42 <nextgens> arguably these are very weak reasons, and could do without
02:42 <dhx1> so I take it you're base64 encoding a raw (binary) hash string?
02:42 <nextgens> yes
02:42 <dhx1> rather than truncating a hexadecimal notation?
02:42 <dhx1> good :)
02:43 *** Quits: kirillka (~Miranda@195.242.142.17) (Read error: Connection reset by peer)
02:43 <dhx1> with these changes (+ more upcoming) I wouldn't be surprised if MantisBT becomes one of the most secure web apps
02:43 *** Joins: kirillka (~Miranda@195.242.142.17)
02:43 <nextgens> that being said, I really think that this session management is madness, and should be left in the hands of PHP
02:43 <dhx1> yes, agreed
05:57 *** Quits: dhx1 (~anonymous@60-242-247-232.static.tpgi.com.au) (Quit: Leaving)
06:55 *** Quits: kirillka (~Miranda@195.242.142.17) (Quit: kirillka)
08:54 <GitHub> [mantisbt] dregad pushed 2 new commits to master: http://git.io/H77qag
08:54 <GitHub> [mantisbt/master] SOAP API: calling mc_issue_update unduly updated bugnotes - Damien Regad
08:54 <GitHub> [mantisbt/master] LDAP binding calls are made even if $g_login_method <> LDAP - Damien Regad
08:54 <GitHub> [mantisbt] dregad pushed 2 new commits to master-1.2.x: http://git.io/27Bj9g
08:54 <GitHub> [mantisbt/master-1.2.x] SOAP API: calling mc_issue_update unduly updated bugnotes - Damien Regad
08:54 <GitHub> [mantisbt/master-1.2.x] LDAP binding calls are made even if $g_login_method <> LDAP - Damien Regad
09:03 *** Quits: dregad (~dregad@155.250.128.35) (Quit: Ex-Chat)
11:00 *** Joins: paulr (~IceChat09@cpc1-enfi15-2-0-cust580.hari.cable.virginmedia.com)
15:12 <paulr> moo
16:14 *** Quits: paulr (~IceChat09@cpc1-enfi15-2-0-cust580.hari.cable.virginmedia.com) (Quit: Pull the pin and count to what?)
17:00 *** Quits: sdfjkljkdfsljkl (~sdfjkljkd@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection)
17:00 *** Joins: sdfjkljkdfsljkl (~sdfjkljkd@static.96.23.63.178.clients.your-server.de)
22:48 *** Joins: kirillka (~Miranda@195.242.142.17)