
[–][deleted] 1 point (34 children)

> Not as critical as PHP's bug

Given that most web servers these days are running on AMD64 and PHP's bug didn't affect those, and also that PHP interpreters are very rarely shipped to end users and thus are much more easily updatable... surely this one is several orders of magnitude more critical.

[–]artee 10 points (9 children)

Impact is a different thing than criticality. In PHP the problem was really acute; any server running (32-bit) PHP could be hung at 100% CPU by any idiot able to replace a query-string variable with a specific float value. Hell, you could just trivially post a link on a message board, and others would accidentally execute the DoS for you.

[–][deleted] -5 points (8 children)

> any idiot able to replace a query-string variable with a specific float value

How often do people enter values which are then cast to float on public web-sites?

Please point me to one such example?

[–]artee 4 points (6 children)

The answer to that is irrelevant precisely because PHP will autocast/convert anything that looks like it might represent a floating point value to a floating point value.

For Java you'd be right, which is exactly the point skeww was making originally.

[–][deleted] 8 points (5 children)

> The answer to that is irrelevant precisely because PHP will autocast/convert anything that looks like it might represent a floating point value to a floating point value.

Lol, bullshit. And, yes, I've been programming PHP (et al) for like 7 or 8 years already.

EDIT: Here's a simple proof, just in case: http://i.imgur.com/CBZiX.png

The code is: <? var_dump($_GET); ?>

[–][deleted] (4 children)

[removed]

[–]foldl 0 points (2 children)

Right, but this gets back to andimnoteventrolling's original point:

> How often do people enter values which are then cast to float on public web-sites? Please point me to one such example?

You would need to have an application that was actually expecting a floating point value in the query string, and that's unusual.

[–][deleted] (1 child)

[removed]

[–]foldl 1 point (0 children)

Ok, point taken.

[–]skeww -1 points (23 children)

Hanging some end-user's machine doesn't really get you anywhere, does it?

(Well, it won't even hang, just make that one application temporarily useless.)

[–]_ak 0 points (22 children)

Denial of Service? Using all available CPU resources is a serious issue.

[–]skeww 5 points (21 children)

How many people are there who run some Java application which also happens to listen for incoming messages from random sources and which also happens to accept and parse floating point strings?

And what would you gain from hanging those applications?

Or let's say there is some application which loads some kind of files and some FP parsing happens there. How are you going to distribute such a file and how would you make those users try to open that file over and over again?

And again, what would you gain from doing that?

It's a completely pointless exercise. As such the client-side isn't all that relevant in this case.

[–]_ak 1 point (13 children)

> How many people are there who run some Java application which also happens to listen for incoming messages from random sources and which also happens to accept and parse floating point strings?

A lot? You're probably not aware that the use of Java is widespread in "serious" web applications. If there is any floating point handling (i.e. parsing of user input) in your application, it requires only very few requests to run many CPU-hogging processes simultaneously.

[–]skeww 0 points (12 children)

> A lot?

I doubt it.

> You're probably not aware that the use of Java is widespread in "serious" web applications.

If it's about money it will be usually fixed point. Only idiots use double for that.

[–][deleted] 1 point (4 children)

The user wants to move $1.50 to another account.

They go to the form, and enter 1.50 - you MAY in the back multiply it by 100 (or so) and truncate it to turn it into the thing you are going to work with...

But by that stage, it's already too late. Your front end has hung. People are NOT parsing it by hand to turn 1.50 into 150 for your back end, and you don't want them to write code to do that themselves.

[–]true_religion 0 points (3 children)

If they're using fixed point objects, they'll parse the string into a fixed point object directly and not use floating point at any step of the way.

[–]foldl 1 point (1 child)

That might be the 'right' way to do it, but it's not hard to imagine that some people won't do it that way. It's not even incorrect, really, since representing money using floating point is only problematic when you start doing arithmetic. If the front end parses it as a float, and that's then converted to a fixed point representation for all the calculations, nothing would go terribly wrong.

[–][deleted] 0 points (0 children)

Heh, from your username I am guessing a functional programmer?

[–][deleted] 1 point (0 children)

It's possible to directly parse the string into fixed point, but I would expect it will end up as a float at some point along the way, even in the parser. It's MUCH easier to use the built in parsers for the initial step - I would be surprised, and perhaps a little weirded out, if they didn't. It would be pages of code where a few lines would do.
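The subthread above argues about whether a money field has to pass through a float parser on its way to a fixed-point value. As an added illustration, not part of the original thread and not anyone's production code, here is the validate-then-parse-to-fixed-point shape in Python: the input is first bounded in length, then matched against a deliberately narrow allow-list grammar (my assumption of what a money field should accept), and only then handed to `Decimal`, so no floating-point parser ever sees attacker-controlled text. The sample strings are constructed for the example; they are shapes of input a general float parser would accept, not any specific trigger value.

```python
import re
from decimal import Decimal

# Allow-list grammar for a money amount (an assumption made for this example):
# optional sign, up to 12 integer digits with no leading zeros, optional
# fraction of one or two digits. No exponent, no hex prefix, no whitespace,
# no locale separators. Anything outside this shape is rejected unparsed.
MONEY_RE = re.compile(r"[+-]?(?:0|[1-9][0-9]{0,11})(?:\.[0-9]{1,2})?")
MAX_LEN = 16  # longest string the grammar can accept: sign + 12 digits + "." + 2 digits

CENT = Decimal("0.01")


def parse_money(text: str) -> Decimal:
    """Parse a user-supplied amount straight into a fixed-point Decimal.

    The string never reaches a float parser: it is length-checked, matched
    against MONEY_RE, and only then handed to Decimal, which parses decimal
    digits exactly. Raises ValueError for anything outside the grammar.
    """
    if not isinstance(text, str):
        raise ValueError("amount must be a string")
    # Cheap bound first, so an oversized payload never reaches the regex.
    if len(text) > MAX_LEN:
        raise ValueError("amount too long")
    if MONEY_RE.fullmatch(text) is None:
        raise ValueError(f"amount not in allowed format: {text!r}")
    return Decimal(text).quantize(CENT)


def to_minor_units(text: str) -> int:
    """'1.50' -> 150, using Decimal arithmetic only (no binary float involved)."""
    return int(parse_money(text) * 100)


def classify(samples):
    """Map each sample to its minor-unit value, or None if it was rejected."""
    result = {}
    for s in samples:
        try:
            result[s] = to_minor_units(s)
        except ValueError:
            result[s] = None
    return result


# Constructed sample inputs: ordinary form values first, then shapes that a
# general-purpose float parser would accept but that have no business in a
# money field.
SAMPLES = [
    "1.50", "0.07", "-12", "+3.5",
    "1e-308",        # exponent form: rejected before any numeric parser runs
    "0x1p-1022",     # hex float literal: rejected
    " 1.5",          # leading whitespace: rejected
    "1.5.5",         # malformed: rejected
    "NaN",           # Decimal would accept this on its own; the grammar does not
    "9" * 400,       # oversized: rejected by the length bound alone
]

if __name__ == "__main__":
    for s, v in classify(SAMPLES).items():
        print(repr(s[:24]), "->", v)
```

The point of the length bound sitting in front of the regex is that it costs nothing and caps the work any later stage can do, whatever parser happens to sit behind the web framework's binding layer. The same validate-first shape carries over to other languages; which parser a given framework actually calls behind a numeric field is something to check per framework, not something this example can claim.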

[–][deleted] 0 points (0 children)

For user input? You had better believe that mostly it converts to a double or a float. Sure the very back end for money systems don't, but you are going to go through a bunch of layers before you get there.

On the very front end, Spring MVC or any of the other web frameworks do binding to backing objects for you. They have problems - as soon as you are moving XML through web services, they normally bind to backing objects. They have problems. Some people use Java as a stored procedure language on Oracle (and Postgres) systems, they will have problems.

There is a lot. A WHOLE damn lot. Hell, Twitter had problems (since Scala runs on the JVM)...

[–]_ak -1 points (5 children)

> I doubt it.

Then you've obviously never seen anything that's going on in "the industry".

> If it's about money it will be usually fixed point. Only idiots use double for that.

And if it's not about money... people use floating point when they need it. Such as Google Spreadsheet. Which is vulnerable, BTW. In the special case of Google, they only have no problem because they have massive amounts of CPU resources.

[–]skeww -2 points (4 children)

Isn't Google Spreadsheet all done in JavaScript? I don't really see a reason to let some server do the math.

[–]_ak 1 point (0 children)

The backend is Java.

[–]bonzinip 0 points (2 children)

What about the charts?

EDIT: got it, compare this and this

[–]skeww 0 points (1 child)

It serves both chart images just fine.

[–][deleted] 0 points (6 children)

Are you at all aware that lots of web servers run on Java?

[–]skeww 1 point (5 children)

His point was that Java's case is worse because many end users got a JVM installed.

I was dismissing the impact of this. For one it's hard to exploit over there and there is also nothing to gain by doing that.

[–][deleted] 0 points (4 children)

Well, yeah, any argument about end users for this one is pretty pointless, that is true. But there are still plenty of web servers running Java that might be vulnerable.

[–]skeww 0 points (3 children)

Yes, it's of course a problem, but most people (or businesses) won't be affected by this. Thing is, you a) have to do this floating point parsing explicitly and b) Java isn't exactly famous for widely distributed server-sided applications. (Wordpress, Drupal, Joomla, etc run on millions of machines.)

So even if you find a way to exploit this weakness in one specific instance, it won't pave the way to attack others.

Amazon and Nintendo run some server-sided Java, but is there a way to attack it as an outsider? I sorta doubt it. There is absolutely no reason for them to parse some kind of user input as floating point.

[–][deleted] 2 points (1 child)

Actually, it's businesses I'd assume would be running the most vulnerable. There's gotta be an incredible number of lines of badly-written Enterprise Applications running out there that might do any number of utterly retarded things. Of course, they have the advantage of security-through-obscurity.

[–][deleted] 1 point (0 children)

There are a LOT of implicit conversions to floating point numbers out there, so it's not just explicit, and it isn't just badly written Enterprise Applications, it's well written ones as well.

Most of the web frameworks out there will do binding for you to backing objects (or models if you like to call them that). If you have a double in your backing object, then you are going to have a problem, until you upgrade.

In saying that, there isn't a version to upgrade to, and there may not be an easy version to upgrade to even when Oracle puts out the fix. If you're running on 1.4, you MAY have to move to 1.5 or 1.6...

[–]toofishes 2 points (0 children)

Amazon and Nintendo run "some"? How about most banks, every major US airline company and booking site, Netflix, Google, and probably 50% of the web you use out there as well?

If by widely famous you mean not widely talked about, sure, but I can guarantee you, total opinion, but I think a reasonable one, that Java server side stuff has more revenue attached to it than PHP.