1. 27

    A reminder as to why older geeks, like myself, have precisely zero trust towards Microsoft when it comes to open source, or a customer-first mentality in general:

    http://www.catb.org/~esr/halloween/

    More recently, they’ve shown their true colours with the Minecraft Education Edition, that’s only available to students at schools affiliated with Microsoft. I’ve tried (repeatedly, at the behest of my literally teary-eyed children) to pay money for Minecraft EE, only to be repeatedly rebuffed.

    The answer I was given is that they’re afraid that the low price of EE licensing might cannibalize their regular Minecraft sales. So they’ll only offer it for sale to students of schools where they’re already making up the difference on bulk licensing.

    Perhaps I’m wrong; I certainly hope I am. But I eye things like Microsoft’s acquisition of Github, and their embrace (to be followed by extending and extinguishing?) of Linux in Windows, with great skepticism. They certainly weren’t to be trusted in the 90s and early 2000s, and their treatment of Minecraft users suggests nothing has changed.

    1. 5

      You’re not alone! I am very afraid that the younger generations fail to study history and understand that Microsoft’s so-called “friendly” attitude towards the open source community is nothing more than a new business strategy.

      Things are actually much worse today than in the past. In the past it was clear and obvious that Microsoft was very hostile towards all open source, now they hide it, which makes it worse.

      1. 2

        I agree. I’m more upset that people aren’t upset about this. Microsoft has never been the good guy. They’ve open sourced some stuff here or there, but they still track you just as hard as Google or Facebook in every way imaginable.

        If the Pi team wanted to offer VS Code, why not do it from an official repo, or add a repo for vscodium?

        Maybe it’s just because I lived through the Windows 95 era and all the garbage Gates and his company tried to pull to completely crush Linux. But nothing has really changed. Sure Windows 10 doesn’t blue screen of death once every 2 ~ 3 days, but instead you get ads on everything from the start menu to lockscreen, endless amounts of telemetry, Cortana … why are so many people so quick to give Microsoft a free pass? This distribution literally has a Microsoft repo in it. Depending on the repo priority, it could offer Microsoft versions of other packages on your system.

        Also, have people just forgotten about youtube-dl and github? I don’t understand all the Microsoft apologists. Keep Linux MS free. It’s not a hard ask. It’s just common sense.

        1. 3

          Keep Linux MS free. It’s not a hard ask.

          It is a hard ask, because that would break Freedom Zero.

          1. 2

            I don’t think that @djsumdog’s comment was a legal request, but a “social” one.

      1. 3

        If only 10% of the work went into fixing the unbelievable poor state of the PHP documentation.

        1. 1

          This isn’t working for me with local host names, only FQDNs. With a local host name, clicking the “HTTP” button to continue to the http version does nothing.

          Also, I think it would be very beneficial with a whitelist, like HTTPS everywhere has.

          1. 8

            Using plain PHP templates is a bad idea because

            • it relies on the fact that PHP treats accesses to undefined variables as something relatively normal
            • it doesn’t do any kind of string quoting/escaping by default and there’s no way to add default processing. Yes, you could be using htmlspecialchars everywhere, but forget it once and you have an XSS at your hand. Proper template engines escape by default. Forget to mark something as HTML and you have visible markup on the page which is way better than XSS.
            • PHP templates allow unmitigated access to global state and due to how PHP keeps request state as mutable global dictionaries, this means that PHP templates can even mutate request state at will.
            • include() puts the template file into the current scope, so a template gets access to all of the variables in scope inside of the rendering function (which, as the article explained, also includes $this).
            • Because the templates are plain PHP, there’s nothing a template can’t do, including accessing external resources, reading the file system, etc. Yes, you shouldn’t put business logic in your templates, but it happens and then you’re screwed a few years down the line.

            People have invented template engines for reasons. Most of them were and still are valid reasons.

            1. 2

              Author here. You are mostly right, but in most cases I’d consider those a feature and not necessarily a problem. Those features help keeping things simple. Of course you can abuse those features, but you shouldn’t.

              As for the escaping to avoid XSS: you are very right. This is the weakest point of this approach to doing templates and requires a certain amount of developer discipline when designing the templates…

              1. 2

                I’d consider those a feature and not necessarily a problem

                so did I nearly 20 years ago and now I wish I hadn’t.

                Of course you can abuse those features, but you shouldn’t.

                people always think that and poof 10 years (if you’re lucky. probably sooner) later they drown in technical debt and the rewriting-effort starts to get going.

                requires a certain amount of developer discipline when designing the templates

                discipline doesn’t work. Never has. You only need to forget a single htmlspecialchars() to get the equivalent security of having none. A solution that requires the developer to take care of all instances of something when all an attacker needs is a single instance can’t scale.

                Simplicity is nice, but not at this price.

                1. 2

                  I appreciate where you are coming from. I’ve worked in “enterprise” software development where my approach would make people lose their shit. I’m trying to get that way of working out of my system and build neat simple solutions that are not perfect, but are worth considering, probably for many (smaller) projects. If nothing else, it introduces you to some nice long forgotten PHP features :-)

                2. 1

                  It would be possible to write a template validator that inspects template PHP files and has a whitelist of acceptable PHP features. Things like <?=$var?> could be flagged, and the Tpl class could have an extra function so that you can do <?=$this->unescaped($var)?> if you really mean it. You only need to run the validator when you ship the template, in the same way you already run the rest of your code through Phan and/or Psalm.

                  About $this being in the scope, I do think that’s a feature, but for shorter templates, would it be possible to make in-scope functions, so that you can write <?=e($var)?> instead of <?=$this->e($var)?>?
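                  The escape-by-default renderer and the template validator discussed in this thread, as an added example that is not code from the article or from any commenter. The class and function names (Tpl, e, raw, validateTemplate) are hypothetical; it needs PHP 8.0 or later and writes a constructed template to a temporary directory so it can be run as-is.

```php
<?php
// Added example, not code from the article or any commenter: an escape-by-default
// PHP template class plus a validator that rejects bare "<?=$var?>" echoes.
// Names (Tpl, e, raw, validateTemplate) are hypothetical. Requires PHP 8.0+.

final class Tpl
{
    public function __construct(private string $dir) {}

    // Escape for HTML text/attribute context. A forgotten call shows up as a
    // bare "<?=$x?>" in the template, which validateTemplate() rejects.
    public function e(mixed $value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // Explicit opt-out for trusted markup; "grep raw(" lists every unescaped output.
    public function raw(string $trustedHtml): string
    {
        return $trustedHtml;
    }

    // Render a template. The include runs inside a closure, so the template sees
    // $this plus the extracted $vars and nothing from the caller's scope.
    public function render(string $name, array $vars): string
    {
        $file = $this->dir . '/' . basename($name) . '.php';
        $run = function (string $__file, array $__vars): string {
            extract($__vars, EXTR_SKIP); // EXTR_SKIP: vars cannot clobber $__file/$__vars
            ob_start();
            try {
                include $__file;
                return (string) ob_get_clean();
            } catch (Throwable $t) {
                ob_end_clean();
                throw $t;
            }
        };
        return $run($file, $vars);
    }
}

// Whitelist-style check of a template's source: every "<?=" must start with
// $this->e( or $this->raw(, and echo/print/include/eval/global are refused.
function validateTemplate(string $source): array
{
    $denied = [T_ECHO => 'echo', T_PRINT => 'print', T_INCLUDE => 'include',
               T_INCLUDE_ONCE => 'include_once', T_REQUIRE => 'require',
               T_REQUIRE_ONCE => 'require_once', T_EVAL => 'eval', T_GLOBAL => 'global'];
    $problems = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) {
            continue;
        }
        [$id, , $line] = $tokens[$i];
        if (isset($denied[$id])) {
            $problems[] = "line $line: '{$denied[$id]}' is not allowed in templates";
            continue;
        }
        if ($id !== T_OPEN_TAG_WITH_ECHO) {
            continue;
        }
        // Collect the significant tokens of the <?= ... ?> expression.
        $expr = [];
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if (is_array($t) && $t[0] === T_CLOSE_TAG) {
                break;
            }
            if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
            $expr[] = is_array($t) ? $t[1] : $t;
        }
        $head = implode('', array_slice($expr, 0, 4));
        if ($head !== '$this->e(' && $head !== '$this->raw(') {
            $problems[] = "line $line: unescaped output '<?=" . implode('', $expr) . "?>'";
        }
    }
    return $problems;
}

// Constructed demo: a template using both helpers, rendered with a hostile value.
$dir = sys_get_temp_dir() . '/tpl-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/hello.php',
    "<p>Hello, <?=\$this->e(\$name)?></p>\n<div><?=\$this->raw(\$banner)?></div>\n");
$tpl = new Tpl($dir);
echo $tpl->render('hello', [
    'name'   => '<script>alert(1)</script>', // constructed untrusted value
    'banner' => '<em>reviewed markup</em>',  // constructed trusted markup
]);

// The validator catches what a human review tends to overlook: a bare <?=$var?>.
foreach (validateTemplate("<p><?=\$name?></p><?php echo \$footer; ?>") as $problem) {
    echo $problem, "\n";
}
```

                  Running the validator as a build or pre-commit step, as the comment suggests alongside Phan or Psalm, turns the "forget it once and you have an XSS" failure mode into a failed build; the template itself stays plain PHP.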

                3. 2

                  This is a bit contradictory as all PHP template engines suffer from these problems.

                  1. 2

                    That doesn’t mean they’re good. There are template engines that can give you at least default escaping. I used to maintain PHPTAL, which has context-sensitive escaping and even ensures HTML is well-formed.

                    Some template engines claim to be “universal” or “format-independent”, so that you can use the same syntax for HTML, e-mails, and even SQL if you want. But in practice it means they’re not good for anything: you get XSS, messed up e-mail encodings, and SQL injections.

                    “Just don’t write bugs” approach doesn’t work, so you really need a template engine where security vulnerability isn’t the default behavior.

                    1. 2

                      There is no default escaping. There is only code. If you rely on the template engine you’re relying on someone else to do the escaping for you.

                      All output is done using ‘echo’, ‘print’, etc. Make a custom “always escaping” function or method, and you have just as good “default escaping” as any template engine can provide.

                      1. 2

                        “There is only code” entirely misses the point of secure defaults. If you have to remember to use an escaping function, you will eventually forget it, and create an XSS vuln.

                        PHP templates == XSS, and this is a people problem, not a code problem.

                        PHP makes it particularly messy:

                        • Humans are bad at noticing absence of things, so a code review is more likely to miss <?=$foo than it would ${foo|unsafe} (both equally risky, but one looks more innocent).

                        • Escaping is technically required pretty much everywhere in HTML for syntax correctness, but there’s a commonly held belief that escaping is only for “untrusted” data or strings that “contain unsafe characters”. Or that strings can be “sanitized” by stripping tags. This creates disagreements about what even has to be escaped.

                        1. 2

                          You’re missing the point. The people who make the engine also have to remember to escape and what not, they will eventually forget it too. It doesn’t matter.

                          Besides, when you add a huge monster of a template engine the chance of errors, mistakes, and security issues increases exponentially.

                          Adding some engine doesn’t automatically solve these problems. Good coding solves these problems.

                          1. 1

                            There are far fewer boundaries/inputs in the template engine than there are in your own code, combined with the amortization of effort.

                            “Good coding” doesn’t solve the massive safety issues we have with programming the same way that “good driving” makes seatbelts redundant.

                  2. 1

                    I think it’s fine for smaller projects; e.g. the type where everything is just in one or a few pages. Not having an external dependency is a pretty good advantage in those cases.

                  1. 4

                    This is the best approach no matter the size of the project. With PHP there is no need to add yet another layer of abstraction. Make sure you use a couple of inspection/escaping/validation functions or methods to eliminate any risk of forgetting to escape output, etc.

                    1. 2

                      Never filter input, validate input! And then escape output.

                      1. 3

                        Because many corporations need extensive control Mozilla has created something called “policy support” which can be implemented using a JSON file called policies.json. This file is a cross-platform compatible file that makes it the preferred method for enterprise environments to control Firefox in different environments. By using the policies.json file you can control a great amount of how Firefox works, including the DNS over HTTPS feature.

                        Create the file before you start using Firefox in order to avoid initial data going through Cloudflare.

                        Find out where Firefox is installed. On Arch Linux Firefox gets installed in /usr/lib/firefox/. On FreeBSD it gets installed in /usr/local/lib/firefox/. If a subdirectory called distribution doesn’t exist you need to manually create it. Then create the policies.json file in that directory.

                        On the README for the policies templates you can find a list of options to control.

                        I have created a policies.json that looks like this:

                        {
                          "policies": {
                            "DisableAppUpdate": true,
                            "DisableFirefoxAccounts": true,
                            "DisableTelemetry": true,
                            "DNSOverHTTPS": {
                              "Enabled": false,
                              "Locked": true
                            },
                            "DontCheckDefaultBrowser": true,
                            "NetworkPrediction": false,
                            "PromptForDownloadLocation": true,
                            "SearchEngines": {
                              "PreventInstalls": true
                            },
                            "SearchSuggestEnabled": false
                          }
                        }

                        You can view your settings by typing about:policies in the address bar.

                        If you want to block Cloudflare and other known companies that supply DoH, a good list with both domain names (for DNS blocking) and IP addresses (for firewall blocking) is available at: https://github.com/oneoffdallas/dohservers
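                        A check for the policy file described above, as an added example rather than the commenter's own code: a PHP CLI script that looks for distribution/policies.json under the install directories named in the comment (or one given on the command line) and confirms that DNS over HTTPS is both disabled and locked. The function names are hypothetical; with no file present it runs two constructed samples, one of which omits "Locked" so the user could re-enable DoH in Preferences.

```php
<?php
// Added example, not from the comment: verify that a Firefox policies.json
// disables *and locks* DNS over HTTPS and sits where Firefox looks for it
// (<install dir>/distribution/policies.json). Function names are hypothetical;
// the install paths are the ones the comment names for Arch Linux and FreeBSD.

// Return a list of findings for the policy document; an empty list means OK.
function checkDohPolicy(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return ['not a JSON object' . (json_last_error() ? ' (' . json_last_error_msg() . ')' : '')];
    }
    $doh = $data['policies']['DNSOverHTTPS'] ?? null;
    if (!is_array($doh)) {
        return ['no DNSOverHTTPS policy: Firefox keeps its built-in default'];
    }
    $findings = [];
    if (($doh['Enabled'] ?? null) !== false) {
        $findings[] = 'DNSOverHTTPS.Enabled is not false';
    }
    if (($doh['Locked'] ?? null) !== true) {
        $findings[] = 'DNSOverHTTPS.Locked is not true, so the setting can be flipped back in Preferences';
    }
    return $findings;
}

// Look for distribution/policies.json under each candidate install directory.
function findPoliciesFile(array $installDirs): ?string
{
    foreach ($installDirs as $dir) {
        $candidate = rtrim($dir, '/') . '/distribution/policies.json';
        if (is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// Usage: php check-doh-policy.php [/path/to/firefox-install-dir]
$dirs = isset($argv[1]) ? [$argv[1]] : ['/usr/lib/firefox', '/usr/local/lib/firefox'];
$file = findPoliciesFile($dirs);
if ($file !== null) {
    $findings = checkDohPolicy((string) file_get_contents($file));
    echo $file, ': ', $findings === [] ? 'DoH disabled and locked' : implode('; ', $findings), "\n";
    exit($findings === [] ? 0 : 1);
}

// No real file found: exercise the check on two constructed samples instead.
echo 'no distribution/policies.json under ', implode(' or ', $dirs), "; checking constructed samples\n";
$samples = [
    'locked'   => '{"policies":{"DNSOverHTTPS":{"Enabled":false,"Locked":true}}}',
    'unlocked' => '{"policies":{"DNSOverHTTPS":{"Enabled":false}}}', // user can re-enable
];
foreach ($samples as $label => $json) {
    $findings = checkDohPolicy($json);
    echo $label, ': ', $findings === [] ? 'OK' : implode('; ', $findings), "\n";
}
```

                        The same result can be eyeballed in about:policies, but a script like this can run after package upgrades, which is when a missing distribution directory or a reverted file tends to go unnoticed.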

                        1. 2

                          An easier way to do this, if you’re already running your own custom DNS resolver, is to block the canary domain.

                          I’m figuring that we’re going to have ISPs blocking the canary domain, and the arms race will continue onward, but at least for now that’s how it is.

                          1. 2

                            I forgot to mention the canary domain.

                            I’m blocking the canary domain on my DNS server already, but since we will most likely begin to see fallback options, like systemd did with systemd-resolved, I think it’s good to have a list that we can work on and add domains and IP addresses as they go public.