Fire the programmer (was: Re: Appeal to ISO 639 RA in support of Elfdalian)

Luc Pardon lucp at skopos.be
Fri Apr 29 22:39:54 CEST 2016


On 29-04-16 20:09, Shawn Steele wrote:
> Their server application will get a request for a tag it doesn't think conforms from an HTTP Accept-Language header, and try to throw an exception, which is caught and it tries again (because it's a badly written app). It causes a DoS attack on itself and no further requests work until someone comes to investigate. At which point they have no clue so they restart the process and it works until that guy tries to connect again. In the meantime you are unable to make your electronic bank payment for your mortgage (because the computer is stuck in this busy loop).

Are you really trying to tell me that I can DOS a web server, simply by
sending it a header with:

   Accept-Language: english

That server would be a really badly written app indeed. And if I found
out that my bank was running such a piece of crap, I'd fire my bank <g>.

Anyway, it's not like a blackhat needs a 5-letter tag to be in the IANA
registry to be able to send one. All he needs is telnet, a keyboard, and
a copy of RFC2616.

Or to put it another way: we can't prevent people from intentionally or
accidentally sending 5-letter tags by keeping them (the tags) out of the
repo.

Furthermore, I would bet a beer that somebody somewhere at some point in
time has already tried to send:

   Accept-Language: 123456789abcdefhegsmsldkfqsmlfkqdsmkfmldskf

You never know that it might lead to an exploitable buffer overflow...


Joking (maybe) aside, I understand what you are saying. But any
application should be written to cope with syntax errors in its input,
and handle them in a meaningful way.

An application that is unaware of "king-size tags" (i.e. > 3) should
treat "elfdal" simply as a syntax error, same as "12345".

The "meaningful way" depends on the type of processing that the app is
expected to do. In your example, that webserver should probably send a
406 in response (meaning: "sorry, no pages in the requested language
found in here" - which would be true), instead of pinging the operator.

On the other hand, a word processor, when asked to open a document in
Elfdalian, may throw a pop-up in despair, saying "I can't make sense of
this document". Most users would probably nod approvingly, saying "it's
Greek to me too".


But if some processor comes down crashing and burning whenever somebody
feeds it an invalid tag, that's a problem of another magnitude than when
it's unable to process a document in a meaningful way because it speaks
no Elfdalian (or doesn't recognize it as such because it doesn't "see"
the tag).

We may tread carefully before triggering the latter type of bugs, but we
should not care a dime about the former.

And as I said, the latter type should not affect your existing
customers. The other bugs don't need our help to bite them.

Luc
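As an added illustration of the "meaningful way" argued for above (example code written for this page, not from the thread or any project named in it), the parser below applies the RFC 2616 section 14.4 grammar to Accept-Language: well-formed items are matched against the server's languages and malformed ones are silently dropped, so "12345" or the long junk string is ignored and an unknown tag ends in a 406 rather than an exception-and-retry loop. Note that the RFC 2616 grammar allows up to eight letters per subtag, so "elfdal" and "english" are well-formed but unknown and reach the same 406 without any special case; the MAX_HEADER_LEN cap is an assumption of the example.

```python
import re

# Grammar from RFC 2616 s14.4, the RFC the mail cites:
#   language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
#   qvalue         = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
_RANGE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)$")
_QVALUE = re.compile(r"^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$")
MAX_HEADER_LEN = 1024  # assumed cap: bounds the work a huge header can buy


def parse_accept_language(header):
    """Return [(range, q)] for the well-formed items, highest q first.

    Malformed items are dropped, never raised: a syntax error in the
    request is the client's problem, not grounds to throw, retry and wedge.
    """
    if header is None or len(header) > MAX_HEADER_LEN:
        return []
    result = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if len(parts) > 2 or not _RANGE.match(parts[0]):
            continue                       # "12345", 40-char junk, extra params
        q = 1.0
        if len(parts) == 2:
            m = re.match(r"^q\s*=\s*(.+)$", parts[1], re.IGNORECASE)
            if not m or not _QVALUE.match(m.group(1)):
                continue                   # malformed q: drop just this item
            q = float(m.group(1))
        if q > 0:                          # q=0 means "not acceptable"
            result.append((parts[0].lower(), q))
    result.sort(key=lambda rq: -rq[1])     # stable: header order kept within a q
    return result


def choose_language(header, available):
    """Return the best entry of 'available' (server preference order,
    lowercase) or None, in which case the caller answers 406.

    A well-formed but unknown tag such as "elfdal" simply never matches.
    """
    for rng, _q in parse_accept_language(header):
        if rng == "*":
            return available[0] if available else None
        for lang in available:
            # RFC 2616 prefix rule: range "en" matches "en-gb"
            if lang == rng or lang.startswith(rng + "-"):
                return lang
    return None
```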
