
Comment Re:fileutils (Score 2) 74

Even if you manage to invoke file in a safe manner, you probably shouldn't. The file utility isn't immune to security issues either. A quick Google found at least 3 different CVEs from 2014 only. Don't expose stuff that wasn't designed with a hostile Internet in mind to a hostile Internet. Anyway, if file says it's a png file, it doesn't mean it's a _safe_ png file.

A paranoid (or sensible, depending on how juicy a target you are) way to handle it is to isolate the thing that verifies the file in some kind of sandbox, either a container or full VM with no access to anything. Pass the file to it and accept nothing back except raw pixel data. On the outside you re-encode it as a .png and pass that along to your users. Afterwards, assume the sandbox is full of nasties. Nuke it from orbit.
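The host-side half of that design, as an added example that is not the commenter's code: the only thing the untrusted sandbox is allowed to hand back is a fixed-size header plus raw RGB bytes, the host validates that payload against hard limits before allocating anything, and then writes a brand-new PNG from the pixels with nothing carried over from the original file (no metadata, no ancillary chunks, no reuse of the original's compressed stream). The 8-byte header format, the dimension limits and the sample payload are all assumptions made for this example; the container or VM isolation itself is outside the snippet.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Hard limits on what the host will accept back from the sandbox (assumed
# values for this example): anything larger is refused before any buffer
# of that size is ever built.
MAX_DIMENSION = 8192
MAX_PIXELS = 32_000_000


def parse_pixel_payload(blob: bytes):
    """Parse the only format the host accepts from the sandbox (assumed here):
    width and height as big-endian uint32, then exactly width*height*3 bytes
    of 8-bit RGB. Anything that does not match is rejected outright."""
    if len(blob) < 8:
        raise ValueError("payload too short")
    width, height = struct.unpack(">II", blob[:8])
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise ValueError("dimensions out of range")
    if width * height > MAX_PIXELS:
        raise ValueError("too many pixels")
    pixels = blob[8:]
    expected = width * height * 3
    if len(pixels) != expected:
        raise ValueError(f"expected {expected} pixel bytes, got {len(pixels)}")
    return width, height, pixels


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def encode_png(width: int, height: int, rgb: bytes) -> bytes:
    """Build a fresh 8-bit RGB PNG from raw pixels only: IHDR, one IDAT, IEND.
    Nothing from the untrusted original (text chunks, ICC profiles, EXIF,
    its compressed data) can reach the output, because none of it is here."""
    if len(rgb) != width * height * 3:
        raise ValueError("pixel buffer size mismatch")
    stride = width * 3
    # Each scanline is prefixed with filter type 0 (None).
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    # bit depth 8, colour type 2 (RGB), deflate, filter method 0, no interlace
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw, 9))
            + _chunk(b"IEND", b""))


def reencode_from_sandbox(blob: bytes) -> bytes:
    """Validate the sandbox output and turn it into a clean PNG for users."""
    width, height, rgb = parse_pixel_payload(blob)
    return encode_png(width, height, rgb)


def read_png_rgb(png: bytes):
    """Minimal reader for PNGs produced by encode_png (8-bit RGB, filter 0).
    It exists to sanity-check the host's own output; it is not meant to parse
    untrusted images, which is exactly the job the sandbox keeps off the host."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos < len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        tag = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {tag!r}")
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("unsupported PNG variant")
        elif tag == b"IDAT":
            idat += data
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        line = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("unexpected filter type")
        rows.append(line[1:])
    return width, height, b"".join(rows)


# Constructed sample: what a well-behaved sandbox would return for a 2x2 image
# (red, green / blue, white).
SAMPLE_PAYLOAD = struct.pack(">II", 2, 2) + bytes(
    [255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255])

if __name__ == "__main__":
    png = reencode_from_sandbox(SAMPLE_PAYLOAD)
    print(len(png), "bytes,", read_png_rgb(png)[:2])
```

The dimension checks run before the pixel slice is even looked at, so a sandbox that has been compromised and starts returning absurd headers cannot make the host allocate a multi-gigabyte buffer; and because the PNG is rebuilt from pixels alone, the output carries no chunk the host did not write itself.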

Comment Re:Not being PHP (Score 1) 298

Reasons why that code is crap:

-Meaningless boilerplate comments. Comments on property getters and setters are pure noise.
-Questionable OO design. Why is this class keeping references to serviceReferenceGraph and loggingFormatter which it doesn't use for anything?
-Needless vertical scrolling. Given the triviality of this class, there is no reason for it not to be a one-pager.
-It's in the DependencyInjection namespace, but... doesn't use dependency injection!
-php pretending to be java. WTF is up with that?

Comment Re:Results (Score 2) 303

...which nicely demonstrates how hard it is to come up with good analogies. If I wrote a book, and you copied all my chapter titles for your book, be certain that I (or rather my publisher) would come after you. I put a lot of work into those titles after all.

APIs are different though. They are meant to be copied. You can't use them without copying them.

Comment Re:Sure they do. (Score 3) 101

While MS wasn't hit too hard by this particular bug, they have been hit by bugs in open source "core infrastructure" libraries before. Anyone remember this: http://www.geek.com/news/micro... ? Basically everything MS shipped had to be patched due to zlib being statically linked all over the place.

Anyway, lots of people run open source stuff on windows servers (well, some do at least...), and it's in the best interest of MS that those boxes are safe.

And last but not least, it's, if not free, at least very cheap publicity.

KDE Releases Calligra 2.7 30

jrepin writes "The Calligra team is proud and pleased to announce the release of version 2.7 of the Calligra Suite, Calligra Active and the Calligra Office Engine. Words, the word processing application, has a new look for the toolbox. In the same toolbox there are also new controls to manipulate shapes with much enhanced usability. Author, the writer's application, has new support for EPUB3: mathematical formulas and multimedia contents are now exported to ebooks using the EPUB format. There is also new support for book covers using images. Plan, the project management application, has improvement in the scheduling of tasks. The formula shape now has new ways to enter formulas: a matlab/octave mode and a LaTeX mode."

Comment Re:Hg (Score 1) 378

My 2 cents worth of data confirms your experience. My 3 last employers all moved to git from cvs or svn while I worked there. The first one was developing multi-million LOC enterprisy stuff and ended up being bought by Microsoft, which was ironic, until MS actually started supporting git themselves in tfs'12. How is that for closed source adoption? :)
