
5 Years of Bad Ideas -- Python tips, tricks, and chicanery - jnazario
http://www.scribd.com/doc/58306088/Bad-Ideas
======
jay_kyburz
Hey Scribd and or Google Chrome team.

I was just tricked into clicking an ad that simply said "play now" underneath
the first slide. I thought it was going to start a slide show of the
presentation. Scribd, if you are going to let just anybody advertise on your
site you need to clearly mark what is an ad and what isn't.

Google team, clicking the ad opened a tab that when attempting to close
opened a custom dialog with two buttons at the bottom. "leave now" and
"cancel" (or something like that). The page had populated that dialog with a
bunch of text and ascii art pointing to the cancel button.

I didn't feel confident enough to click either button on this dialog because
I thought it may have been some co-opted permissions dialog. I was unable to
close the tab. I ended up using the task manager to kill Chrome.

I took the time to make a note here because it's been ages (5 years perhaps)
since I had to deal with this kind of crap. Has it always been around and I
just haven't seen it, or is there a resurgence these days?

~~~
drivebyacct2
What? You killed Chrome because of what? What is a custom dialog? How is a
"custom dialog" going to create a vulnerability?

~~~
jerf
There is a long history of such dialogs being used to exploit browsers and
cause the execution of arbitrary code. For instance, such a dialog may be used
to generate a true user click event, which the browser may then treat
differently than an event that can be faked by Javascript. This entices
malware developers to create dialogs in which you'll click on something, they
don't really care what, they just need an authentic click.

Yes, it _shouldn't_ do anything, but that doesn't mean it won't. I've hard-
killed my browser for the same reason a couple of times.

~~~
drivebyacct2
Oh the plight of a Windows user.

I know what you're talking about with click jacking. The implication that a
"true click" is any more likely to allow a JavaScript exploit to escape the
browser sandbox is complete and utter bullshit. If you can give me one
example, I won't scowl at the fact that 6 other people downvoted me without
saying why.

~~~
jerf
Think about why, if the attacker already has enough control over the page to
put up a transparent iframe and bind a click event to it, why not just _do_
the thing the attacker is trying to attack you with?

And the answer is, the browser will stop them. It treats stuff that sources
from a click differently. If it didn't, there would be no "clickjacking", the
attackers would simply redirect you to the desired URL. The very existence of
the term is evidence. It doesn't escape the sandbox, it gets raised privs from
the sandbox by design.

~~~
drivebyacct2
What?

What on Earth does this have to do with vulnerabilities in the browser? Like I
said, show me a single example of a vulnerability that is only exploited via a
"true click". They DO NOT EXIST. It's hogwash.

I'll say again, I know what you're talking about. It is NOT relevant in this
discussion about vulnerabilities.

Please show me an example otherwise.

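The transparent-iframe clickjacking jerf describes is mitigated on the server side by telling browsers not to render the page inside another origin's frame. The following is an added example, not code from the thread or from any project it mentions: a small WSGI middleware (framework-independent, so it works under Flask or anything else WSGI-based) that applies `X-Frame-Options: DENY` and a `Content-Security-Policy: frame-ancestors 'none'` directive to every response, without overriding a policy the application already sends. The `hello_app` and `call_wsgi` helpers are constructed for the demonstration.

```python
# Added example (not from the thread): WSGI middleware that applies the two
# response headers browsers honour to refuse framing, the server-side defence
# against the transparent-iframe clickjacking discussed above.

XFO_HEADER = "x-frame-options"
CSP_HEADER = "content-security-policy"
FRAME_ANCESTORS = "frame-ancestors 'none'"


def add_framing_protection(headers):
    """Return a new WSGI header list with clickjacking protection applied.

    - X-Frame-Options: DENY is added when the app set no policy of its own
      (an existing value such as SAMEORIGIN is left alone).
    - If the app already sends a Content-Security-Policy without a
      frame-ancestors directive, the directive is appended; if it sends no CSP
      at all, one consisting only of frame-ancestors is added. Existing
      directives are never removed.
    """
    out = []
    saw_xfo = False
    saw_csp = False
    for name, value in headers:
        lname = name.lower()
        if lname == XFO_HEADER:
            saw_xfo = True
        elif lname == CSP_HEADER:
            saw_csp = True
            if "frame-ancestors" not in value.lower():
                value = value.rstrip("; ") + "; " + FRAME_ANCESTORS
        out.append((name, value))
    if not saw_xfo:
        out.append(("X-Frame-Options", "DENY"))
    if not saw_csp:
        out.append(("Content-Security-Policy", FRAME_ANCESTORS))
    return out


class NoFramingMiddleware:
    """Wrap any WSGI app so every response carries the framing headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def start_response_with_headers(status, headers, exc_info=None):
            return start_response(status, add_framing_protection(headers), exc_info)

        return self.app(environ, start_response_with_headers)


def hello_app(environ, start_response):
    """Constructed sample application: a page with no framing headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>play now</h1>"]


def call_wsgi(app, path="/"):
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = call_wsgi(NoFramingMiddleware(hello_app))
    print(status)
    for name, value in headers:
        print("%s: %s" % (name, value))
```

Wrapping the application object (`app = NoFramingMiddleware(app)`) is enough; the browser, not the application, enforces the policy, so the check that matters is that the headers actually reach the response on every code path, including error pages.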
------
Smerity
This presentation is by Armin Ronacher, the author (amongst many other things)
of Flask, Werkzeug and Jinja2. If people find this presentation interesting he
catalogues and provides slides (and recordings where appropriate) of all his
previous presentations: <http://lucumr.pocoo.org/talks/>

For those who prefer straight PDF over Scribd, Armin has a PDF provided for
this presentation[1]. There's also a video but it seems you need to be a
member of EuroPython[2].

[PDF]: <http://dev.pocoo.org/~mitsuhiko/badideas.pdf>

[EuroPython recording if you're a member]:
[https://ep2012.europython.eu/conference/talks/5-years-of-bad...](https://ep2012.europython.eu/conference/talks/5-years-of-bad-ideas)

~~~
jnazario
i started using flask this past winter. i'm enjoying it as a lightweight
framework. armin's got some good code and the reason i posted this link is
that the topics and ideas are real and presented simply, useful (in some
situations), and great to understand.

------
downvoteme
Here's a shell function. Pipe the scribd html page into it and, voila!, out
pops .jpg urls for each page of the PDF document. Feed them to curl or
whatever program you use. Open them with your browser or your image
viewer. Pipe them to ghostscript, remake the PDF to your own specs. Whatever.
But for the love of God, stay away from scribd.com. That site is an annoyance
and I doubt it will ever improve.

    # usage: curl -s 'http://www.scribd.com/doc/...' | scrib
    # The first two substitutions put a newline in front of every page-image
    # URL (the backslash-newline in the replacement is a literal newline),
    # the rest rewrite the scribdassets "pages" jsonp URLs into plain .jpg
    # URLs, and the final sed keeps only the lines that carry a URL.
    scrib(){ sed -n '
    s,http://html.scribd.com,\
    &,g;
    s,http://html[1-9].scribdassets.com,\
    &,g;
    s,assets,,; s,pages,images,; s,jsonp,jpg,;
    s,html[1-9].scribd.com,html.scribd.com,;
    s,pageParams.contentUrl = \",,; s,\";,,;
    s,<img class=\". _orig=\",,; s,\"/ >,,;
    /^$/d;
    /html.scribd.com._images.*jpg/p;
    ' | sed '/http/!d'; }

~~~
nikcub
suggestion: you could make that more useful by dumping it into a gist and
including a comment block on how to set it up in an rc file

------
kroger
Here's the video of the presentation and the slides as a pdf:

<http://www.youtube.com/watch?v=8e0l_Dt28MQ>

[https://ep2012.europython.eu/media/conference/slides/5-years...](https://ep2012.europython.eu/media/conference/slides/5-years-of-bad-ideas.pdf)

------
sirclueless
Oh man, there is so much black magic in those slides. I hope to high heaven
that as few people as possible read that. Especially not any future employers.

Judging by the number of projects I have seen recently that are predicated on
defining new keywords and recognizing them through magic decorators, it may be
too late.

~~~
luriel
This is one of the reasons I love Go: simple, clean, concise, expressive, and
completely free of dark magic.

Code does what it says, and says what it does.

You don't get to feel so clever doing magic tricks, but you gain a lot of time
by not having to decipher and debug such magic tricks.

~~~
marcus
I believe in a balance, too little magic, and you're working with one hand
tied behind your back, too much magic and you're working with blindfolds.

~~~
luriel
Seriously, try Go for a while, it won't take long before you feel that you have
three hands, and more importantly, an extra third eye.

~~~
hythloday
Can you give an example in Go of how you'd solve the same problem as any of
the python solutions?

~~~
sirclueless
Well actually, people with bizarre build requirements are starting to use
clean Go source code as a build target of their increasingly diverse
preprocessors. Can't be healthy.

[1]: [https://groups.google.com/d/msg/golang-nuts/LQMv7Zsmsi0/8Aax...](https://groups.google.com/d/msg/golang-nuts/LQMv7Zsmsi0/8Aax1XSekjAJ)

[2]: <https://github.com/jteeuwen/go-bindata>

[3]: [http://stackoverflow.com/questions/9838304/resource-bundling...](http://stackoverflow.com/questions/9838304/resource-bundling/9840851#9840851)

[4]: <https://github.com/chanwit/kgc>

[5]: <https://github.com/droundy/gotgo>

------
jtchang
Sometimes magic is necessary but these slides right here contain some serious
voodoo.

That said I've used monkey patching before which can be quite useful when you
don't want to change the underlying library too much but don't want to make a
complete fork. Specifically I've monkey patched methods onto the User model in
Django.

~~~
mfieldhouse
What is meant by Python magic? What is and isn't magic? Why would you want to
use it and why might it be considered a bad idea?

~~~
marcus
My definition of magic:

Magic is anything which makes other code behave in a way that would require
reading the magic to understand, despite not being apparent in the magicked
code.

Good because it makes many things a lot easier, bad because it makes code a
lot less explicit and simple and increases cognitive load (you need to always
consider the magic not just the current code you're looking at).

------
seigenblues
yikes. These are impressive (and terrifying). I particularly like the "see if
you use my return value and dynamically change my behavior" trick, I bet
debugging a library that used that would be fuuuun.

------
Mizza
Just got a full page ad with sound from this page. Fuck Scribd.

Any links to a video *or a PDF of these slides?

~~~
endgame
I assume you mean a "video OR a PDF", but since it's scribd we're dealing with
here, a video of the PDF would still be better.

------
notaddicted
Everything is a first class object? What about the if-statement? Anyway, my
personal gripes aside, I've been looking for something like this:
<http://www.scribd.com/doc/58306088/Bad-Ideas#outer_page_54> ... a way to
print "name=value" for variables for debugging.

~~~
MaxGabriel
Your link just goes to the first page. Is this presumably the code you're
referencing?

    import gc, sys

    def find_names(obj):
        # Reading f_locals on every frame up the stack makes CPython 2 copy
        # each frame's fast locals into its f_locals dict, so those dicts are
        # current when gc.get_referrers() walks them below.
        frame = sys._getframe(1)
        while frame is not None:
            frame.f_locals
            frame = frame.f_back
        # Collect every dict key (locals, globals, instance dicts, ...) whose
        # value is this exact object.
        result = set()
        for referrer in gc.get_referrers(obj):
            if isinstance(referrer, dict):
                for k, v in referrer.iteritems():
                    if v is obj:
                        result.add(k)
        return tuple(result)

~~~
notaddicted
yup, thanks for the heads up, it worked for me. I realized that most of that
was unnecessary, this is what I was talking about:

    import gc, sys

    def show(*args):
        for obj in args:
            # look only at the caller's locals for names bound to this object
            frame = sys._getframe(1)
            for k, v in frame.f_locals.iteritems():
                if v is obj:
                    print "%s=%r" % (k, v)

    a, b, c, d, e, = False, 1, [1, 2, 3], {'x': 2}, map

    show(a, b, c, d, e)

outputs:

    a=False
    b=1
    c=[1, 2, 3]
    d={'x': 2}
    e=<built-in function map>

[ <http://codepad.org/4JogU069> ] [ edit: slight cleanup]

~~~
irahul
Not so useful when you have shared pool.

    a = 10
    b = 10
    show(a)

Or

    a = 'test'
    b = 'test'
    show(a)

------
vosper
Without the (assumed) accompanying presentation these slides aren't all that
illuminating

------
freyrs3
Code is here: <https://github.com/mitsuhiko/badideas>

------
tomrod
Wow. I'm a numpy aficionado and connoisseur... I'm sad to say I really don't
understand most of what's going on in this code...

~~~
irahul
> I'm sad to say I really don't understand most of what's going on in this
> code...

Don't be :) Most of the dark voodoo there is not used (macros, implicit self),
some of it is used only by toolmakers (finding request, changing traceback
messages, import hooks), and then a small part is used here and there by
regular applications (monkey patching; "names of variables" sounds useful but
it won't work with shared pool. `a = 10; b = 10; show_names(a)` will show both
"a" and "b")

~~~
the_mitsuhiko
> but it won't work with shared pool. `a = 10; b = 10; show_names(a)` will
> show both "a" and "b")

That will actually show nothing because strings are not tracked by the cyclic
garbage collector because they can never be part of cycles.

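The name lookup from notaddicted's `show()`, the shared-pool objection irahul raises against it, and the_mitsuhiko's point about what the cyclic garbage collector tracks, as one added Python 3 example that is not code from the thread or from the slides. `names_in_caller` is the `f_locals` lookup written to return its findings instead of printing them; `demo` is a constructed caller that reproduces the thread's cases.

```python
# Added example (not from the thread or the slides): the f_locals name lookup
# from show(), returning its findings, plus the cases the thread raises against
# it: objects CPython shares between several names, and the fact that such
# atomic objects are not tracked by the cyclic garbage collector.
import gc
import sys


def names_in_caller(obj):
    """Return the sorted names in the *calling* frame bound to exactly obj.

    The match is by identity (``is``), as in the thread's show(). Anything the
    interpreter shares between variables therefore comes back under every name
    that points at it, so the result is only unambiguous for objects that are
    not shared.
    """
    frame = sys._getframe(1)  # the caller's frame
    return sorted(name for name, value in frame.f_locals.items() if value is obj)


def demo():
    """Reproduce the thread's cases; return what the lookup reports for each."""
    a = 10
    b = 10              # CPython caches small ints, so a is b: both names match
    s = "test"
    t = "test"          # equal string constants in one code object are one object
    unique = [1, 2, 3]  # a fresh container: only one name is bound to it
    return {
        "int": names_in_caller(a),          # ['a', 'b']
        "str": names_in_caller(s),          # ['s', 't']
        "list": names_in_caller(unique),    # ['unique']
        # Atomic objects such as ints and strings cannot take part in reference
        # cycles, so the cyclic GC does not track them; a list is tracked.
        "int_tracked": gc.is_tracked(a),
        "list_tracked": gc.is_tracked(unique),
    }


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%s=%r" % (key, value))
```

The ambiguity is inherent in looking up by identity, not a bug in the lookup: any object the interpreter reuses (small ints, interned strings, `None`, `True`) will be reported under every name bound to it. For the debugging use the slides had in mind, Python 3.8 and later provide the unambiguous spelling `f"{a=}"`, which the compiler expands to the literal name and its repr.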
~~~
irahul
My bad. I was talking about this alternate implementation:

<https://gist.github.com/2688055>

