arc> (let (x . y) '(a b c) y)
Anyway, is it safe to assume that you're not going to try to get me arrested or anything?
Do you mean your username is actually descriptive? Since you are obviously a Lisp hacker, I'd be happy to have a truce. Can you send me an email?
(let (x . _) '(a b c) x)
I'm not comfortable with destructuring values "flexibly" when I don't control the data coming in.
"nil" could be used instead, since nil isn't allowed to be rebound.
(let (x . nil) '(a b c) x)
(let nil t nil) ---> nil
You could go a step further and have a special ignore symbol, (for instance * ) like most pattern matching languages/libraries have with the property that it can appear multiple times:
arc> (let (x * y . *) '(a b c d e f) y)
I think that people used to dynamic programming languages would normally pick the list rather than the tuple simply because it at first appears easier. I think Dijkstra had something to say on that particular subject :)
I'm imagining you'd have some kind of Field record type, with isDisplayable and isModifyable fields. Instead of destructuring as a list (or tuple), you would explicitly look for isDisplayable and isModifyable.
But, of course, you could still make the same mistake in a statically typed language if you chose not to set up the data structure this way.
Out of curiosity, why did you take the site down two times before applying the fix?
If I'm not mistaken, that had nothing to do with SQL injection. The fnid basically was the authenticator that allowed a person to edit a page, regardless of who was logged in.
What about other HN-powered Arc sites? Are they vulnerable as well? I won't name names, because I'm guessing they are indeed vulnerable.
Edit: Yes, they are.
Anyway your mention of fnid prompted me to learn a bit about Arc and the Arc web server, which looks very interesting. Might have to play with it a bit.
From the source, it looks like there was a vulnerability in which the fnid (I'm guessing a string that authenticates a user to edit an item?) was searched for on PG's profile page (using the regex /<input type=hidden name="fnid" value="([^"]+)">/). Then a POST request was made on the standard profile saving resource news.ycombinator.com/x, with the fnid which authenticated the user's permission to edit the page, along with the about text, as parameters.
Edit: PG says the fnid just points to a closure on the system. See above. Which means... all you needed was a randomly generated fnid, and that's all that you needed to edit anyone's page. Apparently?
Clever, or just poor authentication design. But that's only one half of the exploit. How were the points done? I'm going to rule out millions of accounts created.
(When you think about it, this was pretty simplistic. All anybody did was edit text fields on the site. That hints it was injection.)
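An added example, not code from HN, Arc, or anyone in this thread, of the authentication design point raised above: a minimal closure table in Python where an fnid alone authorizes an action, beside a hardened version that binds each fnid to the session that minted it and consumes it on use. The profile store, usernames and `FnidTable` classes are constructed for illustration.

```python
import secrets

# Constructed sample data, not HN's real profile store: username -> about text.
profiles = {"pg": "about: founder", "alice": "about: hacker"}

def make_edit_closure(user):
    """The server-side action an fnid points to: a closure rewriting one user's about text."""
    def edit(about):
        profiles[user] = about
        return profiles[user]
    return edit

class UncheckedFnidTable:
    """The design the thread describes: an fnid names a closure and nothing else."""
    def __init__(self):
        self.fns = {}
    def register(self, session_user, closure):
        fnid = secrets.token_urlsafe(16)  # unguessable id, but not tied to any session
        self.fns[fnid] = closure
        return fnid
    def post(self, session_user, fnid, **params):
        # Whoever presents a valid id runs the closure; session_user is never consulted.
        closure = self.fns.get(fnid)
        return None if closure is None else closure(**params)

class CheckedFnidTable(UncheckedFnidTable):
    """Hardened form: bind each fnid to the session that minted it and consume it on use."""
    def register(self, session_user, closure):
        fnid = secrets.token_urlsafe(16)
        self.fns[fnid] = (session_user, closure)
        return fnid
    def post(self, session_user, fnid, **params):
        entry = self.fns.pop(fnid, None)  # one-shot: a replayed id is refused
        if entry is None:
            return None
        owner, closure = entry
        if owner != session_user:
            return None  # minted for a different session: refuse
        return closure(**params)

def cross_session_edit(table_cls):
    """Mint an fnid for pg's edit form, then submit it from alice's session.
    Returns (server answer, pg's about text afterwards)."""
    profiles["pg"] = "about: founder"
    table = table_cls()
    fnid = table.register("pg", make_edit_closure("pg"))
    return table.post("alice", fnid, about="about: changed by alice"), profiles["pg"]
```

With the unchecked table the edit goes through; with the checked table the server answers None and pg's text is untouched.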
While I appreciate and admire the sentiment that this is a "community of trust", security still must be taken seriously. There are plenty of guys out there with the ability to pull such tricks; they may not care about trust, and the website is accessible to anyone, good or bad.
I emailed PG, if he didn't know already, and slowly some of the things are being fixed back. PG's account is still vulnerable as of this posting. EDIT: No it's not.
For the question whether it's cracked... I dunno but nothing is perfect.
Anyways, the fact it is hacked drove some nice traffic to HN from reddit :)