[Clipart] the HASH bug again

Jonadab the Unsightly One jonadab at bright.net
Sat Sep 3 15:28:15 PDT 2005


Nicu Buculei <nicu at apsro.com> writes:

> It was supposed to be solved, but it appears not entirely, 

Ugh.  I was sure it was gone...

> we have in Incoming:

> http://openclipart.org/incoming/firewall2_hash_0x89c79d4_01.svg
> http://openclipart.org/incoming/workstation_hash_0x89c79_01.svg

Okay, this is very odd.  I looked at the upload.log, and here are the
steps for the first one (Firewall2):

1.  The first time the user filled out the form, when the file was
    actually uploaded, the author field was left blank.

2.  So the user filled out the "we need more information" form,
    which included the filetoken for the already-uploaded file.
    This time, the author field was...  well, here's an excerpt
    from the log:

!!!***--- Tue Aug 30 01:12:20 2005 ---***!!!
-----------------------------14002856319504639201301111353
Content-Disposition: form-data; name="filetoken"

H1PnweKQ60MZnbJfldWqryt1c34aIuedoBoqTZkzYXDI0
-----------------------------14002856319504639201301111353
Content-Disposition: form-data; name="filename"

firewall.svg
-----------------------------14002856319504639201301111353
Content-Disposition: form-data; name="filetype"

SVG
-----------------------------14002856319504639201301111353
Content-Disposition: form-data; name="author"

HASH(0x89c79d4)
-----------------------------14002856319504639201301111353
Content-Disposition: form-data; name="title"

Firewall2
-----------------------------14002856319504639201301111353
[and it goes on]

As you can see, it appears that the browser is sending us
'HASH(0x89c79d4)' in the author field of the form.  Why?

One of several things is going on here:

1.  A user is actually typing in stuff like 'HASH(0x89c79d4)' on the
    upload forms.  I think this is unlikely, but let me just say that
    if anyone does anything like that, and I find out about it, I will
    have words to say about what kind of practical jokes are in good
    taste.

2.  The data the browser sends is altered before it hits
    the upload log.  Here is the code in question:

       my ($formdata, %input);
       { my $num_bytes=$ENV{CONTENT_LENGTH};
         if ($num_bytes > 0) {
           $num_bytes == read (STDIN, $formdata, $num_bytes) or warn "CONTENT_LENGTH is full of lies!";
         } else {
           $formdata=$ENV{QUERY_STRING};
         }
       }
       loginput($formdata) if $formdata;

    If anyone sees a way that could be causing the problem,
    say something, but I don't see it.  Oh, and here's the
    loginput subroutine:
    
       sub loginput { if ($CONFIG{keep_input_log}) {
         my ($data) = (@_);
         open LOG, '>>', $CONFIG{keep_input_log}; {
           print LOG "\n!!!***--- " . gmtime() . " ---***!!!\n";
           print LOG $data;
         } close LOG;
       }}

    I can see how that could maybe have charset issues, but I
    do not see how it could cause the HASH bug.

3.  The file already has that information in it before it is
    uploaded.  In the upload log I did find some evidence of
    this happening a couple of times...
     * a file called ' sweden', by someone named ' Richard Torkar'
     * a file with the description,
       'Workstation based on "Andy Fitzsimon's Computer".'
       (This may be the second image you list above.  It was
        probably based on an image from a previous release,
        which had suffered from the bug at that time.)

    In cases like this, parsed metadata from the file could be
    autofilled on the need-more-information form and in any
    case could make it into the final image simply by not
    being changed.

    However, I did *not* find any evidence that this happened
    in the case of Firewall2, and it _should_ be evident,
    as the characters 'HASH' should appear in the uploaded
    SVG in the log, and I didn't find them there.

4.  Somehow the text 'HASH(0x89c79d4)' is getting autofilled
    into the form the second time for some _other_ reason, and
    the user is not correcting it.  I am completely at a loss 
    as to how this could happen, but it is not entirely
    impossible, just quite bizarre.
  
5.  I have completely misinterpreted the information in the
    upload log, or...

6.  The upload log has been tampered with, which seems very
    unlikely to me.

Anybody want to start narrowing down that list?

-- 
Open Clip Art Library:  Drawing Together
http://www.openclipart.org/
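
The following is an added example, not part of the original post and not code from the Open Clip Art upload script. It scans a log in the layout quoted above for strings of the form Perl prints when a reference is used as a string, and reports whether each one arrived in a plain form field or inside an uploaded file, which is the distinction option 3 turns on. The sample log, the boundary and the `svgfile` field name are constructed.

```python
import re

# Entry header written by loginput(): "!!!***--- <gmtime> ---***!!!"
ENTRY_RE = re.compile(r"^!!!\*\*\*--- (.+?) ---\*\*\*!!!$", re.M)
FIELD_RE = re.compile(r'Content-Disposition: form-data; name="([^"]*)"(; filename=)?')
# Perl prints a reference used as a string like this, e.g. HASH(0x89c79d4)
REF_RE = re.compile(r"\b(?:HASH|ARRAY|SCALAR|CODE|GLOB|REF)\(0x[0-9a-fA-F]+\)")

def scan_log(text):
    """List (timestamp, field, source, value) for each stringified ref in a logged form part."""
    hits = []
    pieces = ENTRY_RE.split(text.replace("\r\n", "\n"))  # [junk, ts1, body1, ts2, body2, ...]
    for ts, body in zip(pieces[1::2], pieces[2::2]):
        body = body.lstrip("\n")
        delimiter = body.split("\n", 1)[0]
        if not delimiter.startswith("--"):
            continue  # QUERY_STRING entry, not multipart; not handled here
        for part in body.split(delimiter)[1:]:
            head, _, value = part.lstrip("\n").partition("\n\n")
            field = FIELD_RE.search(head)
            if not field:
                continue  # closing "--" marker after the last part
            source = "uploaded-file" if field.group(2) else "form-field"
            hits += [(ts, field.group(1), source, ref) for ref in REF_RE.findall(value)]
    return hits

# Constructed sample in the upload.log layout quoted above; only the author value
# and the second timestamp come from the post, the rest is made up.
B = "-----------------------------1111"
SAMPLE_LOG = "\n".join([
    "", "!!!***--- Tue Aug 30 01:10:00 2005 ---***!!!",
    B, 'Content-Disposition: form-data; name="svgfile"; filename="firewall.svg"',
    "Content-Type: image/svg+xml", "", "<svg><title>Firewall2</title></svg>",
    B, 'Content-Disposition: form-data; name="author"', "", "",
    B + "--",
    "", "!!!***--- Tue Aug 30 01:12:20 2005 ---***!!!",
    B, 'Content-Disposition: form-data; name="author"', "", "HASH(0x89c79d4)",
    B, 'Content-Disposition: form-data; name="title"', "", "Firewall2",
    B + "--", ""])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit, sep="\t")
```

A hit with source `form-field` and no earlier `uploaded-file` hit for the same upload means the string was not in the uploaded file as logged.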



