• Lucy :3@feddit.org
    108·
    4 hours ago

    So we need to be careful with upper- and lowercase. Meanwhile the docs: > settiings

      • Bezier@suppo.fi
        12·
        3 hours ago

        had to use a different spelliings at backend and frontend, otherwise it wouldn’t work.

  • jjjalljs@ttrpg.network
    50·
    4 hours ago

    Is the backend Python and the frontend JavaScript? Because then that would happen and just be normal, because Boolean true is True in python.

    • testfactor@lemmy.world
      751·
      4 hours ago

      Probably, but if you’re interpreting user inputs as raw code, you’ve got much much worse problems going on, lol.

      • Trailblazing Braille Taser@lemmy.dbzer0.com
        3·
        2 hours ago

        Given the warning about capitalization, the best possible case is that they’re using ast.literal_eval() rather than throwing untrusted input into eval().

        Err, I guess they might be comparing strings to ‘True’ and are choosing to be really strict about capitalization for some reason.

      • LostXOR@fedia.io
        161·
        4 hours ago

        [...]&register=import os; os.system("sudo rm -rf /"); return True

        • MajorHavoc@programming.dev
          2·
          1 hour ago

          Hey, that’s my username too. Or it was going to be, while the site was still up.

          What a coincidence!

          I guess I’ll wait for the site to come back, and see if it’s still available…

      • mmddmm@lemm.ee
        123·
        3 hours ago

        It’s the settiings file… It’s probably supposed to only be written by the system admin.

        • raldone01@lemmy.world
          61·
          2 hours ago

          A good place to put persistent malware. That’s why when using docker images always mount as ro if at all possible.

          • Ashley@lemmy.ca
            3·
            3 hours ago

            It’s you can modify the settings file you sure as hell can put the malware anywhere you want

          • mmddmm@lemm.ee
            3·
            3 hours ago

            Every environment has plenty of good places to put persistent malware. Even if you run your docker images as ro.

      • PotatoesFall@discuss.tchncs.de
        13·
        3 hours ago

        Yep they should use a config file format like JSON or TOML or YAML or what have you, and then decode that into python objects. Using an actual programming language for config is dumb as hell IMO. (inb4 pissed off suckless fans)

      • jjjalljs@ttrpg.network
        4·
        4 hours ago

        Depends on how it’s set up. If the setting is going into the env it’s a string, so I’d expect some sort of

        if os.getenv("this_variable", "false").lower() == "true":   # or maybe "in true, yes, on, 1" if you want to be weird like yaml
  this_variable = True
else:
  this_variable = False

        Except maybe a little more elegant and not typed on my phone.

        But if the instructions are telling the user to edit the settings directly, like where I wrote this_variable=True, they’d need to case it correctly there.

  • lily33@lemm.ee
    7·
    3 hours ago

    That makes me think, perhaps, you might be able to set it to exec("stuff") or True

    • MajorHavoc@programming.dev
      3·
      1 hour ago

      I like your idea, but hear me out:

      A Python file for configuration is the best way to guarantee that any friendly code I write to help the user with config usually won’t execute. And I hate my users.