Valentines
Feb. 14th, 2003 01:53 pm
OK so in the end I did have a go with the LVS. Oddly enough (when I finally got the notification, well done to Steve the author for sorting that out quickly and graciously) I found ewx and I had nominated each other. Neither of my two other nominees had nominated me back though. And I apparently have two mystery admirers. Wonder if they're brave enough to tell me who they are? You never can tell if I might not have been interested anyway, just out of slots.
no subject
Date: 2003-02-16 06:42 am (UTC)
no subject
Date: 2003-02-17 01:00 pm (UTC)
(Looks) yes, that should be really easy. The URL has a username and an opaque string in it; replace the username with the one you want and the opaque string with any old rubbish. If the user exists, you'll get one message; if they don't, you'll get a different one. Voila.
The code to choose the hex string is rather poor too.
I believe that a better approach would be to encrypt the username using a secret key with a symmetric cipher, and quote the result (and not the username) in the URL sent back by join.cgi. If the value received by validate.cgi decrypts to a known username, proceed for that user; if not then send back an error.
I notice lots of clone and hack in validate.cgi, where he ought to be using a loop. Yuck!
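The token scheme suggested in the comment above, sketched as an added example (not part of the comment and not the service's own code). The key, user table and function names are hypothetical, and because the Python standard library has no block cipher, an HMAC-SHA256 keystream plus a MAC tag stands in for the symmetric cipher here.

```python
import base64, hashlib, hmac, secrets

# Constructed sample data: hypothetical key and user table, not from the service.
SECRET_KEY = b"constructed-demo-key-not-for-production"
KNOWN_USERS = {"alice", "bob"}

def _prf(label: bytes, data: bytes) -> bytes:
    # The label keeps encryption and MAC uses of the key separate.
    return hmac.new(SECRET_KEY, label + data, hashlib.sha256).digest()

def _keystream(nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += _prf(b"enc", nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]

def make_token(username: str) -> str:
    """join.cgi side: the URL carries this value and no username."""
    plain = username.encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = _prf(b"mac", nonce + ct)
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def validate_token(token: str):
    """validate.cgi side: return the username, or None for every failure."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    # Check the tag in constant time before decrypting anything.
    if not hmac.compare_digest(tag, _prf(b"mac", nonce + ct)):
        return None
    try:
        name = bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()
    except UnicodeDecodeError:
        return None
    # Garbage, tampering and unknown users all produce the same None,
    # so the caller can send one identical error page for all three.
    return name if name in KNOWN_USERS else None
```

The ciphertext is as long as the username, so the token length still reveals the name's length; padding usernames to a fixed width before encrypting removes that.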