Re: [new] www/esniper
On 2/12/19 11:44 AM, Stuart Henderson wrote: On 2019/02/05 12:55, Renaud Allard wrote: Any chances of getting it committed? I don't think we should be encouraging its use by having it in ports. Complex string parsing of a frequently updated website, in C, and the above bug isn't a good indication that they are getting things right (why does it even set CURL_POSTFIELDSIZE at all when it's doing a GET? why reuse a stale pointer?) - this is something I'd be wary of even for a standard website. But for something which has your ebay credentials? My comment about https wasn't so much "ports should change this" but more "the developers are insane if they think this is acceptable, what else are they doing wrong". OK, agreed, on the positive side, this story has led to a patch in libcurl. smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On 2019/02/05 12:55, Renaud Allard wrote: > > > On 2/1/19 3:38 PM, Renaud Allard wrote: > > > > Hi, > > > > I have made a change, in fact setting CURL_POSTFIELDSIZE to 0 when GET > > needs to be used. This resolves the segfault, but the -m option doesn't > > seem to be working yet, but I will report that to the dev. > > > > I also made patches to initialize curl the right way with LONG, limit > > the protocols to HTTP(S) and made it to prefer HTTPS. > > Also, I have changed the useragent to be more modern, and less like the > > default one in esniper. > > > > Best Regards > > Any chances of getting it committed? > I don't think we should be encouraging its use by having it in ports. Complex string parsing of a frequently updated website, in C, and the above bug isn't a good indication that they are getting things right (why does it even set CURL_POSTFIELDSIZE at all when it's doing a GET? why reuse a stale pointer?) - this is something I'd be wary of even for a standard website. But for something which has your ebay credentials? My comment about https wasn't so much "ports should change this" but more "the developers are insane if they think this is acceptable, what else are they doing wrong".
Re: [new] www/esniper
On 2/1/19 3:38 PM, Renaud Allard wrote: Hi, I have made a change, in fact setting CURL_POSTFIELDSIZE to 0 when GET needs to be used. This resolves the segfault, but the -m option doesn't seem to be working yet, but I will report that to the dev. I also made patches to initialize curl the right way with LONG, limit the protocols to HTTP(S) and made it to prefer HTTPS. Also, I have changed the useragent to be more modern, and less like the default one in esniper. Best Regards I filed a bug with libcurl and they already made a patch for it. https://github.com/curl/curl/issues/3548 smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On 2/1/19 3:38 PM, Renaud Allard wrote: Hi, I have made a change, in fact setting CURL_POSTFIELDSIZE to 0 when GET needs to be used. This resolves the segfault, but the -m option doesn't seem to be working yet, but I will report that to the dev. I also made patches to initialize curl the right way with LONG, limit the protocols to HTTP(S) and made it to prefer HTTPS. Also, I have changed the useragent to be more modern, and less like the default one in esniper. Best Regards Any chances of getting it committed? smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
Hi, I have made a change, in fact setting CURL_POSTFIELDSIZE to 0 when GET needs to be used. This resolves the segfault, but the -m option doesn't seem to be working yet, but I will report that to the dev. I also made patches to initialize curl the right way with LONG, limit the protocols to HTTP(S) and made it to prefer HTTPS. Also, I have changed the useragent to be more modern, and less like the default one in esniper. Best Regards esniper.tar.gz Description: application/gzip smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On 1/31/19 2:09 PM, Sebastian Reitenbach wrote: You might get some more clues from building curl with debug symbols. I have this in my /etc/.mk.conf: DEBUG=-g -O0 which usually does the ticket. It seems that to get debug symbols in curl, you need to modify the Makefile to add --enable-debug (gdb) run Starting program: /usr/ports/pobj/esniper-2.35.0/esniper-2-35-0/esniper -m Program received signal SIGSEGV, Segmentation fault. strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125 125 /usr/src/lib/libc/arch/amd64/string/strlen.S: No such file or directory. in /usr/src/lib/libc/arch/amd64/string/strlen.S Current language: auto; currently asm (gdb) bt #0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125 #1 0x04a2edf3e9e5 in Curl_pretransfer (data=0x4a270901008) at transfer.c:1406 #2 0x04a2edf4eb9a in multi_runsingle (multi=0x4a2b2eb7808, now={tv_sec = 96041, tv_usec = 578763}, data=0x4a270901008) at multi.c:1441 #3 0x04a2edf4e3ca in curl_multi_perform (multi=0x4a2b2eb7808, running_handles=0x7f7dc48c) at multi.c:2214 #4 0x04a2edf41d25 in easy_transfer (multi=0x4a2b2eb7808) at easy.c:686 #5 0x04a2edf4074e in easy_perform (data=0x4a270901008, events=false) at easy.c:780 #6 0x04a2edf40563 in curl_easy_perform (data=0x4a270901008) at easy.c:799 #7 0x04a0606dae68 in httpRequest ( url=0x4a343e38880 "https://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0, data=0x4a0606c9a49 "", logData=0x0, rt=GET) at http.c:177 #8 0x04a0606dab7a in httpGet ( url=0x4a343e38880 "https://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0) at http.c:79 #9 0x04a0606cfdec in printMyItems () at auction.c:1217 #10 0x04a0606d4df2 in main (argc=0, argv=0x7f7dc858) at esniper.c:850 smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On Thu, Jan 31, 2019 at 03:28:02PM +0100, Otto Moerbeek wrote: > On Thu, Jan 31, 2019 at 03:09:54PM +0100, Renaud Allard wrote: > > > With the attachment, it might be better > > > > On 1/31/19 3:08 PM, Renaud Allard wrote: > > > I have changed the http requests to https ones and cleaned up the > > > Makefile, but this still needs some investigations about that segfault. > > > It seems that it's easier to reproduce when having a malloc.conf with > > > SURF. > > > > > > I had never tested the -m switch, so I don't know when it broke. > > > > > \337 (octal) is 0xdf hex, that is the value malloc uses to fill > free'ed mem. So you're most likely looking at use-after-free, > > -Otto > > BTW, S implies URF And on -current you want to set sysctl vm.malloc_conf instead of creating a malloc.conf symlink.
Re: [new] www/esniper
On Thu, Jan 31, 2019 at 03:09:54PM +0100, Renaud Allard wrote: > With the attachment, it might be better > > On 1/31/19 3:08 PM, Renaud Allard wrote: > > I have changed the http requests to https ones and cleaned up the > > Makefile, but this still needs some investigations about that segfault. > > It seems that it's easier to reproduce when having a malloc.conf with > > SURF. > > > > I had never tested the -m switch, so I don't know when it broke. > > \337 (octal) is 0xdf hex, that is the value malloc uses to fill free'ed mem. So you're most likely looking at use-after-free, -Otto BTW, S implies URF
Re: [new] www/esniper
With the attachment, it might be better On 1/31/19 3:08 PM, Renaud Allard wrote: I have changed the http requests to https ones and cleaned up the Makefile, but this still needs some investigations about that segfault. It seems that it's easier to reproduce when having a malloc.conf with SURF. I had never tested the -m switch, so I don't know when it broke. esniper.tar.gz Description: application/gzip smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
I have changed the http requests to https ones and cleaned up the Makefile, but this still needs some investigations about that segfault. It seems that it's easier to reproduce when having a malloc.conf with SURF. I had never tested the -m switch, so I don't know when it broke. smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On 1/31/19 12:34 PM, Sebastian Reitenbach wrote: Hi, #6 0x0378b0d8 in curl_easy_perform () from /usr/local/lib/libcurl.so.25.19 #7 0x1b83a381 in httpRequest (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0, data=0x3b82df06 "", logData=0x0, rt=GET) at http.c:177 #8 0x1b83a058 in httpGet (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0) at http.c:79 #9 0x1b82d356 in printMyItems () at auction.c:1217 #10 0x1b832b33 in main (argc=0, argv=0xcf7c5e14) at esniper.c:850 I found a very old bug report about this: https://sourceforge.net/p/esniper/bugs/294/ It was closed as "closed-works-for-me" smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On 1/31/19 2:16 PM, Renaud Allard wrote: On 1/31/19 1:21 PM, Stuart Henderson wrote: #7 0x1b83a381 in httpRequest (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0, data=0x3b82df06 "", logData=0x0, rt=GET) at http.c:177 #8 0x1b83a058 in httpGet (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0) at http.c:79 http://? Are they nuts? Should be easy enough to fix that, but this is not a good sign for software that expects you to trust it with your ebay credentials. I am under the impression that those requests to http without ssl pages come from ebay itself. Sorry, my bad auction.c:static const char MYITEMS_URL[] = "http://%s/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;; smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On 1/31/19 1:21 PM, Stuart Henderson wrote: #7 0x1b83a381 in httpRequest (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0, data=0x3b82df06 "", logData=0x0, rt=GET) at http.c:177 #8 0x1b83a058 in httpGet (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0) at http.c:79 http://? Are they nuts? Should be easy enough to fix that, but this is not a good sign for software that expects you to trust it with your ebay credentials. I am under the impression that those requests to http without ssl pages come from ebay itself. smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
Am Donnerstag, Januar 31, 2019 13:21 CET, Stuart Henderson schrieb: > On 2019/01/31 12:34, Sebastian Reitenbach wrote: > > Hi, > > > > Am Donnerstag, Januar 31, 2019 11:59 CET, Renaud Allard > > schrieb: > > > > > > > > > > > On 1/31/19 10:51 AM, Renaud Allard wrote: > > > > Hello, > > > > > > > > Here is a port of esniper 2.35.0. > > > > esniper is a simple, lightweight tool for sniping ebay auctions > > > > > > > > > > Solene suggested to add a WANTLIB variable, so here is the port with > > > that variable added > > Diff against your latest version: > > - use make to fix up the DISTNAME rather than enter the version twice > - use standard sourceforge MASTER_SITES > - don't list as both BUILD_DEPENDS and LIB_DEPENDS > > diff --git Makefile Makefile > index a0404ce..25815fe 100644 > --- Makefile > +++ Makefile > @@ -2,7 +2,7 @@ > > COMMENT =lightweight console application for sniping eBay auctions > VERSION =2.35.0 > -DISTNAME = esniper-2-35-0 > +DISTNAME = esniper-${VERSION:S/./-/g} > PKGNAME = esniper-${VERSION} > EXTRACT_SUFX=.tgz > > @@ -15,10 +15,10 @@ MAINTAINER =Renaud Allard > # GPLv2+ > PERMIT_PACKAGE_CDROM = Yes > > -MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=esniper/}esniper/${VERSION}/ > +MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=esniper/} > > WANTLIB += c crypto curl nghttp2 ssl z > -BUILD_DEPENDS = net/curl > + > LIB_DEPENDS =net/curl > > CONFIGURE_STYLE =gnu > > > > > > > > > Trying to list my watchlist, esniper -U ebayusername -m > > it most of the time segfaults like this: > > You might get some more clues from building curl with debug symbols. I have this in my /etc/.mk.conf: DEBUG=-g -O0 which usually does the ticket. Renaud no malloc.conf, just standard everything. Sebastian
Re: [new] www/esniper
On 1/31/19 12:34 PM, Sebastian Reitenbach wrote: Hi, Am Donnerstag, Januar 31, 2019 11:59 CET, Renaud Allard schrieb: On 1/31/19 10:51 AM, Renaud Allard wrote: Hello, Here is a port of esniper 2.35.0. esniper is a simple, lightweight tool for sniping ebay auctions Solene suggested to add a WANTLIB variable, so here is the port with that variable added Trying to list my watchlist, esniper -U ebayusername -m it most of the time segfaults like this: Are you using a non default malloc.conf? smime.p7s Description: S/MIME Cryptographic Signature
Re: [new] www/esniper
On 2019/01/31 12:34, Sebastian Reitenbach wrote: > Hi, > > Am Donnerstag, Januar 31, 2019 11:59 CET, Renaud Allard > schrieb: > > > > > > > On 1/31/19 10:51 AM, Renaud Allard wrote: > > > Hello, > > > > > > Here is a port of esniper 2.35.0. > > > esniper is a simple, lightweight tool for sniping ebay auctions > > > > > > > Solene suggested to add a WANTLIB variable, so here is the port with > > that variable added Diff against your latest version: - use make to fix up the DISTNAME rather than enter the version twice - use standard sourceforge MASTER_SITES - don't list as both BUILD_DEPENDS and LIB_DEPENDS diff --git Makefile Makefile index a0404ce..25815fe 100644 --- Makefile +++ Makefile @@ -2,7 +2,7 @@ COMMENT = lightweight console application for sniping eBay auctions VERSION = 2.35.0 -DISTNAME = esniper-2-35-0 +DISTNAME = esniper-${VERSION:S/./-/g} PKGNAME = esniper-${VERSION} EXTRACT_SUFX= .tgz @@ -15,10 +15,10 @@ MAINTAINER =Renaud Allard # GPLv2+ PERMIT_PACKAGE_CDROM = Yes -MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=esniper/}esniper/${VERSION}/ +MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=esniper/} WANTLIB += c crypto curl nghttp2 ssl z -BUILD_DEPENDS =net/curl + LIB_DEPENDS = net/curl CONFIGURE_STYLE = gnu > > > > Trying to list my watchlist, esniper -U ebayusername -m > it most of the time segfaults like this: You might get some more clues from building curl with debug symbols. > Program received signal SIGSEGV, Segmentation fault. > 0x0a49db90 in _libc_strlen (str=0x6eb36800 '\337' ...) at > /usr/src/lib/libc/string/strlen.c:39 > 39 /usr/src/lib/libc/string/strlen.c: No such file or directory. > (gdb) bt > #0 0x0a49db90 in _libc_strlen (str=0x6eb36800 '\337' ...) > at /usr/src/lib/libc/string/strlen.c:39 > #1 0x037898ae in Curl_pretransfer () from /usr/local/lib/libcurl.so.25.19 > #2 0x03797a30 in multi_runsingle () from /usr/local/lib/libcurl.so.25.19 > #3 0x0379713d in curl_multi_perform () from /usr/local/lib/libcurl.so.25.19 > #4 0x0378c6ea in easy_transfer () from /usr/local/lib/libcurl.so.25.19 > #5 0x0378b2ef in easy_perform () from /usr/local/lib/libcurl.so.25.19 > #6 0x0378b0d8 in curl_easy_perform () from /usr/local/lib/libcurl.so.25.19 > #7 0x1b83a381 in httpRequest (url=0x6de41680 > "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, > logUrl=0x0, data=0x3b82df06 "", logData=0x0, > rt=GET) at http.c:177 > #8 0x1b83a058 in httpGet (url=0x6de41680 > "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, > logUrl=0x0) at http.c:79 http://? Are they nuts? Should be easy enough to fix that, but this is not a good sign for software that expects you to trust it with your ebay credentials. > #9 0x1b82d356 in printMyItems () at auction.c:1217 > #10 0x1b832b33 in main (argc=0, argv=0xcf7c5e14) at esniper.c:850 > > If it doesn't segfault, it just doesn't show my watchlist. > With a different accout, it doesn't seem to crash on me, but also doesn't > show me that watchlist. > > happens on i386 as well as on amd64. > > cheers, > Sebastian >
Re: [new] www/esniper
Hi, Am Donnerstag, Januar 31, 2019 11:59 CET, Renaud Allard schrieb: > > > On 1/31/19 10:51 AM, Renaud Allard wrote: > > Hello, > > > > Here is a port of esniper 2.35.0. > > esniper is a simple, lightweight tool for sniping ebay auctions > > > > Solene suggested to add a WANTLIB variable, so here is the port with > that variable added > > Trying to list my watchlist, esniper -U ebayusername -m it most of the time segfaults like this: Program received signal SIGSEGV, Segmentation fault. 0x0a49db90 in _libc_strlen (str=0x6eb36800 '\337' ...) at /usr/src/lib/libc/string/strlen.c:39 39 /usr/src/lib/libc/string/strlen.c: No such file or directory. (gdb) bt #0 0x0a49db90 in _libc_strlen (str=0x6eb36800 '\337' ...) at /usr/src/lib/libc/string/strlen.c:39 #1 0x037898ae in Curl_pretransfer () from /usr/local/lib/libcurl.so.25.19 #2 0x03797a30 in multi_runsingle () from /usr/local/lib/libcurl.so.25.19 #3 0x0379713d in curl_multi_perform () from /usr/local/lib/libcurl.so.25.19 #4 0x0378c6ea in easy_transfer () from /usr/local/lib/libcurl.so.25.19 #5 0x0378b2ef in easy_perform () from /usr/local/lib/libcurl.so.25.19 #6 0x0378b0d8 in curl_easy_perform () from /usr/local/lib/libcurl.so.25.19 #7 0x1b83a381 in httpRequest (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0, data=0x3b82df06 "", logData=0x0, rt=GET) at http.c:177 #8 0x1b83a058 in httpGet (url=0x6de41680 "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay=MyeBayWatching;, logUrl=0x0) at http.c:79 #9 0x1b82d356 in printMyItems () at auction.c:1217 #10 0x1b832b33 in main (argc=0, argv=0xcf7c5e14) at esniper.c:850 If it doesn't segfault, it just doesn't show my watchlist. With a different accout, it doesn't seem to crash on me, but also doesn't show me that watchlist. happens on i386 as well as on amd64. cheers, Sebastian
Re: [new] www/esniper
On 1/31/19 10:51 AM, Renaud Allard wrote: Hello, Here is a port of esniper 2.35.0. esniper is a simple, lightweight tool for sniping ebay auctions Solene suggested to add a WANTLIB variable, so here is the port with that variable added esniper.tar.gz Description: application/gzip smime.p7s Description: S/MIME Cryptographic Signature