vimprobable-users

[Vimprobable-users] [PATCH] Allow loading of user javascripts

[Daniel C. <dan...@gm...>]

Hi!

I asked some times ago for the possibility to run userdefinded javascripts on
every page load.

Here is a patch to do this. If someone else is interested in it I will updated
the manpages too.

I use also attached script file to block flash on all pages and to enable it
via mouseclick (script is from another brower project - but I can't find it
anymore).

Daniel

[Vimprobable-users] [PATCH] Allow loading of user javascripts

[Daniel C. <dan...@gm...>]

> I use also attached script file to block flash on all pages and to enable it
> via mouseclick (script is from another brower project - but I can't find it
> anymore).

The script cames from the uzbl project http://www.uzbl.org/wiki/flashblock

Daniel

Re: [Vimprobable-users] [PATCH] Allow loading of user javascripts

[Hannes S. <ha...@yl...>]

Patch merged, the example script should probably be added to the wiki
(with the appropriate credit).

Hannes

[Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Matthew C. <je...@gm...>]

Hi all,

I have made an interactive interface (similar to CPAN or any other CLI
installation utility) to allow users to share and use each other's user
scripts.

Code is all done via bash, it requires wget/grep/curl to be installed.

I'd say it is a beta version still, you can download the latest version
at:

	http://ahungry.com/vp2_scripter/ahungry_scripter.sh

	(or grab this email's attachment)

If you run it with -h, help, or about commands you can see how to use
it.

It should probably be placed in and run from ~/.config/vimprobable,
unless your vimprobable config directory is elsewhere (really it just
needs to be in the same directory as your scripts.js file is expected to
be in).

The script makes 3 directories: scripts.{available,enabled,constant}

The scripts.available consists of all user submitted userscripts, while
any you want to use but not share should be stored in scripts.constant.

If you want to add a script to the server, just use:

	./ahungry_scripter.sh push ./yourscript.js

and it'll be merged into the tar.gz within the next minute.

The main purpose of the script (other than pushing and pulling files) is
to merge multiple javascript files into the single scripts.js file that
vimprobable2 reads.

If you run in wizard mode you can see comments for files as you choose
to include or leave out of your own scripts.js file (if you submit your
own file use @ahungry to have the script print your comment during the
wizard).

To start with, I have included the following userscripts:

	flashblock user script

	auto scroller (written by me, moves page based on mouse position)

	password auto filler (I sent this to the mailing list awhile ago as a
	patch to hinting.js, now it gets its own spot - requiers some user
	config so copy it to scripts.constant and add your own passwords, do
	NOT push your password containing file to my server or add any super
	sensitive passwords here as they are plaintext)

Please let me know if you like this little utility.

If desired I can send out the server side code (its not much) and this
can be run from the main vimprobable servers instead of my own.

Thanks,
-Matt

On Sat, Oct 13, 2012 at 11:17:00AM +0200, Hannes Schüller wrote:
> Patch merged, the example script should probably be added to the wiki
> (with the appropriate credit).
> 
> Hannes
> 
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Vimprobable-users mailing list
> Vim...@li...
> https://lists.sourceforge.net/lists/listinfo/vimprobable-users

-- 
Matthew Carter
je...@gm...

Re: [Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Hannes S. <ha...@yl...>]

Hello Matthew,

this sounds great and I think it would be very useful if you could
document all of this in the wiki as well so that people not on the
mailing list can discover about it as well.

Personally, I'm a bit worried about this, though:

> If you want to add a script to the server, just use:
>
>	./ahungry_scripter.sh push ./yourscript.js
>
> and it'll be merged into the tar.gz within the next minute.

So if I push some malicious script, it will be merged into the 'repo'
automatically. OK, you could argue that people should check the code
before using the script, fair enough. How is versioning handled,
though. I.e. what if I (being an evil attacker) push a file with the
same name you're using for your popular script? Will it then be
overwritten and distributed to all the happy users of your script?

Hannes

Re: [Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Matthew C. <je...@gm...>]

Hi Hannes,

Right now script updates are locked down by IP address, so at this point no one can update the three scripts I put on unless they spoof my ip.

I realize this may lock some out of their own scripts if ip changes, I plan to add an auth system to this and let user store a usrname/key to pass to server to validate their script edit access.
 
I'll probably include a rating system and vote to remove system also.

Thanks,
Matt


Sent from my Palm Pre on AT&T
On Oct 14, 2012 3:59, Hannes Schüller <ha...@yl...> wrote: 

Hello Matthew,



this sounds great and I think it would be very useful if you could

document all of this in the wiki as well so that people not on the

mailing list can discover about it as well.



Personally, I'm a bit worried about this, though:



> If you want to add a script to the server, just use:

>

>	./ahungry_scripter.sh push ./yourscript.js

>

> and it'll be merged into the tar.gz within the next minute.



So if I push some malicious script, it will be merged into the 'repo'

automatically. OK, you could argue that people should check the code

before using the script, fair enough. How is versioning handled,

though. I.e. what if I (being an evil attacker) push a file with the

same name you're using for your popular script? Will it then be

overwritten and distributed to all the happy users of your script?



Hannes





------------------------------------------------------------------------------

Don't let slow site performance ruin your business. Deploy New Relic APM

Deploy New Relic app performance management and know exactly

what is happening inside your Ruby, Python, PHP, Java, and .NET app

Try New Relic at no cost today and get our sweet Data Nerd shirt too!

http://p.sf.net/sfu/newrelic-dev2dev

_______________________________________________

Vimprobable-users mailing list

Vim...@li...

https://lists.sourceforge.net/lists/listinfo/vimprobable-users

Re: [Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Hannes S. <ha...@yl...>]

"Matthew Carter" <je...@gm...> wrote:
> Right now script updates are locked down by IP address, so at this
> point no one can update the three scripts I put on unless they spoof
> my ip.

I'm sure you are aware that the source address in IP is just a text
field, so that is not really an authentication.

> I realize this may lock some out of their own scripts if ip changes,

Also, most people use dynamic IP addresses anyway.

Anyway, I don't think any of this is really a problem right now,
because I doubt that the Vimprobable user base, which would probably
notice quickly enough, is really a worthwhile attack target. I just
want to make sure that everybody is aware of the potential risks.

Looking forward to see how this develops!

Hannes

Re: [Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Matthew C. <je...@gm...>]

Hi all,

I'm thinking most users wouldn't want to bother going to the site to
create an account (and passing their credentials via a manually edited
config file).

I am thinking I will generate a key on the server end that is sent back
during the user's first 'push', and save it locally, to be used with
subsequent pushes (if key doesn't match, user cannot update the
javascript file of the same name).

Oh btw, I have a working scriptblock (similar to firefox's noscript).
I started by modifying Daniel's flasblock and ended up expanding quite a
bit a little bit of the same code got reused).

It seems to work quite nicely, by default it does the following:

	Allows same domain scripts to run automatically (you can comment out
	a single line in scriptblock.js if you do not wish this)

	Blocks all scripts loaded from external sources until user left
	clicks (to allow entire domain) or right clicks (to allow individual
	script)

The :set scripts=false option is nice, but not as fluid for pinpointing
which scripts to keep around and which to discard.

At this time I chose not to add an auto reloader to the page when
scripts are allowed/denied, so you will have to press 'r' to reload
yourself.

Next up I will work on an adblocker, I use privoxy myself, but I have to
admit doing an "./ahungry_scripter.sh -a" would have been a lot easier
to set up for adblocking than setting up privoxy when I first started
with vimprobable.

Thanks,
-Matt

On Mon, Oct 15, 2012 at 08:52:21PM +0200, Hannes Schüller wrote:
> "Matthew Carter" <je...@gm...> wrote:
> > Right now script updates are locked down by IP address, so at this
> > point no one can update the three scripts I put on unless they spoof
> > my ip.
> 
> I'm sure you are aware that the source address in IP is just a text
> field, so that is not really an authentication.
> 
> > I realize this may lock some out of their own scripts if ip changes,
> 
> Also, most people use dynamic IP addresses anyway.
> 
> Anyway, I don't think any of this is really a problem right now,
> because I doubt that the Vimprobable user base, which would probably
> notice quickly enough, is really a worthwhile attack target. I just
> want to make sure that everybody is aware of the potential risks.
> 
> Looking forward to see how this develops!
> 
> Hannes
> 
> 
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Vimprobable-users mailing list
> Vim...@li...
> https://lists.sourceforge.net/lists/listinfo/vimprobable-users

-- 
Matthew Carter
je...@gm...

Re: [Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Matthew C. <je...@gm...>]

Hi Hannes,

The main script has been updated to use a key gen method, please let me
know what you think.

If you already have the script, you can update it to the newest one
with:

	./ahungry_scripter.sh update

Thanks,
-Matt

On Mon, Oct 15, 2012 at 08:52:21PM +0200, Hannes Schüller wrote:
> "Matthew Carter" <je...@gm...> wrote:
> > Right now script updates are locked down by IP address, so at this
> > point no one can update the three scripts I put on unless they spoof
> > my ip.
> 
> I'm sure you are aware that the source address in IP is just a text
> field, so that is not really an authentication.
> 
> > I realize this may lock some out of their own scripts if ip changes,
> 
> Also, most people use dynamic IP addresses anyway.
> 
> Anyway, I don't think any of this is really a problem right now,
> because I doubt that the Vimprobable user base, which would probably
> notice quickly enough, is really a worthwhile attack target. I just
> want to make sure that everybody is aware of the potential risks.
> 
> Looking forward to see how this develops!
> 
> Hannes
> 
> 
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Vimprobable-users mailing list
> Vim...@li...
> https://lists.sourceforge.net/lists/listinfo/vimprobable-users

-- 
Matthew Carter
je...@gm...

Re: [Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Andraž 'r. L. <ru...@co...>]

> Code is all done via bash, it requires wget/grep/curl to be installed.

You could drop either wget or curl. Both can handle everything the other
does more or less.

> If you want to add a script to the server, just use:
> 
> 	./ahungry_scripter.sh push ./yourscript.js

I'm wondering why not just use a git or hg or even svn repo for the
scripts and handle them there. You could with git have a "mob" branch
that anyone could push to without an account then you could just merge
anything relevant through(this is an idea from http://repo.or.cz).

To replace wget with curl just use curl -O url and you'll get the remote
filename used to download.

For the date used I'd prefer 'date -u --rfc-3339=seconds' simply because
it makes checking when various people updated easier(if there is an
issue to solve) and the ISO formated date since it's easy to parse.

Just some of my thoughts on this thing. I'll keep watching it because I
am interested in such stuff. Though I run with js off 99% of the time.

Regards
-- 
Andraž 'ruskie' Levstik
Source Mage GNU/Linux mage
Re-Alpine Coordinator http://sourceforge.net/projects/re-alpine/
Geek/Hacker/Tinker

Seilf Emit

Re: [Vimprobable-users] User Javascripts utility similar to CPAN now available for auto script installs

[Matt C. <je...@gm...>]

Hi Andraz,

Thanks for the feed back, I will clean up the code to remove the wget calls.

Regarding the pushing of files, at this time I am locking files down to the
original uploader based on the key sent to the user's directory from the
server, so that if I am the creator of, say, scriptblock.js, no one else
can overwrite or modify the file (they could upload scriptblock_v2.js just
fine, and have it included in other user's pulls).

When I got to writing the script, it was easier to set up a single
receiving page (upload.php) to handle this than to set up git or any other
versioning system on my web server (I am a bit lazy, also not as
experienced with git as I should be).

If there is a lot of interest in this project and there would be a large
benefit to doing it that way, I am open to trying out a new method (what
would we gain exactly?  web server side versioning and ability for multiple
users to contribute to the same .js file?).

Other than cleaning up malicious uploads, I do not want to be so "hands on"
that I have to keep an eye on and merge everyone's changes however.  If
someone wants to share a script, assuming the name isn't taken yet, all
they'll have to do is the push and everyone else can immediately use their
script.

I'll add on the rating system so we can do ./ahungry_scripter.sh rate
./someone_script.js [1 to 10 here] pretty soon, as well as a web based
interface for users to browse the scripts manually over http.

Thanks,
-Matt



On Tue, Oct 16, 2012 at 2:04 AM, Andraž 'ruskie' Levstik <
ru...@co...> wrote:

> > Code is all done via bash, it requires wget/grep/curl to be installed.
>
> You could drop either wget or curl. Both can handle everything the other
> does more or less.
>
> > If you want to add a script to the server, just use:
> >
> >       ./ahungry_scripter.sh push ./yourscript.js
>
> I'm wondering why not just use a git or hg or even svn repo for the
> scripts and handle them there. You could with git have a "mob" branch
> that anyone could push to without an account then you could just merge
> anything relevant through(this is an idea from http://repo.or.cz).
>
> To replace wget with curl just use curl -O url and you'll get the remote
> filename used to download.
>
> For the date used I'd prefer 'date -u --rfc-3339=seconds' simply because
> it makes checking when various people updated easier(if there is an
> issue to solve) and the ISO formated date since it's easy to parse.
>
> Just some of my thoughts on this thing. I'll keep watching it because I
> am interested in such stuff. Though I run with js off 99% of the time.
>
> Regards
> --
> Andraž 'ruskie' Levstik
> Source Mage GNU/Linux mage
> Re-Alpine Coordinator http://sourceforge.net/projects/re-alpine/
> Geek/Hacker/Tinker
>
> Seilf Emit
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Vimprobable-users mailing list
> Vim...@li...
> https://lists.sourceforge.net/lists/listinfo/vimprobable-users
>
>