
There is no information in that article except generic language about injection.

I believe this is the actual advisory: http://www.mindedsecurity.com/fileshare/ExpressionLanguageIn...

It appears that spring double evaluates the expressions, so you can send a request param that is an EL expression that references values present in the server environment.


Can I ask that all product blogs provide a link to the actual site? Not everyone knows what layervault is and it would be nice to browse to the site without having to manipulate the address bar.


It is annoying that facebook login is required.


It is, but still you gotta hand it to MS, they made a script environment in javascript on android with device api. I already made a fake facebook account just for this :)


Why not use S3 with cloudfront?


Isn't S3 really expensive?


I suppose it depends on one's definition of expensive, but it is simple enough to see their pricing: http://aws.amazon.com/s3/pricing/


How open source is it if you have to agree to a TOS and give them your email to view any documentation about it?


Each retailer that "supports" Upromise sends them a sha256 hash of your credit card along with the amount for each transaction.


So if I made a large scale business that included small restaurants I would be relying on their "honor" to send in the sha256 to show a sale? That's not good.


That's more or less correct. But, the customer who is tracking their percentages earned would know that their purchases were not accounted for.


Unless they were unknowingly at a participating vendor. How long does it usually take to get this information back? Is it same day or is there a longer delay? Thanks for the information by the way.


If I recall correctly, we sent a daily feed to Upromise. I don't know how often or when they updated their totals.


Maybe you could go further upstream? Consider integrating with POS systems, merchant account providers, or payment gateways.


Seconded. Alternatively you can just take a power drill and drill a hole straight through the case into all the platters.


You simply highlight the blocked text to reveal it. The text is the same color as the background.


That was the first thing I tried, to no avail. I was able to see his response by going to his profile and hovering over the word "spoiler" in his comment stream. The word "spoiler" doesn't appear for me in the threaded comments and clicking through the word "spoiler" results in a 404.

Very strange.


That has to do with how spoiler tags are set up on that subreddit: the actual spoiler content is in the title attribute of the link and the href points to /s. The CSS for the subreddit uses an attribute selector to find links pointing to /s and styles them appropriately.

If you view the posts outside of the context of the subreddit, there's no special CSS, so the link appears normally with some title text that appears on hover.


I question the inclusion of bubble sort, especially two versions of it. I worry that people are more prone to using bubble sort because it's conceptually simple.


You'll never avoid the use of bubble sort by hiding it away from sight. People are constantly reinventing it regardless.


This always strikes me as odd. Personally, had I not heard about it, I would never have come up with bubble sort myself, nor would any of my friends I asked about it. The most intuitive sorting algorithm is obviously selection sort. I'd even say that merge sort is more conceptually clear than bubble sort. Bubble sort is not much easier to implement than selection sort either. It has no interesting properties which make it worth considering (unlike, for instance, insertion sort). The only possibility of one knowing bubble sort is by hearing about it in algorithms classes, and in that case one already knows heapsort and quicksort, so there is no need for bubble sort. To sum up, I fear bubble sort in production much, much less than, say, selection sort.


> The only possibility of one knowing bubble sort is by hearing about it in algorithms classes,

That's simply not true. I know for a fact that for me personally the bubble sort was the most "intuitive" algorithm because when I was in elementary school we had a computer club, and we were given the task of figuring out how to sort a list. My implementation was a bubble sort, and at the time I had absolutely no knowledge of sorting algorithms at all.

Obviously different people will find different things "intuitive".


Try asking 10 colleagues to write bubble sort on the whiteboard right now. I bet at least half write some sorting algorithm that is not bubble sort. In contrast, if you ask these same 10 to do quicksort, you'll end up with 10 quicksort implementations.


You place a lot of confidence in your colleagues to claim that any arbitrary ten of them will come up with quicksort :)


I think it depends on the sort of 10 colleagues.


I think it's nice to have it included to realize that while merge sort is not significantly more difficult (once the idea of divide and conquer is clear), the latter is a lot faster.

I actually don't like the particular iterative version of merge sort, to me it's lacking in clarity; then again, I like to use the ternary operator ?: on the left side of an assignment in javascript (as an array index or function selector), so I'm probably not the right judge when it comes to clarity ;)

I was thinking of including some sorting visualizations in my html5 canvas experiments; this looks like a neat start, thanks for posting it!
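The two claims in this thread, that insertion sort has a property worth knowing while bubble sort and selection sort do not, and that merge sort is a lot faster, can be checked by counting comparisons instead of arguing about intuition. The following is an added illustration, not code posted by anyone in the thread or from the linked site: it implements the four sorts with a shared comparison counter and runs them on a constructed random input and a constructed nearly-sorted input. The function and input names are my own.

```python
"""Comparison counts for four elementary sorts (added example, not from the thread).

Bubble sort (classic, no early exit) and selection sort always spend n(n-1)/2
comparisons. Insertion sort spends at most (n-1) + inversions, so it is adaptive:
near-linear on nearly sorted input. Merge sort spends about n*log2(n) on any input.
"""
import random


def bubble_sort(a, counter):
    """Classic bubble sort without early exit: always n(n-1)/2 comparisons."""
    a = list(a)
    n = len(a)
    for i in range(n - 1):
        for j in range(n - 1 - i):
            counter[0] += 1
            if a[j] > a[j + 1]:
                a[j], a[j + 1] = a[j + 1], a[j]
    return a


def selection_sort(a, counter):
    """Selection sort: n(n-1)/2 comparisons regardless of input order."""
    a = list(a)
    n = len(a)
    for i in range(n - 1):
        smallest = i
        for j in range(i + 1, n):
            counter[0] += 1
            if a[j] < a[smallest]:
                smallest = j
        a[i], a[smallest] = a[smallest], a[i]
    return a


def insertion_sort(a, counter):
    """Insertion sort: at most (n-1) + inversions comparisons (adaptive)."""
    a = list(a)
    for i in range(1, len(a)):
        key = a[i]
        j = i - 1
        while j >= 0:
            counter[0] += 1
            if a[j] <= key:
                break
            a[j + 1] = a[j]
            j -= 1
        a[j + 1] = key
    return a


def merge_sort(a, counter):
    """Top-down merge sort: about n*log2(n) comparisons on any input."""
    a = list(a)
    if len(a) <= 1:
        return a
    mid = len(a) // 2
    left = merge_sort(a[:mid], counter)
    right = merge_sort(a[mid:], counter)
    merged = []
    i = j = 0
    while i < len(left) and j < len(right):
        counter[0] += 1
        if left[i] <= right[j]:
            merged.append(left[i])
            i += 1
        else:
            merged.append(right[j])
            j += 1
    merged.extend(left[i:])
    merged.extend(right[j:])
    return merged


SORTS = {"bubble": bubble_sort, "selection": selection_sort,
         "insertion": insertion_sort, "merge": merge_sort}


def count_comparisons(sort_name, data):
    """Run one sort on a copy of data; return (sorted_list, comparisons)."""
    counter = [0]
    result = SORTS[sort_name](data, counter)
    return result, counter[0]


def nearly_sorted(n, swaps, seed=1):
    """Constructed input: 0..n-1 with a handful of adjacent swaps applied."""
    rng = random.Random(seed)
    a = list(range(n))
    for _ in range(swaps):
        k = rng.randrange(n - 1)
        a[k], a[k + 1] = a[k + 1], a[k]
    return a


if __name__ == "__main__":
    n = 500
    inputs = {"random": random.Random(0).sample(range(n), n),
              "nearly sorted": nearly_sorted(n, swaps=10)}
    for label, data in inputs.items():
        print(label)
        for name in SORTS:
            result, comps = count_comparisons(name, data)
            assert result == sorted(data)
            print(f"  {name:10s} {comps:7d} comparisons")
```

On the nearly-sorted input, insertion sort's count stays close to n while bubble and selection sort stay at n(n-1)/2, which is the "interesting property" the earlier comment alludes to; on both inputs merge sort's count is an order of magnitude lower than the quadratic sorts at n = 500, which is the speed difference this comment points out.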


Before that, I would question the methods add/remove/get of specific positions on a linked list..


This headline is misleading. According to the article, Anonymous is targeting the US Chamber of Commerce http://en.wikipedia.org/wiki/United_States_Chamber_of_Commer... which is a business lobby, not part of the US Government.

