The Captain’s Log

Pontifications of The Great and Terrible Captain Cucamunga.

New Posts

Fri, 08 Dec 2023 19:17:25 EST

I am the Bug Bear.

Two of my SCGI application servers have been dropping connections occasionally. It took me days to diagnose the problems.

When processing submissions from Safari, the application servers periodically dropped connections. Debugging from the server side, I discovered that Safari submitted POSTs with no Origin header and with an x-www-form-urlencoded body. I knew that this was a cache issue. When the browser’s cache entry for the page expired, the browser “forgot” the page origin and submitted a form as a POST with the default encoding instead of multipart/form-data.

After days of scrutinizing my code, I eventually realized that my web server delivered a Cache-Control header with directives separated by a semicolon instead of a comma. This is illegal. Safari did not understand the Cache-Control header and so did not revalidate the page.

I fixed the bug.
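An added example, not the author's code: a small Python lint that parses a Cache-Control value as the comma-separated directive list the HTTP grammar defines, showing that a strict reader recovers no directives at all from a semicolon-separated value. The function names and the sample header values are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One directive: token, optionally "=" followed by a token or a quoted-string.
DIRECTIVE = re.compile(rf'({TOKEN})(?:=({TOKEN}|"(?:[^"\\]|\\.)*"))?\Z')


def split_list(value):
    """Split a header value on commas that are outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]  # empty list elements are tolerated


def lint_cache_control(value):
    """Return (directives, problems) for one Cache-Control field value."""
    directives, problems = {}, []
    for member in split_list(value):
        m = DIRECTIVE.match(member)
        if m is None:
            hint = " (semicolon used as separator?)" if ";" in member else ""
            problems.append(f"malformed directive {member!r}{hint}")
            continue
        name = m.group(1).lower()
        if name in directives:
            problems.append(f"duplicate directive {name!r}")
        directives[name] = m.group(2)
    return directives, problems


# Constructed sample values, not taken from the author's server.
BAD = "no-cache; max-age=0; must-revalidate"
GOOD = "no-cache, max-age=0, must-revalidate"

if __name__ == "__main__":
    for value in (BAD, GOOD):
        print(value, "->", lint_cache_control(value))
```

Running a check like this against every response header a server emits, as part of its test suite, catches the separator mistake before a browser has to interpret it.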

When I attempted to refresh a PDF response on Firefox, the application servers dropped the connection. Debugging from the server side, I discovered that Firefox delivered a GET request instead of a POST, and that my SCGI server library contained a bug that dropped connections that delivered GETs.

I fixed the bug.

Firefox should ask the user if it wants to resubmit the form, and on confirmation, resubmit the form, but Firefox immediately submits a GET request with no Origin and no parameters. At first, I thought that this was a cache issue, but I confirmed that it was not. It’s a Firefox bug. I made the application servers redirect clients that do not supply Origins to the form page as a work-around.

The application servers continued to periodically complain about reading EOF when reading POST request bodies from Safari. This means that the web server dropped the connection. I added some syslog calls to the web server to provide diagnostic messages and waited for a connection to be dropped. I discovered that SSL_read() failed with a non-recoverable protocol error. The issue was not EOF before close_notify. I’m hip to that jive.

What’s going on, Safari? Or are you the bad actor, iCloud Private Relay? Step forward and admit your guilt, guilty party.

Give me your data, or give me fried chicken.

Thu, 07 Dec 2023 20:16:31 EST

Evade Versus Avoid

Evade…
…carries the specific connotation of eluding responsibility, oppression, or catastrophe.
Avoid…
…carries the general connotation of averting undesired outcomes. You don’t evade a minor inconvenience. You avoid it.

Thu, 07 Dec 2023 17:26:05 EST

Lie, Prevaricate, and Equivocate

To lie…
…is to utter a false statement.
To prevaricate…
…is to use ambiguous language to avoid telling the truth. Today, prevaricate is used interchangeably with equivocate, but prevaricate originally had a different connotation. To prevaricate was to split hairs, to interpret language differently from others to avoid telling the truth or to justify bad behavior.
To equivocate…
…is to use ambiguous language to avoid telling the truth.

Thu, 07 Dec 2023 10:19:14 EST

Contactless payment cards are insecure.

If you lose your card, anyone who finds it can use the card to make purchases until your account is drained. You should disable contactless payments on your client cards and use your cell phone to perform contactless payments because your phone verifies your identity before proceeding.
