search

OpenRA / openrauseraccounts

Connect phpBB forum accounts to OpenRA installations
https://forum.openra.net/ucp.php?i=232
GNU General Public License v2.0
3 stars 3 forks source link

More compatible YAML #47

Open ubitux opened 4 years ago

ubitux commented 4 years ago

The exposed YAML is currently only valid with the custom dialect implementation in OpenRA. External tools currently need to re-implement the whole parser. Here are the 2 main (and only?) issues:

Tabs/spaces

The exposed YAML uses tabs instead of spaces; this is not valid:

Why does YAML forbid tabs?

Tabs have been outlawed since they are treated differently by different editors and tools. And since indentation is so critical to proper interpretation of YAML, this issue is just too tricky to even attempt. Indeed Guido van Rossum of Python has acknowledged that allowing TABs in Python source is a headache for many people and that were he to design Python again, he would forbid them.

Source: yaml.org

I believe the OpenRA parser does handle spaces as well so this should be easy to fix.

Unquoted strings

The ProfileName contains arbitrary data from the users. I'm not sure how much is allowed from phpbb, but I know that at least Unicode (to some extent?) is permitted. This means that there is a potential corruption vector here to alter the implied type.

One example of this is user ".1" (pointwon). Using a standard YAML parser will recognize the value as a float, meaning it will be recognized as 0.1. This could imply all kind of various issues. We could technically have integers as well, and maybe other types such as lists (comma and linebreaks are allowed?).

One possible fix for this would be to quote the string, but I'm not sure OpenRA code can handle this. Also, what would happen with a \ or a " in the name, is that possible?

Also, while there is probably a filter in phpbb, I see no such thing while displaying it (no escaping), this might be another problem.

pchote commented 4 years ago

re the second point: one of the core features of OpenRA's MiniYaml is that types are set by the parser (which maps the tree structure onto predefined C# classes), not the data.

I suspect that a better solution to your problem will be to expose a parameter or endpoint that returns json instead of MiniYaml.

dragunoff commented 3 years ago

Adding an endpoint that returns json is relatively easy. We just need decide what the endpoint should be. And if this API keeps growing we should think about documenting it in the long-term.