This seems like as good a place as any to link to some of my favorite posts:

But here are the most recent pieces...

ChatGPT hallucinates software bugs and ignores real ones

I've seen any number of people defending ChatGPT's use as a tool that can not just write code, but find bugs in existing code. My own position is that it could be useful for this, but only in the hands of someone who is skeptical, detail-oriented, and experienced with the language. This is because ChatGPT doesn't know anything about programming; it just knows what code looks like and what people say about it. This is sometimes good enough to write code, but it very readily departs from reality onto its own hallucinatory journey. In my case, it took a single line of code with one bug in it and instead of identifying that bug decided to add 3 or 4 more.

You can find any number of examples of this online along with discussion and analysis, so this blog post is just a vehicle for posting my own January 9, 2023 chat transcript in a way I can conveniently link to.

(I would have posted it earlier, but OpenAI's chat history function was down for several weeks, so I could not retrieve it.)

Read more

Fixing a broken Firefox profile via Sync

I've been using Firefox for something like 15 years, so it's no surprise that I eventually ended up with a corrupted profile (perhaps from a sudden shutdown). It was functional 99% of the time, but a few things would break in weird ways, like Local Storage getting cleared periodically for both web pages and extensions. It was subtle enough that by the time I noticed, it was too late to just restore from backup.

The way I eventually fixed it was to use Mozilla's "Firefox Sync" service to copy the data to a new profile. This post describes the steps I took, in case someone else wants to take the same approach.

Read more

URL filtering vulnerabilities in lxml

The lxml toolkit is a library for working with XML and HTML from Python. It includes a utility called Cleaner that supports filtering HTML for dangerous and unwanted elements and attributes, although since early 2022 it has been marked as not suitable for security purposes. Nevertheless, it is still used that way by many projects.

A coworker and I were recently exploring its capabilities. At one point he made a simple mistake that is extremely common in Python, and stumbled onto what I recognized as a vulnerability. Exploring the code more, I found another vulnerability, this one not dependent upon misconfiguration.

(As of this posting, the issues are not fixed and released, but patches are available.)

Read more