Popular Tags
Recent Links
- Cooks.com - Recipe - Wi...
- The Kanzius Machine: A ...
- Slow Motion Slap - Coll...
- Hi, I'm the DJ
- A Hotel Wifi Hack
Yes, I can now confirm that I have found a bug in Picasa Web Albums. Since the new "tagging" features are not validated - either client side or server side - you can use URL signficant characters in your tags. At first, I used a plus sign (+), which was URL decoded as a space. This lead me to try #, then ?, and finally &, which inexplicably - WORKS!
So I created a new tag D&psc=CONTACTS -- and guess what? -- it has some funny results. It searches all of your contacts' photos for the letter D (which is common in default photo names, such as DSC001.jpg). Then I thought, "I wonder if I browse the JS source if I can find a command that is passed via URL GET variable that can be instantiated via an intentionally malcrafted tag?" I have posted on the Google USENET group and filed a bug through the standard complaint form. I consider this pretty big news, but I don't want to submit it to digg or Slashdot or post on OSNews until someone has a chance to implement a fix, which is probably pretty trivial (URL encode the tag links) or fix it properly (validate tags on creation).
Anyway, I'm psyched, because I understand it's pretty rare to find a bug in Google's code.
>> I Found a Google Bug! 2006-12-16 18:35:49
Tags
Yes, I can now confirm that I have found a bug in Picasa Web Albums. Since the new "tagging" features are not validated - either client side or server side - you can use URL signficant characters in your tags. At first, I used a plus sign (+), which was URL decoded as a space. This lead me to try #, then ?, and finally &, which inexplicably - WORKS! So I created a new tag D&psc=CONTACTS -- and guess what? -- it has some funny results. It searches all of your contacts' photos for the letter D (which is common in default photo names, such as DSC001.jpg). Then I thought, "I wonder if I browse the JS source if I can find a command that is passed via URL GET variable that can be instantiated via an intentionally malcrafted tag?" I have posted on the Google USENET group and filed a bug through the standard complaint form. I consider this pretty big news, but I don't want to submit it to digg or Slashdot or post on OSNews until someone has a chance to implement a fix, which is probably pretty trivial (URL encode the tag links) or fix it properly (validate tags on creation).
Anyway, I'm psyched, because I understand it's pretty rare to find a bug in Google's code.
Facebook Redesign Launched (Bug)
Google Slips on SLL Renewal (Google)
Dope Wars for the iPhone (Code)
From Bloglines to Google, and Back (Google)
How To REALLY Survive Digg on a Shared Host (Code)
Integers on the Intertubes (Code)
A Review of Online Photo Services (PicasaWeb)
Google Slips on SLL Renewal (Google)
Dope Wars for the iPhone (Code)
From Bloglines to Google, and Back (Google)
How To REALLY Survive Digg on a Shared Host (Code)
Integers on the Intertubes (Code)
A Review of Online Photo Services (PicasaWeb)
You've been duggposted by Memnoch (sdlfd&lkdjf...dsdf) on 12/17/2006 6:31 PM (Reply)I don't know if it'll make news, but you've been dugg.
RE: You've been duggposted by Adam S (adam at firsttube.skipthispart.com) on 12/17/2006 7:22 PMCool. They pointed to the OSNews Staff Blog, which is cool because I know that server can withstand a digging. I would've loved to see if firsttube.com can though.
