4chan source code leaked (2010) (pastebin.com)
The original leak, from 2010 at least, possibly older: http://pastebin.com/4JVjS02b
4chan was hacked the other day, so the current source code could have been leaked, but if it was, this sure isn't it.
A diff that compares the old leaked source to the "new" one: http://pastebin.com/KkeLzb6q.
The hack of earlier today was due to an obsession over a female 4chan moderator. That should say enough.
Yes I hate PHP more than the next guy,
Yes this code is terrible,
But you know what? I can read it, and follow along. And that's actually more to say than other "beautiful" code that was obfuscated behind 3 or 4 levels of unnecessary levels of abstraction or indirection.
    if ($sectrip != "") {
        $salt = "LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOL"; #this is ONLY used if the host doesn't have openssl
        #I don't know a better way to get random data
        system("openssl rand 448 > '".SALTFILE."'",$err);
        if ($err === 0) {
            chmod(SALTFILE,0400);
            $salt = file_get_contents(SALTFILE);
        }
I don't blame people for buying into the TDD and other perfectionist bandwagons, until very recently the zeal around the topics meant that you couldn't question the fervent push for very narrow and specific types of software quality. I mean, people were saying "tests are documentation" and I had to nod my head and smile just so I wouldn't get trounced by folks without the development experience to know why that wouldn't work, but had read a blog post saying it does.
Don't they get a few million users? I'd say it's definitely nothing to scoff at.
It makes me wonder how many big profile websites might look like this or worse.
I still remember a week into the first job fresh-from-college me marching into the VP's office to tell him the source code was terrible and they were only still running due to luck. It was not well received (or right).
Things are different today though, people tend to use native apps, users want realtime features, hard to do that in pure PHP and scale. You often need 3rd party techs, mostly Java based...
As if OpenSSL didn't prove this already.
That is technically correct but does not convey the scale at which 4chan operates. According to http://www.4chan.org/advertise,
Page impressions per month: 575,000,000;
Unique visitors per month: 25,000,000;
Posts per day: 1,000,000;
Alexa Traffic Rank: 836 (Global) & 371 (US)
Quantcast Rank: 305 (US)
Google PageRank: 6
Makes me wonder if WebM will increase or reduce 4chan's total traffic (when measured in bytes, not clicks).
If the beautiful code with 1000 pageviews/month does that, good
If the ugly code does that, good as well. It may be harder to maintain (depending on the circumstances, some "beautiful" code is dreadful as well) which means less money in the bank
Code is usually beautiful until it meets reality with all the exceptions, corner cases, input sanitation, etc
If it is for personal satisfaction, option 2. I guess I don't need to explain this one.
http://9ch.in/overscript/ http://9ch.in/overscript/files/yotsuba.txt
"extract($_POST); extract($_GET); extract($_COOKIE);"
extract is one of those moronic things though that only exists to create security holes and other bugs.
OMG, it's horrible :D
Or is this some critical bit? (I noticed it handles cookies, but I'm too inexperienced with web, PHP or web-security to explore this wall of code)
Imageboard is dead easy in its essence, so why not rebuild it from scratch, instead of feeding new bells and whistles to the existing spaghetti monster?
HAHAHAHAAHAHAHAHAA
Steal a cookie, gain access.. WTF
For more information on extract: http://www.php.net/extract
To make this easier, there was/is a tool called Firesheep that can be used to hijack session cookies. The popularity of Firesheep caused many sites to enable HTTPS by default (e.g. Facebook did so).
Man, 4chan is worse than I thought.
Redeveloping the site in Go, Dart, Python or Node, or whatever language you like best, wouldn't increase 4Chan's value in any discernible way.
At the end of the day, it works.
1. It's written in PHP. Finding a good PHP developer is nigh impossible (there are exceptions, like always). 2. I expected worse, to be honest.
Yep. Worked as a sysadmin in a company who had a product in PHP before. That was not fun. The bug count grew with each release in my time there.
Of course, if the language makes it very easy to write bad code, even as a good programmer I could easily end up writing stuff that's incomprehensible etc.
And NodeJS is bad ass rock star tech: http://www.youtube.com/watch?v=bzkRVzciAZg
Description
Import variables from an array into the current symbol table.
If flags is not specified, it is assumed to be EXTR_OVERWRITE.
EXTR_OVERWRITE
If there is a collision, overwrite the existing variable.
The danger is that any state variables set before the extract($_...)'s can be overwritten arbitrarily. This also makes it essential that any and every variable is instantiated prior to any use.
The only thing I could find was a year-old thread from 4chan itself [1], in which the supposed VC never identifies himself, and in which (someone who is probably) Poole had the following to say:
>>this thread
>>my sides
>>the stratosphere
>
>If this is actually your profession, you should probably find a new job.
The advice never to believe everything you read is good advice in general; with regard to anything you read on, from, or about 4chan, it's indispensable.
[1] http://4chandata.org/q/VC-estimates-4chan-worth-1-2-billion-...
None of which the 4chan code actually uses.
I've never seen the utility of extract -- it's the recommended way of getting wordpress plugin parameters, but to me, just using whatever array you're extracting from is always a better solution.
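The overwrite behaviour discussed in the extract() comments above, shown next to the "just use the array" alternative. This is an added example, not part of the thread or of the leaked source; the handler names, the `is_admin` variable and the request array are constructed for illustration.

```php
<?php
// Added example, not 4chan's code. All names here are hypothetical.
// Constructed request data standing in for $_POST: the second key is not a
// form field, it is the name of a state variable inside the handler.
$request = ['comment' => 'hello', 'is_admin' => '1'];

// Pattern quoted in the thread: state is set first, then extract() runs with
// its default flag EXTR_OVERWRITE, so a colliding key replaces the state.
function handle_with_extract(array $input): array
{
    $is_admin = false;          // state decided by the server
    $comment  = '';
    extract($input);            // no flags given, so EXTR_OVERWRITE applies
    return ['comment' => $comment, 'is_admin' => $is_admin];
}

// EXTR_SKIP keeps variables that already exist, but still creates every
// variable that was not initialised beforehand. That is why the thread says
// each variable must be instantiated prior to use.
function handle_with_skip(array $input): array
{
    $is_admin = false;
    extract($input, EXTR_SKIP);
    return ['is_admin' => $is_admin, 'comment_created' => isset($comment)];
}

// Reading the array directly: only allowlisted keys are read, each value is
// type-checked, and nothing in the request can name a local variable.
function handle_with_allowlist(array $input): array
{
    $is_admin = false;
    $fields   = ['comment' => ''];                 // allowlist with defaults
    foreach ($fields as $name => $default) {
        $value = $input[$name] ?? $default;
        $fields[$name] = is_string($value) ? $value : $default;
    }
    return ['comment' => $fields['comment'], 'is_admin' => $is_admin];
}

// Compare what each handler ends up with for the same constructed request.
var_dump(handle_with_extract($request));
var_dump(handle_with_skip($request));
var_dump(handle_with_allowlist($request));
```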
4chan is a cultural and ideological landmark on the American internet. Not only are there clones, but "Cloning 4chan" is almost a business in and of itself. And they fail. 4chan's month to month profits are barely to not-at-all existent. In a purely dollars and cents way, 4chan is a failure.
So there is very little monetary motivation for discovering the secrets of 4chan's operation.
Security is a trade off of Financial Risk vs Financial Investment. There is no Financial Risk in 4chan being hacked. They have no user accounts, they have no financial data. They have no overly complex-secret-sauce-search algorithm.
The only thing to 'steal' is a collection of Japanese/American Pop cultural referential gif, jpg, and webm files.
Please elaborate.
Right tool for the right job. You can use qualifiers like "serious" and "modern" but you're deluding yourself if you think they mean anything when the pool of PHP developers is so staggeringly high.
Of course, right tool for the right job. PHP has specific use cases but that's another discussion entirely.
I've also seen much worse in Java world, with JSPs and all kinds of taglibs and action-handlers mashed up to create a soup which would make you crave for PHP.
People here love to poke fun at WordPress. I'd love to take any of them out of startup-land and make them work for a full week in a 10 years old corporate piece of software, written pretty much in any language.
A "serious PHP developer" is an oxymoron.
I don't think it's "bad"; it's damn simple and works well for what it is, and contains no unnecessary complexity. No dependencies on some other huge framework, multilayered overengineering, or excessive generality. The same can't be said of the many other clones of it that were attempting to be "better designed" rewrites.
As for "maintainability" or all that other software engineering stuff: this board script doesn't really need to be maintained, because it works, and if anything needs to be changed, it's so simple that the changes can be made easily. Along the same ideas as http://suckless.org/philosophy
http://may.2chan.net/27/futaba.htm
(that's their board for cat pictures, the most SFW one I could find, but the banner ads are probably still NSFW, so keep that in mind)
I think you're thinking of tinyboard: https://github.com/savetheinternet/Tinyboard