2025-09-26 GnuCash IRC logs

00:07:55 *** chris has joined #gnucash
00:07:56 *** ChanServ sets mode: +v chris
00:09:37 *** jonakeys has quit IRC
00:09:53 *** jonakeys has joined #gnucash
00:13:20 *** chris has quit IRC
00:16:15 *** chris has joined #gnucash
00:16:15 *** ChanServ sets mode: +v chris
00:19:22 *** chris has quit IRC
00:21:35 *** chris has joined #gnucash
00:21:35 *** ChanServ sets mode: +v chris
00:53:11 *** sacdrj has joined #gnucash
00:56:11 *** sacdrj has quit IRC
00:58:40 *** mechtilde_ has joined #gnucash
01:06:56 *** chris has quit IRC
01:09:31 *** fell_laptop has quit IRC
01:10:50 *** fell_laptop has joined #gnucash
01:10:50 *** ChanServ sets mode: +o fell_laptop
01:42:06 *** chris has joined #gnucash
01:42:06 *** ChanServ sets mode: +v chris
02:25:29 *** mechtilde_ has quit IRC
02:29:56 *** sacdrj has joined #gnucash
02:32:57 *** sacdrj has quit IRC
02:39:06 *** chris has quit IRC
03:04:22 *** gjanssens has joined #gnucash
03:04:22 *** ChanServ sets mode: +o gjanssens
03:19:03 *** sacdrj has joined #gnucash
03:23:34 *** sacdrj has quit IRC
03:23:55 *** chris has joined #gnucash
03:23:55 *** ChanServ sets mode: +v chris
03:23:55 *** gncbot sets mode: +o chris
03:27:55 *** chris has quit IRC
03:31:10 *** chris has joined #gnucash
03:31:10 *** ChanServ sets mode: +v chris
03:59:10 *** chris has quit IRC
03:59:19 *** mechtilde_ has joined #gnucash
04:27:38 *** sacdrj has joined #gnucash
04:30:37 *** sacdrj has quit IRC
04:45:24 *** sacdrj has joined #gnucash
04:48:24 *** sacdrj has quit IRC
05:15:14 *** sacdrj has joined #gnucash
05:18:14 *** sacdrj has quit IRC
05:58:10 *** sacdrj has joined #gnucash
06:01:10 *** sacdrj has quit IRC
06:53:18 *** sacdrj has joined #gnucash
06:58:53 *** sacdrj has quit IRC
07:34:35 *** mechtilde_ has quit IRC
07:58:21 *** sacdrj has joined #gnucash
08:01:20 *** sacdrj has quit IRC
09:34:37 *** sacdrj has joined #gnucash
09:37:38 *** sacdrj has quit IRC
09:51:32 *** sacdrj has joined #gnucash
09:54:46 *** sirgregsalot has joined #gnucash
09:59:53 *** ChanServ sets mode: +v sirgregsalot
10:05:02 <sirgregsalot> Hi all - I've got a couple questions about banking integrations. For starters, since ofxhome.com isn't a thing anymore, is there a feature request to remove it from the online banking connection screens? (Or, is it not as dead as it seems?) Second, how do non-OSS institutions connect to banks? I see that a few of them have API access; do 3rd party apps all use Plaid for their integrations,
10:05:02 <sirgregsalot> or do they just have to collect the API for each bank they want to integrate with and write up a connector for each one?
10:08:12 *** sacdrj has quit IRC
10:08:32 *** sacdrj has joined #gnucash
10:14:00 *** mechtilde_ has joined #gnucash
10:41:39 *** sacdrj has quit IRC
10:45:50 *** sacdrj has joined #gnucash
10:47:44 *** witcher has quit IRC
10:56:11 *** sacdrj has quit IRC
10:56:26 *** sacdrj has joined #gnucash
11:06:14 *** sacdrj has quit IRC
11:12:18 *** sacdrj has joined #gnucash
11:15:19 *** sacdrj has quit IRC
11:33:46 *** sacdrj has joined #gnucash
11:48:47 *** sacdrj has quit IRC
11:57:45 *** sacdrj has joined #gnucash
12:02:45 *** sacdrj has quit IRC
12:16:47 *** sacdrj has joined #gnucash
12:19:47 *** sacdrj has quit IRC
13:11:20 *** mechtilde_ has quit IRC
13:13:45 *** sacdrj has joined #gnucash
13:21:16 *** sacdrj has quit IRC
13:33:39 *** sacdrj has joined #gnucash
13:36:39 *** sacdrj has quit IRC
14:22:53 *** sacdrj has joined #gnucash
14:31:16 *** sacdrj has quit IRC
14:54:13 *** sacdrj has joined #gnucash
14:57:13 *** sacdrj has quit IRC
15:02:46 *** sirgregsalot has quit IRC
15:05:18 *** sacdrj has joined #gnucash
15:11:20 *** sacdrj has quit IRC
15:20:36 *** sacdrj has joined #gnucash
15:33:05 *** sacdrj has quit IRC
15:33:11 *** sacdrj has joined #gnucash
15:42:35 *** sacdrj has quit IRC
15:44:45 *** sacdrj has joined #gnucash
15:47:44 *** sacdrj has quit IRC
15:47:49 *** sacdrj has joined #gnucash
15:54:42 <jralls> @tell sirgregsalot OFX Direct-connect in general is dead, which is pretty much why OFXHome.com died. In the US there's an integration for aggregators like Plaid that requires a developer key that must be kept secret, making it unusable by open-source projects.
15:54:42 <gncbot> jralls: The operation succeeded.
15:56:51 <jralls> @tell sirgregsalot Quicken also has a proprietary connection scheme that probably still uses OFX as a data transfer format but since they're not going to share the authentication mechanism it doesn't do us much good.
15:56:51 <gncbot> jralls: The operation succeeded.
16:07:34 *** sacdrj has quit IRC
16:07:38 *** sacdrj has joined #gnucash
16:30:09 *** sacdrj has quit IRC
16:36:56 *** sacdrj has joined #gnucash
16:37:45 <jralls> warlord, wiki and bugzilla performance is bad today. Have the bots found a way in?
16:39:15 <warlord> Apparently, yes.
16:39:44 <jralls> Bummer.
16:40:27 *** gjanssens has quit IRC
16:45:58 *** sacdrj has quit IRC
16:47:10 <warlord> Yeah.
16:52:28 *** sacdrj has joined #gnucash
16:57:08 <warlord> I can't tell whether it's wiki or bugzilla... And I have no idea how they are getting in.
16:58:14 <jralls> Block bugzilla for a few minutes and see if the load drops. I take it the problem is thrashing the database like last time?
16:58:33 *** sacdrj has quit IRC
17:03:37 <warlord> Okay, blocking bugzilla..
17:05:37 <warlord> Load is coming down,
17:07:56 <warlord> So clearly it was bugzilla that they got in.. Not sure how?
17:08:02 <jralls> huh. Bugzilla has a rest api. Is it enabled?
17:08:07 <warlord> I thought we required authentication.
17:08:32 <warlord> How do I check that?
17:08:54 <jralls> Dunno off the top of my head. Looking...
17:11:04 *** sacdrj has joined #gnucash
17:11:44 <jralls> sacdrj could you find a less noisy way to monitor the channel? Like reading the logs at https://code.gnucash.org/logs?
17:14:06 *** sacdrj has quit IRC
17:14:12 <jralls> warlord, https://bugzilla.readthedocs.io/en/5.2/api/core/v1/general.html#authentication says that authentication isn't always required.
17:15:50 <jralls> And get is one of the methods that doesn't require it, *and* it enables searching. Perfect for AI bots. :-(
17:20:16 <jralls> Google's AI summary suggests blocking /rest/ endpoints in the server config. That would break integrations, but we don't use any of those.
17:21:04 <jralls> What version of BZ are we running?
17:23:11 <warlord> bugzilla-5.0.6-1.fc29.noarch
17:24:44 <warlord> Would it be /bugzilla/rest/?? Or something else?
17:27:31 *** skyenet has quit IRC
17:28:15 *** skyenet has joined #gnucash
17:28:15 *** ChanServ sets mode: +v skyenet
17:29:05 <jralls> Docs say just /rest/.
17:29:14 <jralls> https://bugzilla.readthedocs.io/en/5.0.4/api/core/v1/bug.html#get-bug
17:30:07 *** sacdrj has joined #gnucash
17:30:33 <warlord> I don't see anything in the logs that refer to 'rest'. The logs are like: 185.106.28.187 - - [26/Sep/2025:17:30:04 -0400] "GET /buglist.cgi?GoAheadAndLogIn=1&bug_id=785958%2C797071&order=changeddate%2Cbug_status+DESC%2Cproduct+DESC%2Cassigned_to%2Cresolution%2Cshort_desc+DESC%2Cpriority%2Cbug_id&query_based_on=&query_format=advanced HTTP/1.1" 403 199 "-" "Opera/9.66.(Windows NT 10.0; gez-ER) Presto/2.9.163 Version/10.00"
17:39:47 <jralls> Hmm. buglist.cgi might be what gets called with a search result.
17:42:11 <jralls> So you could block it unless code is the referrer, but that's still porous because it's trivial to fake the referrer header.
17:48:08 *** sacdrj has quit IRC
17:52:10 *** sacdrj has joined #gnucash
17:58:10 *** sacdrj has quit IRC
18:20:36 *** sacdrj has joined #gnucash
18:23:07 <warlord> This is so frustrating.
18:24:43 <jralls> No kidding.
18:25:06 *** sacdrj has quit IRC
18:26:34 <warlord> I thought requiring auth would have blocked them.. How did they get past?
18:27:03 <warlord> FWIW, the system load is down to 4.. (from 300).. So it was definitely BZ
18:27:17 *** sacdrj has joined #gnucash
18:31:40 <warlord> I don't understand it, because the top of the file says:
18:31:44 <warlord> # We have to check the login here to get the correct footer if an error is
18:31:44 <warlord> # thrown and to prevent a logged out user to use QuickSearch if 'requirelogin'
18:31:44 <warlord> # is turned 'on'.
18:31:44 <warlord> my $user = Bugzilla->login();
18:32:09 <warlord> ... So it should require a user login, because I am pretty sure we have requirelogin turned on!
18:33:11 <jralls> Does the Goaheadandlogin=1 parameter bypass it?
18:36:31 <warlord> I have no idea.
18:37:32 <warlord> According to google: The URL parameter
18:37:32 <warlord> buglist.cgi?GoAheadAndLogin=1 is not a standard, functional query in Bugzilla and is associated with how some systems handle login pages, not a search function. While this parameter is sometimes seen in Bugzilla URLs, using it will not list all bugs or perform a meaningful search.
18:37:49 *** sacdrj has quit IRC
18:44:55 *** sacdrj has joined #gnucash
18:54:18 <warlord> Somehow there were still over 10 "authenticated" requests per second hitting the server.
18:54:38 <jralls> I got a different response by saying "bugzilla goaheadandlogin". Its first paragraph says that it forces a redirect to the login page, but a later paragraph says that it might be used to automate logging in.
18:54:50 <warlord> I filtered out the 403 and 302 responses.. But the rest (200) | tail (last 10) are all in the same second!
18:55:42 <warlord> How could the bot login without an account?
18:56:03 <jralls> Maybe it got an account.
18:57:50 <warlord> How? Don't we need to approve accounts?
18:58:25 <jralls> https://support-bugzilla.mozilla.narkive.com/qgWIjPCH/bugzilla-auth-howto-login-with-perl-api says "send a POST to the index page with GoAheadAndLogIn=1 plus your login name and password, then store the cookie you get back, and send that cookie along with each successive request after that"
18:59:16 <warlord> The URL I posted above was a GET, not a POST?
19:00:20 <jralls> Right. There's also nothing resembling credentials in it. Maybe there's a bug?
19:00:33 <warlord> Could be.
19:20:21 <jralls> OTOH cookies live in headers, not in the URI, even for a GET. So maybe no bug.
19:22:23 <jralls> https://serverfault.com/questions/48971/how-can-i-log-information-about-cookies shows how you can log cookies.
19:23:16 <jralls> It's time for me to make dinner, so afk until tomorrow afternoon.
19:27:54 <jralls> Oh, on approving accounts: It isn't necessarily a new one. I bet we have hundreds with weak passwords, plus I wouldn't be surprised if BZ's auth isn't very strong.
19:46:07 *** sacdrj has quit IRC
19:50:51 *** sacdrj has joined #gnucash
19:53:51 *** sacdrj has quit IRC
19:59:07 *** sacdrj has joined #gnucash
20:02:07 *** sacdrj has quit IRC
20:05:13 *** sacdrj has joined #gnucash
20:55:46 *** chris has joined #gnucash
20:55:46 *** ChanServ sets mode: +v chris
21:02:46 *** chris has quit IRC
21:35:25 *** sacdrj has quit IRC
21:54:36 *** sacdrj has joined #gnucash
21:59:07 *** sacdrj has quit IRC
22:15:51 *** sacdrj has joined #gnucash
22:18:51 *** sacdrj has quit IRC
22:33:39 *** sacdrj has joined #gnucash
22:36:39 *** sacdrj has quit IRC
22:52:31 *** sacdrj has joined #gnucash
23:10:01 *** jonakeys has quit IRC
23:10:07 *** jonakeys has joined #gnucash