my bookshelf
I love my local library. You can check out books, movies, music and more at any
branch and return them to any branch. You can search for and reserve items online.
They have a secure RSS feed for checked in and due date alerts. Plus, they have
an online bookshelf, called My Bookshelf, that stores favorited items.
Each account's My Bookshelf comes with the Default bookshelf. You can then create
additional, user-named bookshelves. In a bookshelf you can add and delete items,
and choose whether or not to make the bookshelf publicly viewable.
To get the quick stuff out of the way, I learned that the bookshelf name is
vulnerable to XSS. Here you can see HTML rendering.
What you can't see is the bookshelf named history.go(-1)
(shouts, Evil1). There are some other oddities regarding bookshelf names that
I won't go into here.
Every user-created bookshelf gets its own unique ID, i.e. mybookshelf.jsp?id=XXXXX.
Authenticate and put that in the URL bar and you get somebody else's bookshelf. I
don't believe you can see other default bookshelves without authenticating as that
user, just unique bookshelves given an ID number. Though you can view bookshelves
marked private, which is the default. You can also delete items from another's
bookshelf. Not good. Here's somebody's bookshelf. Algorithms? I'm terrible at music.
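An added example, not code from the library's site, of the object-level authorization check the bookshelf page is missing, alongside escaping of the user-chosen shelf name; the data model, function names and sample records are assumptions:

```python
import html
from dataclasses import dataclass, field


@dataclass
class Bookshelf:
    shelf_id: int
    owner: str            # account that created the shelf
    name: str             # user-supplied, must be escaped before rendering
    public: bool = False  # private by default, as on the library site
    items: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when the session user may not see or change the shelf."""


# Constructed sample records standing in for the site's database.
SHELVES = {
    12345: Bookshelf(12345, "alice", "Algorithms", False, ["Intro to Algorithms"]),
    12346: Bookshelf(12346, "bob", "<b>history.go(-1)</b>", True, ["Kind of Blue"]),
}


def view_unsafe(shelf_id):
    # The broken pattern: the only input is the id from the URL, so any
    # authenticated user can read any shelf, private or not.
    return SHELVES[shelf_id]


def view(session_user, shelf_id):
    # Object-level check: the shelf must belong to the caller or be public.
    # A missing id gets the same refusal as a denied one, so valid ids
    # cannot be told apart from invalid ones by probing.
    shelf = SHELVES.get(shelf_id)
    if shelf is None or (shelf.owner != session_user and not shelf.public):
        raise Forbidden(shelf_id)
    return shelf


def render_name(shelf):
    # Escape the user-chosen name so it renders as text, not markup.
    return html.escape(shelf.name)


def delete_item(session_user, shelf_id, item):
    # Writes require ownership; a public shelf is still read-only to others.
    shelf = view(session_user, shelf_id)
    if shelf.owner != session_user:
        raise Forbidden(shelf_id)
    shelf.items.remove(item)
    return shelf.items


def denied(fn, *args):
    # Helper for checks: True when the call is refused.
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```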
Given this, I poked around with ID ranges and found that 3000 to 22000 seemed to
bound accounts. I wrote a Perl script that used wget's header capability to send the
session ID after I authenticated. It accepts four- and five-digit IDs, of which I
used the latter for sorting.
mybookshelf_download.pl
I ran it for about 24 hours and got just over 18,000 files. I removed the empty
bookshelves and had over 10,000 left. I then looked at source for the strings I
needed to get what I wanted, namely, names and titles. These lines seemed to do
it.
mybookshelf_namesandtitles.txt
Another Perl script and we get a nice readable file with bookshelf names and
associated titles.
mybookshelf_process.pl
I left out autovivification for my clarity and the resulting file is over 3.5 MB raw, 1 MB gzipped.
mybookshelf.txt
Some names are authors, a few are patrons, and one or two are library card
numbers. I simply find it fascinating to see what other people are consuming,
thinking. Yes, I put two and two together and didn't want to go any further. As
I said, I love my library. Though it would be a good exercise...
Addendum
My library now has a feature called "My Reading History." Here's what greets you when you enable it.
So, yeah, no.