»... and I understand that Mac OS X support is often introduced due to the engineering staff owning MacBook Pros«
Zimbra on ZFS and Zones – Theo Schlossnagle
Filed under Solaris, Zimbra & no comments & no trackbacks
Next time I try to set up a huge display as an external monitor for my MacBook, I will use DVI, not VGA, because DVI works wonderfully and VGA does not. This command puts the external display above the built-in LCD (left or right is not possible with the current Intel drivers, because the maximum virtual screen size is 2048×2048):
xrandr --output TMDS-1 --auto --above LVDS
Sometimes, after plugging in, xrandr does not list the correct resolution for the external device. In that situation you need to create it by hand. The following three-liner does all the work for you:
xrandr --newmode "1680x1050" 149.00 1680 1760 1944 2280 1050 1050 1052 1089
xrandr --addmode TMDS-1 1680x1050
xrandr --output TMDS-1 --mode 1680x1050 --above LVDS
Filed under Linux, Samsung, xorg, xrandr & two comments & no trackbacks
... the gentlemen Apfel and Delle probably thought. Unfortunately, nothing will come of it.
(Found at classless)
Filed under Nazis, NPD & one comment & one trackback
Tocotronic on their “Kapitulation” tour in Düsseldorf. After I missed them in Cologne through sheer absent-mindedness, Lisa and I decided to drive to Düsseldorf. Tocotronic played at the zakk there, which is an exceptionally nice venue. Big stage, beautiful rooms. The concert was, to put it in one word, magnificent. It was my third Tocotronic concert and straight away the best. That is certainly helped by the fact that the current album Kapitulation ranks among the best the guys have ever recorded. Not as raw as “Digital ist besser”, but more subtle, more nuanced and full of tension. Anyone who has never been to a Tocotronic concert usually does not understand the rock genre that Tocotronic is often sorted into. But live they are so massively loud and rocking that the compositions, which especially on Kapitulation are sometimes opulent, get broken down to the essentials: guitar, bass, vocals and drums. That makes the songs seem rawer, less finished, just like in the rehearsal room. Tocotronic played no fewer than eight tracks from the current record (Lisa counted), then old favourites like “Freiburg” or “Ich bin viel zu lange mit euch mitgegangen”, but also rarer ones like “Free Hospital” or “Sailor Man”. From the previous record “Pure Vernunft darf niemals siegen”, the title track and “Aber hier leben, nein Danke” could not be left out. Writing about concerts has one problem: the experience cannot be conveyed anyway. It was very good, full stop.
Filed under Düsseldorf, Music, Tocotronic, zakk & three comments & no trackbacks
This morning I reported an XSS vulnerability to mugshot. An hour later I got a response that they were investigating the issue and deploying a fix. Six hours later the fix was deployed and I was notified again. This is exemplary!
Filed under Security, Websecurity, XSS & no comments & no trackbacks
This is more or less a reply to Dynamic global functions in PHP. My main problem with delegating escaping to the template is the fact that the people who normally work with templates are frontend developers and designers: those who do not, and should not have to, care about web security. That is the programmers' and architects' field. None of the frontend developers should be able to create security-relevant artefacts by accident. So when a value arrives in the template, everything should already be done; no special escape calls should be necessary. I will show you how we do escaping and template value sanitizing at Neu.de. But let's step through all the common models first, in order to explain why they are bad. I assume you know the basic MVC terms; I will mostly use view and controller action here. First of all, the most common approach: just assigning variables as-is to the view component:
The second, much better approach is to escape values before they are accessed in the template. This is fine as long as you do not use objects in your templates.
If you have complex, nested objects encapsulating complex business rules, you do not want to convert them to arrays just to make escaping possible afterwards, because of speed concerns. So if you pass an object with a method that returns fragile user input, your escaping logic is bypassed. See:
The solution is to wrap assigned objects in mock objects, i.e. escaping proxies. You can easily implement a proxy builder using PHP 5's reflection features and create a simple proxy that escapes the return value of every call, or, if an object is returned, wraps that returned object in another proxy, and so on:
Once you have implemented that, a) your developers no longer need to care about XSS, they just use the framework, and b) you can sleep better at night, because it is unlikely that your site is vulnerable to XSS. Sometimes you want to allow HTML code to pass through to the template. That's ok, just give the developer an explicit way to bypass the wrapping or escaping. If you want to audit your code for XSS problems, just grep for that method's signature.
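The following is an added example, not the Neu.de code the post describes. It implements the pattern the post outlines with PHP's __call interceptor instead of a reflection-generated proxy class: the view only ever sees wrapped objects, every string that leaves a wrapped object is HTML-escaped on the way out, nested objects are wrapped again, and there is exactly one greppable method for the deliberate raw-HTML opt-out. The names EscapingProxy, View::assign, View::assignRaw and Profile, and the demo data, are chosen for this example.

```php
<?php
// Added example, not the Neu.de implementation. Names and demo data are
// chosen here; __call stands in for the reflection-built proxy.

class EscapingProxy
{
    private $subject;

    public function __construct($subject)
    {
        $this->subject = $subject;
    }

    // Strings are escaped, arrays element by element (recursively), objects
    // are wrapped again so nested getters are covered; ints/bools/null pass.
    public static function sanitize($value)
    {
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        if (is_array($value)) {
            return array_map(array('EscapingProxy', 'sanitize'), $value);
        }
        if (is_object($value)) {
            return new EscapingProxy($value);
        }
        return $value;
    }

    // Delegate every method call to the wrapped object and escape the result.
    public function __call($method, $args)
    {
        if (!method_exists($this->subject, $method)) {
            throw new BadMethodCallException(
                get_class($this->subject) . "::$method() does not exist");
        }
        return self::sanitize(call_user_func_array(array($this->subject, $method), $args));
    }

    // Public properties read from the template take the same path.
    public function __get($name)
    {
        return self::sanitize($this->subject->$name);
    }

    public function __isset($name)
    {
        return isset($this->subject->$name);
    }
}

class View
{
    private $vars = array();

    // Default path: everything assigned is escaped or wrapped.
    public function assign($name, $value)
    {
        $this->vars[$name] = EscapingProxy::sanitize($value);
    }

    // The deliberate opt-out for values that must reach the template as HTML.
    // Auditing for XSS then means: grep -rn 'assignRaw(' .
    public function assignRaw($name, $value)
    {
        $this->vars[$name] = $value;
    }

    public function get($name)
    {
        return $this->vars[$name];
    }
}

// Constructed demo data: a domain object whose getters return user input.
class Profile
{
    private $nick;
    public function __construct($nick) { $this->nick = $nick; }
    public function getNick() { return $this->nick; }
    public function getFriend() { return new Profile('<b>buddy</b>'); }
    public function getTags() { return array('<i>a</i>', 'b'); }
}

$view = new View();
$view->assign('profile', new Profile('<script>alert(1)</script>'));
$view->assignRaw('footer', '<p>&copy; Neu.de</p>');

// What the template sees: escaped, also through nested objects and arrays.
echo $view->get('profile')->getNick(), "\n";
echo $view->get('profile')->getFriend()->getNick(), "\n";
echo implode(',', $view->get('profile')->getTags()), "\n";
echo $view->get('footer'), "\n";
```

Two caveats a practitioner should keep in mind. htmlspecialchars() with ENT_QUOTES is the right escaping for values placed in HTML text or quoted attributes; a value that ends up inside a script block, an inline event handler or a URL needs context-specific escaping, so the proxy removes the common case but does not replace knowing where a value lands. And a __call-based proxy is not an instance of the wrapped class, so type hints and instanceof checks against the original class fail on it; generating real subclasses via reflection, as the post suggests, avoids that.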
Filed under Design, Design patterns, Patterns, PHP, Security, Websecurity & four comments & no trackbacks
PHP does not have different primitive types for lists and structs; it is all an array. The only difference is that a list contains just ascending integer keys starting from zero; everything else is a struct.
<?php
// A list has exactly the keys 0, 1, ..., n-1 in that order; anything else is a struct.
// range(0, -1) returns array(0, -1), so the empty array needs its own case.
if ($array === array() || array_keys($array) === range(0, count($array) - 1)) {
// Is a list
} else {
// Is a struct
}
In the Zend Framework this differentiation is needed in the XmlRpc-component. I’ve submitted a patch to make it more efficient.
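As an added example (not the patch submitted to Zend Framework, whose content the post does not show), here is the cheaper form of the same check: walk the keys once and stop at the first mismatch, instead of building a second array with range() and comparing whole arrays. The sample inputs are constructed to cover the edge cases the comparison has to get right.

```php
<?php
// Added example, not the Zend Framework patch. Sample inputs are constructed.

function isList(array $value)
{
    $expected = 0;
    foreach ($value as $key => $unused) {
        // Keys must be exactly 0, 1, 2, ... in insertion order; PHP has
        // already cast numeric-string keys such as '1' to int at this point.
        if ($key !== $expected) {
            return false;
        }
        $expected++;
    }
    return true;   // the empty array counts as an (empty) list
}

$cases = array(
    'plain list'          => array('a', 'b', 'c'),
    'empty'               => array(),
    'numeric string keys' => array('0' => 'a', '1' => 'b'),
    'starts at one'       => array(1 => 'a', 2 => 'b'),
    'gap'                 => array(0 => 'a', 2 => 'b'),
    'wrong order'         => array(1 => 'b', 0 => 'a'),
    'assoc'               => array('id' => 1, 'nick' => 'theo'),
);

foreach ($cases as $label => $value) {
    printf("%-20s %s\n", $label, isList($value) ? 'list' : 'struct');
}
```

The first three cases are lists, the remaining four are structs. "wrong order" matters for XML-RPC: array(1 => 'b', 0 => 'a') has the right set of keys but in the wrong order, and both this function and the array_keys() comparison correctly reject it, because array_keys() preserves insertion order. PHP 8.1 later added array_is_list() with the same semantics, including true for the empty array.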
Filed under Development, PHP & two comments & no trackbacks
The coming version 5.3 of PHP could be summarized as the reincarnation of static classes. Two of the biggest problems with static classes, the lack of late static binding and the missing method interceptor for static methods, are fixed now (ok, interceptors for static properties are still missing; what about __setStatic() and __getStatic()?), but nevertheless it is more than a first step. Also the nice-to-have feature of calling a static method through a variable containing the class name as a string is implemented now.
The long overdue feature of namespaces has also been included in the current tarballs of PHP 5.3.
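The following is an added example, not code from the post, showing the three features listed above side by side: late static binding (static:: versus self::), the __callStatic() interceptor, and a static call through a variable holding the class name. The classes Model and User and the findBy* naming are chosen for this example; findBy() only builds a query string so the example runs without a database.

```php
<?php
// Added example, not code from the post. Class and method names are chosen here.

class Model
{
    // self is bound to the class the method was written in, so this always
    // builds a Model even when called as User::createWithSelf().
    public static function createWithSelf()
    {
        return new self();
    }

    // static is resolved at call time (late static binding, new in 5.3):
    // User::create() builds a User.
    public static function create()
    {
        return new static();
    }

    // Interceptor for calls to undefined static methods, new in 5.3.
    // Turns findByNick('theo') into findBy('nick', 'theo').
    public static function __callStatic($name, $args)
    {
        if (strpos($name, 'findBy') === 0 && count($args) === 1) {
            return static::findBy(lcfirst(substr($name, 6)), $args[0]);
        }
        throw new BadMethodCallException("Unknown static method $name()");
    }

    // Stand-in for a real query; get_called_class() is also new in 5.3.
    public static function findBy($field, $value)
    {
        return sprintf('SELECT * FROM %s WHERE %s = %s',
            strtolower(get_called_class()), $field, var_export($value, true));
    }
}

class User extends Model
{
}

echo get_class(User::createWithSelf()), "\n";   // the pre-5.3 self:: behaviour
echo get_class(User::create()), "\n";           // late static binding

echo User::findByNick('theo'), "\n";            // routed through __callStatic

// Calling a static method through a variable holding the class name, new in 5.3.
$class = 'User';
echo $class::findBy('id', 42), "\n";
```

Run under PHP 5.3 or later, createWithSelf() still returns a Model while create() returns a User, which is the whole point of static::. The __callStatic() check on count($args) is the kind of guard worth keeping in real code: an interceptor that accepts any name and argument list quietly turns typos into queries.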
Filed under Interceptors, Late static binding, PHP & no comments & no trackbacks
xssed.com is a directory of XSS exploits. You can submit your exploits; they get listed and, most importantly, a copy of the exploit is archived. Of course it is a bit of a challenge, but it is also useful for keeping track of vendor reactions to your exploits. One thing is missing: a personalized RSS feed that renders only the exploits of a certain author. But there is Yahoo Pipes, in the end a pretty impressive program hosting service, which basically provides tools, filters and operators that can be chained to remix content. I played around with it months ago but never had a real use case. Now I had one, and I implemented a pipe that creates a newsfeed from xssed.com. As a result, you can follow my exploits on the start page.
Filed under Security, Websecurity, XSS, Yahoo Pipes & no comments & no trackbacks
Was I actually the only one who wondered that, of all people, the model family father Johannes B. Kerner is the one throwing out Eva Herman? I mean the ideal all-purpose daddy Johannes B. Kerner, who likes to chat with Uri Geller, and more often with Andreas Englisch, who for his part ensures the smallest possible journalistic distance to the Catholic Church at the Bild-Zeitung, who chatters about the papal choice of underwear or simply has the unspeakable Donnersmarck sitting on his lap. That very Kerner now plays the social worker in the rehabilitation programme for the ideal all-purpose mother Herman. Unfortunately Herman does not want to go along with Kerner, and she has to leave. Yesterday, by the way, Franziska van Almsick explained everything that has changed in her life since she has, well, become a mother.
Filed under Andreas Englisch, Eva Herman, Johannes B. Kerner, Trutz Hardo & one comment & no trackbacks
Thanks to Mike Wollenschläger, the new starlet in our frontend development department, I am able to present my new and shiny blog layout. He did the whole layout, but I did the adaptation for Serendipity, the wonderful blog software that drives this weblog, so blame me for bugs. Apropos bugs: there are some, I know. I will fix them in the next few days. What I really like is the new mashup page on / which summarizes my web activities pretty well. I hope you enjoy the new look; comments appreciated.
Filed under Me & six comments & no trackbacks