/usr/portage

Live from Webmontag

Well, I just listened to a talk about webnews.de. I didn't quite understand what they do, but I found this there:

http://www.webnews.de/suche/""<script>alert('XSS')</script>

Update:
It looks like they have fixed the problem. Now I'm only waiting for my milk frother. But I think it's cool that it went so fast!

Filed on 22-01-2007, 21:09 & no comments & no trackbacks

Retiring from the retirement?

In the last days there was a big discussion in the PHP community about Stefan Esser's retirement from the PHP Security Team. He states that changing PHP's security from the inside is futile, as he has been quoted by Slashdot. Stefan has found a lot of serious security holes in diverse software projects over the years, and he seems to be one of the best-skilled security researchers who permanently audit free software, which is always a good thing. He criticizes that fixing security holes in PHP takes too long and that he is treated as a persona non grata because he also blames PHP's design problems, not just application bugs.
Stefan has constantly put his finger on the wound in the last years: PHP comes with a bunch of features that make it easy for beginners to blow away their whole leg when writing PHP programs or when they are inexperienced in configuring their PHP environment in a sane way. Starting from remote file inclusion, which is maybe the top seller of remote exploits in PHP projects, over header-splitting attacks, to register_globals, he insists that not everything is the application developer's responsibility. He also did research in PHP's »deep shit«, e.g. memory management. He is one of the authors of Hardened-PHP, a patch to make a PHP installation more robust, and of Suhosin, which attempts the same target while being binary compatible with vanilla PHP, which the hardened patch was not. I'm using the Suhosin extension, and although I really do not agree with its way too low defaults, I like the extension.
I'm not a PHP insider and I cannot assess the different standpoints, but I'm a software developer who likes to use PHP for daily work, for fun and for profit. And I care about application- and interpreter-level security. So my interest is to be sure that the best are working together in the PHP Security Team. Hopefully in a few weeks, when the heat of the discussion is gone, a wise man could bang heads together again. It would be the best for the PHP world, and I would like to ask everyone not to make the gap deeper.

Filed on 20-12-2006, 01:01 & no comments & no trackbacks

Through the Eyes of a Child

The last time I was really impressed by Free Software is by now more than four years ago. The simple reason back then was GNOME 2.0 on Hanno's laptop, more precisely the login manager GDM with this theme. I had fallen so completely for the look of this login manager that I would have given anything to get the thing myself. I was a SuSE user at the time, because I neither knew nor could handle anything else. Unfortunately there were no packages for SuSE, and building it myself was really out of the question back then. At least not without a suitable distribution. After some back and forth and a detour via Debian, Hanno gave me a Gentoo Linux. Not that I would have been able to handle it, but at least I got GNOME 2.0. Much has happened since then. I have seen software come and go, learned a few programming languages, got to know elegant and less elegant things, used quite a lot of Free Software and still use it every day. But I have not experienced that childlike gaze at a beautifully designed login manager like that again. Until yesterday. Since yesterday I too (like Bernd and Jens) have been using AIGLX.

Filed on 03-12-2006, 19:07 & one comment & no trackbacks

The competition has won – for now

In Cologne's Rheinhafen there are beautiful offices with a view of the Rhine and large windows. Between Gustav-Heinemann-Ufer and the Bayenturm, in the immediate vicinity of the Südstadt, so not to be despised culinarily either; nobody would be forced to visit the same fast-food restaurant twice a week. Simply the ideal place for an innovative Web 2.0 company. Unfortunately the competition has now snapped up the offices. I can already see the freshly laid-off managers staggering through the subway cars: »Would you be interested in a homeless office, or maybe a small donation?«. A small donation, gladly. Unfortunately the thing with the offices in the Rheinhafen won't work out for long, since, as everyone knows, Vista will be a failure and Linux with XGL, the Composite extension and GNOME will finally rock the whole world.
via

Filed on 03-09-2006, 14:02 & five comments & no trackbacks

Question of the day

Why does nobody develop Gstreamer-bindings for PHP?

Filed on 25-07-2006, 20:08 & seven comments & no trackbacks

What to do?

During my daily work I have often heard discussions about how to handle charsets properly: what a server must provide to handle charsets correctly, which Apache configuration is needed, which options must be set in php.ini to make PHP work correctly, which functions should be avoided when using PHP, which locales must be used, and so on. So I want to give a short overview of how to sail around the common problems in a LAMP setup.

Kernel

Just make sure the kernel option CONFIG_NLS_UTF8 is set to y.

Environment

To make sure that newly created filenames are stored in UTF-8 and that VT input is handled correctly in general, you have to choose a locale that comes with a .UTF-8 suffix. For German, feel free to choose de_DE.UTF-8. Make sure your glibc provides this locale. To convert the current names of existing files you can just use convmv. For a desktop you must also adjust the font and set a correct TTY font, but this can be ignored for a server which is only administrated via a remote shell.

Webservers in general – focus on Apache

To make sure the user's input is UTF-8, the server has to deliver the correct Content-Type header. Take a look at the output of wget -S http://usrportage.de, my weblog, which is hosted on Schokokeks.org, a properly configured server (sure!):

wget -S usrportage.de
--21:00:33--  http://usrportage.de/
           => `index.html'
Resolving usrportage.de... 87.106.4.7
Connecting to usrportage.de|87.106.4.7|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Thu, 13 Jul 2006 19:00:27 GMT
  Server: Apache
  X-Powered-By: PHP/5.1.4-pl0-gentoo with Hardening-Patch
  X-Blog: Serendipity
  Set-Cookie: PHPSESSID=9da2ded6522851ef8ddc3ebe7590b354; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  X-Serendipity-InterfaceLang: de
  X-FreeTag-Count: Array
  Connection: close
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]

    [ <=> ] 65,557       250.71K/s

21:00:33 (250.19 KB/s) - `index.html' saved [65557]

You see the header Content-Type: text/html; charset=UTF-8. (You can also see a bug in S9Y there, which poorly casts an array to a string in X-FreeTag-Count, but anyway.) So your browser is notified that it should send UTF-8 encoded data. That's the whole secret. To configure Apache properly, make sure the directive AddDefaultCharset is set to UTF-8.

One last thing: if you're using the AJAX functions from Prototype for JavaScript purposes, you have to re-encode the string delivered by the AJAX call. In PHP the following would work:
$string = utf8_encode( $_POST['key'] );

MySQL

Before transacting any data, make sure your connection charset is set to UTF-8:
SET NAMES utf8;
By the way: have I ever mentioned that you should always use mysql_real_escape_string() instead of mysql_escape_string()?

PHP

Just two rules: use the mb_string functions wherever possible, set the INI setting default_charset to UTF-8 and, in any case, don't use functions from the ereg family, even though they also exist with an mb_ prefix. They aren't binary-safe, that's all you need to know.
Also make sure your sources are UTF-8 encoded. Use iconv to correct those which are not.

Update

I forgot to mention that the functions htmlentities(), html_entity_decode() and htmlspecialchars() do not reflect PHP's default_charset directive but assume iso-8859-15 as the default charset, which is pretty annoying and should be considered a bug, from my point of view. So you need to pass UTF-8 as the third parameter to these functions to make sure they work properly with Unicode.
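As an added example (not code from the original post), here is a small PHP script that ties the Apache and PHP sections above together: it reads the charset parameter out of a set of response header lines (constructed from the wget output shown above), checks that input really is UTF-8, escapes it with the charset stated explicitly as the Update recommends, and sets the MySQL connection charset through mysqli instead of a raw SET NAMES. The function names and the database credentials are assumptions; utf8mb4 is MySQL's full-Unicode charset, which current setups use in place of the post's utf8.

```php
<?php
// Added example, not part of the original post. Only standard PHP functions are
// used; the sample header lines below are constructed from the wget output above.

declare(strict_types=1);

mb_internal_encoding('UTF-8');        // mb_* functions operate on UTF-8 by default
ini_set('default_charset', 'UTF-8');  // what the post recommends for php.ini

// 1. Does the server announce a charset at all? Returns the charset parameter of
//    the Content-Type header, or null when the header carries none (which is what
//    you get when AddDefaultCharset is missing).
function responseCharset(array $headerLines): ?string
{
    foreach ($headerLines as $line) {
        if (preg_match('/^Content-Type:\s*[^;]+;\s*charset=([\w-]+)/i', $line, $m)) {
            return strtoupper($m[1]);
        }
    }
    return null;
}

// 2. Reject input that is not well-formed UTF-8 before it reaches the database or
//    the output, instead of silently passing malformed sequences on.
function isValidUtf8(string $input): bool
{
    return mb_check_encoding($input, 'UTF-8');
}

// 3. Escape for HTML with the charset given explicitly, as the Update recommends.
//    ENT_QUOTES also covers single quotes; ENT_SUBSTITUTE replaces invalid
//    sequences with U+FFFD rather than returning an empty string.
function escapeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. Set the connection charset. $mysqli->set_charset() is the API equivalent of
//    SET NAMES and is what mysqli_real_escape_string() relies on to know the
//    charset it escapes for. Credentials are hypothetical placeholders.
function connectUtf8(string $host, string $user, string $pass, string $db): mysqli
{
    $mysqli = new mysqli($host, $user, $pass, $db);
    if (!$mysqli->set_charset('utf8mb4')) {
        throw new RuntimeException('Cannot set connection charset: ' . $mysqli->error);
    }
    return $mysqli;
}

// Constructed sample: the relevant lines of the wget -S output from the post.
$headers = [
    'HTTP/1.1 200 OK',
    'Server: Apache',
    'Content-Type: text/html; charset=UTF-8',
];
var_dump(responseCharset($headers));                     // string(5) "UTF-8"
var_dump(responseCharset(['Content-Type: text/html']));  // NULL: no charset announced

// Byte count and character count differ for non-ASCII input, which is why the
// mb_* functions matter: 19 bytes but 18 characters because of the two-byte "ö".
$input = "Köln & \"Rhein\" <b>";
var_dump(strlen($input), mb_strlen($input));
echo escapeForHtml($input), "\n";   // Köln &amp; &quot;Rhein&quot; &lt;b&gt;

var_dump(isValidUtf8("\xC3\xB6"));  // true: UTF-8 encoding of "ö"
var_dump(isValidUtf8("\xF6"));      // false: the Latin-1 byte for "ö", not UTF-8

// connectUtf8('localhost', 'user', 'secret', 'blog') would return a mysqli
// handle whose connection charset is utf8mb4; not called here so the script
// runs without a database.
```

Run it with `php charset-check.php`. The point of responseCharset() is that it is the same check the browser performs: without a charset parameter the client guesses, and form data comes back in whatever encoding it guessed.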

Filed on 13-07-2006, 20:08 & no comments & no trackbacks

Serendipity with a fresh look

With the 1.0 release of Serendipity, the world's most famous blogging software, comes a new look for the website, blog and forum. This is the point where I have to say thank you to all of the S9Y guys for providing such a neat tool, which makes a blogger's life easy and comfortable.

Filed on 15-06-2006, 21:09 & no comments & no trackbacks

MySQL Stored Procedure Programming

In case someone wants to do me a favour: I would be very happy about this book.

Filed on 13-05-2006, 17:05 & two comments & no trackbacks

Ejabberd 1.1.1 in BreakMyGentoo

I'm proud to provide a new Ejabberd ebuild to our users. Ejabberd 1.1.1 comes with an important new feature: it supports MySQL natively. I fixed up the PostgreSQL issues in the ebuild and now provide the native drivers for MySQL and PostgreSQL. Also I'm happy to mention that NU2M, the company which is involved in Mabber and for which I'm currently working, is going to release some really interesting Jabber components, especially for Ejabberd, during the next weeks.

Filed on 07-05-2006, 02:02 & no comments & no trackbacks

Colonipedia launched

Launched a few days ago and found today while putting together short news items for the Philtrat: Colonipedia, a city wiki for Cologne.

Filed on 06-05-2006, 20:08 & four comments & no trackbacks

My two cents

Just watched Ehrensenf for the first time. In short: bad. At greater length: the presenter has a Swabian accent she hasn't had treated, she tells boring Bush jokes, and I watched two episodes without laughing even once.

Filed on 06-05-2006, 19:07 & six comments & no trackbacks

eZ components - doing things fast and smart

If you have used PHP for some years, you will often fight the same problems, which leads to a lot of useless work when implementing basic things like a properly designed class to send mails in a sane way, parsing an INI file, basic generation of PHP code, logging to a file or database, or an implementation of a persistent object. These components are often needed and you have to write them yourself if you want to work around the traditional and outdated PEAR packages. So, maybe some day, you have all the patterns you need and can begin to write code, but how long does it take? Two years? Four years? Not that sensible. So it raises productivity if you can use a set of components which are small, independent and designed for the current state of the language, meaning PHP 5.1.x. eZ components by eZ systems fit this specification. You can solve the problems above and much more: analysing and modifying images, debugging, working with user input and, as a bonus, you can use PHP for shell scripts with ConsoleTools.
As theory is supposed to be useless without practice, here is a small example of reading an INI file. Let's assume the following INI file:

[context]
foobar = Bla
bla = blubb
whatever = bar

Now the PHP code with ezcConfigurationIniReader:
<?php
// Requires the eZ components autoloader (ezcBase::autoload) to be registered.
// init() takes the directory and the base name of the file, so this reads
// /path/to/your/config/dir/config.ini.
$reader = new ezcConfigurationIniReader();
$reader->init( '/path/to/your/config/dir', 'config' );
$config = $reader->load();
// getSetting( group, setting ): the value of "foobar" in the [context] group
echo $config->getSetting( "context", "foobar" );

Isn't that simple?

Filed on 03-05-2006, 11:11 & no comments & no trackbacks

PHP 5.1.3 released

Normally issues like this aren't my topic, and transcribing news from other sites is not my thing, but the new PHP version of the 5.1 series provides some important fixes: the deprecation notice when using the keyword »var« has been removed, so you can use Smarty in combination with PHP 5 without the heap of error messages; a buffer overflow in wordwrap() has been fixed; the XSS troubles in phpinfo() are fixed; and safe mode now also checks the first parameter of copy().

Filed on 02-05-2006, 11:11 & no comments & no trackbacks

Just broken

Some months ago I ranted about Gentoo's Ejabberd ebuilds, and I want to comment on another issue: Ejabberd provides support for PostgreSQL via its ODBC drivers. That's reflected in the ebuild, there is a postgres USE flag. That's generally fine, but it helps nothing, 'cause you need the native PostgreSQL driver from the jungerl distribution. But: there is no ebuild in portage. You can find neither jungerl nor the native PostgreSQL driver in portage, which makes the USE flag buggy on the one hand and completely useless on the other hand. Is it common not to test functionality when adding a USE flag?

Filed on 01-05-2006, 17:05 & ten comments & no trackbacks

Rails 1.1.0

I'm really not much of a Rails expert, but I nevertheless find it not only cool (the most-used buzzword in the RoR talk at the Webmontag yesterday) but simply enjoy working with this framework now and then. Nothing more. Some of the things in version 1.1 sound very practical, such as the built-in scaffolding finally not allowing injections any more (not tried, it's only in the changelog); the updates of the JS libraries also seem sensible to me, and being able to write unit tests directly in the source now makes a few things easier. Even if I only half like the latter from the perspective of good software design, it is practical, and fine for »let me quickly hack something up«. Rails probably isn't good for more than that anyway.
Version 1.1.0 is now available on Schokokeks as an alternative to 1.0.

Filed on 28-03-2006, 20:08 & one comment & no trackbacks
