
Posted by simonw on Thu 7 Mar 2013 at 00:29
Tags: none.
A reported issue of not being able to access a file in Drupal6 was due to the .htaccess file preventing access to files of that name (in this case a file name prefix sometimes associated with Subversion).

Easily fixed, but got me wondering how it could have been avoided.

There are several issues. Protecting me from subversion when it isn't in use is rather keen, but I don't mind a little mollycoddling.

However the underlying issue is, I think, treating uploaded files like files which are part of Drupal. Of course subversion could be being used to revision the uploaded files wherever they exist in the file system, and it might be a bad idea to serve the revision controlled files associated with them.

Various mechanisms could be used to treat the files as a distinct type of thing from the Drupal application files, but probably for most people storing the files in the database would be perfectly fine, then they would receive similar protection, back-up, (replication?) and handling as other user content in Drupal. Of course someone somewhere will be distributing DVD images using Drupal and think this suggestion nuts.

Being Drupal there is already a module for doing this (dbfm), you just needed to know you wanted it that way first. I'm less clear how Drupal 7 handles this (Storage API?).

Microsoft also have some relevant comments on storing files in databases which make similar points, that treating them like other data may result in greater simplicity which may be more important than other concerns.

http://research.microsoft.com/apps/pubs/default.aspx?id=64525

 

Posted by simonw on Wed 6 Mar 2013 at 15:27
Tags: none.
Wrestled OpenCart in anger today for the first time.

Linkchecked a site and our server died under the load, added "--pause=1" to linkchecker - same result.

On inspection of mysql-slow-log it was taking a long time to count the products in a given category (0.43s).

Various people offer the fix of switching off the category counts when I searched, but I figured something was wrong at the database level since a simple count like that should be pretty much instantaneous in a modern database with only ~40,000 records (and three products in the category I was testing). Some sniffing around got me to:

https://github.com/opencart/opencart/issues/177.

So:

create index iproduct_description_language_id on product_description (language_id);
create index iproduct_to_category_category_id on product_to_category (category_id);

Now the problem query has gone from 0.43s to 0.00s - possibly the default precision of the MySQL timer will need addressing as Moore's law continues.

This was day one with OpenCart; this issue doesn't fill me with confidence. Or did the guy who installed it miss something?

 

Posted by simonw on Wed 20 Feb 2013 at 16:04
Tags: none.

The primary clipboard is cleared when you click to position the mouse pointer in a text component.

GNOME developers seem not to get it at all.

https://bugzilla.gnome.org/show_bug.cgi?id=333514

The result is you can use PRIMARY to paste into a new Gedit document, and you can paste content from gedit to itself as long as you don't click to set the pointer after making the selection. All horribly inconsistent with what I think is one of the best features of X, the automatic selection of text on highlight.

Has annoyed me once too often......

# apt-get install vim-gnome

Wonder also how this got declined as a papercut bug in Ubuntu....

 

Posted by simonw on Tue 19 Feb 2013 at 10:05
Tags: none.
Noted in logcheck this morning:

suhosin[7624]: ALERT - configured COOKIE variable limit exceeded - dropped variable 'ASPSESSIONIDCCCCSSST' (attacker 'HETZNER IP ADDRESS', file 'somephpfile')

Repeated for many PHP files on the site. Each page was fetched once with what looked like a browser, and then 4 times with Java. Total time of attack 16s.

User Agent of "browser": Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.1.4322)2011-10-16 20:22:33

User Agent of: "Java/1.7.0_04"

Hazard a guess that someone with ASP is going to discover there is a problem with their cookie handling.

Lack of other traffic suggests this was someone in a hurry to discover if this weakness exists on a lot of sites, rather than something more specific.
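As an added example, not part of the original post: a small Python check that pulls suhosin ALERT lines like the one above out of a syslog extract and groups them by source address, so that one source hitting many different scripts within seconds stands out from a lone visitor with an oversized cookie jar. The log lines, addresses and file names are constructed; the threshold and the year supplied to the parser are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines shaped like the suhosin ALERT quoted above (the
# addresses are documentation-range placeholders, the file names made up).
SAMPLE_LOG = """\
Feb 19 09:41:02 www suhosin[7624]: ALERT - configured COOKIE variable limit exceeded - dropped variable 'ASPSESSIONIDCCCCSSST' (attacker '192.0.2.10', file '/var/www/site/index.php')
Feb 19 09:41:03 www suhosin[7624]: ALERT - configured COOKIE variable limit exceeded - dropped variable 'ASPSESSIONIDCCCCSSST' (attacker '192.0.2.10', file '/var/www/site/contact.php')
Feb 19 09:41:18 www suhosin[7625]: ALERT - configured COOKIE variable limit exceeded - dropped variable 'ASPSESSIONIDCCCCSSST' (attacker '192.0.2.10', file '/var/www/site/news.php')
Feb 19 11:02:44 www suhosin[7630]: ALERT - configured COOKIE variable limit exceeded - dropped variable 'PHPSESSID' (attacker '198.51.100.7', file '/var/www/site/index.php')
Feb 19 11:02:45 www sshd[1200]: Accepted publickey for simon from 203.0.113.5 port 50022
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ suhosin\[\d+\]: ALERT - configured "
    r"\w+ variable limit exceeded - dropped variable '(?P<var>[^']*)' "
    r"\(attacker '(?P<ip>[^']*)', file '(?P<file>[^']*)'\)$"
)

def parse_alerts(text, year=2013):
    """One dict per suhosin ALERT line; unrelated lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            alerts.append({"ts": ts, "ip": m["ip"], "var": m["var"], "file": m["file"]})
    return alerts

def summarise(alerts, min_files=3):
    """Group by source address; flag sources that hit several scripts in a burst."""
    per_ip = defaultdict(lambda: {"files": set(), "vars": set(), "times": []})
    for a in alerts:
        per_ip[a["ip"]]["files"].add(a["file"])
        per_ip[a["ip"]]["vars"].add(a["var"])
        per_ip[a["ip"]]["times"].append(a["ts"])
    report = {}
    for ip, e in per_ip.items():
        span = int((max(e["times"]) - min(e["times"])).total_seconds())
        report[ip] = {"files": len(e["files"]), "vars": sorted(e["vars"]),
                      "span_s": span,
                      # many distinct scripts from one source in seconds reads as a
                      # site-wide sweep, not one visitor with an oversized cookie jar
                      "sweep": len(e["files"]) >= min_files}
    return report
```

Running it over the constructed extract reports the first source as a 16 second sweep across three scripts and the second as a single isolated alert.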

 

Posted by simonw on Tue 12 Feb 2013 at 22:36
Tags: none.
Just switched IP address, seems SpamAssassin had issues with 5.0.0.0/8 (and 223.0.0.0/8) addresses. Not hard to fix, and fixed in 3.3 (at least if they are up to date).

Moral - if you are going to mark not yet allocated IP addresses as bad make sure the system can keep up to date.

I can see a Postfix rule to delete the first "Received" header coming on depending how much 3.2 Spam Assassin is left, and how responsive folks are to suggestions to upgrade. Although if they have a version older than that in Debian Squeeze the chances sites will upgrade quickly seem remote.

 

Posted by simonw on Mon 4 Feb 2013 at 12:46
Tags: , ,
Dovecot kept dying out of memory of various kinds as I upped the limits.

Did a "find" on the user's maildir and the find command consumed 2GB of resident storage doing the find.

Did a big delete - got bored after a few minutes - decided to count the files left for bragging rights.

Only 3.3 million left at that point but the "ls -1 | wc -l" still consumes ~800MB resident, I suspect because the inode itself was bloat (ls reported ~400 megabytes).

Guess that is a lot of email in the Trash folder.

Sometimes having high arbitrary limits is a good thing, sometimes perhaps it is better if there is a soft sanity check before you hit the out of memory limit.

Time for the maildir quota plugin on that box maybe.

 

Posted by simonw on Mon 4 Feb 2013 at 01:31
Tags: none.
Noted "pecl" in the "php5-pear" package has a "-f" option which will force the install where the package refuses to install because the Debian PHP version number doesn't fit. As happens with "taint" in Wheezy.

e.g.

# pecl install taint
pecl/taint requires PHP (version >= 5.2.0, version <= 5.4.0), installed version is 5.4.4-12
No valid packages found
install failed

# pecl install -f taint
....
Build process completed successfully
Installing '/usr/lib/php5/20100525+lfs/taint.so'
install ok: channel://pecl.php.net/taint-1.0.0
configuration option "php_ini" is not set to php.ini location
You should add "extension=taint.so" to php.ini

 

Posted by simonw on Wed 30 Jan 2013 at 23:46
Tags: none.
A note for myself that others may find useful.

Looking at the default behaviour of common current browsers with mixed content, and with mixed content and HSTS.

IE9 - hides mixed content with a little note saying what it has done.

IE8 - offers to show only the content delivered securely. You have to choose the non-default "no" to see the unsecured content.

FF18 - warns on first visit to site with mixed content but you must tick the box for similar warnings in future. This strikes me as wrong, have I misunderstood something?

Chrome 24.mumble for Linux - displays page omitting mixed content with a little mark on the padlock. I click the padlock and the information window (which mentioned the mixed content) disappears off the top of the screen (Grr).

Impact of using HSTS on mixed content handling.

HSTS may be implemented in websites using SSL by adding a simple header to HTTPS requests that says this site should be encrypted for the next N seconds. Browsers then convert all HTTP requests into HTTPS requests for that domain transparently.

The main use case is to prevent users contacting "www.paypal.com" (no really PayPal paid for trying to fix the holes in SSL) over http, and being directed to an inappropriate insecure site because their connection or DNS has been compromised. Thus if they have used PayPal recently the browser remembers it should reconnect with SSL and if the SSL certificate is invalid it will stop (Yes HSTS means no more ignoring certificate errors).

HSTS RFC6797 Section 12.4 disallows mixed content when HSTS is in use.

IE doesn't implement HSTS yet. It has only just been formally ratified as a standard but they had hoped to include it in IE10, and I guess it may happen, probably it being a proper standard helps those inside Microsoft going "please".

Firefox 18 implements HSTS but is loading and executing jQuery from http://ajax.googleapis.com using vanilla HTTP when visiting another site which uses a copy of jquery from there.

I read that as a failure to adhere to the standard by Firefox, whereas Chrome is just doing its default HTTPS behaviour. The repercussions for Firefox are not as large as one might first think, as by definition people using HSTS should not be using the http version of third party resources, and their website will probably be broken in Chrome and IE, although if it were analytics or something not immediately user visible that might not be spotted.

Chrome implements HSTS and didn't load the mixed content from http://ajax.googleapis.com/.

Firefox 18 can be "fixed" with visiting "about:config" and changing these two settings to "true".

security.mixed_content.block_active_content
security.mixed_content.block_display_content

These apply without HSTS as well. But unless these are the default only geeks like me are going to do that, and we are probably the lower end of the risk spectrum as far as being caught by this sort of thing, also these should be active when HSTS is active:

Firefox and Chrome both have pre-seeded lists of domains that are using HSTS (including PayPal.com), so when you see PayPal.com in your browser you can be confident it is protected by SSL. A lot of work for a modest security gain; on the other hand my online bank doesn't yet use HSTS, and isn't preseeded in the browsers, and users are sent from the main bank page delivered using http to the secure site (sigh).

For completeness I should have looked at handling of certificate errors in Firefox with HSTS enabled, but that one answers my question, and certificate errors are evil and show a careless regard in handling cryptographic material.
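The mechanics described above, as an added example that is not code from the original post: the server sets the policy in its HTTPS response, the browser remembers it per host and rewrites later http:// requests to that host, and any http:// subresource left on an https:// page is mixed content, active or display depending on what it is. It also shows why HSTS on the visited site says nothing about a third-party http:// jQuery copy: the store only covers hosts that sent the header. The host names, resource type labels and the store class are my assumptions, not browser internals.

```python
from urllib.parse import urlsplit, urlunsplit

# Loads that run code or change layout are "active" mixed content; images and
# media are "display" content (the distinction behind the two Firefox settings above).
ACTIVE_TYPES = {"script", "stylesheet", "iframe", "object"}

def parse_hsts(header):
    """RFC 6797 6.1: (max_age, include_subdomains), or None if max-age is missing or bad."""
    max_age, include_sub = None, False
    for directive in header.split(";"):  # unknown directives are ignored per the RFC
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self.hosts = {}  # host -> includeSubDomains flag, the browser's HSTS memory

    def note_response(self, url, header):
        """Record a policy; ignored unless the response itself came over HTTPS."""
        parts = urlsplit(url)
        policy = parse_hsts(header) if parts.scheme == "https" else None
        if policy is None:
            return False
        if policy[0] == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 tells the browser to forget
        else:
            self.hosts[parts.hostname] = policy[1]
        return True

    def covers(self, host):
        return host in self.hosts or any(
            sub and host.endswith("." + h) for h, sub in self.hosts.items())

def classify(page_url, resource_url, rtype, store):
    """Upgrade per HSTS, then return (url fetched, 'ok' | 'active' | 'display')."""
    parts = urlsplit(resource_url)
    if parts.scheme == "http" and store.covers(parts.hostname):
        parts = parts._replace(scheme="https")  # rewritten before any request is made
    if urlsplit(page_url).scheme != "https" or parts.scheme == "https":
        return urlunsplit(parts), "ok"
    return urlunsplit(parts), "active" if rtype in ACTIVE_TYPES else "display"
```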


Microsoft Ireland provide a handy mixed content test page. Thanks Guys.

https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm

 

Posted by simonw on Mon 21 Jan 2013 at 13:42
Tags: none.
A spammer just sent me a list of 1701 compromised websites; I suspect the email was only supposed to have 1, and not 1701, redirects in it.

All those checked are (or were in the case of defaced ones) running Wordpress or Joomla.

This spammer has stuck PHP redirectors named "yahooo.php" or "yahooocool.php" into all the sites they have compromised.

I've notified the worst affected hosting providers, but the list is clearly incomplete, so your absence doesn't mean you aren't compromised.

However it was enough to make me run 'find . -name "yahooo*php"' over our clients' hosting space - just in case - fortunately nothing found.

I'd suggest it to those out there doing hosting of Wordpress or Joomla, especially any sites with Joomla 1.5 (or earlier - no surely not).

Joomla 1.5 was the long term stable release but support expired December last year. So presumably it is compromised, or a common plugin is compromised. Probably a good time to upgrade if your site isn't owned already.

Wordpress versions include 3.4.2 and 3.5. I've asked a couple of those running recent Wordpress if they can tell me what happened.

I suspect old news in the vulnerability stakes - it usually is - but it is rare that spammers give quite such a comprehensive list to someone who knows what it means, and since the spammers have been giving me such a hard time I figured I'd spend half an hour sharing it with those who need to know.


 

Posted by simonw on Wed 19 Dec 2012 at 10:05
Tags: , ,
Tucked away in the "Other" section of the migration guide, PHP 5.4 (e.g. the one in Debian testing) has changed the character set expected by htmlentities from ISO-8859-1 to UTF-8. Guess the heavy PHP programmers already know this, but it is the kind of incompatible change that makes the casual programmer go back to Perl.

http://uk3.php.net/manual/en/migration54.other.php