Simon Willison’s Weblog

July 2008

July 1, 2008

Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files: a single file can be a perfectly valid image and a perfectly valid JAR at the same time, so magic-byte and content-type checks prove nothing. Just make sure uploads are served off an entirely different domain instead (not a subdomain that shares cookies with your main site), where XSS doesn’t matter.

# 8:58 am / xss, security, validation, uploads, pngs, crossdomainxml, gifs, javaapplets, applets
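To make the hybrid-file point concrete, here is an added example (my own illustration, not code from the linked article): it builds one byte string that is simultaneously a valid GIF and a valid zip archive, which is all a JAR is, then shows that a magic-byte check and Python’s own zipfile module both accept it. The class file inside is a constructed stand-in, not real bytecode.

```python
import io
import zipfile
from typing import List

# A 1x1 transparent GIF89a (the classic 43-byte spacer image), used as the
# image half of the hybrid.
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)


def build_hybrid(gif: bytes, member_name: str, member_data: bytes) -> bytes:
    """Append a zip archive (the container format of a JAR) to a complete GIF.

    GIF decoders read from the start and stop at the trailer byte (0x3B);
    zip readers locate the end-of-central-directory record by scanning
    backwards from EOF and tolerate arbitrary prefix data.  One byte string
    therefore satisfies both parsers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, member_data)
    return gif + buf.getvalue()


def looks_like_gif(data: bytes) -> bool:
    """The magic-byte check a typical upload validator performs."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def zip_members(data: bytes) -> List[str]:
    """What a JVM (or any zip library) sees in the very same bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def has_trailing_zip(data: bytes) -> bool:
    """Heuristic detector: a zip end-of-central-directory signature near EOF.

    The EOCD record is 22 bytes plus an optional comment of at most 65535
    bytes, so only the last 65557 bytes need scanning.  This catches the
    GIF+JAR trick but not every polyglot, which is the post's point.
    """
    return b"PK\x05\x06" in data[-(22 + 65535):]


if __name__ == "__main__":
    # The member is a constructed stand-in, not real Java bytecode.
    hybrid = build_hybrid(MINIMAL_GIF, "Evil.class", b"not really bytecode")
    print("passes GIF magic check:", looks_like_gif(hybrid))
    print("zip members seen by a JAR reader:", zip_members(hybrid))
    print("flagged by EOCD heuristic:", has_trailing_zip(hybrid))
```

The heuristic in has_trailing_zip is worth having as a cheap tripwire, but it is exactly the kind of check the entry argues against relying on: the real defence is the separate, cookie-less domain.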

Delighting with Data. Tom Taylor’s full transcript and slides for his recent talk at Oxford Geek Night—talks about Twitter bots, wikinear, iamnear.net and various other small but neat data repurposing projects.

# 1:24 pm / wikinear, iamnear, fireeagle, tom-taylor, oxfordgeeknight

Whitespace Sensitivity. Amusingly, Ruby is actually far more sensitive about whitespace than Python is.

# 2:50 pm / ruby, python, armin-ronacher, whitespace

"Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure - or more polite.

Bruce Schneier

# 2:51 pm / marketing, security, bruce-schneier

Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml hidden in a GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since.

# 4:12 pm / flash, crossdomainxml, gif, security

Django File Uploads (via) Nearly two years in the making, Django’s file upload handling has received a major (and backwards incompatible) upgrade. Previously, uploaded files were buffered entirely in RAM by default; now files larger than 2.5MB are streamed to a temporary file, and extensive hooks are provided to customise where they end up, streaming to S3 for example.

# 5 pm / django, fileuploads, s3, uploads
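The security reason this matters is that buffering whole uploads in memory lets any client exhaust RAM with a large body. Below is an added example of the memory-then-disk pattern with a hard size cap, written here with the standard library only so it runs without Django; it is not Django’s upload handler code, and the 2.5MB threshold is simply borrowed from the entry above.

```python
import hashlib
import tempfile
from typing import Dict, Iterable, Union

# The in-memory limit this example borrows from the entry above: 2.5 MB.
MEMORY_THRESHOLD = 2_500_000


class UploadTooLarge(Exception):
    """Raised as soon as a body exceeds the caller's size limit."""


def receive_upload(chunks: Iterable[bytes], max_bytes: int,
                   threshold: int = MEMORY_THRESHOLD) -> Dict[str, Union[int, str, bool]]:
    """Consume an upload chunk by chunk with a hard size cap.

    Bytes are held in memory only until `threshold` is reached; past that
    the buffered prefix and every later chunk go to an anonymous temporary
    file.  The hash is computed on the fly, so no second pass over the data
    is needed.  Exceeding `max_bytes` aborts immediately, which is what
    stops a client from exhausting RAM or disk with an endless body.
    """
    digest = hashlib.sha256()
    total = 0
    buffered = bytearray()
    spill = None
    try:
        for chunk in chunks:
            total += len(chunk)
            if total > max_bytes:
                raise UploadTooLarge(f"body exceeds {max_bytes} bytes")
            digest.update(chunk)
            if spill is None:
                if total <= threshold:
                    buffered.extend(chunk)
                    continue
                # Crossing the threshold: move what we have to disk and
                # keep streaming there.
                spill = tempfile.TemporaryFile()
                spill.write(buffered)
                buffered = bytearray()
            spill.write(chunk)
        return {
            "size": total,
            "sha256": digest.hexdigest(),
            "on_disk": spill is not None,
        }
    finally:
        # A real handler would hand `spill` on to storage rather than close
        # it; closing here keeps the example self-contained.
        if spill is not None:
            spill.close()


if __name__ == "__main__":
    # Constructed input: two 40-byte chunks against a 50-byte threshold.
    print(receive_upload([b"x" * 40, b"y" * 40], max_bytes=100, threshold=50))
```

Note that the cap is enforced on the running total before the chunk is stored, so a body that lies about its Content-Length (or omits it, as chunked uploads do) is still cut off at max_bytes.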

July 2, 2008

ORG verdict on London Elections: “Insufficient evidence” to declare confidence in results. Electronic voting strikes again. Also of interest: the audit conducted by KPMG can’t be published due to “commercial confidentiality”.

# 10:36 am / kpmg, audit, elections, london, org, openrightsgroup, electronicvoting

Ruby’s Vulnerability Handling Debacle. The critical Ruby vulnerabilities are over a week old now but there’s still no good official patch (the security patches cause segfaults in Rails, leaving the community reliant on unofficial patches from third parties). Max Caceres has three takeaway lessons, the most important of which is to always keep a “last-known-good” branch to apply critical patches to.

# 10:39 am / ruby, security, open-source, maxcaceres, rails, patches

eval() Kerfuffle. The ability to read supposedly private variables in Firefox using a second argument to eval() will be removed in Firefox 3.1.

# 9:24 pm / firefox, eval, security, privacy, javascript, john-resig

July 3, 2008

Portable Social Networks, The Building Blocks Of A Social Web. Ben Ward’s tour de force of practical tools and techniques for building out the distributed social web, using XFN and hCard to represent the data. If you only read one article on portable social networks, make it this one.

# 9:08 am / ben-ward, microformats, xfn, hcard, portablesocialnetworks

IE8 Security Part IV: The XSS Filter (via) IE8 will include an XSS filter to identify and neutralise “reflected” XSS attacks (where malicious code in a query string is rendered to the page), turned on by default. Sounds like a good idea to me, and site authors can disable it using Yet Another Custom HTTP header (X-XSS-Protection: 0).

# 9:37 am / xss, security, microsoft, ie8, internet-explorer, xssfilter, http

ratproxy. “A semi-automated, largely passive web application security audit tool”—watches you browse and highlights potential XSS, CSRF and other vulnerabilities in your application. Created by Michal Zalewski at Google.

# 2:35 pm / ratproxy, proxy, michal-zalewski, google, security, testing, xss, csrf

July 4, 2008

A browser sniffing warning: The trouble with Acid3 and TinyMCE. Opera recommend “bug detection”, a step up from object detection and browser sniffing where your JavaScript includes mini unit test style fragments of code designed to test if buggy behaviour you are working around still affects the user’s browser.

# 8:24 am / bugdetection, javascript, object, browsers, opera, objectdetection, browsersniffing, acid3, tinymce

Running C and Python Code on The Web. Adobe are working on a toolchain to compile C code to target the Tamarin VM in Flash. This will allow existing C code (from CPython to Quake) to execute in a safe sandbox in the browser.

# 8:26 am / browser, c, python, quake, adobe, tamarin, flash

A printer driver is a folder with one ".ini" file, and a couple of ".dll"s and that's it. It is not a 50 MB download. It is not an IE Toolbar, and Side Pane. It is not half-baked photo software. It is not a splash screen when your computer starts. It is not a tray icon.

Kroc Camen

# 9:03 am / printerdrivers, software, kroccamen

Phasing out support for IE 6 across all 37signals products on August 15, 2008. Interesting move considering BaseCamp is used for communicating with (often corporate) clients. It would be nice to see the browser stats behind the decision.

# 9:17 am / basecamp, 37-signals, ie6, browsersupport

Show Us a Better Way. The UK Government’s Power of Information Taskforce are running a mashup competition (a.k.a. “ideas for new products that could improve the way public information is communicated”) with a £20,000 prize fund and gigabytes of brand new data and APIs. This is a great opportunity for the software community to demonstrate how important this kind of open data really is.

# 9:36 am / powerofinformation, open-data, ukgovernment, mashups, apis

Independence Day: HTML5 WebSocket Liberates Comet From Hacks. The HTML5 spec now includes WebSocket, a TCP-style persistent socket mechanism between client and server using an HTTP handshake to work around firewalls. The Orbited comet implementation provides a WebSocket compatible API to existing browsers today, and can also act as a firewall/proxy between WebSocket and regular TCP sockets, allowing browsers to talk to things like XMPP servers using Orbited to bridge the gap.

# 9:54 am / orbited, comet, html5, sockets, tcpsocket, xmpp, websockets
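The opening handshake is where the firewall trick and the security model both live, so here is an added example of the server side of it (my own code, in Python because Orbited is; not Orbited’s implementation). It shows the handshake as later standardised in RFC 6455, whose Sec-WebSocket-Key/Accept exchange differs from the 2008 draft the entry refers to; the sample key and expected accept value are the ones from the RFC, and the request is constructed.

```python
import base64
import hashlib
from typing import Dict, Iterable, Tuple

# Fixed GUID that RFC 6455 specifies for computing Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into (request line, lowercased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_handshake(raw: bytes, allowed_origins: Iterable[str]) -> bytes:
    """Validate a client opening handshake and return the server's response.

    The Upgrade/Connection pair is what lets the request pass through
    HTTP-aware proxies as ordinary HTTP until the switch; the 16-byte key
    proves the client speaks the protocol; and the Origin check is the
    server's only defence against a page on another site opening a socket
    to it, because the browser's same-origin policy does not apply to
    WebSocket connections.
    """
    request_line, h = parse_request(raw)
    if not request_line.startswith("GET "):
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("sec-websocket-version") != "13":
        return b"HTTP/1.1 426 Upgrade Required\r\nSec-WebSocket-Version: 13\r\n\r\n"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("key must decode to 16 bytes")
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    # Browsers always send Origin; a missing Origin means a non-browser
    # client, which this check deliberately lets through.
    origin = h.get("origin")
    if origin is not None and origin not in set(allowed_origins):
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return (
        b"HTTP/1.1 101 Switching Protocols\r\n"
        b"Upgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: " + accept_key(key).encode("ascii") + b"\r\n\r\n"
    )


# Constructed client request, using the sample key from RFC 6455.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: server.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: http://example.com\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)

if __name__ == "__main__":
    print(server_handshake(SAMPLE_REQUEST, ["http://example.com"]).decode())
    print(server_handshake(SAMPLE_REQUEST, ["http://other.example"]).decode())
```

The Origin check deserves emphasis for a bridge like Orbited: once the socket is open, whatever sits behind the bridge (an XMPP server, say) sees a raw TCP client, and the browser’s cookies will have been sent with the handshake, so a server that accepts any Origin is open to cross-site connections from any page the user visits.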

Table Drag and Drop jQuery plugin. Drag and drop of table rows is a special case (jQuery UI doesn’t seem to support it)—this plugin works pretty well though.

# 12:04 pm / jquery, draganddrop, tables, jqueryui

quipt (via) Extremely clever idea: Cache JavaScript in window.name (which persists between page views and can hold several MB of data), but use document.referrer to check that an external domain hasn’t loaded the cache with malicious code for an XSS attack. UPDATE: Jesse Ruderman points out a fatal flaw in the comments.

# 3:49 pm / security, referrer, quipt, caching, optimisation, javascript, windowname, xss

A Look at the Presidential Candidates. The Big Picture (the Boston Globe’s fantastic photojournalism blog) presents a fascinating collection of historical photos of Senators Barack Obama and John McCain.

# 9:09 pm / barack-obama, john-mccain, politics, photography, thebigpicture, photos

Queue everything and delight everyone. Les Orchard explains why I’ve been getting interested in queues recently: “One of the problems it seems most modern web apps face is the tendency to want to do everything all at once, and all in the same code that responds directly to a user.”

# 10:38 pm / les-orchard, queues

July 5, 2008

Berlin Zoo on OpenStreetMap. Someone has added all of the animal enclosures in Berlin Zoo (with German animal names) to OpenStreetMap.

# 3:07 pm / openstreetmap, berlinzoo, mapping, zoos, german

OSM routing, A*, cycle-filtered, python (via) A python library for finding routes using OpenStreetMap data.

# 3:13 pm / python, routing, osm, mapping, openstreetmap

CKAN—Comprehensive Knowledge Archive Network. Aims to be the “Debian of data”, with apt-get style tools for installing datasets. Presented at Open Tech 2008 by Rufus Pollock.

# 3:24 pm / opentech, opentech2008, ckan, data, rufuspollock

July 7, 2008

Up Ship!: New Branding. I hadn’t realised the Airship Ventures Zeppelin (en route to San Francisco) is going to be used for the Stella Artois Star Over London promotion—they’ve just changed the livery.

# 11:13 am / airshipventures, staroverlondon, stellaartois, airships, zeppelins

Historically the project policy has been to avoid putting replication into core PostgreSQL, so as to leave room for development of competing solutions [...] However, it is becoming clear that this policy is hindering acceptance of PostgreSQL to too great an extent, compared to the benefit it offers to the add-on replication projects. Users who might consider PostgreSQL are choosing other database systems because our existing replication options are too complex to install and use for simple cases.

Tom Lane

# 2:08 pm / replication, postgresql, tom-lane, databases

OpenTech 2008 “Impossibox” presentation. One of my favourite Open Tech sessions—Tom Loosemore describes the “Impossibox”, a cloud of PVRs collaborating to transcode and share “all decent UK TV for a year” via BitTorrent.

# 2:11 pm / bittorrent, opentech, opentech2008, tom-loosemore, impossibox, tv, pvr

Django Unit Tests and Transactions. If you’re using a transactional database engine (MySQL with InnoDB, Postgres or SQLite) you can speed things up by running each of your unit tests inside a transaction and rolling back in tearDown().

# 2:14 pm / unittesting, unittest, python, django, transactions, innodb, mysql, sqlite, postgresql
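An added example of the pattern, written against sqlite3 from the standard library rather than Django’s test framework so it runs on its own: the schema is created once, each test opens a transaction in setUp, and tearDown rolls it back, so the second test can prove the first one left no rows behind. The table and test methods are constructed for the illustration.

```python
import io
import sqlite3
import unittest


def make_db() -> sqlite3.Connection:
    """In-memory SQLite.  isolation_level=None stops the sqlite3 module
    issuing its own implicit BEGIN, so the BEGIN/ROLLBACK in the test
    case below are the only transaction boundaries."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)"
    )
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


class TransactionalTestCase(unittest.TestCase):
    """Each test runs inside a transaction that tearDown rolls back.

    The schema is created once per class, so no per-test CREATE/DROP or
    table truncation is needed; the rollback is what restores the fixture.
    """
    conn: sqlite3.Connection

    @classmethod
    def setUpClass(cls) -> None:
        cls.conn = make_db()

    def setUp(self) -> None:
        self.conn.execute("BEGIN")

    def tearDown(self) -> None:
        self.conn.execute("ROLLBACK")


class UserTests(TransactionalTestCase):
    # unittest runs methods in alphabetical order, so test_insert runs
    # first and test_starts_empty then proves its row was rolled back.
    def test_insert(self) -> None:
        self.conn.execute("INSERT INTO users (name) VALUES ('alice')")
        self.assertEqual(row_count(self.conn), 1)

    def test_starts_empty(self) -> None:
        self.assertEqual(row_count(self.conn), 0)


def run_suite() -> dict:
    """Run UserTests quietly and report what the database looks like after."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(UserTests)
    result = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)
    return {
        "run": result.testsRun,
        "problems": len(result.failures) + len(result.errors),
        "rows_after": row_count(UserTests.conn),
    }


if __name__ == "__main__":
    print(run_suite())
```

Two caveats a practitioner hits quickly: a test that issues its own COMMIT (or, on MySQL, any DDL, which commits implicitly) escapes the rollback and leaks state into later tests, and MyISAM tables simply ignore BEGIN and ROLLBACK, which is why the entry restricts the trick to transactional engines.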

3 and 1/2 minutes to sort a Terabyte, and a look at Hadoop’s code structure. Bill de hÓra uses some clever static analysis tools to explore Hadoop’s 100,000+ lines of code.

# 2:15 pm / hadoop, bill-de-hora, staticanalysis, java
