Tuesday, October 24. 2006
Unless you've been living under a rock you probably know that Firefox 2.0 was released today. Although, it seems that someone on Mozilla's team is definitely living in a cavern since the official site is still linking to Firefox 1.5.
From a developer perspective Firefox 2.0 introduces a number of interesting features, which are explained in detail on the Firefox 2 for developers site. The thing that attracted my attention was the support for the OpenSearch standard pioneered by A9 (Amazon), something IE7 also supports. The nature of this feature allows you to "push" your own site's search into the browser's search list for the search box, thereby providing a neat and consistent way for the user to find content.
This is surprisingly simple to do, as you can tell from the excerpts taken from the FUDforum code (yes, the next release will have support for this feature) which you can find at the bottom.
The other very handy addition to Firefox (something Safari has had for quite some time) is the integrated spellchecker. However, by default the spellchecker will only check text found within the textarea tag and will not offer spelling suggestions for text inside <input type="text">. Fortunately, Firefox provides a means of telling the browser to spell check those as well via the spellcheck="true" attribute, which can be added to the input tag or even to the encompassing div and span tags. The same attribute with the "false" value can be used to prevent spell checking of otherwise checkable form elements. As with the other option, this attribute will be found on the relevant input boxes in the next FUDforum release.
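As an added illustration of the two features above (this is not the FUDforum code the post refers to, which sits behind the "Continue reading" link), here is one PHP script that serves an OpenSearch 1.1 description document and renders the search page that advertises it via a link tag, with spellcheck="true" on its text input. The host name, site name, file name and the q parameter are assumptions.

```php
<?php
// Added example, not the FUDforum code: one script that serves the OpenSearch
// description document and the search page that links to it. The host name,
// site name, script name and the "q" parameter are assumptions.

// Hard-coded on purpose: building this from $_SERVER['HTTP_HOST'] would let
// a client pick the host that ends up in the description browsers install.
define('SITE_BASE', 'http://forum.example.com');
define('SITE_NAME', 'Example Forum');   // ShortName is limited to 16 characters

function opensearch_description()
{
    // OpenSearch 1.1, the format Firefox 2 and IE7 read. The browser replaces
    // {searchTerms} with whatever the user typed into its search box.
    $name = htmlspecialchars(SITE_NAME, ENT_QUOTES);
    $tpl  = htmlspecialchars(SITE_BASE . '/search.php?q={searchTerms}', ENT_QUOTES);
    return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
         . '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">' . "\n"
         . "  <ShortName>$name</ShortName>\n"
         . "  <Description>Search $name</Description>\n"
         . "  <InputEncoding>UTF-8</InputEncoding>\n"
         . "  <Url type=\"text/html\" method=\"get\" template=\"$tpl\"/>\n"
         . "</OpenSearchDescription>\n";
}

function search_page($query)
{
    $name = htmlspecialchars(SITE_NAME, ENT_QUOTES);
    // $query arrives via {searchTerms}, i.e. straight from the user: escape it
    // before echoing it back, or the search box becomes an XSS vector.
    $q = htmlspecialchars($query, ENT_QUOTES);
    return "<html><head>\n"
         . "<title>$name</title>\n"
         // This <link> is what makes Firefox 2 / IE7 offer to add the site's search.
         . '<link rel="search" type="application/opensearchdescription+xml" title="'
         . $name . '" href="' . SITE_BASE . '/search.php?opensearch=1">' . "\n"
         . "</head><body>\n"
         . '<form action="search.php" method="get">' . "\n"
         // spellcheck="true" asks Firefox 2 to check this text field as well.
         . '<input type="text" name="q" spellcheck="true" value="' . $q . '">' . "\n"
         . '<input type="submit" value="Search">' . "\n"
         . "</form>\n"
         . ($q !== '' ? "<p>Results for <b>$q</b> would be listed here.</p>\n" : '')
         . "</body></html>\n";
}

if (isset($_GET['opensearch'])) {
    header('Content-Type: application/opensearchdescription+xml');
    echo opensearch_description();
} else {
    header('Content-Type: text/html; charset=UTF-8');
    echo search_page(isset($_GET['q']) ? $_GET['q'] : '');
}
```

Two points worth noting: the base URL is a constant rather than something derived from the request, so nobody can make the browser install a description pointing at a host of their choosing, and the value substituted for {searchTerms} is treated like any other query parameter and escaped before it is echoed back.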
Continue reading "Developer notes for FireFox 2.0"
Sunday, October 22. 2006
There are many instances where you may want to see what kind of PHP settings other people are using, and what better source of this information than the phpinfo() page.
The problem with finding a reliable pool of such pages is that a basic search often contains many blog, forum, bugs.php.net and similar entries which are copy & paste outputs from users. This may be fine in some instances, but what if you just want the real phpinfo() pages? The answer is surprisingly simple.
To get the data you simply need to search for an element always present on the phpinfo() page, such as the "Zend Scripting Language Engine" string, and then for a user-agent containing the indexing bot of your favorite search engine. Among the data displayed by the phpinfo() page is a header containing the browser-provided User-Agent field, which is always populated by respectable crawlers such as the ones used by Google and Yahoo. The presence of this value guarantees that the page shown will be an actual page, rather than a copy and paste where the field will be populated by the user's own browser.
Here are the sample search queries for Google and Yahoo!.
Continue reading "Reliably locating phpinfo()"
Thursday, October 19. 2006
The 5.2.0 release is turning out to be quite an adventure; we can't seem to get the bloody thing out. Hopefully RC6 will be the last release candidate, but given that I've said that about the last 3 RCs, who knows...
This said, the delays were not entirely unproductive, as every time more bugs were fixed and the language was generally made better, so it is not all bad. The release snapshot is available here: http://downloads.php.net/ilia/php-5.2.0RC6.tar.bz2 (md5: 5a146c08f85d8535c76fe6219281a06e) and win32 binaries will be made available shortly by Edin.
As always I'd like to ask everyone to give this release a try to make sure no regressions were introduced and to make sure that your applications can still work with this release. If no major issues are uncovered, maybe, just maybe 5.2.0 in a week.
Thursday, October 5. 2006
Search engines have for a long time been a good helper for people trying to find sensitive information or vulnerabilities on the web. When you have a few billion documents indexed, it is inevitable that some things that should remain private inadvertently end up in public directories and get indexed; then it's just a matter of writing a sufficiently creative search query to find that data.
There are even sites that aggregate "interesting" search queries designed to quickly locate sensitive data, such as the Google Hacking Database from "Johny", which has queries to find everything from old vulnerable software to credit card numbers, etc...
There have also been attempts to identify things like SQL injection and XSS by locating sites collecting common forms of input and then checking to see whether said input is validated. A good example of this can be found on Michael Sutton's blog; he used Google to generate statistics to identify the frequency of SQL injections.
But this approach does not really show you the full extent of the exploit, it just indicates the presence of SQL injection, which can then be explored further mostly through trial and error. Well, no more: thanks to Pierre I've discovered a Google Labs project called "Code Search", which as the name suggests indexes publicly available source code. Meaning that now not only can you easily find exploits, but also get the full context of the code, allowing for a much nastier exploitation. Let's give it a shot.
Continue reading "Google Code Search ~= Hacker's best friend?"
Thursday, October 5. 2006
After 2 weeks of inaction the 5.2.0 final release is finally in sight. A few minutes ago I've released the last (I mean it this time) release candidate of 5.2.0, RC5. If all goes well a week from now 5.2.0 final will be out ready for use. In the meantime I'd like to ask once again that everyone try this RC, which can be downloaded from here:
http://downloads.php.net/ilia/php-5.2.0RC5.tar.bz2 (md5sum: 9a7fb788fbfd2beb8ed7aecb0a7d1598)
I don't think you'd be able to find any major issues or regressions in this RC, but if you do certainly let me know, if necessary RC6 is not out of the question.
Tuesday, October 3. 2006
If you have been monitoring PHP's internal mailing list you probably know that over the last few weeks we've been locked in a stalemate in regard to the API revision of the filter extension brought to light by Dan from our documentation team. This is also the reason why despite this being early October PHP 5.2 is still not out.
Fortunately, after mediation with Derick and Pierre, the two protagonists of the filter conundrum, a compromise was finally reached. I took Pierre's proposed patch for the filter extension and based on it made a series of adjustments yielding a very clear and flexible API (I hope) that seems to keep everyone happy. The patch was committed late last night and given the lack of complaints today, I think we've finally got this issue resolved. YEY!
The only downside is that my proposal to rename the filter extension to "Ilia's Awesome Filter Extension" was shot down, with only Tony being in favor. Oh well, I guess you can't have it all.
On a related note, since the filter issue is now resolved, we can resume the 5.2 release cycle, and I hope to have RC5 out this Thursday, to be followed shortly by a final release. On the bright side, the delay allowed us to fix about a dozen bugs and make PHP 5.2 even faster by fixing an inefficiency spotted by Matt W. related to the creation of hash tables with known sizes.
Continue reading "Filter Extension Revamped (and PHP 5.2 news)"
Sunday, September 24. 2006
Now that the Jet-lag has worn off (all-night flights suck, even when they are first class) I figure it would be the perfect time to blog about my recent visit to Microsoft's Web Dev Summit.
A few weeks ago I got an invite from Brian (who, thanks to Wez, got through my spam filters) to come to Microsoft and see what kind of cool stuff they are doing and to give some feedback from the "enemy camp", so to speak, on the stuff they are doing. I thought it'd be a great opportunity to see what's going on on the other side of the fence and readily agreed.
So, last week, I caught a plane to Redmond where I joined a number of other PHP luminaries (Wez, Marcus, Frank, Laura, etc...) and a lone Ruby developer (Yes, they do exist!). Over the next two days we had a very tightly packed schedule of presentations from Microsoft folks on things ranging from IIS7 to LINQ. Despite the very tight schedule we got a number of opportunities to have informal talks with Microsoft developers, which in my experience were quite interesting. They certainly seemed open to new ideas, which was a very welcome surprise, and were more than willing to listen to constructive criticism (which in some cases we were more than willing to provide).
Continue reading "Microsoft Web Dev Summit Overview"
Tuesday, September 19. 2006
A new stable release of FUDforum is now available for download. This release incorporates all of the changes found in the previous two release candidates in addition to an updated German translation and a newly added Vietnamese translation as well. All users of FUDforum are encouraged to upgrade to this release for improved performance and stability.
Additional information about the content of this release can be found here:
http://fudforum.org/forum/index.php?t=msg&th=6994
and here:
http://fudforum.org/forum/index.php?t=msg&th=6916
The installation and upgrade scripts are located at their usual location at: http://fudforum.org/download.php
Thursday, September 14. 2006
The slides from my two talks at PHP|Works are now available online for download in PDF and Flash formats; they can be found here:
http://ilia.ws/talks/. You'll need to scroll to the bottom of the page to find the download links.
Overall I think the talks went very well, and I hope that all the people who attended found the material covered interesting and/or informative. I won't presume to assume the talks were fun, but c'mon, what do you expect from a technical talk?
Thursday, September 14. 2006
Huzzah!
The final release candidate of 5.2.0, RC4 is out, which means the final release is just around the corner. The tarballs can be found here:
http://downloads.php.net/ilia/php-5.2.0RC4.tar.bz2 (71456d89419e5b67c59aca713a3c86f4)
http://downloads.php.net/ilia/php-5.2.0RC4.tar.gz (41c5ac4a378266b17a7fde9565325cb9)
Given that this is a final release, this is the last chance to identify major issues or regressions. So, please test your code against this release to make sure that everything is working, and if not, let us know.
Friday, September 1. 2006
The third and possibly the final release candidate of PHP 5.2.0 is now available for download.
http://downloads.php.net/ilia/php-5.2.0RC3.tar.bz2 (79a9e8ecd8edcfcc033bbd49967ad47a)
http://downloads.php.net/ilia/php-5.2.0RC3.tar.gz (735c8f0385483afc732c09c5bb4257a3)
The number of changes is fairly small, which is always good when nearing the final release, but there were 2 important fixes that need attention. One is a fix for a memory corruption in the new memory manager, something that could've caused random, hard to reproduce crashes. The second was a fix in the session extension's shutdown order, which caused problems when native objects (objects created by other PHP extensions) were stored inside $_SESSION.
Please try this release and give your feedback via the QA mailing list or via this blog; either way we'd like to hear how this release works with your code.
Thursday, August 17. 2006
I think we've set a new PHP release record today, 3 releases in one day: PHP 5.1.5, 4.4.4 and 5.2.0RC2. The first two are aimed at addressing a series of security faults that were discovered in the stable branches. The good thing is that the issues found are mostly local exploits, so upgrading should definitely be a priority for shared hosting providers or multi-user PHP systems. That said, I would still recommend that all users of PHP consider upgrading their installs to the relevant releases. For information about the exploits themselves go to php.net.
The tarballs and win32 binaries for the releases can be found here for PHP 5.1.5 and PHP 4.4.4.
As far as PHP 5.2.0RC2 goes, this is an intermediate release, which brings us one step closer to the final release, hopefully sometime in September. As always, I'd like to ask everyone to give this release a try and see if your code runs on it or not and provide the PHP Development team with feedback. We are particularly interested in any new bugs, regressions or drops in performance. Since the 5.2.0 release contains a number of performance improvements, we'd also love to hear if your code does in fact run faster on this release.
The 5.2.0RC2 source tarball can be found here: http://downloads.php.net/ilia/php-5.2.0RC2.tar.bz2 (md5 checksum: 097b97ccc92003519e1df682bdb855b4)
P.S. Big thanks to all the people who have reported security vulnerabilities in PHP and have been patient while we work on solving these problems. Sometimes, we're not as fast as we should be.
Tuesday, August 15. 2006
A new version of FUDforum is on the release path. This release is largely a feature addition release with a fair quantity of new functionality being added. That said there were a few bug fixes sprinkled in between as well.
The upgrade and installer can be downloaded from here:
Installer Download
Upgrade Script
The main features of the new release include the following:
- Added an option that enables admins and moderators to edit topic ratings.
- Added account moderators, who can approve new accounts as well as manage existing users.
- Added ability to display flags beside user names based on IP geo-location.
- Added an option of adding "permanent" announcements.
To see details of all the changes see the release announcement.
Monday, August 14. 2006
I've just completed the upgrade of the bundled libsqlite in the PDO driver from a fairly antiquated 3.2.8 to the latest 3.3.7.
Yet another reason to upgrade to 5.2.0 when it comes out.
Thursday, August 10. 2006
Thanks to a patch from Scott MacVicar that I've just applied to CVS, PHP 5.2 will have support for the httpOnly cookie flag. This neat little feature allows you to mark a newly created cookie as HTTP only, in other words inaccessible to browser-based scripting languages such as JavaScript. This means it would become far more difficult, if not impossible, to steal a user's cookie-based session by injecting JavaScript into a page and then using it to read cookies.
This flag can be toggled by passing TRUE as the 7th parameter to the setcookie() and setrawcookie() functions. Ex:
PHP:
<?php
// The 7th argument (TRUE) sets the httpOnly flag; expire, path, domain and
// secure are left at their defaults here.
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
setrawcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
?>
The support for the httpOnly flag extends to the session extension as well, where it can be enabled by setting the session.cookie_httponly INI setting to 1, or by passing TRUE as the 5th parameter to the session_set_cookie_params() function.
PHP:
<?php
// Either enable the flag for the session cookie through the INI setting ...
ini_set("session.cookie_httponly", 1);
// ... or through the 5th argument of session_set_cookie_params()
// (lifetime, path, domain, secure, httponly).
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>
Unfortunately, at this time according to my tests no other browser has adopted this rather handy feature, but with the continual increase of XSS attacks, I am sure they'll adopt this concept soon.
For people using PHP 4 and PHP 5.1 you can add this flag yourself by sending cookies manually via the header() function and appending the "; httpOnly" flag to the cookie, as shown in the example below:
PHP:
<?php
// Manual Set-Cookie header; the flag goes after the name=value pair.
header("Set-Cookie: hidden=value; httpOnly");
?>
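The one-line header() call above works, but it leaves expiry, path, URL-encoding of the value and the other setcookie() attributes to the caller. The following is an added example, not Scott's patch or any PHP library code: a setcookie()-style helper for PHP 4 / 5.1 that builds the full Set-Cookie header by hand with the HttpOnly flag attached, plus a small audit function that reports cookies in a list of response headers (for instance from headers_list() on PHP 5) that are being sent without the flag. Function names and the sample headers are constructed for this example.

```php
<?php
// Added example, not PHP's own code: setcookie()-style helper that attaches
// HttpOnly on PHP versions whose setcookie() has no httponly parameter, plus
// an audit helper. Function names and sample data are assumptions.

function build_httponly_cookie($name, $value = '', $expire = 0, $path = '', $domain = '', $secure = false)
{
    // setcookie() rejects names containing separators or control characters;
    // do the same, otherwise a crafted name could smuggle extra attributes
    // into the header.
    if ($name === '' || preg_match('/[=,; \t\r\n\x0B\x0C]/', $name)) {
        return false;
    }
    // setcookie() URL-encodes the value; a raw "; " in $value would otherwise
    // terminate the cookie and let the remainder be parsed as attributes.
    $header = 'Set-Cookie: ' . $name . '=' . urlencode($value);
    if ($expire > 0) {
        // Same timestamp format setcookie() emits (GMT, as the cookie spec requires).
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';
    }
    // The flag itself; browsers match the attribute name case-insensitively.
    return $header . '; HttpOnly';
}

function setcookie_httponly($name, $value = '', $expire = 0, $path = '', $domain = '', $secure = false)
{
    $header = build_httponly_cookie($name, $value, $expire, $path, $domain, $secure);
    if ($header === false) {
        return false;
    }
    // replace=false keeps any Set-Cookie headers already queued for this response.
    header($header, false);
    return true;
}

// Returns the names of cookies in $headers (e.g. the array from headers_list()
// on PHP 5) that are about to be sent without HttpOnly. Cheap to run before
// the response is flushed, or over a captured response during testing.
function cookies_missing_httponly($headers)
{
    $missing = array();
    foreach ($headers as $line) {
        if (!preg_match('/^Set-Cookie:\s*([^=;]+)=/i', $line, $m)) {
            continue;
        }
        if (!preg_match('/;\s*httponly\s*(;|$)/i', $line)) {
            $missing[] = $m[1];
        }
    }
    return $missing;
}

// Constructed sample: one cookie built by the helper (note the "; " inside the
// value, which ends up URL-encoded) and one plain cookie without the flag.
$sample = array(
    build_httponly_cookie('sid', 'ab; c', 0, '/', '', true),
    'Set-Cookie: theme=dark; path=/',
);
print_r(cookies_missing_httponly($sample));
```

The audit function only reports the plain theme cookie; the helper's own output carries the flag. Splitting the header construction from the header() call keeps the string builder usable from a test script where no HTTP response exists.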