Monthly Archives: October 2008

argh! fedora 10

I should know better.

Every six months a new version of Fedora comes out, and every six months, I upgrade before it’s stable and screw up my computer.

For the sake of anyone else who encounters the same problem (bloody nothing loads – Gnome fails to load and Firefox fails as well), just downgrade the Pango and Cairo libraries to the versions from Fedora 9.

update: if your machine boots, but only after you hit the keyboard a load of times, then try booting using the FC9 kernel instead.

btw: for some sad parties (myself included 😉 ): geansai gorm

codeweavers triggers global depression, offers software in compensation

Got to love it!

Giveaway Triggered in CodeWeaver’s Great American Lame Duck Presidential Challenge; “We take full responsibility for global economic collapse,” says CEO

Codeweavers, who make CrossOver office and CrossOver Games (applications which allow Windows programs to run in Linux), are giving away licenses for free, today, because Bush actually delivered on something – the price of petrol in Minneapolis fell to $2.79 on October 14th.

Of course, Bush had to destroy the global economy to do that, but hey, free software!

let's begin again – robots!

For years, I’ve had a (mad?) plan to build a robot to handle gardening for me. And so far, I haven’t built it.

This is not because it is impossible or stupid. Far from it – when you consider the task step by step, it’s reasonable, and could even be very important.

  • build a robot which is completely wireless.
  • the robot must be able to geo-locate and find its way to its charge-point when it needs it.
  • teach the robot to “see” rubbish such as twigs and leaves.
  • teach the robot to pick up rubbish and place it in a designated rubbish area. At this point, we have something which can be developed and sold, although maybe just as a curiosity.
  • teach it to see grass and to judge whether the grass is too long or not.
  • teach it to cut the grass, one blade at a time, and compost the blades. My plan here is that the robot is very small (20cm cubed?), making it difficult to cut a lot of grass at a time, thus making it easier to cut one blade at a time. Even so, cutting one blade at a time allows every piece of compostable material to be composted, thus making the garden neater than if it was cut by “brute force”.
  • teach it to recognise weeds and destroy them or cut them as close as possible to the root. your average lawnmower can’t do that!

These are reasonable goals, and at the end, you have a small robot (or a few small robots) which can manage a medium-sized garden unattended better than you could do yourself. Now that’s a product that would sell.

So what’s so difficult? Why have I not built it? I think the problem is that I was aiming for perfection – I wanted to go straight to the end product so was buying only the components that would fit in the 20cm cubed machine.

Unfortunately, I just don’t have the money for that. For example, the “brain” needed for the robot would need to be something like the Robostix, which would set me back over €300, which I just don’t seem to have lying around.

So, I’d dream and pine and do nothing about it.

The solution, which I have somehow failed to see for years, is to build something less than perfect, which does the job, and develop that into something that people can see actually does work. When that happens, someone will hand me the money to develop the proper thing, in the hope that they’ll make a tidy sum in return.

So, I’ve decided to resurrect some old laptops from the attic, in the hope that I can make them chew the grass for me. I’m going to stick wheels on them and give them knives and other blades to play with. I’ve dug out my Latitude C610 and Travelmate 2420.

One thing discovered so far – laptops don’t like it when you leave them alone in a damp attic eave for years on end. The Latitude’s hard-drive literally squealed a few times when I booted it, and it would only boot once. Every time after that, the hard-drive threw up errors like it was being killed (I will also mention that the HD’s file-system is ReiserFS, making it more ironic…).

The other worked fine though – it has a few lines on the screen, but nothing more serious (the Latitude has no screen at all).

Tomorrow I hope to build the base of the robot for the TravelMate laptop. I’m going to try to build two robots, one for each laptop. If I actually do it (notoriously lazy as I am) I’ll post photos.

Anyway – here comes world-domination step 1.

countries in europe

Just a quickie. I had to see if a selected country (selected by 3-letter code) was in Europe, but couldn’t find a handy function online for it.

So, here it is:

// returns true if $code (an ISO 3166-1 alpha-3 code, upper-case) is a European country
function inEurope($code){
  return in_array($code,array(
    'ALB','AND','ARM','AUT','AZE','BLR','BEL','BIH','BGR','HRV','CYP',
    'CZE','DNK','EST','FIN','FRA','GEO','DEU','GRC','HUN','ISL','IRL',
    'ITA','KAZ','LVA','LIE','LTU','LUX','MKD','MLT','MDA','MCO','MNE',
    'NLD','NOR','POL','PRT','ROU','RUS','SMR','SRB','SVK','SVN','ESP',
    'SWE','CHE','TUR','UKR','GBR','VAT'
  ));
}

That returns true or false depending on whether the submitted $code (an “ISO 3166-1 alpha-3” code) is in Europe or not.

security hole for files with a dot at the end

I received an email this morning saying that KFM has a security hole – if a user creates a file named “test.php.” (note the ‘.’ at the end), then it is run as if it was “test.php”, even if you explicitly banned the .php extension in your settings.

I immediately added a line of code to ban all filenames which end in ‘.’, released a new version of 1.3 (available on the front page of the site) and corrected 1.4 in SVN.

After thinking about it, I realised that the security problem is not as serious as it may seem (for KFM – not in general). It’s definitely a problem, but in order to use it, you need to have access to a KFM instance in the first place. As securing KFM is not difficult, I think the problem may be contained.

But I digress – this appears to be a problem in Apache. To test it, I checked if renaming a Perl CGI file from .cgi to .cgi. would work, and it did.

This is a little disturbing, as it does not appear to be documented anywhere, so there is no way that a developer would know to avoid this security hole.

So, if you write programs that allow your users to upload or rename files online, make sure that the filename does not have a ‘.’ at the end!

edit: OMG! I was reading the Apache source to try to spot the problem, and found the area where it happens – it’s in the file “http/mod_mime.c”. The function “find_ct()” extracts the extension for the server to use. Unfortunately, it ignores all extensions it does not understand, so it’s not just a case of “test.php.” being parsed as ‘.php’, but also “test.php.fdabsfgdsahfj” and other similar rubbish files! This is a serious problem.

There are a number of solutions to this:

  1. Possibly the correct solution: Keep your downloadables outside the web-accessible area and force the download through a PHP script. Doesn’t matter what extension the file has then.
  2. Tricky but easier to make portable: Write your own extension identifier using the httpd source as a guide, so you know what Apache will identify the file as (annoyingly complex, possibly, but I’ll need to do it…)
  3. Easiest, but most annoying for users: Only allow one ‘.’ per filename.
  4. More difficult, but possibly also correct: Convince Apache that this needs to be fixed, then upgrade immediately when the fix is available.

further update: An easy solution. This problem rears its head when PHP is identified in your httpd.conf using this:

AddHandler php5-script .php

The solution is to change the above so that the handler is only applied when the extension is at the very end of the filename. Because the match is anchored with $, neither “test.php.” nor “test.php.fdabsfgdsahfj” is handed to PHP any more:

<FilesMatch \.php$>
  SetHandler php5-script
</FilesMatch>
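Solution 2 above, as an added example that is not KFM’s own code: a PHP upload filter that walks every dot-separated segment of a filename the way mod_mime does, so a banned extension is refused wherever it appears, and a name ending in a dot is refused outright. The deny-list and the sample filenames are constructed for the example.

```php
<?php
// Added example, not KFM code: emulate mod_mime's walk over every
// dot-separated segment so an upload filter rejects a banned extension
// wherever it appears in the name, not only at the very end.

function apacheExtensions(string $filename): array {
    // Everything after the first dot is a candidate extension to mod_mime;
    // segments it has no type or handler for are simply skipped over.
    $parts = explode('.', basename($filename));
    array_shift($parts);                       // drop the base name
    $parts = array_filter($parts, 'strlen');   // drop empty segments ("a..b", "a.")
    return array_map('strtolower', $parts);
}

function isSafeUploadName(string $filename, array $bannedExtensions): bool {
    // Trailing dot: the case reported against KFM; refuse it outright.
    if (substr($filename, -1) === '.') {
        return false;
    }
    $banned = array_map('strtolower', $bannedExtensions);
    foreach (apacheExtensions($filename) as $ext) {
        if (in_array($ext, $banned, true)) {
            return false;                      // "test.php.junk" is caught here
        }
    }
    return true;
}

// Constructed deny-list and sample names for a quick run
$banned  = ['php', 'php5', 'phtml', 'cgi', 'pl'];
$samples = ['report.pdf', 'test.php', 'test.php.', 'test.php.fdabsfgdsahfj',
            'holiday.JPG', 'x.PHP.txt', 'script.cgi.'];
foreach ($samples as $name) {
    printf("%-26s %s\n", $name,
        isSafeUploadName($name, $banned) ? 'allowed' : 'rejected');
}
```

Of the samples, only report.pdf and holiday.JPG are allowed; the comparison is case-insensitive so that x.PHP.txt is caught as well.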

kfm progress

Didn’t do much on KFM this week. I’ve spent most of the time in work, sleeping, or trying to convince the kids that 3am is not a good time to be awake.

This morning (got up at 3.30…) I implemented lazy-loading for icon thumbnails.

What this means is that in a folder which has 500 icons in it, if only 25 are visible without scrolling, then only 25 are actually downloaded. This helps speed up your usage in a few ways.

  • if you download an icon which is not immediately visible, then you are slowing down the showing of an icon which is right in front of you.
  • Sometimes you only want to see the first few icons of a directory anyway – let’s say they’re photos and the folder title is something like “DCIM1010” (you know what I mean), then it’s easy to see if they’re the right photos by viewing the first few.
  • If you’re downloading 500 icons at one time, that means not many other HTTP actions can be taken until those have been taken care of – so if you wanted to rename one of the visible files, for example, then you’ll just have to wait for the other hundreds of thumbs to download first!

What I’m supposed to be working on is the new translation system, but that’s very hard. There are some little problems I haven’t cleared in my head yet. Hopefully the solution will come to me before the end of the day so I can get it finished this weekend.

KFM work restarted, translation plans

After a long break, I’m back working on KFM. I’ve done an average of maybe 2 hours every day this week, cleaning up code and preparing for future plans.

What I’m working on at the moment is a rewrite of the translations code. There are a few things wrong with the way that it works at the moment:

  • JavaScript and PHP language strings are currently separate – en.php and en.js for example.
  • Whenever KFM is loaded, the entire JS language file is loaded, even if very little of it will actually be used.
  • There is no easy way apart from hacking KFM to add translations for user-contributed plugins.

The solution we (Benjamin and myself) have come up with is to use a database solution, with an import facility for plugins. The idea is a complete rewrite of how we do it.

Currently, translations are recorded in a JS object something like this:

kfm.lang={
  Errors                  : "Ошибки",
  LastModified            : "последний раз изменен"
};

The above is easy to use in KFM, in that the strings can be accessed using normal object notation, kfm.lang.Errors for example. However, it should be easier.

What we will be doing is to convert all language files so they are written using the English string as the key instead of a code such as “LastModified”. And, using the common nomenclature of other languages, the translation will be done such as: alert(__("What do you want to rename %1 to?","default",filename));, where the second parameter is the language context (are we talking about files, people, dogs, etc?).

To help improve the speed at which KFM opens, only the most popular strings will be preloaded. If an unknown string is requested, it will be loaded through AJAX.

How that will work is that all translations will be asynchronous. When you request a translation, a span element will be returned containing the translation. If the translation is already known or cached by the client, then the element will be pre-filled. Otherwise, an AJAX request will be fired off, and when it returns, the element will be populated.

The popularity of each string will be determined by the number of requests for it.

On the server side, when a request comes in, KFM will search its database looking for the string. If it is found, it is returned (and its ‘requests’ field incremented). If it is not found, then all installed plugins will be searched for language files, which will be imported into the database then returned. If the string is not found anywhere, then the plain English is recorded in the database, and a note is added that the translation was not found.

I’m considering whether or not to add in a bit which periodically reports back to the main KFM server a list of missing translations. Also, a periodic report of popular strings and even of unused strings, allowing us to prune the files for future releases.

If you want to try out the work, then download a copy of the trunk via SVN: svn checkout http://kfm.googlecode.com/svn/trunk/trunk/ kfm

case-insensitive authentication in postfix-mysql

Just a quick note. If you find that your customers can log into their postfix account ok, but can’t read their email, check the directory their email is in:

[root@postfix /]# cd /home/vmail/domainname.ie/
[root@postfix domainname.ie]# ls -l
drwx------  5 postfix postfix 4096 Sep  4 11:52 joe.smith
drwx------  9 postfix postfix 4096 Sep  9 09:30 jane.smyth
drwx------  9 postfix postfix 4096 Sep  9 21:09 Jane.Smyth

The problem appears to be that postfix authenticates using MySQL, which is case-insensitive by default, then creates a default email skeleton directory named after the login username if it doesn’t find one already.

You can see in the above example that our user has logged in using uppercase letters in the username, MySQL verified the user had a right to be there, then postfix created the user’s directory using the login credentials, even though a lower-case version of the directory name already existed…

Obviously, this incorrect account will not receive email – email will be sent to the correct one.

There are a few solutions:

  • you can remove the Jane.Smyth directory and tell the user to change their authentication to use a lowercase username.
  • you can remove the Jane.Smyth directory then create a symbolic link from jane.smyth to Jane.Smyth.
  • change your MySQL installation to use a case-sensitive collation.

Personally, I go for the first solution.