geansai gorm

For years, I’ve had a (mad?) plan to build a robot to handle gardening for me. And so far, I haven’t built it.

This is not because it is impossible or stupid. Far from it - when you consider the task step by step, it’s reasonable, and could even be very important.

  • build a robot which is completely wireless.
  • the robot must be able to geo-locate and find its way to its charge-point when it needs it.
  • teach the robot to “see” rubbish such as twigs and leaves.
  • teach the robot to pick up rubbish and place it in a designated rubbish area. At this point, we have something which can be developed and sold, although maybe just as a curiosity.
  • teach it to see grass and to judge whether the grass is too long or not.
  • teach it to cut the grass, one blade at a time, and compost the blades. My plan here is that the robot is very small (20cm cubed?), making it difficult to cut a lot of grass at a time, thus making it easier to cut one blade at a time. Even so, cutting one blade at a time allows every piece of compostable material to be composted, thus making the garden neater than if it was cut by “brute force”.
  • teach it to recognise weeds and destroy them or cut them as close as possible to the root. Your average lawnmower can’t do that!

These are reasonable goals, and at the end, you have a small robot (or a few small robots) which can manage a medium-sized garden unattended better than you could do yourself. Now that’s a product that would sell.

So what’s so difficult? Why have I not built it? I think the problem is that I was aiming for perfection - I wanted to go straight to the end product so was buying only the components that would fit in the 20cm cubed machine.

Unfortunately, I just don’t have the money for that. For example, the “brain” needed for the robot would need to be something like the Robostix, which would set me back over €300 euro which I just don’t seem to have lying around.

So, I’d dream and pine and do nothing about it.

The solution, which I have somehow failed to see for years, is to build something less than perfect, which does the job, and develop that into something that people can see actually does work. When that happens, someone will hand me the money to develop the proper thing, in the hope that they’ll make a tidy sum in return.

So, I’ve decided to resurrect some old laptops from the attic, in the hope that I can make them chew the grass for me. I’m going to stick wheels on them and give them knives and other blades to play with. I’ve dug out my Latitude C610 and Travelmate 2420.

One thing discovered so far - laptops don’t like it when you leave them alone in a damp attic eave for years on end. The Latitude’s hard-drive literally squealed a few times when I booted it, and it would only boot once. Every time after that, the hard-drive threw up errors like it was being killed (I will also mention that the HD’s file-system is ReiserFS, making it more ironic…).

The other worked fine though - it has a few lines on the screen, but nothing more serious (the Latitude has no screen at all).

Tomorrow I hope to build the base of the robot for the TravelMate laptop. I’m going to try build two robots, one for each laptop. If I actually do it (notoriously lazy as I am) I’ll post photos.

Anyway - here comes world-domination step 1.

Just a quickie. I had to see if a selected country (selected by 3-letter code) was in Europe, but couldn’t find a handy function online for it.

So, here it is:

function inEurope($code){
  return in_array($code,array(
    'ALB','AND','ARM','AUT','AZE','BLR','BEL','BIH','BGR','HRV','CYP',
    'CZE','DNK','EST','FIN','FRA','GEO','DEU','GRC','HUN','ISL','IRL',
    'ITA','KAZ','LVA','LIE','LTU','LUX','MKD','MLT','MDA','MCO','MNE',
    'NLD','NOR','POL','PRT','ROU','RUS','SMR','SRB','SVK','SVN','ESP',
    'SWE','CHE','TUR','UKR','GBR','VAT'
  ));
}

That returns true or false depending on whether the submitted $code (an “ISO 3166-1 alpha-3” code) is in Europe or not.

I received an email this morning saying that KFM has a security hole - if a user creates a file named “test.php.” (note the ‘.’ at the end), then it is run as if it was “test.php”, even if you explicitly banned the .php extension in your settings.

I immediately added a line of code to ban all filenames which end in ‘.’, released a new version of 1.3 (available on the front page of the site) and corrected 1.4 in SVN.

After thinking about it, I realised that the security problem is not as serious as it may seem (for KFM - not in general). It’s definitely a problem, but in order to use it, you need to have access to a KFM instance in the first place. As securing KFM is not difficult, I think the problem may be contained.

But I digress - this appears to be a problem in Apache. To test it, I checked if renaming a Perl CGI file from .cgi to .cgi. would work, and it did.

This is a little disturbing, as it does not appear to be documented anywhere, so there is no way that a developer would know to avoid this security hole.

So, if you write programs that allow your users to upload or rename files online, make sure that the filename does not have a ‘.’ at the end!

edit: OMG! I was reading the Apache source to try spot the problem, and found the area where it happens - it’s in the file “http/mod_mime.c”. The function “find_ct()” extracts the extension for the server to use. Unfortunately, it ignores all extensions it does not understand, so it’s not just a case of “test.php.” being parsed as ‘.php’, but also “test.php.fdabsfgdsahfj” and other similar rubbish files! This is a serious problem.

There are a number of solutions to this:

  1. Possibly the correct solution: Keep your downloadables outside the web-accessible area and force the download through a PHP script. Doesn’t matter what extension the file has then.
  2. Tricky but easier to make portable: Write your own extension identifier using the httpd source as a guide, so you know what Apache will identify the file as (annoyingly complex, possibly, but I’ll need to do it…)
  3. Easiest, but most annoying for users: Only allow one ‘.’ per filename.
  4. More difficult, but possibly also correct: Convince Apache that this needs to be fixed, then upgrade immediately when the fix is available.
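
The check behind solutions 2 and 3, as an added example that is not KFM's or Apache's own code: it treats every dot-separated part after the base name as a candidate extension, which is the behaviour described above for find_ct(), and also bans the trailing dot. The function names and the SCRIPT_EXTENSIONS list are assumptions; the list has to mirror the handlers configured on your own server.

```php
<?php
// Added example, not KFM or Apache code. Conservative model of the
// behaviour described in the post: the first dot-separated part of a name
// is the base name, every later part is a candidate extension, and parts
// the server does not recognise are skipped rather than ending the search.

/** Assumption: extensions mapped to a script handler on this server. */
const SCRIPT_EXTENSIONS = ['php', 'php5', 'phtml', 'cgi', 'pl'];

/**
 * Return the extension that would get $filename handled as a script,
 * or null if none of its extensions is in SCRIPT_EXTENSIONS.
 */
function scriptExtensionOf(string $filename): ?string
{
    // Drop any directory part, whichever separator the client sent.
    $name  = basename(str_replace('\\', '/', $filename));
    $parts = explode('.', $name);
    array_shift($parts);              // the first part is the base name
    foreach ($parts as $ext) {
        $ext = strtolower($ext);      // compare case-insensitively
        if ($ext !== '' && in_array($ext, SCRIPT_EXTENSIONS, true)) {
            return $ext;              // a script extension anywhere counts
        }
    }
    return null;
}

/** Upload/rename check: ban trailing dots and any script extension. */
function isSafeUploadName(string $filename): bool
{
    if ($filename === '' || substr($filename, -1) === '.') {
        return false;
    }
    return scriptExtensionOf($filename) === null;
}

// Constructed sample names, including the two cases from the post.
$samples = ['photo.jpg', 'archive.tar.gz', 'test.php', 'test.php.',
            'test.php.fdabsfgdsahfj', 'notes.PHP.txt'];
foreach ($samples as $s) {
    printf("%-24s %s\n", $s, isSafeUploadName($s) ? 'accept' : 'reject');
}
```

Only the first two sample names are accepted; a check that looks at the final extension alone would also let "test.php.fdabsfgdsahfj" and "notes.PHP.txt" through.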

further update: An easy solution. This problem rears its head when PHP is identified in your httpd.conf using this:

AddHandler php5-script .php

The solution is to change the above so that the extension must be at the end of the filename:

<FilesMatch \.php$>
  SetHandler php5-script
</FilesMatch>

I don't have a geansai gorm, but if I did, I might sometimes wear it.