Categories
Technology, Weblogging

Second change

A vulnerability was discovered in WordPress 1.2.1 and 1.3a, as detailed here and in a WordPress forum thread, here. It is caused by the fact that an important system variable, siteurl, is rewritten in wp-login.php whenever the application detects that the URI used to reach wp-login.php differs from the value stored in the database.

As detailed in both of the above locations, there is usually more than one way to access a specific file, and reaching it through different variations of the URL changes this stored value, which can cause problems for the site. At a minimum, every such variation results in an unnecessary update to the database.

The current WordPress release was modified to lessen the damage this vulnerability can do, but it hasn’t eliminated the problem completely. To fix the remaining vulnerability, I’ve removed the code that updates this value in the database from wp-login.php (though I’ve left the option in the database for now). Unfortunately, this brings back the original problem that the code was written to solve, which is to make it easier to move your WordPress weblog if you need to. Without this code, moving your weblog to another directory can make the administrative pages impossible to access. In removing the vulnerability, I reintroduced that problem.

To fix this original problem, I added SITEURL as a new parameter in the wp-config.php file, now renamed wf-config.php to differentiate it from the WordPress file. Now, when the weblog is moved, you change this one value with a text editor:

define('SITEURL', 'http://wordform.org');

I also modified the code in functions.php that loads siteurl from the database, so that the cached value is taken from SITEURL in wf-config.php instead of from the stored row (with any trailing slashes stripped):

if ('siteurl' == $option->option_name) {
    $option->option_value = preg_replace('|/+$|', '', SITEURL);
}

This is an interim fix, while the rest of the code is adjusted not to depend on this as an option loaded from the database. Once I’m sure this is so, I’ll remove the option from the database.
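The following PHP is an added example, not code from WordPress or from Wordform. It models the two behaviours described above so they can be compared side by side: a login page that derives siteurl from whatever URL the client used (the drift the post describes, reconstructed here from the description, not copied from the WordPress source) and the config-constant override that pins the value regardless of what the database row says. The function names, the simulated options array and the request variants are all constructed for the demonstration.

```php
<?php
// Added example, not WordPress or Wordform code. Models the siteurl drift the
// post describes and the config-constant fix. Request arrays are constructed.

// Derive a siteurl from the request, as the client spelled it. dirname() of the
// full URL is the directory wp-login.php was reached through.
function siteurl_from_request(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && strtolower($server['HTTPS']) === 'on')
        ? 'https://' : 'http://';
    return dirname($scheme . $server['HTTP_HOST'] . $server['REQUEST_URI']);
}

// Vulnerable pattern: whenever the derived value differs from the stored one,
// write the request-derived value back. Returns true when the "database" row
// was rewritten.
function login_vulnerable(array &$options, array $server): bool
{
    $seen = siteurl_from_request($server);
    if ($seen !== $options['siteurl']) {
        $options['siteurl'] = $seen;  // client-influenced value hits the database
        return true;
    }
    return false;
}

// Hardened pattern: siteurl is pinned in wf-config.php (hypothetical constant,
// trailing slash left in on purpose) and the database row is ignored on load.
define('SITEURL', 'http://wordform.org/');

function load_option(string $name, string $db_value): string
{
    if ('siteurl' === $name) {
        return preg_replace('|/+$|', '', SITEURL);
    }
    return $db_value;
}

// Constructed request shapes that all reach the same wp-login.php file.
$requests = [
    ['HTTP_HOST' => 'wordform.org',     'REQUEST_URI' => '/wp-login.php'],
    ['HTTP_HOST' => 'www.wordform.org', 'REQUEST_URI' => '/wp-login.php'],
    ['HTTP_HOST' => 'wordform.org',     'REQUEST_URI' => '/./wp-login.php'],
    ['HTTP_HOST' => 'wordform.org',     'REQUEST_URI' => '/wp-login.php', 'HTTPS' => 'on'],
];

// Simulated options table with the one row that matters.
$options = ['siteurl' => 'http://wordform.org'];

foreach ($requests as $server) {
    $url     = $server['HTTP_HOST'] . $server['REQUEST_URI'];
    $changed = login_vulnerable($options, $server) ? 'REWRITTEN' : 'unchanged';
    printf("%-30s db siteurl %-9s -> %s\n", $url, $changed, $options['siteurl']);
    // With the override in place the value the application actually uses never moves.
    printf("%-30s effective  %s\n", '', load_option('siteurl', $options['siteurl']));
}
```

Run with `php siteurl-drift.php` (any file name will do). Only the first request leaves the stored row alone; the www host, the `/./` path and the https variant each rewrite it to `http://www.wordform.org`, `http://wordform.org/.` and `https://wordform.org` respectively, which is the unnecessary, client-influenced database write the post complains about. `load_option` returns `http://wordform.org` on every iteration, so with the constant in place the stored row can drift all it likes without affecting where the administrative pages are served from.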

Categories
Weblogging

Quick update on Kitchen

Just a quick note to say that the Kitchen is still open for those who would like to post at the site. I did close it down at one point when the security problem happened a week ago, but it’s still open for writing and comments.

Currently, I’m editing Frank Paynter’s long posting on Why do we Blog — not content, the formatting. When Frank sent it to me in an email, copying it into the tool added unfortunate line breaks and they’ve caused problems. It should be much more readable now, or you can see the original at Frank’s.

There are some very interesting and compelling responses in this work, but I have to say, my favorite response is Happy Tutor’s, at the end.

Categories
Writing

Spell check your comments

Cold Forged did a very nice encapsulation of spell checking as a plug-in for WordPress. I grabbed the code and incorporated it as a new option in my comments pages so you can spell check your comments, both the live comment and the saved comment in the edit window.

But will we have as much fun without our quirky and endearing misspellings?

Categories
Weblogging

What? No nomination?

Recovered from the Wayback Machine.

I see that none of you nominated me in any of the categories at the 2004 Weblog Awards including the technical category. Or the photoblog category. Or in the “Small Mammal” category, which I think I was last time I looked.

Luckily there’s no ‘hiking weblog’ category, or you’d all be dirt right now.

Somehow, and it was tough I was so crushed, I have managed to swallow my disappointment and have gone out and cast votes for other people who were nominated: Molly and Meg for technical (taking turns daily), Meryl Yourish in her category, Feministe in hers. If you’re nominated and I know you, holler and I’ll vote for you, too. Do remember, though, that this is the same award that last year created a separate category just for women bloggers, leading to one of my better posts: Best Blog with a Female Spirit.

The 2004 Weblogging Awards is put on by the Wizbang weblog, known far and wide for its even handed coverage of politics. Yup, the only weblog more balanced is Little Green Footballs, who I have no doubt will win best blog.

(The Greenies are legendary in their fanatical devotion to Charles – look at how they screwed up Wikipedia.)

However, I think the awards are missing one category: The Mr. Rogers as Warblogger Award. This award would be for the person whose weblog writing best represents a weblog written by Mr. Rogers…if he were a warblogger.

Oh, hello Iraq. Boys and Girls, this is Iraq. Can we all sing hello to Iraq?

It’s a beautiful day in this neighborhood,
A beautiful day for a neighbor.
Would you be mine.
Could you be mine.
It’s a neighborly day in this beauty wood,
A neighborly day for a beauty
Would you be mine.
Could you be mine.
I have always wanted to have a neighbor
Just like you.
I’ve always wanted to live in a neighborhood
With you, so
Let’s make the most of this beautiful day
Since we’re together,
We might as well say,
“Would you be mine, could you be mine,
Won’t you be, my neighbor?”
Won’t you please?
Won’t you please?
Please won’t you be
My neighbor?

Welcome, neighbor, to this neighborhood. You know how I like freedom. I’d like to talk to you about freedom. We usually talk over there on the couch, so let’s just go there. [gets up, sits over on the couch] Our special talking place. This talk is called “Fighting Terrorism and making the world safe for people like you and me.”

And for this award, I’d like to nominate Jeff Jarvis and the entire Spirit of America: Friends of Iraq campaign. I’ll even donate a red, white, and blue sweater as prize.

Categories
Technology

When open source is like bad sex

Recovered from the Wayback Machine.

Earlier, in response to designer demands for programmers to be more responsive to users, I wrote a post titled Open Source is Like Sex. In it I said that the users need to think about being less passive–to meet the techs half way.

Of course, when the users say, “Come on honey, I’m ready to rock and roll”, it would help if the developers don’t respond with, “Not now, I’m not in the mood.”

This post is related to the earlier one about the vulnerability found in WordPress 1.2.1 and 1.3 that would allow anyone to change a person’s siteurl value just by entering a bad URL into a browser. This can render a site unreadable, and even unusable; luckily, though, it was a relatively easy hole to plug.

That WordPress, like all software, has bugs is nothing new and no big deal. There is no such thing as ‘perfect’ software, and you can spend the next twenty years jumping from weblogging tool to weblogging tool and still manage to stub your nose or your toes hopping into bed with each new hope of the moment. Perfection isn’t going to happen, and the most you can hope for is reliability, and that the tool doesn’t actively get in your way when you’re trying to write.

In their relationship with developers, users can meet them half way by understanding that shit happens. They can help with testing, by reporting the bugs, and by maintaining a sense of humor when things don’t quite go right. And yes, being grateful for the software, especially when it’s ‘free’. However, the developers also have a responsibility back to the user: to fix bugs, as soon as possible; to let users know about potential problems; and above all, to be respectful of the application’s users and their concerns.

That’s why I am disappointed about the events surrounding the siteurl bug, not because of the bug, but because of what happened before and after. It was best summed up by what one of the WordPress support forum moderators, podz, said: “When decisions are made, we will no doubt be told.”

And that about sums up the entire communication about this whole problem.

You know, if I had even a tiny fraction of the enthusiastic users that WordPress has, with any of my ideas and efforts, I’d damn near cry in delight. Ask any developer and they’ll tell you the same thing: sure, you can write code for yourself, but it’s more fun when others want to use it.

If users shouldn’t take developers for granted, the reverse should also be true: we should never take those who use our software for granted. Sometimes ‘free’ software developers forget that they truly are being paid for their time and their efforts; users are paying them with interest, with gratitude, and with trust.