Categories
Technology

Securing the form

Wordform’s metadata extensions require form elements with a minimum of a button to push — usually with fields to fill in. These form elements are incorporated into the general gen_metadata.php page, depending on which extension is currently being invoked.

The gen_metadata.php (see source) file accesses the extension directory and outputs a list of available extensions — similar to how plugins work in WordPress. When you click on an option, the file name and post ID is sent, using GET, back to the same page. This is valid REST, as all that’s happening at this point is a query.

The extension file, (see source for one of the extensions) is then included in the page. In this file is the form processing code, and the rest of the form elements necessary to access the appropriate metadata.

The form begins and ends in gen_metadata.php. This file also has several hidden fields for the filename of the extension, the post identifier and URI, as well as a secret token that is also added as a SESSION variable.

How the security for this is all set up:

The register_globals setting is turned off, ensuring that I pull values explicitly from $_POST or $_GET rather than relying on automatically created globals.

The update is handled through a form POST, so that a bot simply fetching the page contents with a GET cannot trigger it.

The original page, gen_metadata.php, calls code that validates the person’s authentication to access the page and also starts the session. With this in place, you have to be logged in to access the page.

To prevent a cross-site scripting (XSS) attack, each metadata file checks that the script is actually being included by the gen_metadata.php file located within the application’s admin directory. I then tested this myself using a spoofed request as well as a cross-site script, and the security worked.

Finally, today, I added a form security token. The code for this is added after the included extension script (so that the session variable is only reset after it’s used to test the validity of the post); the value is added to a form field that’s passed with the other data when the form is submitted.
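As an added illustration (not Wordform’s code), here is the same pattern in PHP: a one-time token kept in the session and sent in a hidden field, checked on POST and discarded once used, plus the “included only” guard for the extension files. The constant name, field name and session key are assumptions.

```php
<?php
// Added example, not Wordform's code. Constant, field and session
// key names (WORDFORM_ADMIN, form_token) are assumptions.
declare(strict_types=1);

// gen_metadata.php side: start the session and mark that extension
// files are being included from here rather than requested directly.
session_start();
define('WORDFORM_ADMIN', true);

/** Issue a fresh random token and remember it in the session. */
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from a CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

/**
 * Compare the submitted token with the session copy in constant time,
 * then drop it so a replayed or captured form cannot be reused.
 */
function consume_form_token(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);          // one-time use, pass or fail
    if (!is_string($expected) || !isset($post['form_token'])) {
        return false;
    }
    return hash_equals($expected, (string) $post['form_token']);
}

// Only a POST carrying a valid token is allowed to update anything;
// a plain GET to this URL merely renders the form below.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST)) {
        http_response_code(403);
        exit('Invalid or expired form token.');
    }
    // ... include the chosen extension file and let it process $_POST ...
}

// Render the form; the hidden token travels with the other fields and a
// new value is issued each time, so the old one is gone after use.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="gen_metadata.php">';
echo '<input type="hidden" name="form_token" value="' . $token . '">';
echo '<button type="submit">Update</button></form>';

// First line of every extension file, refusing direct requests:
// if (!defined('WORDFORM_ADMIN')) { http_response_code(403); exit; }
```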

Question to the PHP developers — what have I missed? What gaps did I leave? Where is the code more complicated, or less, than needed?

Feedback would be appreciated. I would prefer the kind in writing, rather than the kind I have been getting, which has been actual XSS attacks, usually every time I post to the Wordform weblog. These have become a bit wearisome.

Categories
Technology Weblogging

CVS Check-in

In order to help facilitate code walkthroughs for those who are willing to help examine the Wordform source code for security and other problems, I’ll be looking at checking this code into SourceForge CVS in the next couple of days. I’ll probably also re-release the source code then–without the metadata extensions, until these are vetted out as secure.

Boy, I’m tired. Between the small jobs I’ve had from webloggers and which have helped me make it through this month (bless their souls) and the work on this, I haven’t had a break from code for almost two weeks. Need a break.


Categories
Just Shelley

Meme cross-fire

I am now caught in the crossfires of two memes: one having to do with books and a deserted island; the other having to do with music. Rather than answer each individually, I’ve decided to combine them into one post, thereby blurring the trail and breaking the ‘meme hex’.

I was passed the music meme by Dori Smith, Jewel at Jewel’s Web Graphics and Dougal Campbell. Answering the questions given:

Total volume of music files on my computer: 344M. Yes, just 344M. The only music I have on my machine is what I’ve loaded to create one of my few attempts at mixing, or what I’ve downloaded from iTunes. I never listen to music from my computer.

The last CD I bought: It’s been so long since I’ve bought a CD, I’m not sure what the last one was. I think it might have been the Norah Jones: Feels Like Home. I can definitively say that the last song I downloaded was this.

Holding on

Song playing right now: The song “Sixteen Tons”, written by Merle Travis and sung by Tennessee Ernie Ford, in an ad on television where GE attempts to make coal mining into something sexy and environmentally sound. I hate the message, am jaw-droppingly amazed at the chutzpah of both the campaign and visuals–but love that song.

Five songs I listen to a lot, or that mean a lot to me: This is a tougher one.

Every time I start out on a trip I play “Gimme Some Lovin’” by the Spencer Davis Group. Not sure why, but I know that my trip will be jinxed if I don’t play this song when I start.

The Beatles’ song Michelle is not a favorite song, but it had a significant impact on me–it was the reason I changed my name from Michelle to Shelley. And if we are to ever meet some day, whatever you do, do not hum, mouth, whisper, or play this song.

As for other songs, there are so many that I love and that are important to me. I guess the ones I have particularly enjoyed listening to recently are Breathe (2am) by Anna Nalick; Me & Bobby McGee by Janis Joplin (“Freedom’s just another word for nothing left to lose…”); and Cat in the Window by Petula Clark–a personal anthem.

Now, on to the books.

I was passed the book meme by Loren Webster and Ken Camp. I gave a lot of thought to this meme–perhaps more than one should.

You’re stuck inside Fahrenheit 451, which book do you want to be?

There are so many beautiful books I would want to memorize, to preserve against destruction. However, when faced with a society that could condone the burning of books, truth has to matter more than beauty. But what is the ultimate book on truth? This one I couldn’t figure out, because I don’t think it’s been written yet.

After all, look around: at the killings in Iraq; untreated AIDS in Africa; our own homeless. Humanity hasn’t grown enough to write the ultimate book on truth.

Have you ever had a crush on a fictional character?

Yes, indeedy! I have had a crush or two among the weblogging community, and though the gentlemen aren’t fictional, they are most definitely characters.

The last book you bought?

All these memes must assume you have a great deal of discretionary income. Either that, or they’re planted by Amazon. Anyway, I believe my last book purchased was 60 Hikes within 60 Miles of St. Louis. I usually only buy hiking books; anything else I check out from the library.

What are you currently reading?

I just started what promises to be a wonderful book, Wicked: The Life and Times of the Wicked Witch of the West by Gregory Maguire.

Five books you would take to a deserted island?

I thought about this for a long time, running all the books I have read and enjoyed through my mind. I have several favorite books, but also knew that if I were stuck with any book for any length of time, I would grow weary of it at first, and then loathe it in the end.

Like the other pragmatic souls who have answered this question, I would want one of the books to be a survival guide. Most people have mentioned the Army Survival Manual, but I rather like what I’ve read about the SAS Survival Guide.

When I was searching for a survival guide, I found an interesting survival book list at Amazon, which included books such as Wilderness Survival, The Worst Case Scenario Survival Book, The Bipolar Disorder Survival Guide, and The Zombie Survival Guide. The latter book proves there is no subject that can’t end up as a book.

Ultimately, though, I decided that if I were going to be stuck on a deserted island, I would want the one survival guide and four large journals with blank, unlined pages. I would then use the journals to write my own books; and if I were to get tired of them over time, I would carefully erase the pages, one by one, and write new stories.

My thanks to those kind enough to pass the memes on to me, and apologies for the lateness of the answer. As for who to turn these memes to in turn, like my books on the island, I leave the spaces for these names blank and let those who are interested fill in their names.

So I’ll pass this on to the last five people who have left comments (with a web site–sorry Dan and Ed):

Denise Howell
Frank Paynter
Kafkaesquí
Scott Reynen
Dave Winer

Categories
Burningbird

I heard your pain

Well, I heard your pain and have modified my Burningbird theme to something I hope is a bit easier to read. To be honest, when I was tired and had been working on the computer for some time, even I found my site to be overly bold and colorful.

Yeah and the design was a little tough on the eyes, too.

The original design featured too much of the ‘wings’ of flames to the left, and that was a bit overpowering. I’ve made the design much smaller, and fitted it into the title. I still have the flirty little flip to the right, though. I am not giving up my flirty little flip to the right. Besides, I like my design ‘breaking out of the box’, so to speak.

I’ve added more gray, which should help tone down the bright colors, and also darkened the blue and the orange. In fact, these colors I did ‘borrow’ from Corante–I liked them better than the too light colors I had originally. These were getting overwhelmed by the design.

I like the modifications. It’s not as professional as the Corante theme, and I think I might put Zoë back into the sidebar (I love that photo)–but I don’t believe the new look will drive any reader to want to …yank their eyes out of their head, either.

As for the issues brought up about the use of Creative Commons, my appreciations to Denise Howell for taking time to chat about them. Perhaps the CC folks will benefit from this exchange. Or they won’t and we’ll have opportunities for new ‘themes’ and other exciting adventures in the future.