CHXO Internet

Putting PHP to work for the people.

Jun 26, 2011:

The CHXOR Years

This blog continues at

Jul 09, 2007:

Trac Error: IntegrityError

You get the exception "IntegrityError: : columns rev, path, change_type are not unique" when you look at any page in Trac. How to recover?

Issue the command "trac-admin /path/to/projenv resync", and that should fix your borked database.

Trac is a great project, but it took me too long to track down this simple fix to an annoying bug.

Jun 19, 2007:

CHXO Internet Scrapbook

I'm testing new scrap-blogging software at I don't think anyone actually follows this feed, but in case you do, you should follow that one for a while.

First impressions? Easier and funner than your real blog.

Apr 12, 2007:

svn: Your file or directory is probably out-of-date

This is one of the most maddening bugs in Subversion, ever.

You go to commit changes to your working copy, and svn responds with:

svn: The version resource does not correspond to the resource within the transaction. Either the requested version resource is out of date (needs to be updated), or the requested version resource is newer than the transaction root (restart the commit).

You follow the standard advice, which is to update your working copy using svn up. But nothing is out of date!

Arrrrgh! Can't commit!!!

You can do the following, but I don't know all the consequences of doing this so DON'T BLAME ME if you lose important local properties in your repository. I can say this has not hosed any of my working copies yet.

1) Go to the directory in your working copy that contains the problem file.
2) Delete .svn/all-wcprops from there.

That's it. Commit and be happy.

Feb 19, 2007:

Destructure This!

Neil Mix is excited about generators and the potential for threading in Javascript 1.7 (Firefox 2). Being a single-threaded kind of guy, I'm excited about destructuring assignment:
function size(img){
  let w = img.width;
  let h = img.height;
  return [w, h];
}
[width, height] = size($('image25'));
The size() function returns two values in an array, which are immediately assigned to the scalar variables width and height.

Seems simple, why am I excited? Because it *is* simple, and we haven't been able to do it gracefully before.

Feb 12, 2007:

Is your Linux timezone data up-to-date?

In 2005, US Congress changed Daylight Saving Time so that, beginning in 2007, it begins on March 11 and ends on November 4.

Most servers have already been updated, but since you definitely want to check, here's the command to do so:
zdump -v /etc/localtime | grep 2007
That should print out a list that confirms that DST is set to begin on March 11, and end on Nov. 4.

If it doesn't, well I suppose you need to get an updated tzdata package, or a patched zoneinfo file for your timezone. Ask your sysadmin.

Jan 29, 2007:

Safe_html.php Updated

Thanks to Görg Pflug, who sent me an interesting exploit for safe_html.php, your favorite HTML sanitizer has been updated to version 0.6.

His exploit embedded XSS code in such a way that when some tags were stripped by safe_html(), the exploit became active. Recombination attacks like that inspired safe_html() in the first place, so fixing the problem was straightforward: after stripping the tags, we check again for any obvious exploit attempts, and strip *everything* if found.
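To make the recombination problem concrete, here is an added example (not safe_html.php itself, and not Görg's exploit): a toy tag stripper in Python with a constructed input in which each forbidden tag is written inside the characters of another one, so that a single stripping pass reassembles a live tag. The deny-list, the function names and the sample input are all constructed for this illustration; the "recheck and strip everything" behaviour models the 0.6 fix described above, and a fixpoint loop is shown as the other common way out.

```python
import re

# Tags that must never survive sanitization (constructed deny-list for this example).
FORBIDDEN_TAG = re.compile(r"</?\s*(script|iframe|object|embed)\b[^>]*>", re.IGNORECASE)
# Recheck pattern: the opening of a forbidden tag, with or without its closing '>'.
FORBIDDEN_START = re.compile(r"<\s*/?\s*(script|iframe|object|embed)\b", re.IGNORECASE)


def strip_once(html):
    """One pass over the input removing every forbidden tag it can see."""
    return FORBIDDEN_TAG.sub("", html)


def safe_html_single_pass(html):
    """Models the pre-0.6 behaviour: strip once and trust the result."""
    return strip_once(html)


def safe_html_with_recheck(html):
    """Models the 0.6 fix described in the post: strip, then look again;
    if anything still resembles a forbidden tag, discard the whole input."""
    cleaned = strip_once(html)
    if FORBIDDEN_START.search(cleaned):
        return ""
    return cleaned


def safe_html_fixpoint(html):
    """Alternative fix: keep stripping until a pass changes nothing."""
    previous = None
    while previous != html:
        previous, html = html, strip_once(html)
    return html


# Constructed test input: each forbidden tag is written inside the characters of
# another one, so removing the inner tag reassembles the outer tag.
RECOMBINING_INPUT = "<p>hi</p><scr<script>ipt>alert(1)</scr</script>ipt>"

if __name__ == "__main__":
    print("single pass :", safe_html_single_pass(RECOMBINING_INPUT))
    print("with recheck:", repr(safe_html_with_recheck(RECOMBINING_INPUT)))
    print("fixpoint    :", safe_html_fixpoint(RECOMBINING_INPUT))
```

The single-pass version turns the harmless-looking input into a working script tag; the recheck version refuses the whole thing, and the fixpoint version keeps going until nothing changes. Either of the last two is acceptable; the point is that one pass is never enough when the output can contain fragments of what you just removed.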

Remember, if you use safe_html.php or any other CHXO software, you should subscribe to our Announcements List to be informed of critical updates such as this one.

Jan 24, 2007:

Using LocationMatch to fix a trailing slash problem in Trac

We use Trac to manage open source projects at work. It has a nifty plugin that allows you to mix in Doxygen-generated API documentation.

Trac, being rendered by mod_python, doesn't append a trailing slash to requests. But Doxygen assumes the trailing slash is there. How to fix?
<LocationMatch "/doxygen$">
    # the redirect target was cut off in the original post; the same path with
    # the trailing slash added is what the post describes
    Redirect permanent /doxygen /doxygen/
</LocationMatch>
Works like a charm.

Jan 18, 2007:

Dutch accessibility guidelines

A Tip document.

Jan 14, 2007:

Lessig on municipal networks

The Internet is fundamentally a network of peers. Packets sent by me are supposed to be handled the very same way, by agreement and common standard, as packets sent by Brand-X Megacorp.

Of course, some of the top-tier ISPs, and I'll single out the SBC/AT&T/Cingular megaplex since they're the subject of some controversy among alpha-geeks right now, want to be able to charge more for some packets.

Specifically, they want to charge more for packets containing commercial content, on the basis that those packets are somehow more valuable than all of the others.

In exchange for this predatory business practice they seem willing to forgo the protections afforded to "common carriers," exposing their shareholders to liability for any fraudulent or illegal packets sent over their networks. In other words, if they transmit packets used in the commission of a crime, they could be held accountable.

And the first time that happens, guess whose packets they will no longer consent to carry? That's right: yours and mine. The end of net neutrality will make it impossible for ISPs to allow the common man and woman to connect to the Internet as a peer. For that matter, it will make it impossible for them to transmit any email, considering the number of scams being perpetrated by the second in that medium alone.

Unless there are viable non-commercial alternatives, of course! As freedom lawyer Lawrence Lessig reminds us, cooperatives can accomplish amazing feats of transparent engineering when motivated by need. And not being able to send and receive email would qualify as a pretty big need.

The Internet as we know it may become a locked-down, commercialized, sanitized, rights-managed toll-road. But there are tens of millions of users who will choose to opt out of the commercial networks and forge ahead with a true network of peers. Just like the old days.

We can do it the hard way, on our own and with limited connectivity and bandwidth (think BBS), or we can convince our city and state governments to spend some fraction of a percent of our taxes to ensure that we all get a free and open internet, supplied by a common carrier.

So let AT&T charge as much as it wants for its pipes, and the sooner the better. When only MSN can afford to send content to AT&T subscribers, there will be exactly 5 subscribers left. Everyone else will be watching YouTube on the muni-net.

Jan 11, 2007:

Schneier on Passwords

Bruce Schneier is recommending mixed-case "first letter of each word in a sentence" (Floewias), with mixed-in numbers, rather than the usual word-plus-appendage approach.

The article also provides a good summary of why web applications, when not exposing XSS or other flaws, can be much harder to break into. There's no way, at least with my slow servers, that a program could make 900 guesses per second against my accounts.

Also, remote applications can tarpit or firewall chronic guessers, something desktop apps can't do.
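Since the tarpit idea is what makes the guess-rate argument work, here is an added example of what a server-side throttle looks like (not from the article and not from any CHXO software): per-source failure counters that impose a growing wait after a few free attempts and refuse a source outright after too many. The thresholds, delays and the address strings are constructed for the illustration; the clock is injectable so the behaviour can be exercised without real sleeping.

```python
import time
from collections import defaultdict

# Constructed policy values for the example.
FREE_ATTEMPTS = 5        # guesses allowed before the tarpit kicks in
MAX_DELAY = 60.0         # seconds; cap on the enforced wait
BLOCK_AFTER = 20         # failures after which the source is refused outright


class GuessThrottle:
    """Tracks failed login attempts per source address and decides, before a
    password is even checked, how long that source must wait or whether it is
    blocked. Counters reset on a successful login."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.not_before = defaultdict(float)

    def delay_for(self, source):
        """Seconds to tarpit the next attempt: 0 within the free allowance,
        then doubling per failure (1, 2, 4, ...) up to MAX_DELAY."""
        extra = self.failures[source] - FREE_ATTEMPTS
        if extra < 0:
            return 0.0
        return min(2.0 ** extra, MAX_DELAY)

    def check(self, source):
        """Return 'ok', 'wait' (too soon after the last failure) or 'blocked'."""
        if self.failures[source] >= BLOCK_AFTER:
            return "blocked"
        if self.clock() < self.not_before[source]:
            return "wait"
        return "ok"

    def record(self, source, success):
        """Update counters after the password check; success clears the slate."""
        if success:
            self.failures.pop(source, None)
            self.not_before.pop(source, None)
            return
        self.failures[source] += 1
        self.not_before[source] = self.clock() + self.delay_for(source)


if __name__ == "__main__":
    throttle = GuessThrottle()
    for attempt in range(8):
        decision = throttle.check("10.0.0.1")   # constructed source address
        print(attempt + 1, decision, "next wait %.0fs" % throttle.delay_for("10.0.0.1"))
        if decision == "ok":
            throttle.record("10.0.0.1", success=False)
```

At 900 guesses per second a desktop cracker is limited only by CPU; with this in front of the login handler, a source gets five free tries and then at most one more per doubling interval, which is the difference the article is pointing at.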

Oct 27, 2006:

Firefox 2.0 Macintosh Menus

Argggh! The latest version of Firefox takes away a very important feature for Mac OS X users: long-click context menus.

See, Mac laptops have only one button, which means that if you want to see right-click context menus (to open a link in a new tab, for instance) you need to use two hands and Ctrl-Click. One of the many great features of Firefox 1.x is that, for OSX, if you held down the mouse button for more than a second, the context menu would just appear.

The Fix! Hooray! You can enable long-click context menus using the about:config screen.

The key is ui.click_hold_context_menus. Set it to true and you'll be one-hand surfing again in no time!

Sep 21, 2006:

Trying to install Debian on Virtuozzo?

Says I: How do I put Debian on my VPS?

Says support: Ye'll get no support from the likes of me fer that, arrrrr.

That's okay. Linux supports itself. Here's a step-by-step (in German) for installing vanilla Debian on a Virtuozzo guest.

A deep aversion to Plesk, indeed. Rock on, DanielD.

Aug 22, 2006:

Browsers Leak History Through Visited Links

Jeremiah Grossman has posted some proof-of-concept javascript that can determine if you have visited any of a number of popular websites. (Select the "I Know Where You've Been" div on the right and View selection source to see it.)

In a nutshell, if you want to find out whether someone has visited a particular url you simply render a link to that url on your page, and then use javascript to check the computed color of the link. If it matches the color of visited links, you can guess that they've seen the page.

Clever, because the visited link behavior is old-school and seems safe enough, but it's actually leaking private information about your browsing habits.

Aug 21, 2006:

VMWare rtc: lost some interrupts

You run VMWare Server on Debian Linux. You start a Guest OS, and suddenly your logs start filling up:
Aug 21 12:56:11 dey kernel: rtc: lost some interrupts at 2048Hz.
Aug 21 12:56:42 dey last message repeated 1528 times
Aug 21 12:57:43 dey last message repeated 3050 times
Aug 21 12:58:44 dey last message repeated 3050 times
VMWare is being a little too aggressive about checking the clock.

I'm sure there are better ways to fix this, but the VMWare Timekeeping Manual recommends the following workaround for Guest OSes where exact timekeeping isn't necessary:

You can prevent /dev/rtc from being used. This will generally cause clocks to run slow
in any virtual machines you have that need the additional interrupts, but that may be
acceptable to you, depending on your application. To do so, add the following setting to
each virtual machine's .vmx configuration file, or add the setting globally to the host's
configuration file (/etc/vmware/config):
host.useFastClock = FALSE
Added that line to /etc/vmware/config, called /etc/init.d/vmware restart, and the messages disappeared.

Update: As pointed out here, you can also fix the problem (rather than just ignoring it as I did) by building a custom kernel with HPET_EMULATE_RTC.

I don't use VMWare anymore, but if you do, you should definitely take the time to grok the High-Precision Event Timer and the various kernel options related to it.

Aug 11, 2006:

PHP 5.2 to support HttpOnly cookie flag

From Ilia Alshanetsky comes news that PHP 5.2's setcookie() will support a new "HTTP only" parameter. The idea is that you can ask browsers to use the cookie for HTTP requests only, and not share it with Javascript, Flash, etc.

This is a Big Deal from a security standpoint, because it would protect web applications from a whole class of Javascript-based cross-site scripting or XSS attacks, wherein an attacker uses script to steal the victim's session cookie and impersonate them.

There will also be a php.ini setting to set the httpOnly flag on session cookies, which is where it is needed most.

Right now, httpOnly is an MSIE thing, supported by IE6.5 (and presumably 7). Other browsers are working on it.

Warning: If you use XMLHttpRequests, you may still be exposing the Cookie: header of a response to javascript. Further testing will be required once browser implementations of HttpOnly are ironed out.
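What the flag looks like on the wire, as an added example that is not from Ilia's post or from PHP itself: Python's standard http.cookies module emitting a session cookie with HttpOnly, plus a small audit helper that scans a response's Set-Cookie values for cookies still readable by script. The cookie names and values are constructed. In PHP 5.2 the same thing is the seventh argument of setcookie() and, for session cookies, the session.cookie_httponly php.ini setting.

```python
from http.cookies import SimpleCookie


def session_cookie_header(name, value, httponly=True, secure=False, path="/"):
    """Build the value of a Set-Cookie header for a session cookie.
    With HttpOnly set, a conforming browser still sends the cookie on HTTP
    requests but does not expose it to document.cookie or plugins."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if httponly:
        jar[name]["httponly"] = True
    if secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie value into its name plus the two protective flags."""
    parts = [part.strip() for part in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0]
    attributes = {part.lower() for part in parts[1:]}
    return {
        "name": name,
        "httponly": "httponly" in attributes,
        "secure": "secure" in attributes,
    }


def cookies_missing_httponly(set_cookie_values):
    """Audit helper: names of cookies in a response that script could still read."""
    return [cookie_flags(v)["name"] for v in set_cookie_values
            if not cookie_flags(v)["httponly"]]


if __name__ == "__main__":
    # Constructed headers: one session cookie done right, one legacy cookie without the flag.
    headers = [
        session_cookie_header("PHPSESSID", "abc123"),
        "remember_me=1; Path=/",
    ]
    for header in headers:
        print("Set-Cookie:", header)
    print("missing HttpOnly:", cookies_missing_httponly(headers))
```

Remember that HttpOnly only keeps the cookie away from script on the client; it does nothing against the injected script making requests that carry the cookie, which is the next entry's subject.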

Jul 27, 2006:

Pro PHP Security Reviewed on Slashdot

I just got back from China to find out that Pro PHP Security, which I co-authored with Mike Southwell, was reviewed on Slashdot.
Pro PHP Security is arguably the most comprehensive PHP security book available, and is highly recommended to any developer or administrator of a PHP-based Web site.
Wow, that's exactly what we set out to do. Yay!

Jun 20, 2006:

Prototype.js Documentation Update

The Snook Chart has all the objects/methods as a cheat sheet (though not the arguments or what types are returned, grr...)

Opereira's Notes are still by far the best everyday reference.

And for filling in the rest (that is, everything that isn't Prototype), I can't recommend Krook's DOM Doc enough.

That's the update.

May 12, 2006:

Dear Apple Computer

I think, in light of Bootcamp, you need to sell Windows XP Home Licenses in the Apple Store.

(check it)

I have several copies of this fine software in the family, so all I need is another key, and I'll have myself a nice little gaming rig or "business" workstation.

If I could buy it from you, I would... you know, to support the cause.


Apr 24, 2006:

Get you some DOM
Best. API doc. Ever.*

*until someone does the same thing for Prototype

Apr 11, 2006:

Ajax Considered Harmful?

I'm gonna have to think about this one: csej (Cross-Site Evilness with JSON) makes a good point about the potential for abuse that can occur in the following situation:

1) You are logged into a private, AJAX-enabled site in one tab

2) You visit a bad guy in another tab

Traditionally, the bad guy could cause your browser to make an authenticated request to the private site, but the content of the response would not be visible to his script, because it would be in an iframe.

But if the request is sent by xmlHttpRequest() and a JSON object or a collection of JSON objects is requested, then the response will be visible to bad guy's JavaScript... hmm.

I'd like to see a demo to prove that xmlHttpRequest() will send the session cookie for the private site with a request that originated on a page controlled by bad guy.

Even if it doesn't work as described, it's close enough to warrant the use of a shared secret besides a session cookie when transmitting private data.
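The "shared secret besides a session cookie" idea, as an added example that is not from the csej article or from any CHXO code: a JSON endpoint that refuses any request carrying only the session cookie and requires a per-session token that only the site's own page script knows, sent in a custom header. The session store, cookie name, header name and response payload are constructed for the illustration. One caveat on the question above: a cross-site XMLHttpRequest cannot read the response under the same-origin policy; the realistic 2006 vector was loading the JSON through a script tag, and the token check defeats that too, since the attacker's page cannot supply it.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def create_session(user):
    """Log a user in: mint a session id (sent as the HttpOnly session cookie)
    and a separate per-session token that the page's own script must echo back."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user, "token": secrets.token_hex(16)}
    return session_id


def authorize_json_request(cookies, headers):
    """Return the session for a JSON request, or None if it must be refused.
    The browser attaches the session cookie to any request for this site,
    whichever page started it, so the cookie alone does not prove the request
    came from our own page. The token is only known to script running on our
    page, so a matching token does."""
    session = SESSIONS.get(cookies.get("PHPSESSID", ""))
    if session is None:
        return None
    supplied = headers.get("X-Request-Token", "").encode()
    if not hmac.compare_digest(supplied, session["token"].encode()):
        return None
    return session


def private_data(cookies, headers):
    """JSON endpoint returning (status, payload); payload is ready for json.dumps."""
    session = authorize_json_request(cookies, headers)
    if session is None:
        return 403, {"error": "forbidden"}
    return 200, {"user": session["user"], "messages": ["constructed private data"]}


if __name__ == "__main__":
    sid = create_session("alice")
    token = SESSIONS[sid]["token"]
    # Cross-site request: the cookie rides along automatically, the token does not.
    print(private_data({"PHPSESSID": sid}, {}))
    # Our own page: its script adds the token it was handed at login.
    print(private_data({"PHPSESSID": sid}, {"X-Request-Token": token}))
```

The token is handed to the page at login (in the HTML, not in a cookie) and compared in constant time; a custom request header also happens to be something a plain form post or script tag cannot set, which is why the check works even without worrying about how the request was made.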

Prototype documentation summary

Prototype is an extremely handy JavaScript language extension, which gives developers a whole new way of writing js apps.

There is no "official" documentation, and unless you're fully clued in to the Prototype way of doing things (apparently Rails gurus have an advantage), it can take a while to find your way around.

In fact, when you consider the breadth of Prototype's utility (in only 2000 lines), an exhaustive reference with real world examples and explanation of advanced JavaScript concepts would be book-length.

But real hackers just dive in... You could start with the Overview of the Prototype Javascript Library which has some interesting observations and tips to get you up to speed fast.

If you liked jordan's writeup, then read the entire source of prototype.js. I didn't understand half of it the first time through, but it was incredibly helpful to work through those bits and recognize patterns.

If you want a good review of important concepts, Particletree's Quick Guide should be on your list.

And finally, for a comprehensive reference to use while coding, tag Serio Pereira's Using Prototype.js 1.4.0.

Apr 06, 2006:

The real reason Apple's bootcamp is a Good Thing

Who is going to boot or virtualize into Windows so they can use IE?

If more people start using OSX, we (web developers) can finally be free of ActiveX, MSHTML, and all the other dreck that comes with the big blue e, in all its guises.

So here's a hint to everyone who buys Mactel in the next few years: that Firefox thing is available no matter what OS you're using.

Mar 15, 2006:

Backup Linux to NTFS Using GNU tar

We have a nice, disk-based backup system at work that uses BackupExec, and a disaster recovery policy that sees full backups stored offsite every week.

Rather than duplicate the system for the unix servers I manage, I've been writing my backups to a share on the Windows system, and they get backed up and archived with everything else.

But because the share is NTFS, I have to make a really nasty choice: preserve unix permissions and file times by using archives (which back up everything every night), or use rsync to back up only what's changed but lose all the file metadata, thanks to Windows' brain-dead filesystem.

Additionally, the share that I'm writing to has a 2GB filesize limit, which seems to preclude the use of tar altogether, since full backups are at 6GB and growing for our media server.

But then I discovered that GNU tar can do incremental backups! And there is a handy unix utility called split which will break files (or standard input) into conveniently-sized chunks.

Here, then, is how I solved my backup dilemma: incremental tar piped to split.
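The pipeline itself is tar --listed-incremental=SNAPSHOT -cf - SOURCE | split -b SIZE - PREFIX, and the chunks go back together with cat PARTS | tar -xf -. As an added example (not the script from the post), here it is wrapped in Python so a full run and a following incremental run can be exercised end to end on constructed sample files. It assumes GNU tar (for --listed-incremental) plus coreutils split and cat; the chunk size, prefix and file names are constructed for the example.

```python
import subprocess
import tempfile
import time
from pathlib import Path

CHUNK_SIZE = "1900M"  # stay under the 2 GB per-file limit of the share (constructed value)


def incremental_backup(source, dest_dir, snapshot, chunk_size=CHUNK_SIZE):
    """Equivalent of:  tar --listed-incremental=SNAPSHOT -cf - SOURCE | split -b SIZE - PREFIX
    The snapshot file records what the last run archived. Keep it between runs and
    tar writes only files changed since; delete it to force a full backup.
    Returns the chunk files written, in order."""
    source, dest_dir = Path(source), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    prefix = dest_dir / "backup.tar.part-"
    tar = subprocess.Popen(
        ["tar", "--listed-incremental=" + str(snapshot), "-cf", "-",
         "-C", str(source.parent), source.name],
        stdout=subprocess.PIPE)
    subprocess.run(["split", "-b", chunk_size, "-", str(prefix)],
                   stdin=tar.stdout, check=True)
    tar.stdout.close()
    if tar.wait() != 0:
        raise RuntimeError("tar exited with status %d" % tar.returncode)
    return sorted(p for p in dest_dir.iterdir() if p.name.startswith(prefix.name))


def list_archive(chunks):
    """Reassemble the chunks and list the archive:  cat PARTS | tar -tf -"""
    cat = subprocess.Popen(["cat", *map(str, chunks)], stdout=subprocess.PIPE)
    listing = subprocess.run(["tar", "-tf", "-"], stdin=cat.stdout, check=True,
                             capture_output=True, text=True)
    cat.stdout.close()
    cat.wait()
    return sorted(line for line in listing.stdout.splitlines() if line)


def demo_round_trip(chunk_size="1024"):
    """Full backup, then an incremental one after changing one file, with a tiny
    chunk size so the splitting is visible. Returns what each archive contained."""
    work = Path(tempfile.mkdtemp())
    data = work / "data"
    data.mkdir()
    (data / "a.txt").write_bytes(b"A" * 3000)   # constructed sample files
    (data / "b.txt").write_bytes(b"B" * 3000)
    time.sleep(1.1)  # file times must be older than the snapshot timestamp
    snapshot = work / "snapshot"
    full = incremental_backup(data, work / "full", snapshot, chunk_size)
    time.sleep(1.1)  # and the change newer, even on 1-second-resolution filesystems
    (data / "b.txt").write_bytes(b"C" * 3000)   # change one file only
    incr = incremental_backup(data, work / "incr", snapshot, chunk_size)
    return {
        "full_chunks": len(full), "full_members": list_archive(full),
        "incr_chunks": len(incr), "incr_members": list_archive(incr),
    }


if __name__ == "__main__":
    print(demo_round_trip())
```

Keep the snapshot file with the backups: restoring means extracting the full archive and then each incremental in order, and losing the snapshot means the next run is a full backup again. Chunks sort correctly by name as long as you stay under split's default two-letter suffix range.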

Mar 01, 2006:

BitTorrent Will Save Us All

The BBC Program Newsnight was apparently deluged with email when they suggested that using BitTorrent implies theft. Producer Adam Livingstone responded with an apology, and then sought to elaborate on what the segment was trying to say.

Of interest to me is that, in response to ISPs' use of traffic shaping to throttle BitTorrent transfer (30% of all internet traffic yadda yadda yadda), BT clients now use an encrypted channel, effectively eliminating the kind of analysis required for traffic shaping. The capital-F Fear is that with all that encrypted data flying around, it is now even easier for bad guys to hide their evil plottings.

Hah. I have at least five things to say in response.

First of all, bravo to BT client authors for finally protecting our privacy. It's about time those streams were encrypted, I always assumed they were.

Second, if you're spying on people, watching internet traffic is a horrible way to try to do it. Internet packets are forgeable, reroutable, and ephemeral. Any judge who would allow a felony conviction based on internet packet capture needs an education in how this stuff really works.

Third, BitTorrent may make up 30% of all internet traffic, but BT is designed to move content through the edges of the network rather than from a single point in the center. BT clients are constantly optimizing the download so that packets are sent across the fewest hops possible.

The 30% number is likely bogus, but even if you took it at face value, the right way to phrase it is that 30% of all internet traffic is now being efficiently served from peers rather than being forced through the internet backbone. ISPs should be encouraging this kind of use!

Fourth, the network is much more robust than we think it is. There are millions of miles of dark fiber (in America, at least). There are extremely competent people running the show behind the CEOs backs. TCP/IP can cope with massive demand, even at version 4.

Fifth, and finally, do we really live in an age when, five years after a content distribution technology as nearly perfect as BitTorrent is introduced, the major content producers in our society still haven't figured out that they could be using it to their advantage? Is the management at Disney, Viacom, News Corp, et al really this brain dead? And if so, why does their stock still trade?

It's not that difficult. I should charge your media company hundreds of thousands of dollars for this advice, but I'm a softie and you guys are just pathetic, so here it is for free:

Release your own BitTorrents. In stereo HD. With advertisements. For free, without DRM. Publish the torrent files on your show's website.

It will cost you nothing. It will put an end to pirated versions. You will know how many people downloaded based on click. You can tell advertisers that their ads will be on the harddrives of hundreds of millions of viewers around the world.

Most of all, your audience will think that you actually appreciate and respect them.

Or you can bitch about illegal downloading and piracy (arrrr!) and how BitTorrent is going to crash teh internets, and watch as people desert your shows in droves.

Feb 19, 2006:

Postfix on OSX: Fatal: Open Lock File pid/

You use OSX. You change the Postfix configuration, or maybe you install your own. You get this error throughout your mail.log: "fatal: open lock file pid/ unable to set exclusive lock: Resource temporarily unavailable"

I know you do, because I've seen you asking about it all over the Internets, and no one ever has an answer. Well, try this, because it worked for me (click through)...

Feb 16, 2006:

Search and replace in nano

Oops, I just learned how to search and replace in nano.

I've been using this excellent little editor (which is like pico but available without pine) since 1999. I didn't know until just now that Ctrl-\ initiates search and replace. How embarrassing...

...but _very_ good to know.

Feb 14, 2006:

The "Simple" Guide to Secure Webhosting

I found this Slashdot post to be extremely informative, and I'll be happy to admit that it even taught me a few new tricks (like, it never occurred to me (not being a C coder) to edit /bin/sh so that "nobody's" userid was locked out).

But I have to take issue with the "tired of people getting rich writing books making hype about what (should be) a very trivial issue" thing at the end. Utter bullshit. It only seems like a trivial issue once you master all of the concepts involved, and by then you'll be far more valuable as a sysadmin than a PHP coder.

Someone has to write about this stuff, otherwise how are the rest of us supposed to find out how to do it?

Feb 11, 2006:

Gmail Jumps the Shark?

Gmail's new popup. Is anybody else meta-annoyed by the new...

Jan 28, 2006:

Batch Export of QuickTime Movies

A little AppleScript can go a long way, especially once you know
how to save export settings from the QuickTime (Pro) Player.

Combine that with some folder actions or an Automator droplet (or just the command line), and you can make your own video processing robot.
