26 April 2008

updated WordPress security whitepaper

blogsecurity.net has released version 1.2 of their "How to secure WordPress" whitepaper. Looks like they've added some v2.5-specific details along with updated information about security-related plugins.

25 April 2008

Wil Wheaton and Radio Free Burrito

I've recently started reading Wil Wheaton's blog, and I've really enjoyed it. He's a very good writer with a lot to say.

Perhaps like many viewers, I felt that Wesley was one of the dimmer lights in Star Trek: The Next Generation. I think Wil might reply to that kind of comment with something along the lines of "I was a kid. I did what they told me to do." Look me in the eye and tell me you'd have done any differently. Thought so. And me neither.

(Besides, he got to make out with Ashley Judd. Look me in the eye and tell me you'd have done any differently. Thought so. And me neither.)

Anyway, this week he posted a couple of episodes of his Creative Commons podcast called Radio Free Burrito, on which he plays some music from podsafe. It's totally awesome and you're totally a hoser for not listening. So get over there and start listening.

18 April 2008

BSG

Battlestar Galactica is finally back, and I'm really enjoying it. The other day I found the Battlestar Wiki and thought it was pretty cool. I'm pretty eager to find out who the twelfth Cylon is. My money is on Tom Zarek. Or maybe Dualla.

16 April 2008

Prompt for new firefox window

I tend to run my window manager (fluxbox) with four desktops, and I typically have firefox windows open in two of them. Occasionally I have to open a firefox window on the third or fourth desktop, and it's a nuisance to go to one of the first two desktops, open a new window (Ctrl-N), and move the new window to the other desktop (and I acknowledge the irony of considering that a "nuisance").

I recently discovered the -new-window command-line option to firefox. It takes a URL as an argument, and it opens that URL in a new window. So I wrote a shell script that prompts me for a URL and then opens that page in a new browser window. If you want to try this, save the following to a file (I saved it to ~/bin/ffwin), and remember to make the file executable:

#!/bin/bash
# ffwin: prompt for a URL with dialog, then open it in a new Firefox window.

URL=$( dialog --stdout \
    --backtitle ffwin \
    --title 'new Firefox window' \
    --inputbox 'URL:' 8 40 )

# Cancelling the dialog or entering nothing leaves $URL empty, so do nothing then.
# Quoting "$URL" keeps a URL containing spaces or shell metacharacters as one argument.
if [ -n "$URL" ]; then
    exec firefox -new-window "$URL"
fi

When you run this, a new xterm window will open, and dialog will prompt you for the URL. Preceding the firefox call with exec means that the xterm will go away after you enter the URL.

As a further refinement, make it so that you can run this from a menu-click. I added the following entry to ~/.fluxbox/menu, so that I just have to right-click on the desktop and select "ffwin":

[exec] (ffwin) {xterm -e ~/bin/ffwin}

Other window managers would likely allow you to create a custom application launcher from a toolbar or menu or widget or something.

14 April 2008

XML in PHP5: the weather

My favorite weather-related Web site is the weather underground, but their pages can be a bit heavy. Usually I just want a quick summary of current conditions and a forecast for the next day or two. Thankfully, wunderground provides this in XML format. Here's the example for Portland, Oregon: HTML, XML.

I thought it would be fun to write a quick PHP program to download the XML file, parse it, and present it in an easy-to-read format. I decided to use the SimpleXML extension for PHP5, because my XML-parsing needs are pretty modest for this project. And I'll use the curl extension to fetch the XML file.

<?php
// Fetch the wunderground RSS feed for Portland, Oregon (both unit systems).
$url = 'http://rss.wunderground.com/auto/rss_full'
     . '/OR/Portland.xml?units=both';

$ch = curl_init($url);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );   // return the body instead of echoing it
curl_setopt( $ch, CURLOPT_HEADER, 0 );           // body only, no response headers
$xmlstr = curl_exec($ch);
$res_info = curl_getinfo($ch);
curl_close($ch);
if ( $xmlstr === false || $res_info['http_code'] != 200 ) {
    header( 'content-type: text/plain' );
    die("couldn't open $url");
}

$xml = new SimpleXMLElement($xmlstr);
$epoch = strtotime( (string) $xml->channel->pubDate );
$date = date( 'H:i:s l j F Y', $epoch );
$report_uri = htmlentities(
    (string) $xml->channel->item[0]->link );
$forecast_items = array();
foreach ( $xml->channel->item as $item ) {
    // strip markup, undo the feed's own HTML encoding once, then encode once
    $desc = strip_tags( (string) $item->description );
    $forecast_items[] = array(
        'guid' => htmlentities( (string) $item->guid, ENT_QUOTES ),
        'desc' => htmlentities( html_entity_decode($desc) ),
    );
}

echo '<html><body><h1>Weather Underground Report</h1>',
     '<h2>Portland, Oregon: ', $date, '</h2>';
foreach ( $forecast_items as $item ) {
    $id = '';
    if ( !empty($item['guid']) ) {
        $id = ' id="' . $item['guid'] . '"';   // guid was entity-encoded above
    }
    echo "<p$id>", $item['desc'], '</p>';
}
echo '<p><a href="', $report_uri, '">Full report</a></p>',
     '</body></html>';

There's some magic in the first foreach loop. Just as you should never trust anything typed into a Web form, you should also be skeptical of content from a foreign XML document, hence the strip_tags() and htmlentities() calls. But some of the characters in the wunderground XML are already HTML-encoded (like the degree symbol), so it's useful to call html_entity_decode() first (otherwise the temperature might look like "75&#176;F", rather than "75°F").

The code is otherwise straightforward. If you look at the raw XML, you'll find that the entire report is wrapped in a <channel> container, inside which the report date is wrapped in a <pubDate> container, etc. As its name implies, SimpleXML makes parsing XML pretty easy, and it's a great choice for small projects like this.
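To make that encoding round-trip concrete, here is an added example of my own (not code from the original post): the same strip_tags / html_entity_decode / htmlentities chain run over a constructed feed fragment, with the charset pinned to UTF-8 so the result does not depend on the PHP version's default. The sample XML and the names clean_text() and clean_attr() are mine.

```php
<?php
// Added example (not from the original post): the strip_tags / html_entity_decode /
// htmlentities chain over a constructed feed fragment, charset fixed to UTF-8.

// Constructed sample. In the XML source the degree sign is already an HTML
// entity (&amp;#176; parses to the text "&#176;") and the guid carries quotes.
$sample = <<<XML
<rss><channel><item>
  <guid>day "one"</guid>
  <description>&lt;b&gt;Sunny&lt;/b&gt;, high 75&amp;#176;F</description>
</item></channel></rss>
XML;

// For element content: drop markup, undo the feed's own encoding exactly once,
// then encode exactly once for HTML output. Skipping the decode step would
// encode the ampersand of "&#176;" a second time, and the browser would show
// the entity text rather than the degree sign.
function clean_text($s) {
    $s = strip_tags((string) $s);
    $s = html_entity_decode($s, ENT_QUOTES, 'UTF-8');
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// For an attribute value such as id="...": the guid is plain text, so there is
// nothing to decode, but ENT_QUOTES is needed so a quote inside the value
// cannot terminate the attribute early.
function clean_attr($s) {
    return htmlentities((string) $s, ENT_QUOTES, 'UTF-8');
}

$xml  = new SimpleXMLElement($sample);
$item = $xml->channel->item[0];

echo '<p id="', clean_attr($item->guid), '">',
     clean_text($item->description), "</p>\n";
```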

08 April 2008

fopen($url) v. curl in PHP

Occasionally you'll see PHP code which uses require() or include() or fopen() or file_get_contents() to import code from a remote location (the argument to those functions can be a URL). This sort of thing is generally considered to be a bad security practice, especially if you don't control the code at the remote location (it could unexpectedly change in such a way as to do something destructive to your application).

Many PHP security experts tend to recommend disabling the allow_url_fopen option in php.ini. Disabling this feature can even serve to prevent inadvertent code injection. Imagine an application which calls require($file) where $file is dynamically determined. If your application has some sort of problem which allows an attacker to set the value of $file, the attacker can inject the code of his/her choosing into your application.
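As an added illustration of the mitigation (my own code, not from the post): a dynamically chosen include resolved through an allowlist and a realpath check, so the value can only ever select a known file and never a URL. The page names, the pages/ directory and the warning logic are assumptions.

```php
<?php
// Added example (not from the original post): resolve a dynamically chosen
// include through an allowlist so the value can never be a URL or a stray path.

// Hypothetical page map: the only names a request may select.
$allowed_pages = array(
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
);

// Return the absolute path of the include for $name, or false if $name is not
// in the allowlist or the resolved file lies outside $base_dir.
function resolve_include($name, array $allowed, $base_dir) {
    if (!isset($allowed[$name])) {
        return false;                       // unknown page name: refuse
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $allowed[$name]);
    if ($base === false || $path === false) {
        return false;                       // file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // resolved outside the include dir
    }
    return $path;
}

// Defence in depth: confirm remote wrappers are off. allow_url_include
// (PHP >= 5.2) is the setting that governs include/require; on older PHP
// allow_url_fopen covered it, as described above.
if (ini_get('allow_url_fopen') || ini_get('allow_url_include')) {
    error_log('warning: remote URL wrappers are enabled for this script');
}

// $_GET['page'] is untrusted; it is only ever used as a lookup key.
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_include($page, $allowed_pages, __DIR__ . '/pages');
if ($file === false) {
    header('HTTP/1.0 404 Not Found');
    die('no such page');
}
require $file;
```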

So I feel that disabling allow_url_fopen is a good idea, but sometimes you need to initiate HTTP requests in your PHP code. The curl extension provides a good way of doing this. The following snippet will put the contents of the Web page at $url into the $page variable:

$ch = curl_init($url);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt( $ch, CURLOPT_HEADER, 0 );
$page = curl_exec($ch);
curl_close($ch);

The previous example is a GET request, but you can also do POST:

$postdata = 'var1=value1&var2=value2';
$ch = curl_init($url);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt( $ch, CURLOPT_HEADER, 0 );
curl_setopt( $ch, CURLOPT_POSTFIELDS, $postdata );
$page = curl_exec($ch);
curl_close($ch);
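
The GET and POST snippets above, wrapped in a helper with the checks I would want before using them in an application; this is an added example of my own, not code from the post. The helper name, the timeout value and the example.com URL are assumptions.

```php
<?php
// Added example (not from the original post): the cURL GET/POST pattern from the
// post wrapped in a helper with the checks a production fetch needs. Returns the
// response body on HTTP 200 and false on any failure.
function fetch_url($url, array $postdata = null, $timeout = 10) {
    // Refuse anything but http(s) before cURL sees the URL, so a file: or
    // ftp: URL that reaches this code from user input goes nowhere.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_CONNECTTIMEOUT => $timeout,    // don't hang on a dead host
        CURLOPT_TIMEOUT        => $timeout,    // ...or on a slow response
        CURLOPT_FOLLOWLOCATION => false,       // a redirect could point anywhere
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,        // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
    ));
    if ($postdata !== null) {
        // http_build_query() encodes the values, unlike a hand-built
        // 'var1=value1&var2=value2' string.
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postdata));
    }

    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($body === false || $code !== 200) {
        error_log("fetch_url: $url failed, http $code: $err");
        return false;
    }
    return $body;
}

// GET (the weather feed from the previous post) and POST (assumed endpoint):
$feed = fetch_url('http://rss.wunderground.com/auto/rss_full/OR/Portland.xml?units=both');
$resp = fetch_url('http://example.com/form', array('var1' => 'value1', 'var2' => 'value2'));
```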

07 April 2008

undeclared attributes in PHP classes

I was recently surprised to discover that a PHP object can have attributes (variables) not declared in the class. The following works in PHP4 and PHP5 (it prints 'ick' and then 'yark'):

class Gakkk {}

$gakkk = new Gakkk();
$gakkk->blech = 'ick';
echo $gakkk->blech, "\n";
$gakkk->blech = 'yark';
echo $gakkk->blech, "\n";

At best, this strikes me as a very poor programming practice. Who knows when this sort of thing will stop working (in a future version of PHP)? And what kind of code readability is this?

I really like PHP, but this is just weird to me.
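
One way to make that kind of mistake fail loudly instead of silently creating a property, as an added example of my own (not from the post): a base class whose __set() hook refuses undeclared attributes. The class and attribute names are illustrative.

```php
<?php
// Added example (not from the original post): __set() is only invoked for
// properties that are undeclared or inaccessible, so a base class can use it
// to reject typos like "$gakkk->blech" at the point of the mistake. (PHP 8.2
// deprecates dynamic properties; on earlier versions this is the only catch.)
class Strict {
    public function __set($name, $value) {
        throw new LogicException(
            get_class($this) . " has no declared attribute '$name'");
    }
}

class Gakkk extends Strict {
    public $bleh = 'ok';    // the attribute the author meant to use
}

$g = new Gakkk();
$g->bleh = 'ick';           // declared and public: __set() is not involved
echo $g->bleh, "\n";

try {
    $g->blech = 'yark';     // undeclared: __set() runs and throws
} catch (LogicException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```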

06 April 2008

PHP4 in RHEL4

Since last year's announcement that PHP4 will reach end-of-life this summer, I've been wondering what will become of PHP in the versions of Red Hat's Enterprise Linux distribution which shipped with PHP4. Looks like Red Hat will continue to provide bugfix and security updates for PHP4 throughout the lifetime of the RHEL releases that shipped with it.

05 April 2008

Falkirk Wheel

Friends of mine like roller coasters. Screw that. I wanna ride the Falkirk Wheel:

I've long been fascinated by locks and canals (I walked over the Erie Canal twice a day my first year of grad school), and this is one of the cooler mechanisms I've seen. It's even quite energy efficient: because the two caissons (the 'chairs' of this two-chair merry-go-round) always weigh the same, it takes very little energy to run the thing.

If I'm ever in Scotland, I'm totally checking this out.