Hack into any MacOS X

Posted by Jad on May 19, 2008

Early this week, I finally went and purchased Leopard to upgrade my Mac Mini and start running the same MacOS version on all the computers I use. Everything was going well until the automated system reboot. Somehow, at the login prompt, my root access wasn’t being authorized anymore.

A simple search quickly revealed I wasn’t the only one that ran into this kind of issue: every Mac user that had a password of 8 characters or more faced the same problem. But now what’s the solution when your root password is a long one?

You will be relieved to hear that Apple’s software engineers already thought of that. Actually, I don’t know how much thought was put into it, but there is a solution available. The only problem is that this same solution can be used by anyone on a computer running MacOS X (haven’t tried older versions) to gain root access.

I’ll let you judge for yourselves.

Back from a long break…

Posted by Jad on May 16, 2008

Wow - my last post was on December 6th, over 5 months ago! Having to write after all this time makes me feel like it was the first post ever… Where to start? Nowhere.

I can see that things have been moving pretty quickly in the CakePHP world: CakePHP 1.2 Beta, 1st CakeFest (damn, I missed that!) and last but not least, the Cookbook.

My highlights of the past 5 months:

  • Moved back to Montreal
  • Migrated from WinXP to Vista (very briefly) to Mac OS X
  • Massive workstation upgrade
  • Took a loooong break from work
  • Hired new staff 

Some of the big changes to expect on the blog:

  • Moving soon to its own domain
  • Mike will start blogging in the coming weeks (my latest recruit on the development team)
  • Getting a facelift sooner than later

I’ll leave it at that for the moment… After all, it’s just to say I’m back ;)

HtmlSource - a new DBO driver for CakePHP

Posted by Jad on December 06, 2007

Ok, ok - I’ve been slacking on this blog again, but I will keep that for another post where I will announce some major changes I have been thinking of lately. For today, I’d like to introduce the new DBO Source Driver: HtmlSource - which is completely functional but still lacks some of the features I have planned for it.

So what’s an HTML DBO driver you ask?

Simply put, it’s a way to treat any HTML page like a database and be able to retrieve (scrape) certain parts using an SQL-like command:

SELECT href, title FROM a WHERE class="submit"

Continue reading…

PHP releases 5.2.5 to fix multiple vulnerabilities

Posted by Jad on November 15, 2007

For those of you who have not opted to receive the PHP announcements from the php.net site, here’s an important one you shouldn’t miss if you are using the 5.2.x branch.

From the PHP team:

over 60 bug fixes, several of which are security related

Some of the vulnerabilities are:

  1. Various errors exist in the “htmlentities” and “htmlspecialchars” functions where partial multibyte sequences are not accepted.
  2. Various boundary errors exist in the “fnmatch()”, “setlocale()”, and “glob()” functions and can be exploited to cause buffer overflows.
  3. An error in the processing of “.htaccess” files can be exploited to bypass the “disable_functions” directive by modifying the “mail.force_extra_parameters” php.ini directive via an “.htaccess” file.
  4. An error in the handling of variables can be exploited to overwrite values set in httpd.conf via the “ini_set()” function.

More details can be found in the official announcement here.

GridHelper - for easy grids in CakePHP

Posted by Jad on November 03, 2007

Been busy as hell and I’m afraid it will be like this for another month or so, but here is a quick one I felt like sharing because I hope it will be helpful to some.

Haven’t you ever wished to only have to write something like this in your views:

e($grid->create($results));

Continue reading…

Conventional solution for the visitors + AclComponent

Posted by Jad on October 28, 2007

At different places where I read about ACL, a common question that always comes early in the comments is:

Assuming ‘Guests’ users are unidentified web visitors, how do you handle their access rights? They don’t log in, so they can’t be assigned an ARO and thus ACL will reject their access to any actions.

How do you handle ‘Guest’ users’ permissions if they are not logged in?

Continue reading…

Components used in Shells

Posted by Jad on October 26, 2007

While working with Shells, most of the time I have some Tasks, each taking care of certain specific business logic. Today, I had the need for a special Task. Special because it was actually kind of a duplicate of an existing Component: my quite useful, but still too incomplete to share, SerialComponent.

Like I just said, this Component is incomplete and I know that I will be making several changes in the coming month - so quickly, before thinking of duplicate code, good/bad cake or anything like that, I realized that I didn’t want to have 2 different classes to update every time. That being said, what’s coming next is my implementation of a Component inside a Task, which, I still don’t know if it makes a good or bad cake, but at least avoids most of the duplicate code. Maybe there is a better one I don’t know of that would entirely avoid that duplication, but until then, the following works.
Continue reading…

XSS prevention and general sanitization

Posted by Jad on October 21, 2007

Today, while lurking on irc, someone asked about field sanitization and how to avoid XSS attacks (cross site scripting for those who are wondering), something every one of us should think about when developing an application. Truth is that while CakePHP does an amazing job at making you ‘forget’ about SQL injections (since it takes care of that right out of the box), it doesn’t deter nor filter other ways like the infamous XSS unless you ask it to do so.

I won’t go over the different kinds of possible attacks; I believe a lot has already been documented. To make it short: if your application uses forms, cookies or accepts parameters directly from the URL and you haven’t thought about that, it’s time you start doing some research. You should never trust your users!
Continue reading…
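To make the point concrete, here is an added example that is not part of the original post or of CakePHP itself: the same user-supplied value dropped raw into a view next to the same value escaped at output time with htmlspecialchars(). The function names (escapeForHtml, renderUnsafe, renderSafe) and the sample inputs are constructed for the demonstration; the syntax is kept to what PHP 5.2 accepts.

```php
<?php
// Added example (not from the original post): the same user-supplied string
// echoed raw into a view versus escaped for HTML output.
// All input values below are constructed for the demonstration.

/**
 * Escape a string for safe inclusion in HTML text or a quoted attribute.
 * ENT_QUOTES escapes both ' and "; passing the charset explicitly tells
 * htmlspecialchars how to interpret multibyte sequences in the input.
 */
function escapeForHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: the raw value lands in the page, so markup submitted through
// a form, a cookie or a URL parameter is interpreted by the browser.
function renderUnsafe($name)
{
    return "<p>Welcome back, $name!</p>";
}

// Hardened: the value is escaped at output time, the one place where the
// context it is being written into (HTML body text) is actually known.
function renderSafe($name)
{
    return '<p>Welcome back, ' . escapeForHtml($name) . '!</p>';
}

// Constructed sample inputs: a benign name, a script tag, and a value that
// tries to break out of a quoted attribute.
$inputs = array(
    'Jad',
    '<script>alert(document.cookie)</script>',
    '" onmouseover="alert(1)',
);

foreach ($inputs as $input) {
    echo "input:  $input\n";
    echo "unsafe: " . renderUnsafe($input) . "\n";
    echo "safe:   " . renderSafe($input) . "\n\n";
}
```

Run it from the command line with php and compare the unsafe and safe lines: in the escaped output the angle brackets and quotes come back as entities, so the browser renders them as text instead of executing them. Escaping belongs in the view, not on the way into the database, because the same stored value may later be written into HTML, an attribute, JavaScript or a URL, and each context needs its own encoding. In CakePHP 1.x the h() convenience function in basics.php is the short-hand wrapper around htmlspecialchars() for exactly this purpose.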

SQL query logs in CakePHP’s shells

Posted by Jad on October 18, 2007

When I was coding some shells today, after getting used to the invaluable query logs when working with controllers/views, it didn’t take much to realize that one of my favorite features in CakePHP had just stopped working. When I asked on irc, gwoo said it doesn’t work.

I needed those, and I wanted to avoid having to use the MySQL logging, so I started digging in the code until I got it fixed. So, if you’re like me and want to optimize every single call made to your database, there is only one line to edit, and that’s in /cake/console/cake.php at the bottom of the ShellDispatcher::__bootstrap() method:

//remove this line
Configure::write('debug', 1);

For some reason, they just decided to overwrite the debug setting you made in your core.php - I think someone had it there and just forgot about it, because it’s supposed to be showing those errors. If you look at DbSource::showLog(), you will notice that it already takes care of separating between queries made using the command line (shells) and the ones made using the browser (http), to show lines instead of table rows…

I really can’t answer what the reason for overwriting my debug settings is, but so far removing it hasn’t affected anything else, so I’ll consider it fixed for now. Do you have any idea why it’s there?

Custom error handling in CakePHP

Posted by Jad on October 12, 2007

One of CakePHP’s magic features is the routing system: router, dispatcher, error handler.

All three are involved in handling every HTTP request made to the application. Some of the invaluable features of this routing system are the default missing controller/action/helper/component/etc. pages, which save any newcomer to the CakePHP community lots of trouble when starting to bake stuff.

When I started looking into the system’s core for how to best handle custom errors, I stumbled on different things that I thought interesting to point out, and a couple of ‘bugs’ (or uncleaned legacy lines of code). I also realized that it couldn’t do the basic stuff I needed to handle, like logging errors and showing a specific error template for specific errors. So, let’s get to it.
Continue reading…