Archive for June, 2007
TurboGears and Pylons will merge! (and CleverHarold RIP)
Mark Ramm, one of TurboGears's core developers, announced on the TurboGears mailing list that they will merge with Pylons! To be more precise, the TurboGears API will be implemented on top of Pylons. It seems they have already made some tests/proofs of concept that are, as they say, "a huge success". That's really good news for Python web framework development, and good news for me, as I won't have to choose between the two :-)
As a side note, it seems another framework, CleverHarold, has disappeared without anybody noticing. Its domain is parked, and today its Google Group page went offline (the last messages were from people asking if the project was still alive).
Update: Noah Gift wrote a nice article about the merge.
CCT (CalCubeTimer) v0.2 is now available
CalCubeTimer in its newest version is now available! For people who don't know, CCT is a Java program that times Rubik's cube solves. It is really cool not only because it is beautiful, easy to use and has a client mode to connect to a central server (for contests), but because it lets you plug in your Stackmat and show its display in full screen!
HOWTO Installation of OpenWRT on a WGT634U USB router Part 2
OK, now we have to configure the network. The goal is to be able to connect to our access point, from which we'll reach our "sound server" (I call it that because I still haven't decided between mpd+mpc+samba and a more direct approach such as esd).
We'll set the wifi interface as a client (station) of the remote access point, and keep the WAN interface on a static IP (here 192.168.1.1).
Please note that changing this configuration makes the network access you used previously unusable. The only safe way in remains the serial console, so keep it connected until the new setup is confirmed working.
First, edit the file /etc/config/network:
config switch eth0
option vlan0 "0 1 2 3 5*"
option vlan1 "4 5"
[...] # localhost config here
[...]
config interface wan
option ifname "eth0.1"
option proto static
option ipaddr 192.168.1.1
option netmask 255.255.255.0
[...]
config interface lan
option type bridge
option ifname "eth0.0"
option proto dhcp
Then edit the file /etc/config/wireless:
config wifi-device wifi0
option type atheros
option channel 8
option disabled 0
[...]
config wifi-iface
option device wifi0
option network lan
option mode sta
option ssid YOUR_SSID
option encryption none
option hidden 0
If your access point uses encryption, such as WEP, use this wifi-iface block instead (keep in mind that WEP is thoroughly broken and only keeps out casual neighbours; if the access point supports it, prefer WPA2-PSK, which OpenWrt configures with "option encryption psk2" and the passphrase in "option key"):
config wifi-iface
option device wifi0
option network lan
option mode sta
option ssid YOUR_SSID
option encryption wep
option key 1234567899
option hidden 0
The other available options are described in the OpenWrt wireless configuration documentation. If all went well, you should now have an IP address on your br-lan interface (the WGT634U's switch ports are bridged with the wifi interface).
The next part will be the most interesting :-) I think I'll try all the different methods of implementing an automatic player daemon: direct methods, and indirect methods using a shared filesystem such as CIFS.
Reference
Jkx@Home's article explaining another use of the WGT634U
Videos of every presentation of Journée Python 2007 are now online!
As the title says, every presentation was filmed and has just been uploaded for everyone's pleasure! Here is the two-part video of the Twisted presentation by Michael SCHERER.
Oh, by the way, please take a minute to vote for your favourite Internet Engine!
Security patching WordPress themes against cross-site scripting (XSS)
A nice article explaining the vulnerability in WordPress themes (in fact, in anything that echoes user input back into a page unescaped, PHP or not :-) was published some days ago. Now there's even a vulnerability scanner available (written in Perl).
I ran it on several of the blogs I manage, and all of them were vulnerable to XSS (wp-scanner also tests other vulnerabilities) :-(
I followed the advice on blogsecurity's website and modified all of the search functions I could find. Now wp-scanner doesn't report any vulnerability (it doesn't mean it is cracker-proof, but it's a good start).
So if anybody else uses the Redoable theme like me, you should patch the header.php file. Near the top of the file, find the "Search for" string and wrap the $s variable in htmlspecialchars():
Search for <?php echo htmlspecialchars($s); } ?>
Do the same in searchform.php (here the value lands inside a double-quoted attribute; htmlspecialchars() escapes double quotes by default, but pass ENT_QUOTES if your theme uses single-quoted attributes):
searchform" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
An additional layer of protection is the mod_security module for Apache/Apache2, which can detect and block this kind of attack. But this requires that you control your server.
To prevent web visitors from sending tags, you can add the following rule in your virtual host:
SecFilter "<(.|\n)+>"
Now, when someone requests < anything >, the visitor gets a 403 error, and your audit log shows:
==36d82a37==============================
Request: www.gradstein.info 82.67.175.56 - - [11/Jun/2007:11:10:56 +0200] "GET /?s=%3Cwpscan%3E HTTP/1.1" 403 202 "-" "Mozilla/5.0" - "-"
----------------------------------------
GET /?s=%3Cwpscan%3E HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "<(.|\\n)+>" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
HTTP/1.1 403 Forbidden
Content-Length: 202
Please note that mod_security does not fix your application. With mod_security alone, the WordPress theme is still vulnerable at the underlying level: the rule only blocks what matches its pattern, and any input that reaches the unescaped echo by another route is still reflected. Using mod_security is fine, but it is much more advisable to correct the origin of the problem than to cover it up.
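To make that last point concrete, here is an added example (mine, not code from the post, the Redoable theme or mod_security), written in Python as a stand-in for the PHP: the unpatched and patched versions of the two template lines above, plus a small imitation of the SecFilter "<(.|\n)+>" rule applied to the request URI. The two request lines are constructed, not taken from any log. The first is the scanner's probe; the second carries no angle brackets at all, so the tag filter lets it through to the searchform.php attribute, which is exactly the case that only the htmlspecialchars() fix covers. The WAF stand-in only looks at the URI, unlike the real module, which also inspects headers and (optionally) POST bodies.

```python
import html
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# --- The theme, before and after the patch ---------------------------------

def render_search_vulnerable(s: str) -> str:
    """Unpatched header.php: echoes the search term straight into the page."""
    return "Search for " + s

def render_search_fixed(s: str) -> str:
    """Patched header.php: same output as htmlspecialchars($s, ENT_QUOTES)."""
    return "Search for " + html.escape(s, quote=True)

def render_form_vulnerable(php_self: str) -> str:
    """Unpatched searchform.php: PHP_SELF lands inside a double-quoted attribute."""
    return '<form id="searchform" action="' + php_self + '">'

def render_form_fixed(php_self: str) -> str:
    """Patched searchform.php: the attribute value is escaped, quotes included."""
    return '<form id="searchform" action="' + html.escape(php_self, quote=True) + '">'

# --- A minimal stand-in for the SecFilter rule -----------------------------

# SecFilter "<(.|\n)+>": any tag-like sequence anywhere in the request URI.
TAG_FILTER = re.compile(r"<(.|\n)+>")

def waf_decision(request_line: str) -> Optional[int]:
    """Return 403 when the rule matches the URL-decoded request URI, else None.

    mod_security normalises (URL-decodes) the request before matching, which is
    why %3Cwpscan%3E in the post's audit log was caught. Only the URI is checked
    here (assumption of this example); the real module inspects more.
    """
    uri = request_line.split()[1]
    return 403 if TAG_FILTER.search(unquote(uri)) else None

def handle(request_line: str, waf_enabled: bool, patched: bool) -> Tuple[int, str]:
    """Run one GET request through the (optional) WAF and then the theme."""
    if waf_enabled and waf_decision(request_line) == 403:
        return 403, ""
    uri = request_line.split()[1]
    parts = urlsplit(uri)
    s = parse_qs(parts.query).get("s", [""])[0]   # WordPress's $s
    php_self = unquote(parts.path)                 # PATH_INFO arrives URL-decoded
    if patched:
        body = render_search_fixed(s) + "\n" + render_form_fixed(php_self)
    else:
        body = render_search_vulnerable(s) + "\n" + render_form_vulnerable(php_self)
    return 200, body

# Constructed sample requests (not taken from the post's logs).
SCANNER_PROBE = "GET /?s=%3Cwpscan%3E HTTP/1.1"                  # what wp-scanner sends
ATTR_PAYLOAD = "GET /index.php/%22%20onfocus=%22x%22 HTTP/1.1"   # no '<' or '>' anywhere

if __name__ == "__main__":
    for label, req in (("scanner probe", SCANNER_PROBE), ("attribute payload", ATTR_PAYLOAD)):
        for waf in (False, True):
            for fixed in (False, True):
                status, body = handle(req, waf, fixed)
                print(f"{label:18} waf={waf!s:5} patched={fixed!s:5} -> {status} {body!r}")
```

Running it shows the four combinations: the WAF turns the scanner probe into a 403 whether or not the theme is patched, but the attribute payload passes the filter in every case and is only neutralised (quotes turned into &quot;) when the template itself escapes its output.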
HOWTO Installation of OpenWRT on a WGT634U USB router
Before the 7.06 stable version of OpenWRT there were many problems getting USB audio to work on this exceptional router (the only one I know of with a USB port): problems with kernel versions 2.4/2.6, problems with ALSA, problems with USB 2 not working, etc. Take a look at the forums and see all the horrible, painful modifications/patches you needed to apply to make it work.
I have to say that the OpenWRT developers/contributors (and the forum members) did a wonderful job and corrected every known problem. So with this version, the installation is really straightforward!
Please read the following to get all the details.
Journées Python Francophone 2007 Conference at La Villette, France
I went today to the Journée Python 2007 conference in France. I managed to see half of the Twisted intro, some lightning talks, and most of the afternoon presentations (thanks to Ido's mid-day nap).
Most of the talks were of the introductory type, but they were finely presented (alas, most of the audience already knew Python). I hope I'll find the time to prepare a more advanced Twisted presentation for next year's conference (there will be one, right?)