posts brought to you by the category “movable type”
Das eez kaput! Sometime around 2002 I spaced the
entire database table that mapped individual entries to
categories. Such is life. What follows is a random
sampling of entries that were associated with the
category. Over time, the entries will be updated and then
it will be even more confusing. Wander around, though,
it's still a fun way to find stuff.
Movable Thoughts #21 : Removed -T from mt.cfg and mt-send-entry.cgi
You can enable taint mode explicitly with the -T command-line switch. You should do this for daemons, servers, and any programs that run on behalf of someone else, such as CGI scripts. Programs that can be run remotely or anonymously by anyone on the Net are executing in the most hostile of environments. You should not be afraid to say No! occasionally. Contrary to popular belief, you can exercise a great deal of prudence without dehydrating into a wrinkled prude.

On the more security-conscious sites, running all CGI scripts under the -T flag isn't just a good idea: it's the law. We're not claiming that running in taint mode is sufficient to make your script secure. It's not, and it would take a whole book just to mention everything that would. But if you aren't executing your CGI scripts under taint mode, you've needlessly abandoned the strongest protection Perl can give you.

The Camel Book, 3.0
Movable Thoughts #20 : Your mother wears Google boots
Subject: [google] I'm not sure I understand what you're after...
From: Aaron Straup Cope
To: Derek Powazek
Date: Wed, 19 Nov 2003 13:29:32 -0500
...exactly. But in an MT setup, you could just use mod_rewrite and a 10-20 line Perl script :

# Stick this in a .htaccess file at the root
# of your website. Obviously, the USER_AGENT
# condition(s) would need to be adjusted
# accordingly
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/yer/mt-comments\.cgi
RewriteCond %{HTTP_USER_AGENT} Googlebot [NC]
RewriteRule .* - [F]

# Or alternately, if you want to let
# Google archive the comments. RewriteCond
# lines only apply to the rule that follows
# them, so they are repeated here, and the
# query string has to be matched separately
# because RewriteRule patterns never see it.
RewriteCond %{REQUEST_URI} ^/yer/mt-comments\.cgi
RewriteCond %{HTTP_USER_AGENT} Googlebot [NC]
RewriteCond %{QUERY_STRING} ^id=(\d+)$
RewriteRule .* /mt-linkstripper.cgi?id=%1 [R,L]

I can't remember whether the comments are rendered as static files. If they are then you could also set up a 'special' template that loads a plugin to do the same thing that the as-yet unwritten "mt-linkstripper.cgi" does. At which point, the RewriteRule just points to the new file (which makes your web server happier.)
Prime Minister Poutine : “I will have my money
for my fine and a joint in the other hand.”
Maciej Ceglowski : "...the Getty Center is the
architectural equivalent of a Barry White record."
David Cantrell : File::Find::Rule::Permissions.pm
Doron Rosenberg : The XSLT/JavaScript Interface In
Gecko
It's my birthday!
Best line of the game : "And the world laughs
together",
as yet another Brazilian player takes
a dive and plays the drama queen.
The dictified dictionary.com word of the day is :
exacerbate
Exacerbate \Ex*ac"er*bate\, v. t. [imp. &
p. p. {Exacerbated}; p. pr. & vb. n. {Exacerbating}.]
[L. exacerbatus, p. p. of exacerbare; ex out (intens.) +
acerbare. See {Acerbate}.] To render more violent or
bitter; to irritate; to exasperate; to imbitter, as passions
or disease. --Brougham.
web1913
exacerbate v 1: make worse; "This drug
aggravates the pain" [syn: {worsen}, {aggravate},
{exasperate}] [ant: {better}] 2: exasperate or irritate
[syn: {exasperate}, {aggravate}]
wn
The random pseudodictionary.com word of the day is :
nurple
Feeling rather blue.
ex. I'm feeling rather nurple
today.
The random pseudodictionary.com word of the day is :
connectamazoink
A certain ambiguous something used to connect
something to something else.
ex. "Get the connectamazoink," he said after
dropping the vase.
The dictified dictionary.com word of the day is :
probity
Probity \Prob"i*ty\, n. [F. probit['e], fr. L.
probitas, fr. probus good, proper, honest. Cf. {Prove}.]
Tried virtue or integrity; approved moral excellence;
honesty; rectitude; uprightness. ``Probity of mind.''
--Pope. Syn: {Probity}, {Integrity}. Usage: Probity denotes
unimpeachable honesty and virtue, shown especially by the
performance of those obligations, called imperfect, which
the laws of the state do not reach, and can not enforce.
Integrity denotes a whole-hearted honesty, and especially
that which excludes all injustice that might favor one's
self. It has a peculiar reference to uprightness in mutual
dealings, transfer of property, and the execution of trusts
for others.
web1913
probity n : complete and confirmed integrity
wn
Jason Diamond : Template Languages in XSLT
The random pseudodictionary.com word of the day is :
kabash
Killed, brought to an end, finished.
ex. The project was finally kabash, and all
were relieved.
The dictified dictionary.com word of the day is :
peccadillo
Peccadillo \Pec`ca*dil"lo\, n.; pl.
{Peccadillos}. [Sp. pecadillo, dim. of pecado a sin, fr. L.
peccatum. See {Peccant}.] A slight trespass or offense; a
petty crime or fault. --Sir W. Scott.
web1913
peccadillo n : a petty misdeed [syn:
{indiscretion}]
wn
Barrie Slaymaker : Bootstrapping AxKit
From the "Step away from the computer" department
:
Hockey Night in Canada
The dictified dictionary.com word of the day is :
maudlin
Maudlin \Maud"lin\, a. [From Maudlin, a contr.
of Magdalen, OE. Maudeleyne, who is drawn by painters with
eyes swelled and red with weeping.] 1. Tearful; easily
moved to tears; exciting to tears; excessively sentimental;
weak and silly. ``Maudlin eyes.'' --Dryden. ``Maudlin
eloquence.'' --Roscommon. ``A maudlin poetess.'' --Pope.
``Maudlin crowd.'' --Southey. 2. Drunk, or somewhat drunk;
fuddled; given to drunkenness. Maudlin Clarence in his
malmsey butt. --Byron.
web1913
maudlin adj : effusively or insincerely
emotional; "a bathetic novel"; "maudlin expressions of
sympathy"; "mushy effusiveness"; "a schmaltzy song";
"sentimental soap operas"; "slushy poetry" [syn:
{bathetic}, {mawkish}, {mushy}, {schmaltzy}, {schmalzy},
{sentimental}, {slushy}]
wn
J. David Eisenberg : An SVG Histogram [in Perl]
Jon Udell : Quick and Dirty Topic Mapping
Andrew Wilson : Mail::Address::Tagged.pm
"This module implements an object that can generate and validate tagged email addresses. These are designed to be used primarily in anti-spam applications. The addresses generated all carry extra information, such as the date when they expire, who may use them to send you mail etc. A cryptographic hash of this extra information is also included in the address. This Hashed Message Authentication Code (HMAC RFC 2104) is your guarantee that the information contained in the address has not been tampered with."
The Connection : Art Spiegelman and Francoise
Mouly
"[T]he New Yorker's arts editor, have
been living for the past three months on the threshold of
unfamiliar images. In September, downtown New York was
eloquently captured by their collaboration, a black-on-black
New Yorker cover, broken only by one, now-ghostly antenna.
More images have followed, along with despair at their
inadequacy, and triumph at their ability to communicate the
deepest feelings in the simplest way."
The 'canadian', features a helmet of fine bacon
and a chin-strap of sausage links."
via
mesh
Graham Klyne : "I've found it easier to use Notation 3 [1] to create arbitrary RDF content in a text editor, then use cwm [2] to convert it to RDF/XML. For example, my current WebWho profile source is at [3], which generates the RDF/XML [4]."
see also :
RDF::Notation3.pm
Brian Wilson : Mail Management With Mime::Tools
"Recently I had a thought: Why not
save any attachments and make them immediately available on
the Web server? Then by replacing the attachment with the
appropriate URL in the outbound email message, each message
recipient could decide whether or not to download the files."
see also : Using Perl to
send email (and attachments) with Outlook
The dict-ified dictionary.com word of the day is
billet
| source : web1913 | Billet
\Bil"let\, n. Quarters or place to which one is assigned, as
by a billet or ticket; berth; position. Also used fig.
[Colloq.] The men who cling to easy billets ashore.
--Harper's Mag. His shafts of satire fly straight to their
billet, and there they rankle. --Pall Mall Mag. | source :
web1913 | Billet \Bil"let\, n. [F. billette, bille, log; of
unknown origin; a different word from bille ball. Cf.
{Billiards}, {Billot}.] 1. A small stick of wood, as for
firewood. They shall beat out my brains with billets. --Shak.
2. (Metal.) A short bar of metal, as of gold or iron. 3.
(Arch.) An ornament in Norman work, resembling a billet of
wood either square or round. 4. (Saddlery) (a) A strap which
enters a buckle. (b) A loop which receives the end of a
buckled strap. --Knight. 5. (Her.) A bearing in the form of
an oblong rectangle. | source : web1913 | Billard \Bil"lard\,
n. (Zo["o]l.) An English fish, allied to the cod; the
coalfish. [Written also {billet} and {billit}.] | source :
web1913 | Billet \Bil"let\, n. [F. billet, dim. of an OF.
bille bill. See {Bill} a writing.] 1. A small paper; a note;
a short letter. ``I got your melancholy billet.'' --Sterne.
2. A ticket from a public officer directing soldiers at what
house to lodge; as, a billet of residence. | source : web1913
| Billet \Bil"let\, v. t. [imp. & p. p. {Billeted}; p.
pr. & vb. n. {Billeting}.] [From {Billet} a ticket.]
(Mil.) To direct, by a ticket or note, where to lodge. Hence:
To quarter, or place in lodgings, as soldiers in private
houses. Billeted in so antiquated a mansion. --W. Irving. |
source : wn | billet n : for military personnel (especially
in a private home) v : provide housing for, of military
personnel [syn: {quarter}, {canton}]
Le Devoir : The Internet gives Esperanto a second wind
"Basic English is easy; its phonetics are not. You can hear people's accents very clearly when they speak English, but not in Esperanto. And it is not a neutral language: it is the symbol of an identity, of a culture, and it marks a superiority. Do you think you are talking as equals at an international congress where there are Britons or Americans? English is the second language of everyone else, who are the ones who must make the effort and concentrate. With Esperanto, everyone is in the same boat: everyone has to learn it. It is the language of equality, and it harms no national language."
James Spahr : NewsFeedsPalm
"is a very simple tool for Radio
Userland. It publishes your Userland On the Desktop content
to a website that is ideal for Avantgo Channels. It basically
puts Userland On the Desktop on your Palm."
David Helder : DiaWebLog
"is an interface between IRC and a
web log. The DiaWebLog consists of items. An item consists of
a title, url, and comments. Items are posted and edited by
member of the IRC channel by interacting with the
DiaWebLogBot."
Sightings : stop, art
The dict-ified dictionary.com word of the day is
effusive
| source : web1913 | Effusive
\Ef*fu"sive\, a. Pouring out; pouring forth freely. ``Washed
with the effusive wave.'' --Pope. {Effusive rocks} (Geol.),
volcanic rocks, in distinction from so-called intrusive, or
plutonic, rocks. -- {Ef*fu"sive*ly}, adv. --
{Ef*fu"sive*ness}, n. | source : wn | effusive adj 1: uttered
with unrestrained enthusiasm; "a novel told in burbly panting
tones" [syn: {burbling}, {burbly}, {gushing}] 2:
extravagantly demonstrative; "insincere and effusive
demonstrations of sentimental friendship"; "a large gushing
female"; "write unrestrained and gushy poetry" [syn:
{emotional}, {gushing(a)}, {gushy}]
Prompted by all the talk about using Movable Type as an open relay for spammers, I decided to poke at the actual code and see what was going on.
There really isn't anywhere that Movable Type should be disabling taint mode but if I had to list things in order of importance, the mt-send-entry.cgi script would be near the top.
The script is potentially handing off to the sendmail program, whose entire existence has been marked by security exploits. There is nothing to suggest that more won't be found in the future. Relying on sendmail to test for Potential Badness being passed by a ne'er-do-well via the Internet is wishful thinking, at best, and just plain crazy, at worst.
In fairness, the Movable Type mail widget tries to load Mail::Sendmail, which does some basic sanity checking and, drumroll, untainting on the stuff you pass it. On the other hand, it is not part of the core libraries shipped with Perl, nor is it in Movable Type's extlib directory, which is a mystery since two thirds of its dependencies are part of the core and the other third has no non-standard requirements itself.
Untainting email addresses can be brain-crushingly difficult and inaccurate, and the last thing you want to do when you're selling a computer widget for non-technical people is start spewing errors where there are none. But not only did the Movable Type kids disable the -T flag on the mt-send-entry.cgi script, they don't appear to have ever done any kind of untainting on the to and from parameters. Hello? Is anyone home? I find this especially discouraging because one of the first things I did when Movable Type was released was send Ben code to at least try and untaint email addresses.
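What the missing step looks like in practice, as an added example that is not Movable Type's code and not the patch sent to Ben: a strict regex capture is the only way to launder a tainted request parameter under -T, and the addresses are then passed to sendmail as separate arguments rather than through a shell. The address grammar, the sendmail path and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not Movable Type's code: launder the "to" and "from"
# request parameters before anything is handed to sendmail. The address
# grammar is a deliberately strict subset of what RFC 822 allows.
use strict;
use warnings;

# Under -T, request data stays tainted until a regex capture extracts
# the part we are willing to trust; anything else is refused outright.
sub untaint_address {
    my ($raw) = @_;
    return undef unless defined $raw;
    # No whitespace at all: a CR/LF inside a header value is what turns a
    # notification script into a relay, and no real address contains one.
    # No leading "-" either, so the value cannot be read as an option.
    return undef if $raw =~ /\s/ || $raw =~ /\A-/;
    if ($raw =~ /\A([A-Za-z0-9][A-Za-z0-9._+-]{0,63}
                   \@
                   (?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+
                   [A-Za-z]{2,63})\z/x) {
        return $1;    # the captured text is untainted
    }
    return undef;
}

# Hand off with addresses as separate argv entries (no shell, no -t parsing
# of recipients out of the body) and the scrubbed environment taint mode
# demands before any exec. Path to sendmail is an assumption.
sub send_entry {
    my ($from_raw, $to_raw, $subject, $body) = @_;
    my $from = untaint_address($from_raw);
    my $to   = untaint_address($to_raw);
    die "refusing to send: bad address\n" unless defined $from && defined $to;
    $ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $subject =~ s/[\r\n]+/ /g;    # never let a caller inject a header line
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-f', $from, $to)
        or die "cannot run sendmail: $!\n";
    print {$mail} "From: $from\nTo: $to\nSubject: $subject\n\n$body\n";
    close($mail) or die "sendmail exited with status $?\n";
    return 1;
}

# Constructed inputs: the first two are accepted, the last two refused.
for my $addr ('ben@example.com', 'a.b+c@mail.example.org',
              "victim\@example.com\nBcc: x\@example.net", '-leading@example.com') {
    printf "%-45s => %s\n", $addr =~ s/\n/\\n/gr,
        defined untaint_address($addr) ? 'ok' : 'refused';
}
```

Run it as perl -T so the switch on the shebang line is honoured; the sample loop exercises only untaint_address, while send_entry is the function a script such as mt-send-entry.cgi would call with the request's to and from values.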