Alex Rodriguez

We recently developed an application that requires our partners to incorporate a piece of our html code in their browser page. This component would be responsible for collecting information and posting it back to our site via ajax for validation. The inclusion of our code would be done using server side includes so as to avoid using frames and for security reasons. The end result would be that the partner would send their page with our html component included in it back to the browser; the browser would show the partner url. All in all very unobtrusive.

Once the user enters their information into a form on that page, our script would take over and submit the information to our server, at a different domain, via ajax. Our server would return the result of the validation of the information.

There is only one very big problem with this approach – browsers currently consider such a cross-domain ajax post a vulnerability. Browsers will not allow an ajax post to a domain that is different than the domain currently in the browser location. Check out the same origin policy.

I won’t dive into an argument for or against allowing cross-site ajax posting here, instead I’ll just provide the mechanism we used to perform this post without using the standard ajax method, eg. XMLHttpRequest.

At a high level, what we do is this:

• Capture user input on the client using javascript.
• Construct a url containing our user input validation resource, a random identifier, and the query parameters from the user input.
• Create a new “<script>” DOM node with a src reference to the constructed url. This results in an implicit request being sent by the browser for the javascript source.
• Our server handles the request, validates the input, and returns pure javascript as a response. Embedded in this javascript is a function which will call javascript already sitting on the browser once it is loaded.
• Once the javascript response is loaded into the DOM by the browser, the script is executed – performing whatever processing is necessary at the client.

Below is the main script. This code handles user input and submits the input asynchronously by inserting a new script node into the DOM. This forces the browser to request the src for that script node. On the server, that request is handled, the input is validated, and javascript is returned back to the client which just executes the ‘responseCallback’ method.

Main Script:

Below is the server code that handles the request, validates the input from the client, and returns a response that is basically a javascript file. That javascript file contains a script that calls the ‘responseCallback’ method above with the result of the input validation.

Server Code (Java):

I wanted to convert one of our production machines from Fedora to Ubuntu server. One of the services this machine was running was subversion.

I both tarred up the repository directory and used ’svnadmin dump’ to backup the repository. I scp’ed both files to another server.

Upon recovery I wanted to use the dump but the dump file became corrupted.

Luckily, there’s an easy way to recover from a repository file backup. I just untarred the repository and used

It worked great!

After updating Wordpress and my devformatter plugin, I noticed some errors popping up from the geshi libraries:

This was actually displaying in the blog posts, which is bad for a number of reasons, including security.

You can turn off php error logging by finding your wp-config.php file, usually in your Wordpress document root, and adding the following lines:

After a recent windows update I found my remote desktop was broken. I did some troubleshooting and packet sniffing and still couldn’t track the problem down.

Finally I stumbled upon this post, which fixed my problem.

It turned out that an nvidia driver update broke RDP. Updating the driver to the latest WHQL fixed the problem.

I love windows updates, they usually break more than they fix.

I recently needed to setup TLS for my company’s email server. My primary goal was to reconfigure our sendmail server to negotiate TLS with other email servers that supported it. This would allow us to send secure information via email to company’s that also supported email over TLS.

The first step was to generate certificates. This is easily done with openssl. I already have a key and scripts setup to generate cert requests with all necessary info filled in. The script looks something like this:

Take the output from that certificate request and provide it to your favorite signer to get a signed certificate. Take the key you used to generate the request and the signed certificate and put it somewhere on your server, say /etc/ssl/crt. Also make sure to put the cacerts bundle, or signing certificate chain, in that directory (or any other for that matter).

Next step is to configure sendmail. The following are the changes I needed to make to my sendmail.mc file under /etc/mail:

Most of that config points sendmail to your keys and certificates to be used for server and client mode. The line

define(`confAUTH_OPTIONS’, `A p y’)dnl

tells sendmail to perform smtp authentication after TLS negotiation has completed. The line

define(`confTLS_SRV_OPTIONS’, `V’)dnl

tells sendmail to skip requests for clients’ certificates.

I would like to thank this site and this site for that helpful information.

Next, recompile the config file and restart sendmail with

You can test your server using openssl:

You should see “Verify return code: 0 (ok)” near the end of the output. Type “quit” to end the communication.

To test that sendmail will communicate properly as a client with another server, you can use the great site test.smtp.org.

I use a Squeezebox to distribute my digital audio at home. I noticed an issue in Squeezecenter, the audio server, that can cause duplicate detection of songs in your library. If you have your Squeezecenter detect and parse your playlists, your playlists must reference your music using the same path structure that you use in Squeezecenter.

For instance, in the shot below, I have Sqeezecenter looking for music under the path s:\completed (a mapped network disk). I also have playlists under s:\playlists.

At first, I had my playlists referencing the UNC pathname to my music, so that the mapped drive letter wouldn’t be necessary (as it might be different on different computers). Squeezecenter scanned my playlists and found the file references, but because the pathname was different the software assumed the files were different and indexed them as different files. This resulted in duplicates in my library for all music I had in playlists. To solve this, I just changed the playlist paths so that they matched what I had set in Squeezecenter. A new scan of the library and playlists and Squeezecenter correctly recognized the files as being the same and didn’t produce duplicates.

So in your playlist files, change this:

\\storageserver\Completed\Hard Rock\White Zombie\La Sexorcisto – Devil Music Vol. 1\05 White Zombie – Soul-Crusher.mp3

To this:

s:\Completed\Hard Rock\White Zombie\La Sexorcisto – Devil Music Vol. 1\05 White Zombie – Soul-Crusher.mp3

As an aside, it would be nice to set a UNC network path within Squeezecenter, but it doesn’t currently allow it. I believe an older version did allow you to set your library as a UNC path on the network.

I recently upgraded my bugzilla installation to 3.5 to find my Eclipse-mylyn integration had broken.

After some traffic inspection and a look at buglist.cgi, I found that new code was added to “clean” advanced bug queries. This code cleans the query, then performs a redirect to the new clean query using the correct bugzilla hostname but using the local webserver port. Because I was proxying traffic to my actual bugzilla server through another server on a different port, this redirect was invalid.

I fixed this by commenting out the following code in buglist.cgi:

I’ll try to actually fix the redirect tomorrow to take advantage of the cleanup.