Enjoying Pixies Indie Cindy. Greens and Blues sounds like it's missing from the FLCL
soundtrack or maybe Polaris.
YouTube - June System Update Walkthrough for Xbox One
OneGuide on SmartGlass is coming in the June Xbox One update! The feature I’ve been missing since day one. I don’t think I’m an average Xbox One user.
Stripe's web security CTF's Level 1 and level 2 of the Stripe CTF had issues with missing input validation solutions described below.
$filename = 'secret-combination.txt';
extract($_GET);
if (isset($attempt)) {
$combination = trim(file_get_contents($filename));
if ($attempt === $combination) {The issue here is the usage of the extract php method which extracts name value pairs from the map input parameter and creates corresponding local variables. However this code uses $_GET which contains a map of name value pairs passed in the query of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.
Code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract the developer could try to extract specifically the attempt variable manually without using extract.
$dest_dir = "uploads/";
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
$_SESSION["dispic_url"] = $dest;
chmod($dest, 0644);
echo "Successfully uploaded your display picture.
";
}
This code accepts POST uploads of images but with no validation to ensure it is not an arbitrary file. And even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run them. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:
Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, this would solve this issue. Due to browser mime sniffing its additionally a good idea to serve a content-type that starts with "image/" for these uploads to ensure browsers treat these as images and not sniff for script or HTML.
I wanted to ensure that my switch statement in my implementation of IInternetSecurityManager::ProcessURLAction had a case for every possible documented URLACTION. I wrote the following short command line sequence to see the list of all URLACTIONs in the SDK header file not found in my source file:
grep URLACTION urlmon.idl | sed 's/.*\(URLACTION[a-zA-Z0-9_]*\).*/\1/g;' | sort | uniq > allURLACTIONs.txt
grep URLACTION MySecurityManager.cpp | sed 's/.*\(URLACTION[a-zA-Z0-9_]*\).*/\1/g;' | sort | uniq > myURLACTIONs.txt
comm -23 allURLACTIONs.txt myURLACTIONs.txtBut in my effort to learn and use PowerShell I found the following similar command line:
diff
(more urlmon.idl | %{ if ($_ -cmatch "URLACTION[a-zA-Z0-9_]*") { $matches[0] } } | sort -uniq)
(more MySecurityManager.cpp | %{ if ($_ -cmatch "URLACTION[a-zA-Z0-9_]*") { $matches[0] } } | sort -uniq)
My GPS was stolen last night or this morning and I'm missing it already. For instance when I drove to Novus glass repair to get my front passenger window replaced I drove down the wrong road for a while.
When I got out of my apartment this morning there was a police car sitting in my parking lot and the officer asked me: "David? ... What'd you leave in your car?". My face must have changed a lot when I had the following sequence of realizations: (a) a police officer is asking for me by name, (b) I'm not in trouble, (c) my car must have been burgled, and (d) my GPS must be stolen.
The officer was waiting outside my complex because someone had reported my car's broken window to the police in the morning. The officer was very courteous and upon taking my date of birth noted that we were born on exactly the same day. The window's safety glass was shattered and lying in tons of tiny pieces all over the passenger seat, my glove box was open and the middle armrest where I keep my CDs was open. Nothing appears to be missing other than the GPS, the GPS power cable, and the GPS dash mount. Adding insult to theft, the their scattered my CDs throughout my car and didn't take any of them, insulting my taste in music.
My car's window should be repaired now and hopefully the rain that came in through the broken window until I covered it with plastic bags (classy!) didn't do any permanent damage.
Internet Explorer 8 Beta 1 is available now. I can finally talk about some of the stuff I've been working on for the past year or so: activities. Activities let you select a document, some text on a document, or a link to a document and run that selection through a web service. For example, you could select a word on a webpage and look it up in Wikipedia, select an address and map it on Yahoo Maps, select a webpage and translate it into English with Windows Live Translator, or select a link and add it to Digg.
IE8 comes installed with some activities based on Microsoft web services but there's a page you can go to to
install other activities. However, that page is missing some of my favorites that I use all the time, like del.icio.us.
Accordingly, I've put together a page of the activities I use. MSDN has all the info on creating Activities.
Activities are very similar to other existing features in other browsers including the ability to add context menu items to IE. There's two important differences which make activities better. Activities have a preview window that pops out when you hover over an activity, which is useful to get in place information easily provided by developers. The other is that the interface is explicit and takes after HTML FORMs and OpenSearch descriptions. Because the interface is explicitly described in XML (unlike the context menu additions described above which run arbitrary script) we have the ability to use activities in places other than on a webpage in the future. And because activity definitions are similar to HTML FORMs, if your webservice has an HTML FORM describing it you can easily create an activity.
We started at Home Depot because I didn't know better. The screws are all listed in metric sizes which is apparently uncommon and a helpful senior worker forwarded us to McLendons whose stock was better but we were again redirected this time to Tacoma Screw Products.
Tacoma Screw Products is great! See them for your hardware needs first! The store has a back area with every kind of screw ever. I felt a little out of place as as all the customers looked like contractors. The employee who helped me explained the various options I had in screws as the bike instructions weren't as explicit as they could have been. In the end I bought all my screws for only one dollar (much better than $30!) and they all fit correctly.
Some rights reserved