app.get('/*', function(req, res) { var namespace = req.param('namespace');
if (namespace) { var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"'; db.all(query, namespace, function(err, secrets) {
Issue
There's no input validation on the namespace parameter and it is injected into the SQL query with no encoding applied. This means you can use the '%' character as the namespace which is the
wildcard character matching all secrets.
Notes
Code review red flag was using strings to query the database. Additional levels made this harder to exploit by using an API with objects to construct a query rather than strings and by running a
query that only returned a single row, only ran a single command, and didn't just dump out the results of the query to the caller.
query = """SELECT id, password_hash, salt FROM users WHERE username = '{0}' LIMIT 1""".format(username) cursor.execute(query)
res = cursor.fetchone() if not res: return "There's no such user {0}!\n".format(username) user_id, password_hash, salt = res
calculated_hash = hashlib.sha256(password + salt) if calculated_hash.hexdigest() != password_hash: return "That's not the password for {0}!\n".format(username)
Issue
There's little input validation on username before it is used to constrcut a SQL query. There's no encoding applied when constructing the SQL query string which is used to, given a username,
produce the hashed password and the associated salt. Accordingly one can make username a part of a SQL query command which ensures the original select returns nothing and provide a new SELECT via
a UNION that returns some literal values for the hash and salt. For instance the following in blue is the query template and the red is the username injected SQL code:
SELECT id, password_hash, salt FROM users WHERE username = 'doesntexist' UNION SELECT id, ('5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8') AS password_hash, ('word') AS salt FROM users WHERE username = 'bob' LIMIT 1
In the above I've supplied my own salt and hash such that my salt (word) plus my password (pass) hashed produce the hash I provided above. Accordingly, by
providing the above long and interesting looking username and password as 'pass' I can login as any user.
Notes
Code review red flag is again using strings to query the database. Although this level was made more difficult by using an API that returns only a single row and by using the execute method which
only runs one command. I was forced to (as a SQL noob) learn the syntax of SELECT in order to figure out UNION and how to return my own literal
values.
Before we shipped IE8 there were no Accelerators, so we had some fun making our own for our favorite web services. I've got a small set of tips for creating Accelerators for other people's web
services. I was planning on writing this up as an IE blog post, but Jon wrote a post covering a
similar area so rather than write a full and coherent blog post I'll just list a few points:
The first thing to try is looking for developer help for the web service, specifically if there's a REST-ful URL based API. For example, Bing Maps has great URL API documentation that would be enough to
create an Accelerator.
The Accelerator XML is very similar to HTML forms. If you can find an HTML form for the web service for which you want to create an Accelerator, you can view the HTML source and create an
Accelerator based on that.
I created the FormToAccelerator extension based on the previous idea. You can
use the extension to create an Accelerator from an HTML form, or just use it to create the start of one and edit it manually after.
If the page doesn't use an HTML form, you can start up an HTTP debugger like Fiddler, use the web service from the normal web
page, and then in Fiddler see if you can find a REST-ful looking URL you can use.
When looking to create a preview for your Accelerator, see if the web page for the web service has a mobile version or a version that's intended to embed in other web pages via an iframe. On
this same line, iPhone apps make great Accelerators usually with lovely previews.
If there's no mobile or embeddable version and the only thing wrong with the normal web page for the web service is that the useful information doesn't fit in the preview window then see if you
can find an HTML tag with a name or id near the useful information, and stick a '#' fragment pointing to that tag onto the preview URL template.
Without a reasonable REST-ful API you can use a combination of Google's "site:" and "I'm Feeling Lucky" to find the most relevant page on a particular site.
The value of a name and value pair need not consist of only a single Accelerator variable. You can get creative and put other text in there. For instance, I implemented a Google currency conversion by setting the query to "{selection} in US Dollars".
There's no easy way to use local applications on a PC as the result of an accelerator or a search provider in IE8 but there is a hack-y/obvious way, that I'll describe here. Both accelerators and search
providers in IE8 fill in URL templates and navigate to the resulting URL when an accelerator or search provider is executed by the user. These URLs are limited in scheme to http and https but those
pages may do anything any other webpage may do. If your local application has an ActiveX control you could use that, or (as I will provide examples for) if the local application has registered for
an application protocol you can redirect to that URL. In any case, unfortunately this means that you must
put a webpage on the Internet in order to get an accelerator or search provider to use a local application.
For examples of the app protocol case, I've created a callto accelerator that uses whatever application is
registered for the callto scheme on your system, and a Windows Search search provider that opens Explorer's search
with your search query. The callto accelerator navigates to my redirection page with 'callto:' followed by the selected text in the fragment and the redirection page redirects to that callto URL.
In the Windows Search search provider case the same thing happens except the fragment contains 'search-ms:query=' followed by the selected text, which starts Windows Search on your system with the
selected text as the query. I've looked into app protocols previously.
I've hooked up the printer/scanner to the Media Center PC since I leave that on all the time anyway so we can have a networked printer. I wanted to hook up the scanner in a somewhat similar fashion
but I didn't want to install HP's software (other than the drivers of course). So I've written my own script for scanning in PowerShell that does the following:
MODI doesn't seem to be in the Office 2010 Technical Preview I installed first. Installing Office 2007 fixed that.
The MODI.Document class, at least via PowerShell, can't be instantiated in a 64bit environment. To run the script on my 64bit OS I had to start powershell from the 32bit cmd.exe
(C:\windows\syswow64\cmd.exe).
I'm a big fan of the concept of registerProtocolHandler in HTML 5 and in FireFox 3, but not quite the implementation. From a high level, it allows web apps to register themselves as
handlers of an URL scheme so for (the canonical) example, GMail can register for the mailto URL scheme. I like the concept:
Better integration of web apps with your system.
Its easy for web apps to do.
Links to URNs can now take the user to the sites the user prefers for the sort of thing identified by the URN. For example, if I have a physical address in HTML, instead of making that an http
link to Yahoo Maps, I can make the link a geo scheme URI and those who follow the link will get their preferred mapping site that
has registered for that scheme. Actually, looking at the geo scheme's RFC, maybe I'd rather use some other URN scheme to represent the physical location, but you get the point.
However, the way its currently spec'ed out I don't like the following:
There's no way to know if you are the handler for a particular URL scheme which is an important question for web app URL protocol handler authors.
There's no way to fallback to an http URL in the case that a particular URL scheme isn't registered. A suggested solution to testing the registration of a scheme is for browsers to provide an additional script method
to check if a scheme is registered. I don't like the idea of writing script that walks over all my page's links and rewrites them based on that method. I'd much rather see a declarative and
backwards compatible fallback mechanism, although I don't know what that would look like.
There's no way to register for a namespace within the urn scheme URI, the info scheme URI, or the tag scheme URI. I want to register
info:lccn/... (Library of Congress Card Number identifiers) to LibraryThing or Amazon and I want to register urn:duri:... (dated URIs) to the Web Archive, among other things.
And last, although this is nitpickier than the rest, I don't like the '%s' syntax used in the registration method. I'd much rather pass in an URL template, like the URL template used
in OpenSearch. If an URL template is used for matching rather than registering against a particular URL scheme, this could also allow for registering a namespace within a URN. For example
something along the lines of: registerProtocolHandler("info:lccn/{lccnID}", "htttp://www.librarything.com/search_works.php?q={lccnID}", "LibraryThing LCCN")
2008 Apr 3, 6:48The comments have info on URI template for gmail message composition: "https://mail.google.com/mail?view=cm&tf=0&to=`echo $1 | sed 's/mailto://'`"gmailmailurihowtoreferencegoogle
2008 Apr 3, 2:49Looking for URI template to search over my gmail and found it in the comments: "http://gmail.google.com/gmail?search=query&view=tl&fs=1&q=%s"gmailemailgooglereferenceurisearchhowto
2008 Mar 28, 10:07"Trust the open-source lovin' contributors at Wikipedia to be early adopters of Microsoft web technologies. Beginning just a couple of days ago, Wikipedia user "Soum Yasch" began building Wiki
templates to support the new content-subscription featurie8iebrowserwikipediaarticle
When throwing together an HTML page at work that other people will view, I stick the following line in for style. Its IE's error page CSS and contaits a subtle gradient background that I like.
2007 Oct 7, 4:12In a previous post I mentioned an xsltproc like js file I made. As noted in that post, on Windows you can write console script files in
JavaScript, name them foo.js, and execute them from the command prompt. I later found that MSDN has an XSLT javascript sample
which looks similar to mine, but I like mine better for the XSLT parameter support and having a non-ridiculous way of interpreting filenames. The code for my xsltproc.js follows. The script is very
simple and demonstrates the ease with which you can manipulate these system objects and all it takes is opening up notepad.
var createNewXMLObj = function() {
var result = new ActiveXObject("MSXML2.FreeThreadedDOMDocument");
result.validateOnParse = false;
result.async = false;
return result;
}
var args = WScript.arguments;
var ofs = WScript.CreateObject("Scripting.FileSystemObject");
var xslParams = [];
var xmlStyle = null;
var xmlInput = null;
var inputFile = null;
var outputFile = null;
var error = false;
for (var idx = 0; idx < args.length && !error; ++idx)
if (args.item(idx) == "-o") {
if (idx + 1 < args.length) {
outputFile = ofs.GetAbsolutePathName(args.item(idx + 1));
++idx;
}
else
error = true;
}
else if (args.item(idx) == "--param" || args.item(idx) == "-param") {
if (idx + 2 < args.length) {
xslParams[args.item(idx + 1)] = args.item(idx + 2);
idx += 2;
}
else
error = true;
}
else if (xmlStyle == null) {
xmlStyle = createNewXMLObj();
xmlStyle.load(ofs.GetAbsolutePathName(args.item(idx)));
}
else if (xmlInput == null) {
inputFile = ofs.GetAbsolutePathName(args.item(idx));
xmlInput = createNewXMLObj();
xmlInput.load(inputFile);
}
if (xmlStyle == null || xmlInput == null || error) {
WScript.Echo('Usage:\n\t"xsltproc" xsl-stylesheet input-file\n\t\t["-o" output-file] *["--param" name value]');
}
else {
var xslt = new ActiveXObject("MSXML2.XSLTemplate.3.0");
xslt.stylesheet = xmlStyle;
var xslProc = xslt.createProcessor();
xslProc.input = xmlInput;
for (var keyVar in xslParams)
xslProc.addParameter(keyVar, xslParams[keyVar]);
xslProc.transform();
if (outputFile == null)
WScript.Echo(xslProc.output);
else {
var xmlOutput = createNewXMLObj();
xmlOutput.loadXML(xslProc.output);
xmlOutput.save(outputFile);
}
}
2007 May 11, 8:55Last time, I had written some resource tools to allow me to view and modify Windows module resources in my ultimate and noble quest to
implement the XML content-type fragment in IE7. Using the resource tools I found that MSXML3.DLL isn't signed and that I can replace the XSLT embedded resource with my own, which is great news and
means I could continue in my endevour. In the following I discuss how I came up with this replacement for IE7's XML source view.
At first I thought I could just modify the existing XSLT but it turns out that it isn't exactly an XSLT, rather its an IE5 XSL. I tried using the XSL to XSLT converter linked to on MSDN, however the resulting document still
requires manual modification. But I didn't want to muck about in their weird language and I figured I could write my own XSLT faster than I could figure out how theirs worked.
I began work on the new XSLT and found it relatively easy to produce. First I got indenting working with all the XML nodes represented appropriately and different CSS classes attached to them to make
it easy to do syntax highlighting. Next I added in some javascript to allow for closing and opening of elements. At this point my XSLT had the same features as the original XSL.
Next was the XML mimetype fragment which uses XPointer, a framework around various different schemes for naming parts of an XML document. I focused on the
XPointer scheme which is an extended version of XPath. So I named my first task as getting XPaths working.
Thankfully javascript running in the HTML document produced by running my XSLT on an XML document has access to the original XML document object via the document.XMLDocument property. From this this I can execute XPaths, however there's no builtin way to map from the XML nodes selected by
the XPath to the HTML elements that I produced to represent them. So I created a recursive javascript function and XSLT named-template that both produce the same unique strings based on an XML node's
position in the document. For instance 'a3-e2-e' is the name produced for the 3rd attribute of the second element of the root element of the XML document. When producing the HTML for an XML node, I
add an 'id' attribute to the HTML with the unique string of the XML node. Then in javascript when I execute an XPath I can discover the unique string of each node in the selected set and map each of
them to their corresponding positions in the HTML.
With the hard part out of the way I changed the onload to get the fragment of the URI of the current document, interpret it as an XPath and highlight and navigate to the selected nodes. I also added
an interactive floating bar from which you can enter your own XPaths and do the same. On a related note, I found that when accessing XML files via the file URI scheme the fragment is stripped off and
not available to the javascript.
2007 Apr 8, 3:05Shortcut Tag?
I just saw this on another user's delicious links: a link to ESV search that's
tagged with, among other things, "shortcut:esv". When viewed on del.icio.us there's a text box that lets you search using that link. I hadn't seen this before, but it seems pretty cool and I'm
surprised I hadn't seen it previously. A delicious post with such a tag ends up looking like the following: I tried searching for information on this and I've found other delicious users doing the same thing,
but nothing about the tag itself. If you know any information especially official information from del.icio.us itself please post links in reply to this post. So without further preface here's what
I've learned about the del.icio.us shortcut tag.
How-to
To get a search box in your del.icio.us links make a post that satisfies the following requirements:
One of the tags must begin with the text 'shortcut:'. You can have more text following that in the tag if you like but it must at least start with 'shortcut:'.
The 'url' you post must be a shortcut url rather than an actual URL. It must contain a '%s' with a lowercase 's'. When you enter text into the textbox on the del.icio.us page the text will
replace the '%s' after being percent-encoded. For example 'http://www.google.com/search?hl=en&q=%s' is the shortcut url for Google and if you type 'foo bar' into the textbox the URI you will
navigate to would be 'http://www.google.com/search?hl=en&q=foo%20bar'.
Complaints
This is neat but I do have a few complaints:
The text from the textbox is percent-encoded before replacing the '%s'. Most sites use application/x-www-form-urlencoded
which encodes spaces as '+' rather than '%20'.