02.28.07
Posted in POW at 3:21 pm by David Kellogg
I created my first Thunderbird SJS app. This means I ran a server inside Thunderbird and ran a remote command. It’s a little tough going due to a lack of TB documentation, but exciting. Here it is.
test.sjs:
<?sjs
// Output goes back to the HTTP client that requested the page.
document.writeln("Hello world!");
// Grab the privileged Thunderbird messenger service via XPCOM.
var mess = Components.classes["@mozilla.org/messenger;1"]
    .getService(Components.interfaces.nsIMessenger);
// Open the URL in the default external browser on the Thunderbird host.
mess.launchExternalURL("http://www.yahoo.com/");
?>
Haven’t seen that page lately, huh? Load the page http://localhost:6671/test.sjs to run this remotely inside Thunderbird. Mind spinning yet? The reason to do these crazy things is to open up your email to yourself, remotely from anywhere, without a special client.
Dave
02.19.07
Posted in POW at 10:55 am by David Kellogg
POW 0.1.0 (preview) is ready for download. It has some nice features.
- Sunbird Support
- Thunderbird Support
- Flock Support
- HEAD requests
- more MIMEs
- free watermelon
That’s right, you get a free watermelon with this version. New users get a favicon.ico as a nice gift; if you don’t like it, it’s replaceable. Sunbird and Thunderbird get to share in the port listening glory. These two lonely fellows need a little connectivity. I have no idea how my users will take up the opportunity to add a webserver where none existed before. I’m hoping for some creativity.
Another addition is better MIME support from the Mozilla engine itself. The old MIME list becomes a list of overrides. The upshot is you have to add almost no new MIME types. The one exception (see above) is favicon.ico, which uses the MIME type “image/x-icon”. Please add it yourself if you upgrade.
One caveat. Thunderbird and Sunbird POW addons should be considered development releases. The default ports conflict. The webserver still starts, I assure you, but the port conflicts may drive you nuts.
Have fun.
02.12.07
Posted in Search at 10:11 pm by David Kellogg
The other day, I was listening to Eric Schmidt, CEO of Google, speak at the State of the Valley on February 2. He said something really strange about the LAMP stack.
“The other thing that has happened is a new architecture has emerged which is technically known as LAMP. Linux Apache Mysql PHP, Perl, Python. In the vernacular it’s known as Web 2.0.”
– Eric Schmidt
Really? You can listen to him say these strange pronouncements and more. No, LAMP is not known as Web 2.0. That is confusing a set of software with what can be built on top of it. I do think this CEO has lost touch with the technology that powers the web.
Posted in POW at 8:52 pm by David Kellogg
It was a strange weekend as this one-man team worked feverishly to douse the flames of security problems. First, from Italy, the disclosure of a directory traversal bug in POW 0.0.7. Strange, since I tested my own code (using Firefox), and many other new servers, using this fun trick. Better tools are needed to expose this bug.
Just try 'GET /../../ HTTP/1.0' and see what happens. Only bad happens. Almost as embarrassing, George from Tenable Security informed me that the wrong page is sometimes delivered to the user. The first bug is fixed in 0.0.9. The second bug fix will come later this week.
This proves the adage of Steve Gibson that only time can prove security, not pronouncements, speculation or even good coding practices.
The good thing is that I built POW with security in mind. SJS files only execute in certain locations. The security holes never worked on password protected sites. I do not eval client data. I accept highly limited input to MySQL.
Others might shy away from disclosure, but really, it’s your software. I’d rather sacrifice numbers of users in exchange for assurance to the users that holes will be fixed quickly. And for speed, I fixed the vulnerability less than 24 hours after it was posted.
Dave
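Since the traversal request above is the whole story of the 0.0.7 bug, here is how a small JavaScript webserver like POW can refuse it before touching the filesystem. This is an added example written for this page, not POW's own code; it assumes a constructed document root (DOC_ROOT), origin-form request targets ("GET /path HTTP/1.0"), and that the server only handles GET and HEAD. The point is that "/../../" and its percent-encoded twin "/%2e%2e/%2e%2e/" are both resolved segment by segment and rejected the moment they try to climb above the root, rather than being string-matched for a literal "..".

```javascript
// Added example (not POW's own code): resolve an HTTP request target against a
// document root so that "GET /../../ HTTP/1.0" style requests cannot escape it.
// Assumptions: files live under DOC_ROOT, requests use origin-form targets, and
// only GET and HEAD are served.

const DOC_ROOT = "/srv/pow"; // constructed sample document root

// Parse an HTTP/1.x request line. Returns null for anything malformed.
function parseRequestLine(line) {
  const m = /^([A-Z]+) (\S+) HTTP\/(\d)\.(\d)$/.exec(line.trim());
  if (!m) return null;
  return { method: m[1], target: m[2], version: m[3] + "." + m[4] };
}

// Decode and normalise a request target to an absolute path inside docRoot.
// Returns the path, or null if the request must be rejected.
function resolveSafePath(target, docRoot) {
  let path = target.split("?")[0]; // query string is never part of the file path
  try {
    path = decodeURIComponent(path); // so %2e%2e is seen as ".." before checking
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (!path.startsWith("/")) return null; // origin-form only
  if (path.indexOf("\0") !== -1) return null; // NUL bytes truncate paths in C APIs
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg.indexOf("\\") !== -1) return null; // backslash separators on Windows
    if (seg === "..") {
      if (out.length === 0) return null; // tried to climb above the document root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return docRoot + "/" + out.join("/");
}

// Decide what the server does with one request line: reject with a status code,
// or proceed to look up the resolved file for the given method.
function routeRequest(line, docRoot) {
  const req = parseRequestLine(line);
  if (!req) return { decision: "reject", status: 400 };
  if (req.method !== "GET" && req.method !== "HEAD") {
    return { decision: "reject", status: 405 };
  }
  const path = resolveSafePath(req.target, docRoot);
  if (path === null) return { decision: "reject", status: 403 };
  return { decision: "serve", method: req.method, path: path };
}

// Constructed request lines, including the one from the disclosure.
const SAMPLE_REQUESTS = [
  "GET /../../ HTTP/1.0",
  "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
  "GET /docs/../test.sjs HTTP/1.1",
  "HEAD /test.sjs?x=1 HTTP/1.0",
  "POST / HTTP/1.0",
];

for (const line of SAMPLE_REQUESTS) {
  console.log(line, "=>", JSON.stringify(routeRequest(line, DOC_ROOT)));
}
```

Rejecting a climb above the root with 403 rather than silently clamping it to "/" is deliberate: a clamp would quietly serve the index page to a scanner, while a 403 leaves a distinct entry in the log for the request the author describes.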