Derick RethansPHP Internals News: Episode 24: Fuzzing (22.8.2019, 08:24 UTC)

PHP Internals News: Episode 24: Fuzzing

This episode of "PHP Internals News" is the first part of a longer conversation that I had with Stanislav Malyshev (GitHub, LinkedIn) about security related aspects of PHP development. In this episode, we discuss a fuzzer to test input safety of data coming into PHP.

The RSS feed for this podcast is https://derickrethans.nl/feed-phpinternalsnews.xml, you can download this episode's MP3 file, and it's available on Spotify and iTunes. There is a dedicated website: https://phpinternals.news

Show Notes

Credits

Music: Chipper Doodle v2 — Kevin MacLeod (incompetech.com) — Creative Commons: By Attribution 3.0

Become a Patron!
Link
Evert Pot507 Insufficient Storage (20.8.2019, 15:00 UTC)

507 Insufficient Storage is a status code that’s introduced by the WebDAV, specification. It allows a HTTP server to tell a client that for example their PUT or POST operation couldn’t succeed, maybe because it’s too large to fit on a disk.

Even though it was written for WebDAV, it can be used outside of WebDAV servers though.

Example:

HTTP/1.1 507 Insufficient Storage
Content-Type: text/plain

Wow, that's a big file. Can you store it somewhere else? We're pretty cramped
here.

Many WebDAV clients handle this status pretty well, and will inform the user that a disk is full.

Should I use this?

Even though I think this status is applicable outside of WebDAV, I think the reality is that the usefulness of this status is somewhat limited.

Because 507 is specifically a server-side error, it kind of indicates that the error was server side. Maybe the disk being full was not by design or intentional.

When using a status like this for REST API’s, I feel that it’s probably more likely that you’ll want to return an error when a user ran out of space, and intentionally send back a message to a user telling them ‘YOU ran out of quota’, instead of ‘OUR disk is full’.

If the intent is to inform the user that they exceeded their quota, it’s better to use the more appropriate 413 Payload Too Large.

References

Link
Chris ShiflettDomain Registrars (19.8.2019, 21:07 UTC)

A few years ago, I wrote about domain registrars. Realizing how often people still reference that post, and how old it is, I decided to ask what people are using these days.

There was a lot less variety in the responses than last time I asked. In fact, four registrars accounted for almost all replies I received, even via in-person and private conversations.

Here they are.

Gandi

My personal choice remains Gandi. Their new, JavaScript-heavy website belies the robustness of their platform, but if we judged companies by their websites, most would come up short. (This is why I want to rebuild every website I visit.)

The projects they support can give you a good idea of their principles, which is something that matters to me.

Gandi is committed to being the ethical choice for creating a web presence.

Notable features include:

  • Free SSL certificate
  • Whois privacy
  • DNS management
  • DNSSEC

Gandi is recommended by Derick Rethans, Simon Jones, Seppe Stas, and Graham Christensen.

Hover

Like Gandi, Hover is trying to make the web better.

From podcasts to festivals, we’re proud to be patrons of inspiring projects that help fuel the internet.

Most people who recommend Hover cite their excellent customer service as a reason. They also have a helpful article on how to register a domain name.

Notable features include:

  • Whois privacy
  • DNS management

Hover is recommended by Kyle Meyer, Paul Reinheimer, and Tim Cheadle.

iwantmyname

iwantmyname has an awkward name but a loyal customer base, and they have a wonderful sense of humor. The one-click setup of popular services like Google and AWS is a convenient way to get started quickly.

Notable features include:

  • Whois privacy
  • DNS management
  • Developer API

iwantmyname is recommended by Aaron Gilmore, Dan Duncan, and Chanpory Rith.

Namecheap

Namecheap continues to be a popular choice, and their mission and values are admirable. They even advertise their support for the EFF and Fight for the Future in the footer of every page.

Their domain search is one of the best I’ve seen, with a beast mode that unlocks the full gamut of search options.

Notable features include:

  • Whois privacy
  • DNS management
  • DNSSEC

Namecheap is recommended by Ben Bodien and Jeff Lupinski.

Summary

I hope these recommendations can help you choose the domain registrar that’s best for you, especially if you don’t already own your own domain name(s). As I wrote in a recent article about personal websites on 99U:

Owning your own domain name is important, and if this article can convince you of only one thing, let it be this.

If you have any additions or corrections, please let me know.

Link
Derick RethansPHP Internals News: Episode 23: Deprecated Short Open Tags, again (15.8.2019, 08:23 UTC)

PHP Internals News: Episode 23: Deprecated Short Open Tags, again

In this episode of "PHP Internals News" I chat with George Banyard (Website, Twitter, GitHub, GitLab) about his second RFC "Deprecate Short Open Tags, again".

The RSS feed for this podcast is https://derickrethans.nl/feed-phpinternalsnews.xml, you can download this episode's MP3 file, and it's available on Spotify and iTunes. There is a dedicated website: https://phpinternals.news

Credits

Music: Chipper Doodle v2 — Kevin MacLeod (incompetech.com) — Creative Commons: By Attribution 3.0

Become a Patron!
Link
Rob AllenDisplaying exif information in WordPress posts (14.8.2019, 10:01 UTC)

After discovering that WordPress modifies img tags when rendering a page, it crossed my mind that I could display exif information underneath each image on my new photography blog. The basic process is applicable to any manipulation of the content that you would want to do before it is displayed.

To do this, we add a new filter to the the_content hook:

add_filter('the_content', function ($content) {
        // manipulate $content
        return $content;
});

As with all filters, we have to return data in the same format as the first parameter to our function. For the_content, we receive a string which is the post's article text.

The core operation

In my case, all my <img> tags are immediately followed by a <figcaption> tag as I have a caption under each one. I decided to add the exif data within the <figcaption>.

We use regex to find the tags:

if (!preg_match_all( '@img [^>]+><figcaption>[^<]*</figcaption>@', $content, $matches)) {
  return $content;
}

This will store each <img> tag that's followed by a <figcaption> tag into the $matches variable, so we can now iterate over it:

foreach ($matches[0] as $match) {
  // Find the url in the  tag
  if (preg_match('@src="([0-9a-z:/._-]+)@i', $match, $srcList)) {
    $url = $srcList[1];
    if ($url) {
      $postId = attachment_url_to_postid($url);
      if ($postId) {
        $exif = ffp_create_exifcaption($postId);
        $new = str_replace('</figcaption>', $exif .'</figcaption>', $match);
        $content = str_replace($match, $new, $content);
      }
    }
  }
}

This code iterates over each match and finds the url in the src attribute of the image tag. We can then then load the post from that url using the rather helpful $postId = attachment_url_to_postid($url);.

Now that we have an ID, we can create the EXIF caption in a separate function and then finally we append it to the end of the current caption. We do this by simply replacing the closing </figcaption> with our text followed by </figcaption> which is a nice fast operation.

Creating EXIF display string

To create the string of EXIF data, I used a separate function to make it easier.

WordPress has already extracted the EXIF data we require when the image was uploaded into the admin, so we simply need to read it and format it. To get it we do this:

$metadata = wp_get_attachment_metadata($postId);
if (!isset($metadata['image_meta'])) {
  return '';
}
$imagemeta = $meta['image_meta'] ?? [];

$imagemeta is an array of useful characteristics about the image.

We pull the info we care into a set of variables like this:

$camera       = $imagemeta['camera'] ?? null;
$lens         = $imagemeta['lens'] ?? null;
$aperture     = $imagemeta['aperture'] ?? null;
$shutter      = $imagemeta['shutter_speed'] ?? null;
$iso          = $imagemeta['iso'] ?? null;
$focal_length = $imagemeta['focal_length'] ?? null;

if (! ($camera || $lens || $aperture || $shutter || $iso || $focal_length)) {
  return '';
}

(Obviously, if there is no data, there's nothing to do.)

Finally we format it nicely:

$string = '<aside class="exif">';

if ($camera) {
  $string .= '<div><ion-icon name="camera"></ion-icon><span>'.$camera.'</span></div>';
}
if ($lens) {
  $string .='<div><ion-icon name="radio-button-on"></ion-icon><span>'.$lens.'</span></div>';
}

if ($aperture) {
  $aperture = 'f/' . $aperture;
  $string .= '<div><ion-icon name="aperture"></ion-icon><span>'.$aperture.'</span></div>';
}

if ($shutter) {
  $shutter = '1/' . (int)(1.0/(float)$shutter);
  $string .= '<div><ion-icon name="timer"></ion-icon><span>'.$shutter.'</span></div>';
}

if ($iso) {
  $string .= '<div><span class="text-icon">ISO</span><span>'.$iso.'</span></div>';
}

if ($focal_length) {
  $focal_length = (string)(round((float)$focal_length)) . 'mm';
  $string .= '<div><ion-icon name="eye"></ion-icon><span>'.$focal_length.'</span></div>';
}

$string .= '</aside>';
return $string;

We wrap our entire EXIF string in an <aside> tag so that we can style appropriately. Then for each item of data, we display an icon followed by the text information. The icons are Io

Truncated by Planet PHP, read more at the original (another 950 bytes)

Link
Voices of the ElePHPantInterview with Jeremy Mikola (13.8.2019, 15:30 UTC)
Link
Evert Pot506 Variant Also Negotiates (13.8.2019, 15:00 UTC)

In 1998 RFC2295 was published. It’s experimental, and meant to introduce a new way to do content negotiation in HTTP. As far as I personally know, I don’t think it got a lot of traction.

Traditionally, when a HTTP client wants to do content-negotation, they will send one or more accept headers:

GET / HTTP/1.1
Accept: text/html; image/png; text/*; q=0.9
Accept-Language: en-CA; en
Accept-Charset: UTF-8
Accept-Encoding: gzip, brotli

RFC2295 intended to introduce a new way to do this, with a lot more flexibility and features. The RFC talks about selecting specific variants not just based on mimetype, but also HTML features a browser supports, color capabilities, screen resolution, speed preference, paper size for printers and even selecting content for specific devices like VR goggles and PDA’s.

An interesting feature is that it can also return a list of urls for specific variations, changing the HTTP model a bit by giving every representation and variant their own url, and returning all this in with a 300 Multiple Choices response.

An example of such a response (from the RFC):

HTTP/1.1 300 Multiple Choices
Date: Tue, 11 Jun 1996 20:02:21 GMT
TCN: list
Alternates: {"paper.1" 0.9 {type text/html} {language en}},
{"paper.2" 0.7 {type text/html} {language fr}},
{"paper.3" 1.0 {type application/postscript}
{language en}}
Vary: negotiate, accept, accept-language
ETag: "blah;1234"
Cache-control: max-age=86400
Content-Type: text/html
Content-Length: 227

<h2>Multiple Choices:</h2>
<ul>
  <li><a href=paper.1>HTML, English version</a>
  <li><a href=paper.2>HTML, French version</a>
  <li><a href=paper.3>Postscript, English version</a>
</ul>

The RFC introduces a new error code: 506 Variant Also Negotiates. To the best of my understanding, this error returned when a server is misconfigured and a ‘negotiating resource’ is pointing to another resource that doesn’t serve a representation, but instead also tries to negotiate.

I can imagine that a negotiating resource could for example point to itself, or sets up something like a redirection look. I think 506 is a specific error that a server could return for this case.

Should you use this?

I often include a section that answers whether you should use this status code. In this case, I think it’s better to dive into whether you should support the negotiation feature.

The issue with the feature is that it never left the experimental phase, and as far as I know got very little adoption. It was defined before HTTP/1.1 was finalized, and for all intents and purposes I think it can be considered dead.

However, it solves a couple of really interesting problems that aren’t solved

Truncated by Planet PHP, read more at the original (another 1323 bytes)

Link
Voices of the ElePHPantInterview with Matthew Turland (13.8.2019, 11:53 UTC) Link
Derick RethansPHP Internals News: Episode 22: PostGreSQL Escape Character (8.8.2019, 08:22 UTC)

PHP Internals News: Episode 22: PostGreSQL Escape Character

In this episode of "PHP Internals News" I chat with Matteo Beccati (LinkedIn, Twitter, GitHub) about his "Escape PDO "?" parameter placeholder" RFC.

The RSS feed for this podcast is https://derickrethans.nl/feed-phpinternalsnews.xml, you can download this episode's MP3 file, and it's available on Spotify and iTunes. There is a dedicated website: https://phpinternals.news

Credits

Music: Chipper Doodle v2 — Kevin MacLeod (incompetech.com) — Creative Commons: By Attribution 3.0

Become a Patron!
Link
PHP: Hypertext PreprocessorPHP 7.4.0beta2 released! (8.8.2019, 00:00 UTC)
The PHP team is glad to announce the second beta release of PHP 7.4: PHP 7.4.0beta2. This continues the PHP 7.4 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 7.4.0beta2 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release would be Beta 3, planned for August 22nd. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.
Link
LinksRSS 0.92   RDF 1.
Atom Feed   100% Popoon
PHP5 powered   PEAR
ButtonsPlanet PHP   Planet PHP
Planet PHP