Informescion tecnologi – Page 3

The daily firewall WTF

Everyday is a great day to learn something new…

Sometimes ago I had the incredible luck of supervising the installation of an “application-layer-firewall”.

It is, for those of you who never heard about it, a black-box device, usually using internally lots of open source software but nevertheless sold for big buck$, built to protect web server from being hacked. It achieves this goal by filtering all incoming HTTP requests (possibly outgoing responses, too), and blocking those that look suspicious enough / violate a defined set of rules.
Many of these devices offer a lot of extra functionality, such as providing HTTPS termination for those webservers that do not support it natively, rewriting of incoming requests etc… All in all, very useful boxes.

It is the very principle upon which they are built that left me baffled the first day we tried to configure ours, and it still has me unconvinced, namely that sloppy coding on part of the programmer can be overcome by adding an extra layer of black-box filtering that works without any knowledge of the functions implemented on the webserver.

I have been told umpteen times that the http firewalls follow the 80%/20% rule, warding off common attack vectors such as buffer overflows and escape sequences in urls, and this is useful enough by itself to justify their cost.

But in the modern-day internet, phising, xss and sql-injections attacks are more and more common, and while nobody is interested in defacing your site anymore, a lot of crackers are eager to get to your database where customer credentials are kept. And while http firewalls excel at the former, they are very poor at the latter.

Continue reading The daily firewall WTF

The daily PHP WTF

A couple of days ago I succeeded in the daunting task of bringing a production server to a grinding halt. In fact the server was a sturdy linux box, and despite all my wrongdoings it kept chugging along, but all php services running on top of it where rendered useless (it was the company intranet server, and people where not happy).
Since this is quite an extraordinary event, I thought I might capitalize on the experience gained through this accident and share it for the benefit of future generations.
To make a long story short, here is the sequence of the events that lead to the catastrophe:

I installed on the web server a shrink-wrapped php package, which I shall not name here, without taking the time to sift properly trough the code line by line, but following as carefully as I could the install instructions
After toying around for a while, I decided to implement some new must-have feature, and within a couple of hours had on my hands code that looked good enough on my development box.
So I promptly dumped the code to the production server, and fired up my browser to see the final result, but…
…a nasty php error message greeted me. The code was trying to read from a file descriptor that was not open (in the fact the php variable delegated to hold the file descriptor was not even declared at the point it was used)
The fix was really quick: a close look revealed an error in nesting code blocks, so that code was being executed where it was not supposed to. Hey presto, edit, save, redeploy and test!
And this time, BINGO! the new functionality was fine and dandy. I dashed down the corridor to announce the new amazing functionality to fellow coders, and after discussing it and future evolutions for a while, I packed up and went home, happy and satisfied with my rapid-development skills and the incredibly apt platform that php had once again proved to be

But things are seldom as simple as they seem…
…and I was greeted by angry sysadmins and furious customers the next morning when returning to my cubicle.

The problem had been promptly identified: there was an error log file that kept growing at incredible speed, and it had saturated during the night the /home partition. Since the main website, based on a template engine and php opcode cache, was using the same partition to hold both the compiled templates and cached php scripts, it was having a hard time writing to disk its necessary files.
The sysadmins could not understand what was causing the log to grow indefinitely, but the mere fact that it was the php error log flashed a big nasty disaster sign in my mind. Sure enough, the culprit was to be found in my modifications of the previous day, but how on earth could the application, fixed and tested the day before, have kept running erroneously for the whole night, and still causing damage at early morning?
The worst part of it is the error log was reporting accesses to the web server from my very own development machine, which had been switched off during all that time.
Being well versed in php, I know for a fact that any php script is bound to end within a specified time limit (specified in php.ini that is), or be terminated by the php engine.
It is also very unusual for a script to keep running after the client that requested the web page terminates the http connection, such as when the user hits the STOP button or quits the application.
After a quick and dirty Apache restart, the error log finally showed a normal behaviour, everybody calmed down, and I was left alone with my dark train of toughts: was it possible that I had hit a bug of php, or, heaven forbids, Apache itself? Impossible! The j2ee goblins would have laughed at me for months to come.

As that old Jedi saying goes, use the source, Luke.

Continue reading The daily PHP WTF

Call by name and PHP

A little while ago, the question of allowing named parameteres in function calls was raised on the JSON-RPC mailing list.

As you might or might not know, named parameters (as opposed to positional parameters) are used by many database programming languages, and in some languages not really database related. The main advantage of using named parameters is that you can choose which parameters to pass to a function, omitting all the ones you do not need. PHP, with default parameter values, does something similar, with two small catches:

the parameters have to be passed to the function in the same order that they were declared (this is, imho, not a big problem in most situations)
given a function with 3 parameters, of which only the first is manadatory, the caller is not allowed to omit the parameter that occupies position 2 if he wants to specify the parameter at position 3. He can of course attain the same effect by specifyng the default value for parameter 2, but that means that he must know that value.

Named parameters are useful e.g. when a function takes a very long list of options, most of which are not compulsory.

The “php way” of doing this usually involves declaring a function as accepting a single parameter of type array, and passing all the options as key=>value pairs. The downside is that this forces the coder implementing the function to write quite a bit of code to validate all the options received.

By taking advantage of the introspection capabilties offered by PHP 5, it is possible to ease this burden. I have whipped up this code snippet that migth come handy in situations where a lot of call-by-name is used.

There are some caveats to take into account:

Despite the function working on php 5 only, it does not make use of exceptions, and relies on php 4 error mechanism instead
hell might freeze over when you try it on functions that accept parameters by reference (or return by ref)

Enjoy

/**
* Call a user function using named instead of positional parameters.
* If some of the named parameters are not present in the original function, they
* will be silently discarded.
* Does no special processing for call-by-ref functions...
* Cannot be used on internal PHP functions.
* @param string $function name of function to be called
* @param array $params named array with parameters used for function invocation
*/
function call_user_func_named($function, $params)
{
  // make sure we do not throw exception if function not found: raise error instead...
  // (oh boy, we do like php 4 better than 5, don't we...)
  if (!function_exists($function))
  {
    trigger_error('call to unexisting function '.$function, E_USER_ERROR);
    return NULL;
  }
  $reflect = new ReflectionFunction($function);
  if ($reflect->isInternal())
  {
    trigger_error('cannot call by name internal function '.$function, E_USER_ERROR);
    return NULL;
  }
  $real_params = array();
  foreach ($reflect->getParameters() as $i => $param)
  {
    $pname = $param->getName();
    if ($param->isPassedByReference())
    {
      /// @todo shall we raise some warning?
    }
    if (array_key_exists($pname, $params))
    {
      $real_params[] = $params[$pname];
    }
    else if ($param->isDefaultValueAvailable()) {
      $real_params[] = $param->getDefaultValue();
    }
    else
    {
      // missing required parameter: mark an error and exit
      //return new Exception('call to '.$function.' missing parameter nr. '.$i+1);
      trigger_error(sprintf('call to %s missing parameter nr. %d', $function, $i+1), E_USER_ERROR);
      return NULL;
    }
  }
  return call_user_func_array($function, $real_params);
}

PHP Day 2006

I participated to the italian PHP day 2006, giving two talks. Met a lot of nice people, weather was excellent and food fantastic. Lots of interesting talks, both at the conference and at the restaurant.
Here are a couple of pictures taken at the event.
These are the slides (in italian, of course – PDF format) of my talk about php for webservices.
Those are the slides of the talk about php usage in the enterprise context (at SEA airports) I gave together with Elena Brambilla.

Tutorial on new features of the php-xmlrpc library

I found at last a little bit of time to write a nice tutorial about the new, wonderful capabilities of the phpxmlrpc library.

You can find it here