Monday, 20 October 2008

the short tag

Walking to the Amstel Station this morning, the sun was peeping just over the horizon and colouring the sky pink.

sunrise in amsterdam east

By the time I got to work the sun had risen sufficiently to colour the trees.

science park in autumn colours

In the morning colleague D and I started looking for the security hole he claimed he had found in the new web server last Friday. Some PHP scripts were not executed, but showed their content. One of these had the password to a database in its content. Bad news. The strange thing was that only a portion of the PHP scripts were not executed. Finally I put a phpinfo() script in the directory with the non-executing scripts. My script executed… That meant that it wasn't a problem of the web server, but of the non-executing script. I checked the content and immediately D and I shouted at each other "short_open_tag"!

Let me explain (you can skip this part if you're not a geek).

PHP scripts start with a token: <?php
If you enable the short_open_tag setting in PHP's configuration file, you can also use the shorter tag <?, i.e. you can leave off the word php.

The scripts we were looking at all used the short tag, which in the newer versions of PHP is switched to 'off' by default. This meant that all scripts which use the short tag were not executed by the web server as a script, but served as plain text instead. And this is why we could see the source of the scripts. We changed the configuration to allow short tags and our problem went away.

The funny part here is that we had a security incident because the default of a program was a more secure mode. Usually it is the less secure default modes that bite you!
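A way to find the affected scripts before the setting changes, as an added example that is not code from the original post: it walks a web root and reports every .php file that opens PHP with the short tag and would therefore be served as plain text with short_open_tag off. The function names and sample files are constructed for illustration; it assumes that <?= only depends on short_open_tag before PHP 5.4, which the echo_needs_short_tags flag covers.

```python
import re
import tempfile
from pathlib import Path

# "<?" that is not "<?php", "<?xml" or "<?=". Heuristic: a "<?" inside a PHP
# string literal is also reported, so review each hit by hand.
SHORT_TAG = re.compile(rb"<\?(?!php\b|xml\b|=)", re.IGNORECASE)
# "<?=" only depends on short_open_tag before PHP 5.4.
ECHO_TAG = re.compile(rb"<\?=")


def find_short_tags(source, echo_needs_short_tags=False):
    """Return 1-based line numbers that open PHP with a short tag."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SHORT_TAG.search(line) or (
            echo_needs_short_tags and ECHO_TAG.search(line)
        ):
            hits.append(lineno)
    return hits


def scan_tree(root, echo_needs_short_tags=False):
    """Map each .php file under root to the lines that would leak as text."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_short_tags(path.read_bytes(), echo_needs_short_tags)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree(root):
    """Write constructed sample scripts (not from the original server)."""
    samples = {
        "db.php": b'<?\n$db_password = "constructed-placeholder";\n?>\n',
        "info.php": b"<?php phpinfo(); ?>\n",
        "view.php": b'<?php $t = "hi"; ?>\n<h1><?= $t ?></h1>\n',
        "feed.php": b'<?xml version="1.0"?>\n<?php echo "ok"; ?>\n',
    }
    for name, body in samples.items():
        Path(root, name).write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, lines in scan_tree(tmp).items():
            print(f"{name}: short open tag on line(s) {lines}")
```

Running this against a site before moving it to a new server shows which scripts need either the full <?php tag or short_open_tag enabled.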

The rest of the morning D and I spent looking at the rest of the server config. Between the two of us we managed to streamline the configuration and get the server running with the Secure Certificate working for all directories.

In the afternoon I took a photo of the finished ATLAS banner. I hadn't seen it complete yet. The door was now completely covered. I think it looks great. It also looks big…

the finished big banner

Later in the afternoon the CMS consultant, B, dropped in. We'd asked him to come by to solve a few problems we were having with the CMS. B and I managed to get all our problems sorted out in an hour and a half. Clever hacks and black coffee were applied… There was stuff on the list that had been vexing us for a few months. Today was one of those days you're on a roll and everything you touch just works. Brilliant!

frankendael park

I walked home past Frankendael; autumn is really setting in now with all the coloured, dead leaves falling everywhere.

fallen leaves

I dined on the second half of yesterday's Kai Pad med Mamuang.

