You're lucky... or have better hardware. I've got a Thinkpad T43 and about a third of the time it fails to come out of hibernation. Either it freezes on the "resuming windows" screen or I get a BSOD about "invalid queue" or something.
I'd bet that my issue and the Vista issue is hardware or some extra software related anyhow... i.e. not related to the OS.
This is /. and look at the confusion. Can you imagine mom and dad going to the store in a few months and trying to figure this crap out. The Best Buy and Circuit City salesmen are going to have fun... :)
Smarty is pretty useful, imo. I'll agree that it's bloated a little and I'd love to see a "Smarty-Lite" version that gets rid of the fat, though.
No matter what, you have to come up with a templating solution. You can use PHP, of course. Regardless of project size, it's useful, but you end up with raw PHP code in the template. If you're the programmer for each, that's fine, but you don't want to be handing over templates to your designers where they can enter any PHP code and have it executed (or error out your script if they hack something up incorrectly).
Or you can roll-your-own. It's a solution, but now you're screwing the guy that comes in behind you and has to figure out what you did. If you designed it well and commented / documented it, then perhaps whoever's next is set... but how many people can you rely on to do that?
Smarty gives you a decent solution compared to each of the others. You don't have raw HTML in the templates. Designers can have pretty much free rein of the templates and you don't have to worry about them much (it's on them to make them work, right!?). You've also got a documented third-party system that's fairly well known. I guess we could argue over whether it's well documented or not, but it suits my needs (the documentation, I mean).
I'm in no way involved with the development of Smarty, btw. Just a happy user.
Firefox has the same thing. Tools -> Options -> Content -> Advanced button by "Enable JavaScript" and check/uncheck what you want to allow JavaScript to do.
You can adjust browser.tabs.closeButtons in about:config to get the close button to your liking. Options are on each tab, single button on the right or no close buttons at all.
See EnhanceIE.com for some hacks that'll solve some of your issues.
I used to hate tabs when I first started using Firefox, too. I didn't see the point of them. They really grow on you, though. You can have multiple tabs open up for your start pages, middle-click to open links in new tabs, middle-click to close, etc. They really are useful unless you really only go to one or two sites at a time, ever...
If you read farther up, that's because IE7 uses ClearType to smooth out the letters. You can install ClearType as an XP PowerToy from MS, too, so it'll apply system wide (including Firefox).
Surprised no one's mentioned how messed up this new Slashdot commenting code is with IE7...
IE7 is far less integrated to the OS like IE6 was. Or at least it seems so. It used to be that you could open web addresses in My Computer and Explorer would "become" IE and navigate to the address. Now, doing the same thing triggers a Firefox window to open and navigate to the address, since Firefox is set to my default browser. Not a bad feature here, but interesting.
Another issue that I personally have, but won't apply to many others, is using a runas shortcut to get to Explorer. I used to have a shortcut that used runas to open IE6 as an administrator. Then I could type "Control Panel" or C:/ and go about my business with an admin window while still logged in as my normal restricted user. Very convenient and I rarely found myself logging on as an administrator to do anything. With IE7, it's merely a browser and you can't (that I've seen) get to the control panel or navigate the file system with it. If you type in C:\ for example, IE7 will open another Explorer window to the C: drive. What's really odd, though, is that this new window opens with the permissions of my restricted user even though the IE7 window was running as an administrator. Usually (or in the past) a window opened would inherit the user permissions of the parent. (FYI, pointing the runas shortcut to Windows Explorer doesn't work, nothing opens.)
Other than those issues, there's really no problems. It's a functional browser and not much else.
What misses the mark, though, is the majority of the add-ons for IE. I got excited once I started reading over the list until I realized most of them were not free. Paying for add-ons? Are you kidding me? Even the ones that are free sound good, but miss the mark when compared to similar add-ons that I'm familiar with.
There's an IESpell add-on that'll spell check text areas for you. Instead of underlining misspelled words like their Office app (and Firefox 2.0) does, you have to click a button to spell check the text areas for you. Functional, but annoying.
There's an InlineSearch add-on that'll find words as you type, ala Firefox or whoever had it first (I don't care who). However, instead of just searching as you type, you have to press Control-F first to open the search dialog along the bottom of the page. Maybe this is better for some people, but if you're going to copy something and make it different, at least give the option to make it behave like whatever you copied. The other problem with this add-on is that it only installs for the user who runs the .exe file. That sounds good, and similar to extensions on a per-user basis in other browsers, except you have to be an Administrator to install the extension. So unless I want to (and I don't) run as an administrator (or mess with file permissions somewhere within "Program Files"), I can't. Functional, but annoying.
Then there's Fiddler which promises to be like LiveHTTPHeaders in Firefox. For the most part it is, but again, it just misses the mark. First, it's just another program and other than capturing HTTP requests that IE makes, I don't see how it's really an add-on for IE. Second, a big feature of LiveHTTPHeaders (and others, I'm sure) is that you can replay HTTP requests after modifying any of the request headers and see the results in the browser. Unless I missed something, Fiddler lets you replay the modified HTTP request, but only shows you the raw HTML response, instead of actually loading it into a browser window. Functional, but annoying.
There are others that are annoying, too, mostly by requiring administrator permissions for some obscure installation folder, but some are good. The NoMoreCookies add-on is useful since IE7's cookie management is non-existent. I did not find any way to delete individual cookies or view their contents. There's a DevToolbar that has some useful features, too. Not that I have a use for them, but there are StumbleUpon and MouseGesture add-ons for IE7, to
BTW, setting browser.tabs.closeButton to 3 in about:config will restore the "old" one close-button configuration. Not sure if that's too annoying for you or not, though.
Just found out about this from a more recent article. :)
Did either of you actually read through the bug report on Bugzilla, or did you just link to something old? The first bug is actually a strict following of the RFC for cookies. Since it can be exploited if web sites do not set and check their cookies correctly, people are expecting Mozilla to have the browser fix it for them.
For just an example of how much of a pain this check is, consider the following from the Bugzilla page. This is just for one domain and the same type of rules would need to be white/black listed within the Mozilla source code in order for any fix to work for this "bug".
> I'm not sure what to do with .jp. Specify that any .jp domain can't set a cookie
> for a parent domain? .jp domain can set cookies for 2nd level domain.
> For example, http://www.ntt.jp/ can set for ".ntt.jp" cookie.
> Of course, cannot set for ".jp".
> But following domains must not be able to set cookie to 2nd level.
> For example, http://www.city.shinagawa.tokyo.jp/ can set a cookie
> for ".city.shinagawa.tokyo.jp". But must not be able to set for
> ".shinagawa.tokyo.jp", ".tokyo.jp" and ".jp".
> Exceptionally, only following domains should be able to set cookies
> for 3rd level.
> city.sapporo.jp city.sendai.jp city.saitama.jp city.chiba.jp
> city.yokohama.jp city.kawasaki.jp city.nagoya.jp city.kyoto.jp
> city.osaka.jp city.kobe.jp city.hiroshima.jp city.kitakyushu.jp
> city.fukuoka.jp
> (Additionally, city.shizuoka.jp will start in Apr 2005.)
> For example, the site "http://www.metro.tokyo.jp/" should be allowed to
> set a cookie for ".metro.tokyo.jp". Of course, it's not allowed to set
> for ".tokyo.jp." and ".jp".
> If it says simply, "GEOGRAPHIC.jp" cannot set a cookie to the 2nd and the 3rd
> level. However, "(metro|pref|city).GEOGRAPHIC.jp" can set a cookie to the 3rd
> level. "XX.jp" cannot set a cookie to the 2nd level. The other ".jp" can set a
> cookie to the 2nd level.
> The above "XX" are "ad, ac, co, go, or, ne, gr, ed, or lg".
> The above "GEOGRAPHIC" are "hokkaido, aomori,... kitakyushu".
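The rules quoted above, turned into code as an added example (this is not code from the Bugzilla thread or from Mozilla): a check of the kind a browser would have to carry for every top-level domain with its own registration structure. The GEOGRAPHIC list is a constructed subset, since the quote elides the full list, and the hosts in the worked checks are the ones named in the quote plus a constructed `www.example.co.jp`. It needs PHP 8 for `str_ends_with()`.

```php
<?php
// Added example, not code from the Bugzilla thread or from Mozilla: a toy
// implementation of the .jp cookie-domain rules quoted above, to show the kind
// of per-TLD table a browser would need in order to "fix" this for web sites.

// Constructed subset of the "GEOGRAPHIC" labels; the quote elides the full list.
const JP_GEOGRAPHIC = ['hokkaido', 'aomori', 'tokyo', 'kitakyushu'];
// The "XX" organisational second-level labels named in the quote.
const JP_ORG = ['ad', 'ac', 'co', 'go', 'or', 'ne', 'gr', 'ed', 'lg'];
// Domains the quote lists as exceptionally allowed to set 3rd-level cookies.
const JP_CITY_EXCEPTIONS = [
    'city.sapporo.jp', 'city.sendai.jp', 'city.saitama.jp', 'city.chiba.jp',
    'city.yokohama.jp', 'city.kawasaki.jp', 'city.nagoya.jp', 'city.kyoto.jp',
    'city.osaka.jp', 'city.kobe.jp', 'city.hiroshima.jp', 'city.kitakyushu.jp',
    'city.fukuoka.jp',
];

/**
 * Smallest number of labels a cookie Domain attribute may have for a .jp host.
 * Returns null for hosts outside .jp (this toy only knows the quoted rules).
 */
function jpMinCookieLabels(string $host): ?int
{
    $labels = explode('.', strtolower(rtrim($host, '.')));
    $n = count($labels);
    if ($n < 2 || $labels[$n - 1] !== 'jp') {
        return null;
    }
    // Explicit exceptions: city.sapporo.jp and friends may set cookies at the 3rd level.
    if ($n >= 3 && in_array(implode('.', array_slice($labels, -3)), JP_CITY_EXCEPTIONS, true)) {
        return 3;
    }
    $second = $labels[$n - 2];
    if (in_array($second, JP_ORG, true)) {
        return 3;   // "XX.jp" cannot set a cookie for the 2nd level
    }
    if (in_array($second, JP_GEOGRAPHIC, true)) {
        $third = $n >= 3 ? $labels[$n - 3] : '';
        // (metro|pref|city).GEOGRAPHIC.jp may set at the 3rd level; everything else needs a 4th.
        return in_array($third, ['metro', 'pref', 'city'], true) ? 3 : 4;
    }
    return 2;       // any other .jp name may set a cookie for its 2nd-level domain
}

/** Would a Set-Cookie from $host with Domain=$domain be accepted under these rules? */
function jpCookieDomainAllowed(string $host, string $domain): bool
{
    $host   = strtolower(rtrim($host, '.'));
    $domain = strtolower(ltrim($domain, '.'));
    // The cookie domain must domain-match the host that is setting it.
    if ($host !== $domain && !str_ends_with($host, '.' . $domain)) {
        return false;
    }
    $min = jpMinCookieLabels($host);
    if ($min === null) {
        return false;
    }
    return count(explode('.', $domain)) >= $min;
}

// Worked checks taken from the quote above (www.example.co.jp is constructed).
$cases = [
    ['www.ntt.jp',                  '.ntt.jp',                  true],
    ['www.ntt.jp',                  '.jp',                      false],
    ['www.city.shinagawa.tokyo.jp', '.city.shinagawa.tokyo.jp', true],
    ['www.city.shinagawa.tokyo.jp', '.shinagawa.tokyo.jp',      false],
    ['www.city.shinagawa.tokyo.jp', '.tokyo.jp',                false],
    ['www.metro.tokyo.jp',          '.metro.tokyo.jp',          true],
    ['www.metro.tokyo.jp',          '.tokyo.jp',                false],
    ['www.example.co.jp',           '.example.co.jp',           true],
    ['www.example.co.jp',           '.co.jp',                   false],
    ['www.city.sapporo.jp',         '.city.sapporo.jp',         true],
    ['www.city.sapporo.jp',         '.sapporo.jp',              false],
];
foreach ($cases as [$host, $domain, $expected]) {
    $verdict = jpCookieDomainAllowed($host, $domain) === $expected ? 'as quoted' : 'MISMATCH';
    printf("%-28s Domain=%-26s %s\n", $host, $domain, $verdict);
}
```

Every table here is one top-level domain's worth; the point of the comment is that a browser-side fix needs such a table for each of them and has to keep it current (note the "will start in Apr 2005" line), which is why the rules are so painful to enforce in the browser rather than at the site that sets and checks the cookie.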
That'd be nice. I've got an IBM/Lenovo T43 with a Trackpoint. There is a middle button, but it can only be configured for scrolling or magnifying. If anyone knows of some other drivers that'll allow this button to be "clicked", let me know.
There's a Trackpad, too, but that abomination is disabled.
If all of the tabs you want to close are in a row, then yeah, a single button in the same location is great. For myself, though, it's usually a couple of tabs scattered throughout the ones I have open that I want to close. Having the button on each tab makes this easier overall, although I'll admit it took a few days to get used to.
If you use a mouse with a middle button (I'm on a laptop w/o a mouse), then middle-clicking anywhere on the tab will close it. That's the easiest overall. I wish my laptop had a middle button instead of just a scroll button. :)
/savecred... awesome. Thank you. I've been using runas for quite a while to have shortcuts to a command prompt, file explorer and a text editor from my regular user account. Works great and I rarely ever have to log in as an actual admin.
Although, obviously this password is saved somewhere, right? Any known security issues with having Windows remember the password in this manner? I'm not really too worried about it, though, just curious.
You should teach the idiots how to use the TrackPoint correctly, then. You only need one hand. Index finger is on the TrackPoint and the thumb is on the buttons. You can press any of the three buttons with your thumb and it's easy to hold them down while you're dragging something. The contours on the buttons make it real easy to press, too, not like the sunken buttons on the Dells.
The first thing I did on my Thinkpads was disable the horrible trackpad thing.
But you only made it "safe" to display on an HTML page or within a form on an HTML page. You're right, the options are endless and it all depends on where the data is going. If all of your data goes to an HTML page or form, sure, you just protected it. If you have DELETE FROM table WHERE id = {$id} and $id can in any way come from user input, running it through htmlentities() doesn't protect you from crap. If you're taking the form data and placing it into email headers at all, you haven't protected anything... although the spam messages would probably come out pretty worthless with everything converted to entities. Still doesn't stop a malicious user from spamming... Sanitize/validate the data for where it's going and don't rely on a single function to do it all for you.
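As an added example (not the commenter's code), here is one form field sent to the three destinations the comment names, each handled for where it is going: HTML output is encoded, the SQL id is validated and bound rather than spliced in, and a mail header value is rejected if it contains a line break. The table, the inputs and the `items` table name are constructed; it needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not the commenter's code: the same form data handled three
// different ways depending on where it is going. All inputs are constructed.

// 1. Going into an HTML page: encode for HTML. ENT_QUOTES covers attribute
//    values as well as text, and the charset is stated explicitly.
function forHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Going into SQL: do not escape, bind. The id never becomes part of the
//    query text, and it is validated for what an id is allowed to be.
function deleteById(PDO $db, string $id): int
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id');   // constructed table
    $stmt->execute([':id' => (int) $id]);
    return $stmt->rowCount();
}

// 3. Going into a mail header: a header value must never contain CR or LF,
//    because a line break would start a new header (e.g. an extra Bcc:), and
//    an address field must actually hold an address. htmlentities() leaves
//    line breaks alone, so it does nothing for this destination.
function mailHeaderValue(string $field, string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break");
    }
    return trim($value);
}

function fromAddress(string $value): string
{
    $addr = filter_var(mailHeaderValue('From', $value), FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        throw new InvalidArgumentException('From is not a valid address');
    }
    return $addr;
}

// --- Constructed inputs, as a contact form might receive them ---
$name  = '<b onmouseover="x()">Bob</b>';
$id    = '1 OR 1=1';                                // harmless here: it never reaches the SQL text
$email = "bob@example.com\r\nBcc: everyone@example.org";

echo forHtml($name), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (name) VALUES ('a'), ('b'), ('c')");
try {
    deleteById($db, $id);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo deleteById($db, '2'), " row(s) deleted\n";

try {
    fromAddress($email);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo fromAddress('bob@example.com'), "\n";
```

The three functions are deliberately not interchangeable: `forHtml()` would happily pass the CRLF-laden address through, and `mailHeaderValue()` would happily pass the `<b onmouseover>` markup through, which is exactly the comment's point about choosing the check for the destination.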
Sure, all true. But a programmer that lazy is just going to switch everything to $_POST['login'] and drive on with the crappy code. Don't blame register_globals, blame the programmer.
You're embarrassing. This article was about one way to exploit an XSS hole. It's not the only way. If slashdot were vulnerable within their comment system, I would not have to use another site as a part of the exploit. Many sites will take the exploit code, happily store it in the database for you and then run it for every person that views the product page, profile page, etc.
Other similar attacks like this can use unvalidated user input to inject mail headers and data into seemingly unimportant contact forms and use that server to send out spam.
This attack vector had nothing to do with session fixation, though. This attack simply grabs the session ID from the user right before they log in. It lets PHP set the session ID.
Although session fixation is another attack that programmers should account for and fix within their programs.
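An added example, not from the thread, of the mitigation side of what the comment describes: if the session ID a user carried before logging in is still the ID after login, anyone who read it beforehand (for instance via the XSS the article discussed) holds the logged-in session. Rotating the ID at the moment of login, and keeping the cookie out of script's reach, closes that window and also defeats the fixation variant mentioned in the last line. The credential check is a constructed stand-in, and `secure` is left false only so the script runs from the CLI.

```php
<?php
// Added example, not from the thread: rotate the session ID at login so a
// pre-login ID that leaked (XSS, a shared URL, a fixed cookie) is worthless
// afterwards. Cookie settings here are assumptions for a CLI demo.

ini_set('session.use_only_cookies', '1');   // never accept an ID from the URL
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'httponly' => true,    // document.cookie cannot read it
    'samesite' => 'Lax',
    'secure'   => false,   // set true behind HTTPS; false only so this runs on the CLI
]);
session_start();

// Constructed stand-in for a real user store: one user, one hashed password.
function checkCredentials(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // Privilege level changed: discard the pre-login ID and its server-side file.
    session_regenerate_id(true);
    $_SESSION['user']         = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

$before = session_id();
if (login('alice', 'correct horse')) {
    $after = session_id();
    echo "pre-login id:  $before\n";
    echo "post-login id: $after\n";
    echo $before !== $after ? "id rotated at login\n" : "id NOT rotated\n";
}
```

Calling `session_regenerate_id(true)` rather than `session_regenerate_id()` matters: the `true` deletes the old session data instead of leaving a second copy that the old ID still resolves to.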
> disable register_globals, use $_GET, $_POST and $_COOKIE instead.
Why? There's no security gained by making this change. Shitty programmers can write shitty, insecure code with register_globals enabled or disabled. I guess if you make a habit of running just anyone's code on your server, then turning this off may disable a specific vector, but certainly not all of them. The whole "register_globals enabled is bad for security" myth is just that. Bad programmers are bad for security and always will be.
As if anyone with a windows box has a choice in the matter.
There is a Toolkit to Disable Automatic Delivery of Internet Explorer 7 available. And surprise, surprise, it's not actually a link to Opera or Firefox...
---John Holmes...
Second that. I'd love to see that feature.
There's always Ctrl-W, I guess. :)
---John Holmes...
What other models/vendors are available that are as durable as a Thinkpad and cheaper?
Umm...no. Go back and read the article again.
Uhm... no. Do you want me to read it again? Is there something I should look for in particular?