A Lightweight Distributed Bug Tracker
I started using Mercurial to track my code a few months ago, and I absolutely love it. It gives me peace of mind when I make changes, and makes sharing my code between computers and with other people a breeze. Bug tracking is outside the normal realm of version control, but I realized the ease with which you can set up Mercurial would make an integrated bug tracker ideal: it lives with the code and updates with code changes, so every revision would be not only a snapshot of the codebase but also the state of all known bugs.
After looking around at other options, I shelved the idea, unsatisfied with what I'd found, until I came across an elegant little task manager called t. It seemed almost ideal for what I envisioned: lightweight, well suited to tracking with version control, and easy to use. But it lacked some key features I really wanted, so I set about improving on it, and the end result is my new distributed bug tracker, b. While not a replacement for large bug tracking utilities like BugZilla, it's a great little tool for tracking bugs in projects that don't need all the extra fluff such larger tools provide.
This is a mostly useless post, just me playing around with Java applets and some fun little code I wrote a while back. As a challenge, can you figure out what this applet is doing?
If you guessed "it's a clock!" you're right! After reading this Gizmodo article on a piece of concept art, I decided to make it, in Java!
Never Trust Anything User Side - DUR!
I just read this article (Well-Intentioned Destruction) on The Daily WTF about a developer's experience with a client's whole system being deleted randomly and without apparent reason. After lots of hunting and digging around he discovered that a web crawler was following the links that deleted every article it crawled, treating them as just more links.
They'd never run into this problem before, since they used header('Location: index.php'); to redirect visitors away from restricted pages if they're not logged in. But the Location header does not deny access to the original page; it is simply an HTTP instruction asking the client to go to a different page instead. Any system connecting over HTTP, and especially a crawler, can choose whether or not to obey a Location header, so the Location header cannot be trusted for any kind of security.
What did they need to do to resolve this bug? A deep code review with this new knowledge would be wise, but all it takes to ensure that protected data is not served and protected commands are not run is to add exit; after the header() call. That stops the PHP script from executing, so nothing after the redirect can output protected data or run a protected command.
It's interesting to note the different paradigms of thought different people go through, because the WTF blog suggests instead changing the delete command from a GET URL to a POST button, so that crawlers won't hit it anymore. That's true, but it disregards the real problem entirely: a crawler stops sending the request, but anyone else can still send a POST. Button or link, without a command that stops all execution when the visitor is not authenticated, the security hole remains, modified, but just as big and gaping.
An Easy Fix:
if (!isset($_SESSION['usr_id']) || !isset($_SESSION['usr_name'])) {
    header('Location: index.php'); exit; // exit is the fix: the redirect alone does not stop execution
}
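A complete delete handler built around that check, as an added example rather than code from the post or the Daily WTF article. It assumes a hypothetical delete.php that receives an article id, a hypothetical delete_article() stand-in for the real database call, and the same $_SESSION keys the post uses.

```php
<?php
// Added example, not from the original post. Hypothetical delete.php.
declare(strict_types=1);

session_start();

// The bug the post describes has this shape: the redirect is sent, but the
// script keeps running, so a client that ignores the Location header still
// triggers the delete.
//
//     if (!isset($_SESSION['usr_id'])) { header('Location: index.php'); }
//     delete_article((int) $_GET['id']);   // still runs for that client

// The redirect is only a suggestion to the client; exit is what actually stops
// the script, so it must follow the header() call.
function require_login(): void
{
    if (!isset($_SESSION['usr_id']) || !isset($_SESSION['usr_name'])) {
        header('Location: index.php');
        exit;
    }
}

// Stand-in for the real delete query (hypothetical). A real version would run a
// parameterised DELETE against the articles table.
function delete_article(int $id): bool
{
    error_log("would delete article $id");
    return true;
}

require_login();

// Switching the link to a POST form keeps well-behaved crawlers away from the
// delete URL, but it is not an access check: anyone can send a POST. The session
// check above is what protects the data; the method check is just good hygiene
// for a destructive action.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit;
}

delete_article($id);
header('Location: index.php');
exit;
```

You can see the difference with curl, which does not follow Location headers unless you pass -L: a page that redirects without exit answers the unauthenticated request with a 302 and the full page body (or, here, the side effect of the delete), while the version above sends the 302 and nothing else.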
Just Add Salt
I've always been annoyed by websites and systems that restrict what kind of password you can use. GoDaddy, for instance, requires its FTP passwords to contain an uppercase letter and a number or it will not accept them, and UC Davis requires your password to be at least 7 characters long (and, strangely, no more than 8). At first glance this looks like good security practice, preventing users from picking weak passwords. But a properly built system should protect its stored passwords just as well whether a user picks something terrible like 'apple' or something ridiculous like '@pPl3S4uCe': salted, slow hashing is what keeps a leaked database from giving up every account, and no password policy substitutes for it. (The salt does not make a weak password hard to guess; it makes the stored hash resist precomputed tables and cross-user matching, which is the storage-side problem this article is about.) This article is an in-depth analysis of the several options developers have for safely storing users' passwords, and why requiring hard passwords is not the way to go.
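The storage choices the article compares, as an added example that is not the post's own code: an unsalted hash, a hash with a per-user random salt, and PHP's password_hash(). The two sample users and their shared password are constructed for the demonstration.

```php
<?php
// Added example, not from the post. Constructed sample users; no real credentials.
declare(strict_types=1);

// Unsalted hash: every user with the password "apple" stores the same digest,
// and a precomputed (rainbow) table of common passwords reverses it instantly.
function unsalted_hash(string $password): string
{
    return hash('sha256', $password);
}

// Per-user random salt: the same password gives a different digest for each
// user, so precomputed tables are useless and one cracked hash says nothing
// about the rest of the table.
function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

function salted_hash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// What to actually use: password_hash() generates the salt itself and applies
// a slow, tunable work factor (bcrypt here), so each guess costs real time.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed sample: two users who both chose "apple".
$users = ['alice' => 'apple', 'bob' => 'apple'];

foreach ($users as $name => $password) {
    $salt = make_salt();
    printf("%-6s unsalted=%s\n", $name, substr(unsalted_hash($password), 0, 16));
    printf("%-6s salted  =%s (salt %s)\n", $name, substr(salted_hash($password, $salt), 0, 16), $salt);
    $stored = store_password($password);
    printf("%-6s bcrypt  =%s verify=%s\n", $name, $stored, check_password($password, $stored) ? 'ok' : 'FAIL');
}

// Caveat: salting and a work factor protect the stored hashes, not a guessable
// password. A dictionary attack still tries "apple" early; the cost parameter
// only makes each attempt slower.
```

Run it twice and the unsalted digests are identical for alice and bob on both runs, while the salted and bcrypt values differ between users and between runs; password_verify() still accepts the right password because the salt and cost are stored inside the hash string.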
So I've had the same-looking site for about three years now, and though it's gone through several versions and improvements on the backend, I haven't really done much of anything to the look and feel of it, and I think it's high time I changed that. I am, however, not all that great on the design side of web development, so if you have any thoughts, or best of all design skills of your own, I would love to collaborate with you.
I'm not looking to spend large sums of money here, but if you wanted, I would be happy to pay a decently small fee, or even better, develop and maintain a site for you as compensation.
You can contact me here or through my contact page if you're interested.