EverCrypt—developed and verified by the Project Everest team—offers the same features, convenience, and performance as popular existing cryptographic libraries without the bugs that leave protocols and applications vulnerable. Usable by verified and unverified clients alike, EverCrypt emphasizes both multiplatform support and high performance. We accomplish this by producing both platform-agnostic C code and optimized assembly code for specific hardware targets through the combination of two components of Project Everest: the HACL* cryptographic library developed jointly between Inria and Microsoft Research and the Vale-Crypto library of assembly primitives developed collectively between Microsoft Research and Carnegie Mellon University.

By Jonathan Protzenko, Researcher; Bryan Parno, Associate Professor, Carnegie Mellon University

The verification process is likely more complex than the code itself. Anyway, this is one great step. Read the full article over at Microsoft.

2019-03-15 @ 10:52: Referrer hell Browsers | PHP | Security

Relying on the HTTP referrer is bad. Everyone knows this, but at least the WordPress developers seem to ignore the fact. Also I never understood, why PHP keeps writing HTTP_REFERER with a single “R” in the middle. The correct term would be HTTP_REFERRER.

Anyway, instead of storing the current URL in $_SESSION[‘HTTP_REFERRER’] as one would normally do, WordPress checks for $_SERVER[‘HTTP_REFERER’] instead.

The PHP documentation is very clear on this to not trust this referrer:

‘HTTP_REFERER’
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Imagine the following case: you run WordPress from a sub-folder of the root-directory and the referrer is – for whatever reason – set to the web-root of the server, rather than the web-root of your WordPress installation. In fact this is the case on my development machine; I talk about the reason somewhere below.

Now, when you try to delete/recycle a post/page/whatever WordPress checks the referrer in post.php in line 55:

$sendback = wp_get_referer();
if ( ! $sendback ||
	 strpos( $sendback, 'post.php' ) !== false ||
	 strpos( $sendback, 'post-new.php' ) !== false ) {
	if ( 'attachment' == $post_type ) {
		$sendback = admin_url( 'upload.php' );
	} else {
		$sendback = admin_url( 'edit.php' );
		if ( ! empty( $post_type ) ) {
			$sendback = add_query_arg( 'post_type', $post_type, $sendback );
		}
	}
} else {
	$sendback = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'ids' ), $sendback );
}

For instance, the code above is taken from WordPress 5.1.1.

So, what happens when the referrer returned by wp_get_referer() contains the wrong URL? You’ll get redirected to anywhere, but the correct location. The only way to somehow fix this without messing with the code is to disable the referrer entirely. You still won’t get to the correct location, but at least you remain inside the WordPress web-root.

Why is the referrer wrong?

As stated above the referrer is set by the user agent (e.g. the browser). It seems like my Waterfox does not set the referrer correctly. For instance, it does not occur in Firefox and Opera. Looking at about:config in Waterfox I found the setting “network.http.referer.trimmingPolicy” being set to “2”. According to this page it will strip the referrer to its origin without any query strings etc.

Setting it back to its default solved the issue, but enables the browser to send the full referrer, which is not desirable by privacy means. On the other hand it did not break any other pages besides the WordPress backend, so I guess it’s time for the WordPress developers to fix their code.

UPDATE: Unfortunately, the following does no longer work with the latest Chromium version. :(
 

So, the autoplay policy for HTML5 videos in Chromium based browsers has been changed some time ago to disallow autoplay if the video contains audio. The intent was to not bother the user with sound being played automatically upon visitin a website, and in turn give him an option to selectively choose to have sound turned on/off for HTML5 videos. Well, I’ve found a nifty workaorund which allows you to play videos with sound automatically.

Create a video element as usual:

<video id="myvideo" src="myvideo.mp4" preload="auto" autoplay loop muted></video>

 

As you see the video is muted and will therefore play automatically in Chromium based browsers.

Now add this small JavaScript to unmute the video:

setTimeout(function() {
	var video = document.getElementById("myvideo");
	video.muted = false;
	console.log('Video unmuted.');
}, 1000);

 

This will unmute the video after one second. Bingo! Works like a charm. :)

Looks like the website of the beloved Gnome Connection Manager seems to be dead. I created a clone of the original code and will implement the fix mentioned here as soon as I find the code. It’s somewhere burried in a bunch of data on a pile of harddisks. What a mess!

I don’t like the WordPress plugin directory, so I publish my plugins only on Github. Grab the latest version here. Feel free to fork this. If you find a bug, please create an issue for that. I will have a look on that as soon as I have time.

Long time no see. Been busy relocating and doing lots of stuff. One thing I created last week is a retro space shooter in JavaScript based on the WADE game engine using a 2d canvas. It’s quite simple and still work in progress (the graphics need a complete rework), but fully working, yet. Check it out here and get the source code from my GitHub repo.

All JQuery dependencies have been removed from this site, and all functions which used it have been rewritten in plain JavaScript. The advantages are less code, higher speed and no need to take care of external libraries any more.

2017-03-07 @ 13:05: Cyanide and Happiness parser Fun | Python

In addition to the Dilbert parser I created a parser for the Cyanide and Happiness comic strips. It’s not optimized; I just created it with the idea in mind to get some results fast. So, I don’t check the webpage of a comic for its next comic id, but just increment by one. If the page doesn’t exist, put that id on the blacklist to skip future processing, otherwise download the comic.

2017-02-16 @ 15:34: Dilbert Parser Fun | Python

Being tired of visiting the Dilbert website, right-clicking the comic and selecting Save Image As … I used Alvaro’s code as a base to begin with. The problem with his script is, that it assumes the file type to be JPEG, while the actual file type of Dilbert comics differs from day to day. Also the script is very slow when checking already downloaded comics. Both issues have been fixed by me. Feel free to check it out in my GitHub account. Create a cronjob to have the script download the latest comic automatically every day. Don’t worry if you don’t have a server to run the cronjob for you. Upon execution the script will automatically download all missing comics besides the latest one.


  • About

    We never asked for this.