Posts about code

Playing with Pickle Security

Posted by Nicolas Lara on March 22, 2013. Filed under code

Reading about the latest vulnerabilities in Rails, got me thinking about a similar issue we have in Python.

It is well known that using pickle on untrusted data is insecure to the point of allowing arbitrary code execution. Or at least it should be.

If we head to the official documentation for pickle we’ll find this warning:

Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

Now, how many of us check the official pickle documentation (or the official docs for any other module) every time we’re going to use it? Even if we’ve read that warning before, it’s easy to forget it and mistake pickle for any other serialization format (especially when solving a problem for which pickle is just a tool). We might even be using someone ...

Introduction to Django Selenium Testing

Posted by Marco Louro on November 2, 2012. Filed under code, django

If you’ve never heard of Selenium, put simply, it’s a tool that allows you to create tests that are run in the browser and interact with your UI in the same way as if you were manually testing your website or app. It’s the de-facto standard to test complex Web UI interactions that usually involve a heavy use of JavaScript, and that’s probably the main use-case for it. Other than that, we also use it sometimes as a helper tool for cross-browser design (CSS) testing by running Selenium tests through different browsers and taking screenshots or recording videos.

Selenium’s been around for a long time now, and is available in various programming languages, but up until Django 1.4 came along you couldn’t have your Selenium tests (easily) integrated with your Django test suite. Since then, a new class named LiveServerTestCase, that your Selenium ...

What is WebRTC?

Posted by Graham King on September 12, 2012. Filed under code

WebRTC, short for Web Real Time Communications, is a specification and project adding JavaScript APIs in the browser to:

1. Access a user’s webcam and microphone: getUserMedia.
2. Connect directly to another browser: PeerConnection and DataChannel.

The main use case is video calling; Google wants to build Talk and Hangouts in JavaScript. The spec provides many more example use cases.

If you have Google Chrome 21+ (latest stable) or Opera 12+, you can try it now:

Is it ready?

No, but don’t let that stop you. The specification is still evolving, and vendor prefixes are the rule (except in Opera). Right now, you can get video from a webcam reliably in Chrome and Opera.

Web applications have a new input ...

What is SPDY?

Posted by Graham King on July 12, 2012. Filed under code

[Image: Baloo] This is HTTP: a big friendly unsecured clear-text, line-oriented bear.

[Image: Baloo] This is SPDY: a multiplexed binary TLS-wrapped protocol from the future.

SPDY (pronounced speedy) is a replacement for HTTP, and feels like a wrapper for it. SPDY is a packet (frame) oriented binary protocol, usually wrapped in TLS (SSL), and as such a little harder to follow than HTTP. Our carefree days in the jungle, surviving on the bare necessities and debugging connections with telnet, are coming to an end. In exchange, we get faster-loading apps, which are secure by default.

The most important goal of SPDY is to transport web content using fewer TCP connections. It does this by multiplexing large numbers of transactions onto one TLS connection.
– From: http://hacks.mozilla.org/2012/02/spdy-brings-responsive-and-scalable-transport-to-firefox-11/

SPDY should require no changes to a web application, in the same way that you can usually ignore whether your app ...

Referrer Blocking is Hard

Posted by Peter Baumgartner on June 27, 2012. Filed under code

One of my recent tasks in Ginger was to ensure that we weren’t leaking referrer URLs when you click on an external link in Ginger. It seemed like an easy task and one that’s probably been solved before. What I found was a trainwreck of solutions and a classic example of the trade-off between security and usability.

The Problem

We use human-readable slugs in our URLs in Ginger. It makes it easy to identify where a link goes just by looking at it. It’s a win for usability. We also allow users to create links to external sites in the messages they create. Another usability win.

The problem is when a user clicks on one of these links, the URL from Ginger could be sent as the HTTP Referrer to the external site. This is bad for security and privacy. Those nice URLs could leak sensitive information ...

Running your own Self-Hosted Etherpad Instance

Posted by Marco Louro on December 18, 2009. Filed under code, open source

Etherpad is an amazing real-time collaborative editor with a very low barrier to entry (no logins, no additional software, etc.). In case you missed it, Etherpad was acquired by Google and, after a community uproar, Google decided to release its code as open source under the Apache License 2.0.

We were excited to get it up and running for our own internal use. What follows is a step-by-step guide to how we propped it up on our development servers.

Caveats:

  1. We’re not Java guys, so if there is something we could be doing better, let us know.
  2. The default setup of Etherpad is RAM hungry. Make sure you have at least 256MB free before you get started.
  3. Our instructions are Ubuntu/Debian specific, but should be easy to translate to a different distribution.

Step 1: Get the Requirements

mkdir /opt/webapps/etherpad/ && cd /opt/webapps/etherpad/
sudo aptitude install ...

Easy Fabric Deployment, Part 2: Multiple Committers and the Dreaded Umask

Posted October 7, 2009. Filed under code, django

In part 1, we showed how we use Fabric to update and deploy Django sites to our development server with a single command. This works great when you only have one developer pushing changes to the server, but what happens when multiple committers need to update the development server?

Linux File Permissions

Typically, the default permissions for newly created files are readable by everyone and writable by the owner (644 or -rw-r--r--). These permissions are determined by the process’s umask, with the default being 022. Since we want multiple committers to be able to write to files on our development server, we need to change that to 002, creating group-writable files (664 or -rw-rw-r--).

The standard way to do this is to add the line umask 002 to /etc/profile. While that works great for interactive shells, it does not get called on non-interactive shells (the kind that Fabric ...

Easy Fabric Deployment, Part 1: Git/Mercurial and SSH

Posted by Peter Baumgartner on September 22, 2009. Filed under code, django

We’re firm believers in the practices described by the Continuous Integration method of software engineering. Among those are:

  • Maintain a code repository
  • Automate the build
  • Automate deployment

We use git for our code repositories and Fabric to automate our build/deployment process. The tiny bit of overhead it takes to write out a Fabric script pays off very quickly against the tedious and error-prone practice of manually building/deploying. In building our “fabfile”, we encountered a couple of issues that took a little head-scratching to work out.

Git and SSH Keys

Git, like Mercurial and others, confirms your credentials via a private/public key pair when used over SSH. We use gitosis to manage our private repositories, so managing everyone’s keys isn’t much of an issue. The problem comes when developers need to start pulling the repository on different machines. Our developers all push to a central ...

Using Django Inside the Tornado Web Server

Posted by Yann Malet on September 15, 2009. Filed under code, django

Inspired by Eric Florenzano’s talk, Using Django in Non-Standard Ways (slides in PDF) at DjangoCon and the announcement of Tornado (tornadoweb.org), I decided to try building a small application using the Django Form library and Django ORM inside Tornado. The process proved easier than I expected, especially with Russell Keith-Magee being able to provide guidance on demand.

Step 1: Create Your Database

While Russell explained that it should be possible to get commands like syncdb running outside of a traditional Django project, it was outside the scope of this small experiment. Instead, I created an SQLite database manually. For those of you who have forgotten how to do this, this will get you started:

# sqlite3 dev.db

sqlite> CREATE TABLE message (id integer primary key, subject varchar(30), content varchar(250));
sqlite> insert into message values(1, 'subject', 'cool stuff');
sqlite> SELECT * from message;

Step 2: Write Your ...

Highlighting Named Anchors with jQuery

Posted by Peter Baumgartner on April 17, 2009. Filed under code

I’ve always disliked the way named anchors (<a href="#name">...</a>) behave in browsers. It jumps your viewport to a different part of the page, but it’s rarely obvious which section you have landed on. If the page is long enough, the referenced section will start at the top of your browser, but where does it end? If the content is towards the bottom of the page, it may not be at the top of the page, but somewhere in the middle. And what if your content is in two columns? Or a table? What you’ve linked to becomes totally ambiguous.

Sphinx uses named anchors quite a bit, so I wanted something that would improve their usability for Django Best Practices. That’s when I dug up this clever little jQuery snippet from our code vault.

// highlight and fade background on named anchors
// requires jquery.color.js ...

Getting RequestContext in Your Templates

Posted May 10, 2008. Filed under code, django

Lately, we’ve been taking over projects from people who began building their first site in Django, but either got in over their head or just found they didn’t have the time to continue. As I review the existing code, the first issue I typically see is using the render_to_response shortcut without including the RequestContext, preventing context processors from being used in the templates. The standard symptom is when people can’t access MEDIA_URL in their templates.

Here are a few ways to add RequestContext to your templates.

Option #1: Adding RequestContext to render_to_response

The Django documentation recommends passing RequestContext as an argument to render_to_response like this:

from django.shortcuts import render_to_response
from django.template import RequestContext

def my_view(request):
    # View code here...
    return render_to_response('my_template.html',
                              my_data_dictionary,
                              context_instance=RequestContext(request))

This works, but as you can see, it adds a fair amount of repetitive code to your views ...

Google App Engine First Impressions

Posted April 8, 2008. Filed under code, django

For those of you that have been hiding under a rock for the last 12 hours, App Engine is Google’s answer to Amazon Web Services. While it is less flexible in some senses (you don’t have a complete OS at your disposal), it does provide tighter integration for web applications and even includes a (somewhat crippled) version of Django out of the box.

I’m pretty excited about this mainly because I’m not a big fan of server administration, so I took a couple hours this morning to test it out. Here are some quick notes:

The Good

The ...

Reusable Django Apps and Forking

Posted April 4, 2008. Filed under code, django

One of the things that drew me towards Django was the idea of being able to create reusable applications that would sit on my PYTHONPATH instead of copied across multiple sites. Coming from WordPress, the constant security updates that required me to revisit old projects began to drive me mad.

Trouble in Paradise

With some real world Django experience under my belt, I find myself re-using apps all the time, but not how I originally expected. A fair amount of my client work comes from building content management systems, so I started out building a generic app like flatpages but more extendable and a blogging app. I dropped them in my PYTHONPATH and started adding them to INSTALLED_APPS on my projects.

Over time, they evolved and improved, but they started to handcuff me. I started thinking things like, “This would be a great feature for Project X, but it would ...

Serving Django via CherryPy

Posted March 25, 2008. Filed under code, django

Download django-cpserver Now at GitHub

Background

A few months ago, I got sick of trying to deploy Django sites on my cPanel server and got a VPS at Slicehost. Thanks to SuperJared, setting up Apache/mod_python behind an Nginx frontend was a snap.

I started deploying and migrating sites to the new server and kept an eye on my server resources via Munin. I had about 10 sites running on a 1GB Slice, but the Apache processes were hogging all the RAM. Restarting Apache would bring memory usage down to around 500MB, but within a couple of hours it would be using all my available RAM, with individual processes using as much as 120MB.

I started asking questions and trying different options including mod_wsgi, verifying projects weren’t in debug mode, etc. Nothing made a difference.

CherryPy to the Rescue

I came across Loic d’Anterroches’ script to run Django ...

Django FormMail Clone

Posted March 14, 2008. Filed under code, django

Here’s a little nugget I just posted to Django Snippets. It emulates the behavior of an old Perl script I used way back when, FormMail.pl.

I often find myself needing to build a form whose contents get emailed to the site owner(s). This class lets you call form.notify() on any form that is a subclass of it to have the fields ordered and sent in a plain text email to all users that are flagged as staff.

from django import newforms as forms
from django.contrib.auth.models import User
from django.contrib.sites.models import Site
from django.core.mail import send_mail

class FormMail(forms.Form):
    def notify(self):
        """
        Sends an email to all members of the staff with ordered list of fields
        and values for any form that subclasses FormMail
        """
        site_name = Site.objects.get_current().name
        form_name = self.__class__.__name__
        subject = '%s %s Submission ...

Better Use of Newforms

Posted March 13, 2008. Filed under code, django

The newforms library is a huge time-saver, but when I first started using it, I still found myself writing tedious repetitive code to get it to function how I wanted. While I could get away with it on smaller sites, I recently built a site with some big forms on it and decided to improve my process.

HTML Rendering

First off, {{ form }} or {{ form.as_p }}, rarely cut it in real world apps. We need to be able to customize our forms to improve the layout or add extra information. I started using inclusion tags to render the form fields and labels. Here is my trivial inclusion tag:

@register.inclusion_tag('_display_field.html')
def display_field(field, alt_label=''):
    """
    Print HTML for a newform field. 
    Optionally, a label can be supplied that overrides the default label generated for the form.
    
    Example:
    {% display_field form.my_field "My New Label" %}
    """

    if alt_label:
        field.label = alt_label
    return { 'field ...

Basecamp SVN Integration

Posted May 4, 2007. Filed under code, subversion

As promised, here is the follow-up to the SVN for Web Developers post: Basecamp integration.

Why?

Transparency is very important to my business. The #1 complaint I hear about web developers is that they rarely meet deadlines and the client has no idea what is happening with the work until one day it magically appears. To combat that, I use Basecamp to lay out milestones for all my projects. I’ve found that even if a project takes longer than a client would like, as long as they can count on a date that it will be delivered, they’re happy.

Milestones are usually pretty spread out and don’t give clients a good idea of what I’m doing day-to-day to meet them. Writing each Subversion commit to Basecamp gives my clients quick access to the current status of their project.

How?

Luckily, all the hard work is done ...

WordPress Plain Text Paste Plugin Version 0.3

Posted January 25, 2007. Filed under code, wordpress

Now compatible with WP 2.1!

Get it while it’s hot:

This plugin adds buttons to the WordPress rich text editor (TinyMCE) for pasting in clipboard content as plain text. Don’t trash your layout by pasting in text from Microsoft Word anymore.

Thanks to the TinyMCE paste plugin now being a part of the WordPress distribution, the plugin is now just one file. Extract nds-paste.php and upload it to your wp-content/plugins folder.
If you have a previous version of the plugin installed, delete the nds-paste folder from your plugins directory.

This plugin is only compatible with WordPress versions 2.1 and newer. Here is the 2.0x compatible version.

WordPress Plain Text Paste Plugin

Posted August 31, 2006. Filed under code, wordpress

This plugin is currently incompatible with WP 2.1. I hope to update it shortly. Check back here for updates.
Version 0.3 is compatible with WordPress 2.1

This plugin adds buttons to the WordPress rich text editor (TinyMCE) for pasting in clipboard content as plain text.

This solves the problem of users needing to paste Microsoft Word documents, web pages, or any other rich text content into a plain text editor such as Notepad to strip out the HTML nasties that have a tendency to ruin a blog’s layout. By using TinyMCE’s paste plugin, the plugin is smart enough to maintain some basic formatting.

Go ahead and take it for a spin. Extract the nds-paste folder from the archive and copy it to wp-content/plugins.
nds-paste-0.2.zip
nds-paste-0.2.tar.gz

Developers note: You should be able to use this code to port other TinyMCE plugins ...

eCheck.net Module for ZenCart

Posted January 10, 2006. Filed under code

This is an add-on payment module for Zen Cart that will allow you to accept electronic checks via Authorize.net’s eCheck.net service. It was built using the existing Authorize.net (AIM) module as a template.

This module is released under GPL and is provided on a “works for us” basis. We accept no responsibility for any issues that may arise from using or installing this module.

Zen Cart eCheck.net Payment Module
