inopinatus

Aug 2, 2017 - 2 minute read - Security

Shell command execution vulnerability in Subl, a third-party Sublime Text URL handler

This is an advisory regarding a vulnerability I’ve discovered in a third-party add-on for the Sublime Text programmer’s editor. I am not a vulnerability researcher; I just happened to read the source code out of curiosity and alarm bells immediately rang. I was using this add-on myself, having been recommended to it via the Ruby community. I don’t actually know how popular it is. A hundred users? Or thousands? Or more?

Jul 25, 2017 - 2 minute read - Development

The hokusai gem

Today I published the hokusai gem, a small Rails add-on for making templates from data. I was using the capability already for my main site, but extracted and gemified it after this discussion on the GoRails forums led me to think others might find it useful. Usually when someone talks about templates in an MVC system they are referencing the view layer. However in this case, the templates are built for “stamping out” new copies of model data structures.

May 5, 2017 - 2 minute read - Development

Undocumented UJS changes when upgrading to Rails 5.1

I was pleased to see Rails 5.1 drop jQuery as a dependency. As a result the Unobtrusive JavaScript (UJS) driver has been rewritten to operate without jQuery. For most remote forms and links, this drop-in replacement might just work straight away. However, for those hooking into UJS more tightly, there are some gotchas. These aren’t difficult changes but they’re undocumented, and since UJS no longer comes as a separate gem (it is now built into Action View) they’re slightly harder to investigate.

Jan 24, 2017 - 5 minute read - ideas

Thoughts on fixing email forwarding

This article proposes a new internet mail feature. I haven’t worked on any details of design or implementation yet, but I wanted to publish my motivation and initial thoughts.

The problem

After hanging around the Internet for the better part of three decades I have more email addresses than I can remember. None of us want to have loads of mailboxes to check. Back in the day we could forward one mailbox to another, and that was all the implementation needed to simplify matters.

Oct 27, 2016 - 2 minute read - DevOps

IPv6 timeouts with OS X Server

Recently enabled IPv6 on your local switched network? Getting odd timeouts connecting to an OS X Server? Here’s (possibly) why: the out-of-the-box server configuration is firewalling link-local IPv6 traffic. To diagnose this in my network I used ssh, since it’s easy to use and has good verbose output. So turn on secure shell connections if you haven’t already: Server -> Settings -> Remote access -> Secure shell connections. Now from a neighbouring device, first confirm that IPv4 ssh to the server is working e.

Feb 16, 2016 - 3 minute read - DevOps

Notes from a PostgreSQL RDS upgrade

So I recently received an RDS maintenance notification:

From: Amazon Web Services, Inc.
Subject: Upgrade now available for your Amazon RDS PostgreSQL database instances

Dear Amazon RDS Customer, A system update is now available for any Amazon RDS PostgreSQL database instances you created before 13 October 2015. We recommend installing this update to take advantage of several performance improvements and security fixes. You may choose to install this update immediately, or during your next scheduled maintenance window.

Nov 7, 2015 - 1 minute read - Security

Apple ID password rant

The theatrical demand from OSX and iOS for constantly re-entering the Apple ID password is a substantial enemy of security. I just upgraded two laptops, a server, an iPhone, and restored an iPad. I think I had to enter the same passwords six times per device. In general use they’re no better, regularly nagging for a password for piddling tasks like updating an app or downloading a song. For me with separation-of-concern accounts and 20+ character generated passwords this is a major annoyance, especially on a tablet keyboard.