OS-Agnostic Ghostscript Detection

In developing one of my more popular WordPress plugins, Document Gallery, I was faced with a challenge that stumped me for a bit. Recently, some of my users had asked for additional functionality to support auto-generation of thumbnails for the documents in their gallery. These documents could be any number of filetypes, but for this particular post we’ll be discussing PDF thumbnail generation.

PDFs are actually quite simple to thumbnail and the process is well-documented across the web. If I had been content with simply using the PHP Imagick extension to wrap my access to Ghostscript (GS), which does the actual conversion for PDFs, then the process of generating a thumbnail would have been quite straightforward, but I was not content with this solution, the primary reason being inefficiency. The way that Imagick processes PDFs before passing it down to GS is very slow. Thus, I went about setting up a framework to directly execute GS from PHP’s exec() with Imagick as a fallback in the event that I was unable to find a GS executable.

This all should have been quite simple, but it wasn’t. In order to accurately find and execute GS in a platform-agnostic way is actually quite challenging, and surprisingly poorly documented on the web. First, one must determine whether exec() is available. This is quite a convoluted thing to determine in-and-of-itself, but thankfully I found someone else’s solution for this and did not have to develop it myself. Finding the GS executable, however, was another story entirely. Continue reading “OS-Agnostic Ghostscript Detection”

The Importance of Sanitizing Input Strings

As a young programmer, it’s easy for me to forget that, unlike in the academic programming environment, it is vital that I protect my programs against any and all potential attacks. Recently I realized just how easy it is to leave a gaping hole in a program’s security. I am posting this today as both a reminder to myself and a warning to any who might run across it: sanitize your program input!

Recently I was working on a personal project: a little web app that displays the machines in the Computer Science department lab based on active OS (since they are dual-booted with Ubuntu and Windows XP, the OS will regularly change on any given machine). You can see a snapshot of an older version of the map that was released a few months ago here.

The map worked fine, but it had a lot of overhead and required root privileges to run, so I decided to rewrite the backend using netcat instead of my previous solution which utilized nmap‘s OS detection. With netcat’s z flag, determining whether a machine is listening on a given port is trivial and since the labs are all extremely homogeneous it only requires a test of port 22 to determine if the machines are booted into Ubuntu (which will accept SSH connections) or into Windows (which will deny port 22 connections) or offline (in which case the connection will be dropped).

In any event, I wrote a PHP script which accepts three parameters based on the names of the lab machines, “prefix,” “start,” and “end.” If I were to call the script with the following query string: ?prefix=dog&start=1&end=62 then the script would scan the machines between dog01.cs.utsa.edu and dog62.cs.utsa.edu.

In order to make this magic happen, the program must make a shell call to netcat for each machine to be scanned. This can be completely safe, but only if you sanitize your data. Since the prefix will be used in each shell call and, unlike the numeric values for “start” and “end,” will remain static, it is perfect for inserting malicious code by the user. Before I released the script, I did one final sanity check and realized that I had not sanitized this value. Before closing the hole, I decided to play with the exploit a bit and the following is what I did:

First, I considered how the input strings were used in my program. The following string was passed to the shell for each iteration through the machines: /bin/nc -zv -w 1 $mac 22 2>&1| /bin/cat -. The value for $mac was defined as the user-entered $prefix and the sanitized integer value somewhere between $start and $end. As a proof of concept, I decided to do an ls of the /home directory to see who was currently mounted on the web server. Obviously, a user who wanted to do more damage could conceive of much worse things, but I was not inclined to foo-bar the server for the sake of this test.

It turns out, all that was required was to insert the URL-encoded value of “;ls -l /home;” as the value for $prefix. It breaks the netcat call, but that’s OK. The output returned was the following:

total 28
drwx-----x 45 bwright students 4096 Apr 22 12:17 bwright
drwx--x--x 86 drossite students 4096 Apr 28 19:59 drossite
drwxr-xr-x 137 lmaddox students 20480 Apr 25 20:03 lmaddox
sh: 01: command not found

(That last bit about command not found is the shell trying to figure out what to do with the integer that was given after our second semicolon.)

To resolve this security hole, all that is required is a regex replacement of all special characters. In this particular instance, anything other than letters is not going to represent a valid prefix, so, after pulling the prefix from the user, I simply apply the following: $prefix = preg_replace( '/[^a-zA-Z]/s', '', $prefix ). For my specific implementation, I am also able to limit the length of the value passed in (not shown). And that’s it. The program is now secure against malicious users compromising the server, through user input, at any rate.

If you have a similar almost uh-oh, feel free to share in the comments below!

Shorten WordPress’ Jetpack Sharing Links (http://wp.me)

EDIT: I have since developed a more robust solution for using shortlinks in Jetpack. See this updated information in Jetpack Sharing Links Revisited.

When I first decided to use WordPress for my personal as well as professional CMS needs, one of the driving factors behind that decision was the Jetpack plugin, developed by WordPress, which allows off-site (non-blogname.wordpress.com) installations to use many of the fancy features that used to only be available on wordpress.com blogs.

The Jetpack plugin allows you to quickly and easily share to multiple social networks, get site statistics, enhances your site for smartphone viewers, and many other convenient things. The one thing I do not like about the system is how difficult it is to retrieve the shortlinks, which are another fancy feature that Jetpack offers. Unfortunately, the links are only obtainable through the admin side, and not used in Jetpack’s own social sharing buttons (see below). If you try clicking any one of the share buttons at the bottom of this post, you’ll notice the link is to the URL of this page, not the shorter wp.me version which is preferred for sites like Twitter, where every character is a commodity. At least, that used to be the case.

WordPress Jetpack - Sharedaddy
Example of what the Sharedaddy share links look like.

After reporting this for revision a few months ago and getting the run-around, I finally took the time today to make the necessary changes myself. I also submitted a ticket to the WordPress team which *fingers crossed* will result in the change being pushed to all Jetpack users some time in the future. EDIT: This ticket was recently rejected, but that doesn’t stop you from implementing the fix yourself!

In the meantime, anyone interested in implementing the fix themselves…

Continue reading “Shorten WordPress’ Jetpack Sharing Links (http://wp.me)”

WordPress: Now With a Touch of America’s Favorite Yellow Family

The following witty comment was brought to you by my latest WordPress plugin, Hello Simpsons Chalkboard Gag: I am not allergic to long division.

Everything following the colon above was dynamically pulled from a listing of all past chalkboard gags by Bart Simpson. And no, I did not have to sit through the hundreds of episodes, painstakingly writing down each one. Thanks to The Simpsons Archive, I was able to just write a tiny Perl script that parsed their listing of gags from each episode.

Hello Simpson Chalkboard Gag
Created using the Bart Simpson Chalkboard Generator.

This plugin was inspired by two sources. The first was my love of the over-two-decade-old television show and the second was a desire to show something a little more interesting than lines from Hello Dolly in my WordPress admin area. Let me explain: by default, WordPress comes with a plugin that shows a line from Hello Dolly at the top right corner of every page on the administration side of the site (not visible to general viewers of the site).

As fantastic a musician as Louis Armstrong is, he’s just not my cup of tea. Call me uncultured or say that I’m missing out, but I much prefer Bart’s witty, moderately-crude humor. Also, there are only 28 lines in Hello Dolly, meaning only 28 possible headers in my WordPress admin area. Hello Simpsons Chalkboard Gag has 296 possible results as of publishing this, and that number will continue to grow with each new episode.

In addition to changing up the little bit of text displayed on the admin side of the site, I also added the option to include a simpsons shortcode, which is what was used at the top of this post to load one of the chalkboard gags dynamically within this post. This was really an afterthought and the only reason I decided to include it was because the necessary work was already done in handling the primary project, so adding the shortcode was trivial.

Continue reading “WordPress: Now With a Touch of America’s Favorite Yellow Family”

Second WordPress Plugin Goes Live

Prezi Logo
Logo © Prezi Inc. Used with permission.

It is now almost exactly 4 months since I released my first contribution to the WordPress community, the Document Gallery plugin. This new addition to my work, Prezi Embedder, was designed in order to support simple embedding of presentations designed on prezi.com in WordPress installations.

This plugin was designed out of frustration at the lack of support from the Prezi team for WordPress users. Their only official response to the issues with their embed code in WordPress installs is a link to this forum post, where users present some ways to hack together something that used to work. Recently, even the hacks mentioned in the post were disabled, making it impossible to natively embed Prezis.

After reaching this dead end, I also looked briefly for other plugins developed for this purpose. The one plugin I found only had partial support for the Prezi embed options and, in my testing of the plugin, did not handle any size other than the (tiny!) default embed size.

At this point, I gave up on any pre-existing solution and wrote the embed code into a very simple plugin and linked it to the Error: The id attribute provided does not look right. You entered id=. Error: You must, at minimum include an id attribute: [prezi id='<Prezi ID>'] shortcode. Though I initially wrote the plugin for my own use, I ended up submitting it for listing in the public WordPress Plugin Directory.

This release has had a slower pickup in downloads when compared to my first plugin (which hit 300 downloads in under two days), but that is to be expected given its more specific market. Even given this lower interest, it has still been downloaded 70 times in two days, which I am more than pleased with, especially given that it began as just a tool for my personal use.