Archive for December, 2015

PHP composer and… Bash!

Sunday, December 20th, 2015

Bash bash bash!

It’s been a very long while since I’ve last played with PHP.
I’m not really willing to start a new career as a PHP integrator, but it’s still cool to see that the language and the tooling around it have evolved quite a lot.

Atwood‘s law states that any application that can be written in JavaScript will eventually be written in JavaScript. One could also say that any language will ultimately get its own package manager (hello npm, NuGet, Maven, …).

So here I am, needing multiple PHP libraries and willing to try a PHP package manager :).

Apparently, Composer is the coolest kid around in PHP-land. As you know, I still like BASH … on Windows, so here’s a quick guide to getting PHP and Composer available in your Windows Bash universe.

First, you need to download the PHP binaries for Windows from windows.php.net (always prefer the x64 version, and compare the archive against the SHA-256 checksum listed next to it on the download page before you unzip it).
Once you have the archive, unzip it where you wish, then in that folder make a copy of “php.ini-development” and call it php.ini. php.exe looks for php.ini in its own directory (among other places), so that is the configuration file PHP will load each time it runs on the command line.

Edit php.ini and uncomment the following lines (for starters):

  • extension_dir = "ext"
  • extension=php_openssl.dll

The first one tells PHP where to find its extensions (the ext folder shipped in the archive); the second loads the OpenSSL extension, which gives PHP TLS support and which Composer needs in order to talk to packagist.org over HTTPS.

Now, create a folder in which you’ll place PHP extensions. In my case, I’ve created a “php_plugins” folder and placed it right next to the folder containing the PHP binaries (I like to keep things clean).

Next, open up your Bash profile and add something along these lines (DEV_SOFT_HOME and append_to_path are a variable and a helper function from my own profile; substitute your own):

alias php7='export PHP_HOME=$DEV_SOFT_HOME/php-7.0.1-Win32-VC14-x64;append_to_path ${PHP_HOME}; export PHP_PLUGINS_HOME=$DEV_SOFT_HOME/php_plugins;'
alias php='php.exe'

Make sure to call ‘php7’ at some point in your profile so that PHP is actually added to your path. Personally, I have a “defaults” alias in which I list all the things that I want loaded whenever my shell starts:

alias defaults='php7; ...'

# Initialization
defaults # Load default tools

Close and reopen your shell. At this point you should have php at your disposal anywhere you are (eeeewwwww scary :p).

Now you’re ready to get Composer. The official one-liner downloads the installer and pipes it straight into php:

curl -sS https://getcomposer.org/installer | php

Note that this runs whatever came back from the network without anyone looking at it. Composer publishes the installer’s SHA-384 hash on its download page, so the safer routine is to save the installer to a file, check the hash, and only then run it with php. Either way, once that is done you should have a “composer.phar” file in the current folder; grab it and move it to your “php_plugins” folder.

Finally, edit your bash profile again and add the following alias:

alias composer='php $PHP_PLUGINS_HOME/composer.phar'

Close and reopen your shell. Tadaaaaa, you can type “composer” anywhere and get the job done.. :)


Security HTTP Headers FTW

Saturday, December 19th, 2015

In the last couple of months, I’ve tried to improve the overall security of this site. I started by putting my server behind Cloudflare to get HTTPS (along with other nice availability/performance improvements). One caveat worth knowing: Cloudflare terminating TLS only protects the browser-to-edge leg; the edge-to-origin connection is encrypted only if the origin itself serves TLS and Cloudflare is set to one of its “Full” modes. Then I closed my eyes and enabled HSTS. I even dared to add this site to the HSTS preload list (the list of HSTS-enabled websites that is built into all modern browsers, so that even the very first request goes over HTTPS).

Today I’m taking this a step further with the addition of some security-related HTTP headers. You might say that this was the very first thing I should’ve done, and you’d be right, but here goes :) From now on, if you take a look at the initial response, you’ll see that the following headers (among others) are being sent to you:

...
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src * data:; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com https://apis.google.com https://*.linkedin.com https://platform.twitter.com https://connect.facebook.net; child-src 'self' https://accounts.google.com https://apis.google.com https://platform.twitter.com https://*.facebook.com; font-src 'self' https://fonts.gstatic.com data:; frame-ancestors 'none'; report-uri https://www.dsebastien.net/csp_report.php; connect-src 'self'; form-action 'self'; upgrade-insecure-requests; reflected-xss block; base-uri https://www.dsebastien.net; object-src 'none'

The X-* headers give additional protection against clickjacking (X-Frame-Options) and reflected cross-site scripting (X-XSS-Protection, honoured by the browsers that ship an XSS filter), and X-Content-Type-Options stops user agents from MIME-sniffing a response into a type you did not declare. Those are nice, but the main one is the Content Security Policy (CSP). There are tons of articles about what a CSP is and how to configure one, so I won’t go into the details here.

Any security expert will quickly notice that this isn’t the strictest CSP (far from it) because it allows ‘unsafe-inline’ for scripts and styles; for script-src that concession lets an injected <script> tag run, which is exactly what CSP is meant to stop. The thing is that adding hashes or nonces to all scripts and styles is not an easy thing to do, even less so when you inherit them from many WordPress plugins… Some minified code (e.g., jQuery plugins) also uses eval (evil?). That is a separate problem: eval needs ‘unsafe-eval’ in script-src, which the policy above does not grant, so such code is blocked until the plugin is replaced. For now, I’ve decided to lower my security goal. I’ll surely revisit this later though (probably with the new version of the site).

Notice that the CSP makes some older HTTP headers redundant (frame-ancestors supersedes X-Frame-Options), but I’m still keeping the older variants for the sake of wider support; they will go away over time. Two details to keep in mind when doubling up like this: where frame-ancestors is supported it takes precedence, and ‘none’ is stricter than SAMEORIGIN, so the two headers above do not say the same thing; and reflected-xss is a directive from early CSP 1.1 drafts that was dropped before browsers shipped it, so X-XSS-Protection is what actually carries that intent. Here are some tips if you want to go about creating a CSP for your site/domain:

  • start with report-only mode, i.e., send the policy in a Content-Security-Policy-Report-Only header. The browser will only log violations in the console (and POST them to the report-uri, if you set one) and will not actually block anything; the strictest possible policy is a great starting point:
    content-security-policy-report-only: default-src 'none';
  • use tools such as the CSP extension for Fiddler or an online CSP generator
  • once you’ve got rid of all console violations, switch the header name to Content-Security-Policy to make your CSP effective
  • configure a ‘report-uri’ so that you hear about CSP violations in production. Just be careful with it: the endpoint accepts a POST body from anyone on the Internet, so treat reports as untrusted input (check that the body is the JSON shape you expect, cap its size, rate-limit per client, store rather than act on it) and do not mail yourself every violation :p

More generally, you can use online tools such as this one to review your site’s security headers. If you look at my site there, you’ll see that I could add HTTP Public Key Pinning (HPKP) headers to improve security a bit more. I won’t do it though, as I don’t want my site to break whenever Cloudflare decides to present a new certificate in front of it… (HPKP has since been deprecated and removed from the major browsers, largely because of that very risk.)
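A local equivalent of such a checker, added here as an example (it is not code from the original post): it parses the raw header block that curl -sI prints, applies the checks discussed above, and flags the script-src ‘unsafe-inline’ and frame-ancestors/X-Frame-Options points. The sample responses embedded in it are constructed, and the severities and thresholds (for instance 180 days of HSTS) are the script’s own choices.

```bash
#!/usr/bin/env bash
# Added example: a local checker for the response headers discussed above.
# Feed it a raw header block, e.g.   curl -sI https://www.example.org | audit_headers
# One PASS/FAIL/WARN line per check; returns the number of FAILs. Thresholds are our own.

# Print the value of header $1 (case-insensitive, first occurrence) from stdin,
# with the trailing CR and surrounding blanks removed.
header_value() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    {
      sub(/\r$/, "")
      i = index($0, ":")
      if (i == 0) next                      # status line or blank line
      if (tolower(substr($0, 1, i - 1)) == want) {
        val = substr($0, i + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        print val
        exit
      }
    }'
}

# Print the source list of CSP directive $2 inside policy $1 (empty if absent).
csp_directive() {
  printf '%s\n' "$1" | tr ';' '\n' |
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" | head -n 1
}

audit_headers() {
  hdrs=$(cat)
  fails=0
  h() { printf '%s\n' "$hdrs" | header_value "$1"; }
  if [ "$(h X-Content-Type-Options)" = "nosniff" ]; then
    echo "PASS X-Content-Type-Options: nosniff"
  else
    echo "FAIL X-Content-Type-Options missing or not 'nosniff'"; fails=$((fails + 1))
  fi
  hsts=$(h Strict-Transport-Security)
  max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]\{1,\}\).*/\1/p')
  if [ -n "$max_age" ] && [ "$max_age" -ge 15552000 ]; then      # 180 days
    echo "PASS Strict-Transport-Security: $hsts"
  else
    echo "FAIL Strict-Transport-Security missing or max-age under 180 days"; fails=$((fails + 1))
  fi
  csp=$(h Content-Security-Policy)
  xfo=$(h X-Frame-Options)
  fa=$(csp_directive "$csp" frame-ancestors)
  if [ -z "$xfo" ] && [ -z "$fa" ]; then
    echo "FAIL no clickjacking protection (X-Frame-Options or frame-ancestors)"; fails=$((fails + 1))
  else
    echo "PASS clickjacking: X-Frame-Options='$xfo' frame-ancestors='$fa'"
  fi
  # frame-ancestors overrides X-Frame-Options where supported, and 'none' is stricter than SAMEORIGIN.
  case "$fa" in *"'none'"*)
    if [ "$xfo" = "SAMEORIGIN" ]; then
      echo "WARN frame-ancestors 'none' contradicts X-Frame-Options SAMEORIGIN"
    fi ;;
  esac
  if [ -z "$csp" ]; then
    echo "FAIL Content-Security-Policy missing"; fails=$((fails + 1))
  else
    echo "PASS Content-Security-Policy present"
    script=$(csp_directive "$csp" script-src)
    if [ -z "$script" ]; then script=$(csp_directive "$csp" default-src); fi   # fallback rule
    case "$script" in *unsafe-inline*|*unsafe-eval*)
      echo "WARN script-src allows inline/eval ($script): little XSS protection left" ;;
    esac
    if [ -z "$(csp_directive "$csp" object-src)" ] &&
       [ "$(csp_directive "$csp" default-src)" != "'none'" ]; then
      echo "WARN object-src not restricted: plugin content (Flash, etc.) can load"
    fi
  fi
  for name in Server X-Powered-By; do
    v=$(h "$name")
    case "$v" in *[0-9].[0-9]*) echo "WARN $name discloses a version: $v" ;; esac
  done
  return "$fails"
}

# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
EOF
)
SAMPLE_GOOD=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
EOF
)

# Stand-alone demo on the weak sample; the exit status is the number of FAILs.
printf '%s\n' "$SAMPLE_WEAK" | audit_headers || echo "failing checks: $?"
```

Source the file and pipe real headers into audit_headers; the exit status makes it usable as a gate in a deploy script. Keep in mind that it inspects one response only, so run it against the pages that matter (including an error page) rather than just the home page.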

As a side note, if you’re using Apache, you can set security headers from .htaccess files with the headers module (mod_headers). The ‘always’ condition makes the header apply to error responses too, which matters because these headers should also be present on 4xx/5xx pages. Here’s an example:


Header always set X-Frame-Options "SAMEORIGIN"
...

I’m sure that this site still has many vulnerabilities, but there aren’t enough hours in the day for me to fix everything at once. I have other improvements in mind, but that’ll be for later! :)


Installing node and npm on Ubuntu 15+

Friday, December 18th, 2015

In case you would want to use one of my recent projects (e.g., ModernWebDevGenerator or ModernWebDevBuild) on Ubuntu (or any other OS btw), you’ll need nodejs and npm.

If you’re using Ubuntu and go the usual way (i.e., sudo apt-get install nodejs), then you’re in for a bad surprise: you’ll get node 0.1x.y and also a very old npm release.

Actually, the best way to get nodejs and npm on Ubuntu is to use the node version manager (nvm).

nvm can be used to install and keep multiple versions of node in parallel, which is very useful, especially when you have to test your node-based project on multiple versions.

The installation is a one-liner. Note that it fetches a script from the network and pipes it straight into bash; the URL at least pins a tagged release (v0.29.0), so you can read that exact script on GitHub before running it:

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.29.0/install.sh | bash

After that, close and reopen your terminal (the installer adds a couple of lines to your shell profile that source nvm.sh). You now have ‘nvm’ at your disposal. Everything it installs lives under ~/.nvm in your home directory, so no sudo is needed and the system packages are left untouched.

nvm install 4.0
nvm install 5.0
nvm use 5.0

Just with the above, you get two versions of node (each with its own npm) installed. As you can see, ‘nvm use’ switches the active version easily; ‘nvm alias default 5.0’ makes that choice stick for new shells.
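Both this nvm install and the Composer installer from the post above pipe a script fetched over HTTPS straight into an interpreter. The helper below is an added example (mine, not part of either project): it saves the script to a file, compares its SHA-384 with a digest obtained separately, and runs it only on a match. For Composer the digest to use is the one printed on the Composer download page; nvm publishes no digest, so the hash you pin is that of a copy you have read yourself. The installer URLs in the comments are the ones from the posts; the digests are placeholders and the self-check file is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from Composer or nvm): fetch an installer script to a file,
# check its SHA-384 against a digest obtained out of band, and only then hand it
# to the interpreter. Replaces the "curl ... | php" and "curl ... | bash" pattern.

# Print the lowercase hex SHA-384 of file $1 (coreutils, or openssl as fallback).
file_sha384() {
  if command -v sha384sum >/dev/null 2>&1; then
    sha384sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha384 "$1" | sed 's/^.*= //'
  fi
}

# Return 0 if file $1 hashes to the expected digest $2 (case-insensitive), else 1.
verify_sha384() {
  actual=$(file_sha384 "$1")
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# run_verified_installer URL EXPECTED_SHA384 INTERPRETER [installer args...]
# Downloads over HTTPS only (no redirect to plain http), verifies, runs, cleans up.
# Returns 1 without running anything if the download fails or the digest differs.
run_verified_installer() {
  url=$1; expected=$2; interp=$3; shift 3
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    echo "download failed: $url" >&2
    rm -f "$tmp"; return 1
  fi
  if ! verify_sha384 "$tmp" "$expected"; then
    echo "REFUSING to run $url: SHA-384 mismatch, got $(file_sha384 "$tmp")" >&2
    rm -f "$tmp"; return 1
  fi
  "$interp" "$tmp" "$@"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (the <digest> placeholders must be replaced):
#   Composer: copy the current installer digest from the Composer download page, then
#     run_verified_installer https://getcomposer.org/installer <digest> php --install-dir="$PHP_PLUGINS_HOME"
#   nvm: no digest is published; download once with curl -o, read the script, record
#     file_sha384 of the reviewed copy, and pin that digest together with the tagged URL:
#     run_verified_installer https://raw.githubusercontent.com/creationix/nvm/v0.29.0/install.sh <digest> bash

# Self-check on a constructed empty file: SHA-384 of empty input is a fixed value.
EMPTY_SHA384=38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
selfcheck=$(mktemp) && : > "$selfcheck"
verify_sha384 "$selfcheck" "$EMPTY_SHA384" && echo "sha384 self-check OK"
rm -f "$selfcheck"
```

The digest has to come from somewhere other than the download itself (the vendor’s page, a previous machine, your own review); fetching it from the same URL you just fetched the script from would only prove that the download was not corrupted in transit, which TLS already does.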

That’s it!


Use bash to decompile Java class files recursively

Tuesday, December 8th, 2015

Here’s a quick one. As you *might* know, I like Bash (even though I’m a Win* user..), so here’s an alias I’ve added recently:

export JAD_HOME=...                 # folder containing jad.exe (append_to_path is my own helper)
append_to_path $JAD_HOME
# Forward all arguments to jad.exe (an alias ending in '&' would drop them).
jad() { jad.exe "$@"; }
# Decompile every class file below the current folder: -d . = output directory,
# -s java = output extension, -r = recreate the package directory structure.
# The pattern is quoted so that bash passes '**/*.class' literally and jad expands it.
jadr() { (jad.exe -d . -s java -r "**/*.class") & }

With the above, ‘jad’ runs jad.exe with whatever arguments you give it, and ‘jadr’ recursively decompiles all Java class files in the current folder and its subfolders, writing the .java sources under the current folder following the package structure.