Tips – Page 9 – Guy Rutenberg

Preventing Directory Traversal in Python

Consider the following use case:

PREFIX = '/home/user/files/'
full_path = os.path.join(PREFIX, filepath)
read(full_path, 'rb')
...

Assuming that filepath is user-controlled, a malicious user user might attempt a directory traversal (like setting filepath to ../../../etc/passwd). How can we make sure that filepath cannot traverse “above” our prefix? There are of course numerous solutions to sanitizing input against directory traversalthat. The easiest way (that I came up with) to do so in python is:

filepath = os.normpath('/' + filepath).lstrip('/')

It works because it turns the path into an absolute path, normalizes it and makes it relative again. As one cannot traverse above /, it effectively ensures that the filepath cannot go outside of PREFIX.

Post updated: see the comments below for explanation of the changes.

Ubuntu Freezes When Booting with Degraded Raid

I tried testing my software raid (mdadm) setup by removing one of the disks. When I tried to boot the degraded system, the system hanged displaying a purple screen. If I try booting the system in recovery mode, I get the following error:

** WARNING: There appears to be one or more degraded RAID devices ** The system my have suffered a hardware fault, such as a disk drive failure. The root device may depend on the RAID devices being online. Do you wish to start the degraded RAID? [y/N]: — ** WARNING: There appears to be one or more degraded RAID devices **
The system my have suffered a hardware fault, such as a disk drive failure. The root device may depend on the RAID devices being online.
Do you wish to start the degraded RAID? [y/N]:

Galaxy S2 – Clearing Logs on an Unrooted Phone

I have a Samsung Galaxy S2 using an unrooted stock ROM. Lately, I couldn’t update any of my apps, or install new ones as every time I tried it would complain about Insufficient storage available. This was weird, as according to my phone the apps took less than 600MB and still I barely 200MB of free space in my device memory.

Using CyanogenMod’s Apps on Official ROM

Every since I switched back from using CyanogenMod ROM to the official ROM (due to modem problems) I missed some of the custom apps. It turns out to be really install those apps. You just need to download CyanogenMod and extract the relevant APKs from system/app/ and copy over the phone. To install them you’ll need to enable installation of apps from unknown source in Settings->Security. It’s best to get a CyanogenMod version that corresponds to your ROM’s version, but I successfully installed apps also from newer CyanogenMod releases.

Opening `mobi` and `epub` Files in Ubuntu

You can do it with Calibre and specifically with the ebook-viewer program that comes with it. However, for some reason the packagers didn’t ship a desktop file to accompany it, so you can’t just double-click on eBooks and have them opened correctly. This can be corrected by placing a ebook-viewer.desktop file in ~/.local/share/applications:

[Desktop Entry]
Version=1.0
Name=Ebook Viewer
Comment=Display .epub files and other e-books formats
Type=Application
Terminal=false
Icon=calibre
Exec=ebook-viewer %f
StartupWMClass=ebook-viewer
MimeType=application/x-mobipocket-ebook;application/epub+zip;
Categories=Graphics;Viewer;

Quickly Exiting Insert-Mode in Vim

Changing from insert mode to normal mode is usually quick. The other direction is more cumbersome. You either have to reach out for the escape key, or use the Ctrl-[ (which I never got used to).

After seeing a blog post suggesting to map jk to exit insert mode, I was inspired to create my own mapping. I chose kj because it’s faster to type, as typing inwards is faster than outwards (you can check for yourself by tapping with your fingers on your desk). To use it, add the following to your .vimrc:

:inoremap kj <ESC>

Now, whenever you are in insert mode, quickly typing kj will exit insert mode. It will introduce a short pause after typing k, but this is only a visual one, so it doesn’t actually slow you down. kj is one of the rarest bigrams in English, so you’ll almost never have to actually type it inside a text, but if you do, just wait a bit after typing k to type the j.

After writing this post, I’ve came across a Vim Wiki page listing all kinds of ways to avoid the escape key.

I’ve recently published my vimrc, take a look it might give you ideas for other neat tricks.

Downloading Audio/Songs from YouTube

Sometimes you come across a video in YouTube and you want to save its audio. Originally I thought it would take some search for the actual URL of the flv source, then downloading it using wget and finally conversion using ffmpeg. But luckily for me, it turns out there is much simpler way to so so: youtube-dl is small python script that does it all. It will download and extract the audio from a YouTube video without any hassle.

Installation is quick via pip:

$ pip install --user youtube_dl

Note that there is an underscore there instead of an hyphen. youtube-dl is also available in Ubuntu’s repository, however the version there is too old and didn’t work for me. The --user flag tells pip to install it for the current user (I just don’t like installing unnecessary things as root :-)). Now all you have to do is:

$ youtube-dl --extract-audio http://www.youtube.com/watch?v=XXXXXXXXXX

All that is left is to fix the metadata tags of the file with the correct values with your favorite player.

Securing Access to phpMyAdmin on Lighttpd via SSH

phpMyAdmin lets easily manage your MySQL databases, as such it also presents a security risk. Logging in to phpMyAdmin is done using a username and password for the database. Hence, if someone is able to either eavesdrop or guess by brute-force the username and password could wreak havoc of your server.

A possible solution to the eavesdropping problem, is to use SSL to secure the communication to the phpMyAdmin. However, SSL certificates don’t present any method to stop brute-forcing. To prevent brute-forcing attempts, you could limit access to your IP address. However, most of us don’t have static IPs at home. The solution I came up with, kinds of combines both approaches.

Instead of using SSL to encrypt the data sent, I’m using SSH and instead of limiting access to my IP address, I’ll limit access to the server’s IP address. How will it work? First we start by editing the phpMyAdmin configuration for lighttpd. This usually resides in /etc/lighttpd/conf-enabled/50-phpmyadmin.conf. At the top of the file you’ll find the following lines:

alias.url += (
        "/phpmyadmin" => "/usr/share/phpmyadmin",
)

These lines define the mapping to the phpmyadmin installation, without it the phpMyAdmin wouldn’t be accessible. We use lighttpd’s conditional configuration to limit who is able to use that mapping by changing the above lines to:

$HTTP["remoteip"] == "85.25.120.32" {
        alias.url += (
                "/phpmyadmin" => "/usr/share/phpmyadmin",
        )
}

This limit access to the phpMyAdmin only to clients whose IP is the server’s IP (of course you’ll need to change that IP to your server’s IP). This stops curtails any brute-forcing attempts, as only someone trying to access the phpMyAdmin from the server itself will succeed.

But how can we “impersonate” the server’s IP when we connect from home? The easiest solution would be to use to the SOCKS proxy provided by SSH.

ssh user@server.com -D 1080

This will setup a SOCKS proxy on port 1080 (locally) that will tunnel traffic through your server. The next step is to instruct your browser of OS to use that proxy (in Firefox it can be done via Preferences->Advanced->Network->Connection Settings, it can also be defined globally via Network Settings->Network Proxy under Gnome). This achieves both of our goals. We are now able to connect to the server while using its own IP and our connection to the server is encrypted using SSH.

This method can be used to secure all kinds of sensitive applications. We could have achieved the same thing by using a VPN, but it’s more hassle to setup compared to SSH which is available on any server.

Manually Install SSL Certificate in Android Jelly Bean

Apparently it’s pretty easy, but there are some pitfalls. The first step is to export the certificate as a DER encoded X.509 certificate. This can be done using Firefox (on a PC) by clicking on the SSL’s lock sign in the address bar, More Information -> View Certificate -> Details -> Export. The exported certificate needs to be saved on the root directory of the internal storage of the phone, with *.cer extension (or *.crt). Other extensions will not work.

Afterwards, on the phone, click on “Install from device storage” under Settings->Security->Credential Storage. If you did everything as you should at the previous step, it will display the certificate name, and ask you to confirm its installation. If you’ve exported the certificate as the wrong format, gave it the wrong extension or placed it somewhere else than the root of the internal storage, it will display the following error:

No certificate file found in USB storage

If you see it, just make sure you are exporting the certificate correctly and saving it at the right place.

More details: Work with certificates (Geared towards Galaxy Nexus, but should apply to any Android 4.0 and above.

Updated Aug 2015: Fixed a broken link.

Installing Citrix Receiver on Ubuntu 64bit

It’s a hassle.

The first step is to grab the 64bit deb package from Citrix website. Next install it using dpkg:

~$ sudo dpkg --install Downloads/icaclient_12.1.0_amd64.deb

This results in the following error:

dpkg: error processing icaclient (--install):
 subprocess installed post-installation script returned error exit status 2
Errors were encountered while processing:
 icaclient

Which can be fixed by changing line 2648 in /var/lib/dpkg/info/icaclient.postinst:

         echo $Arch|grep "i[0-9]86" &gt;/dev/null

to:

         echo $Arch|grep -E "i[0-9]86|x86_64" &gt;/dev/null

And then execute

~$ sudo dpkg --configure icaclient

Credit for this part goes to Alan Burton-Woods.

Next, when trying to actually use the Citrix Receiver to launch any apps, I’ve encountered the following error:

Contact your help desk with the following information:
You have not chosen to trust "AddTrust External CA Root", the
issuer of the server's security certificate (SSL error 61)

In my case the missing root certificate was Comodo’s AddTrust External CA Root, depending on the certificate used by the server you’re trying to connect to, you may miss some other root certificate. Now you can either download the certificate from Comodo, or use the one in /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt (they are the same). Either way, you should copy the certificate to the icaclient certificate directory:

$ sudo mv /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt /opt/Citrix/ICAClient/keystore/cacerts/

These steps got Citrix working for me, but your mileage may vary.