Following a friend’s request I did a short security review of the Imagin photo gallery a couple of weeks ago. I looked at the newest version, v3 beta5, but the vulnerabilities may also apply to older versions. So here they are, from least to most important in my opinion.
Continue reading Security Vulnerabilities in the Imagin Photo Gallery
WordPress Administration over SSL on Lighttpd
In this tutorial we’ll walk through the steps of enabling SSL (HTTPS) for the WordPress admin panel when using Lighttpd as the web server. The tutorial consists of two stages: the first enables SSL at the Lighttpd level and the second at the WordPress level.
Building CookieJar out of Firefox’s cookies.sqlite
Firefox 3 started to store its cookies in a SQLite database instead of the old plain-text cookie.txt. While Python’s cookielib module could read the old cookie.txt file, it doesn’t handle the new format. The following Python snippet takes a CookieJar object and the path to Firefox’s cookies.sqlite (or a copy of it) and fills the CookieJar with the cookies from cookies.sqlite.
import sqlite3
try:
    import cookielib                    # Python 2
except ImportError:
    import http.cookiejar as cookielib  # Python 3

def get_cookies(cj, ff_cookies):
    """Fill the CookieJar cj with the cookies stored in Firefox's cookies.sqlite."""
    con = sqlite3.connect(ff_cookies)
    cur = con.cursor()
    cur.execute("SELECT host, path, isSecure, expiry, name, value FROM moz_cookies")
    for host, path, secure, expiry, name, value in cur.fetchall():
        initial_dot = host.startswith('.')
        c = cookielib.Cookie(0, name, value,
                             None, False,                    # port, port_specified
                             host, initial_dot, initial_dot, # domain, domain_specified, domain_initial_dot
                             path, False,                    # path, path_specified
                             bool(secure),
                             expiry, expiry == "",           # expires, discard
                             None, None, {})
        print(c)
        cj.set_cookie(c)
    con.close()
It works well for me, except that apparently Firefox doesn’t save session cookies to disk at all.
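As an added example (not the snippet from the post), the following Python 3 code builds an in-memory table shaped like Firefox’s moz_cookies from constructed rows, loads it into a CookieJar with the same column mapping the snippet uses, and then checks which cookies the jar would actually attach to requests. It shows the jar honouring the isSecure flag (Secure cookies are withheld from plain http URLs), the domain rules, and expiry. Firefox keeps cookies.sqlite locked while it runs, which is why the snippet accepts a copy of the file; the example sidesteps that by using a database in memory. The hosts, names and values are constructed sample data.

```python
import sqlite3
import time
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

NOW = int(time.time())

# Constructed sample rows, in the column order the post's SELECT uses:
# host, path, isSecure, expiry, name, value
SAMPLE_ROWS = [
    (".example.com", "/",      1, NOW + 3600, "session", "abc123"),  # Secure cookie
    (".example.com", "/",      0, NOW + 3600, "theme",   "dark"),    # plain cookie
    ("example.com",  "/admin", 1, NOW - 3600, "stale",   "old"),     # already expired
]


def make_sample_db():
    """Create an in-memory database shaped like Firefox's moz_cookies table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_cookies (host TEXT, path TEXT, isSecure INTEGER, "
                "expiry INTEGER, name TEXT, value TEXT)")
    con.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def load_cookies(cj, con):
    """Fill cj from an open cookies.sqlite connection (same mapping as the post)."""
    cur = con.cursor()
    cur.execute("SELECT host, path, isSecure, expiry, name, value FROM moz_cookies")
    for host, path, secure, expiry, name, value in cur.fetchall():
        initial_dot = host.startswith(".")
        cj.set_cookie(Cookie(0, name, value,
                             None, False,                    # port, port_specified
                             host, initial_dot, initial_dot, # domain, domain_specified, domain_initial_dot
                             path, False,                    # path, path_specified
                             bool(secure),
                             expiry, False,                  # expires, discard
                             None, None, {}))
    return cj


def cookies_sent_to(cj, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    cj.add_cookie_header(req)   # applies the Secure, domain, path and expiry rules
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


def demo():
    """Map a few request URLs to the cookie names the loaded jar would send."""
    cj = load_cookies(CookieJar(), make_sample_db())
    return {url: cookies_sent_to(cj, url) for url in
            ("https://www.example.com/", "http://www.example.com/",
             "https://other.example.org/")}


if __name__ == "__main__":
    for url, names in demo().items():
        print(url, names)
```

Over https both live cookies are sent, over http only the non-Secure one, and the expired cookie is never sent and is purged from the jar on the first request.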
Kernel Configuration and nvidia-drivers
This is more of a note to myself, as I keep forgetting this. The proprietary NVIDIA driver, provided by the x11-drivers/nvidia-drivers package, dislikes alternatives. It will refuse to build against a kernel with rivafb (CONFIG_FB_RIVA) and nvidiafb (CONFIG_FB_NVIDIA) built in or built as modules. Both can be found (and unset) under:
    Device Drivers
      -> Graphics support
        -> nVidia Framebuffer Support
        -> nVidia Riva support
sudo for X Programs
By default (at least on my machine), it wasn’t possible to open X applications using sudo. For example, running xclock under sudo resulted in the following error:
$ sudo xclock
No protocol specified
Error: Can't open display: :0.0
The same error appeared even when I executed xclock after running sudo su.
Eject Your Kindle and Reconnect under Linux
I am Your User suggested a method to eject your Kindle in Linux. While his method works, you don’t need to specify the partition number, e.g.
$ sudo eject /dev/sdd
where /dev/sdd is the device file of the Kindle.
But what if you want to reconnect it without unplugging and replugging the USB cable? You can add the -t switch:
$ sudo eject -t /dev/sdd
Even though it prints the following error:
eject: CD-ROM tray close command failed: Input/output error
it works, and the Kindle reappears in KDE.
Django Backup Script
This is a backup script for Django projects. It can automate backups of both the database and the files to a local folder and to a remote FTP server. It is somewhat old and has a few limitations, mainly that it supports only MySQL and not the new way of specifying databases introduced in Django 1.2.
It’s loosely based on my WordPress backup script, and it inspired the database settings auto-detection found in the newer WordPress backup script.
Usage is simple:
$ django_backup /path/to/my/proj
$ django_backup --db-only /path/to/my/proj
The latter command only backs up the database.
The script uses a few configuration variables at the top of the script to set the folder in which the local backups are kept and the remote FTP server settings. The database settings are extracted directly from the settings.py of the backed-up project.
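The settings auto-detection the post mentions, as an added Python 3 example that is not the post’s script: it reads the database settings from a project’s settings module and turns them into a mysqldump invocation. Going beyond the script, it understands both the pre-1.2 DATABASE_* variables and the DATABASES dict introduced in Django 1.2. The command is built as an argument list (no shell, so the database name needs no quoting) and the password is handed to mysqldump through the MYSQL_PWD environment variable rather than on the command line, where it would be visible to every local user in ps output. The load_settings helper, the SETTINGS_* sample objects and the values in them are constructed for the example.

```python
import runpy
import types


def load_settings(path):
    """Execute the project's settings.py and expose its globals as attributes."""
    return types.SimpleNamespace(**runpy.run_path(path))


def db_settings(settings):
    """Return engine/name/user/password/host/port for the project's database."""
    dbs = getattr(settings, "DATABASES", None)
    if dbs:                                  # Django >= 1.2 style
        d = dbs["default"]
        return {"engine": d.get("ENGINE", ""), "name": d.get("NAME", ""),
                "user": d.get("USER", ""), "password": d.get("PASSWORD", ""),
                "host": d.get("HOST", ""), "port": str(d.get("PORT", ""))}
    return {"engine": getattr(settings, "DATABASE_ENGINE", ""),   # pre-1.2 style
            "name": getattr(settings, "DATABASE_NAME", ""),
            "user": getattr(settings, "DATABASE_USER", ""),
            "password": getattr(settings, "DATABASE_PASSWORD", ""),
            "host": getattr(settings, "DATABASE_HOST", ""),
            "port": str(getattr(settings, "DATABASE_PORT", ""))}


def mysqldump_command(cfg):
    """Build (argv, extra_env) for dumping the database; MySQL only, like the post's script."""
    if not cfg["engine"].endswith("mysql"):  # "mysql" or "django.db.backends.mysql"
        raise ValueError("unsupported database engine: %r" % cfg["engine"])
    argv = ["mysqldump", "--single-transaction", "--user=" + cfg["user"]]
    if cfg["host"]:
        argv.append("--host=" + cfg["host"])
    if cfg["port"]:
        argv.append("--port=" + cfg["port"])
    argv.append(cfg["name"])
    # The password goes through the environment, not argv, so it is not visible in `ps`.
    env = {"MYSQL_PWD": cfg["password"]} if cfg["password"] else {}
    return argv, env


def supported(settings):
    """True when the project's database can be backed up by mysqldump_command."""
    try:
        mysqldump_command(db_settings(settings))
        return True
    except ValueError:
        return False


# Constructed stand-ins for a project's settings module in both styles.
SETTINGS_PRE12 = types.SimpleNamespace(
    DATABASE_ENGINE="mysql", DATABASE_NAME="proj", DATABASE_USER="proj_backup",
    DATABASE_PASSWORD="s3cret", DATABASE_HOST="", DATABASE_PORT="")
SETTINGS_12 = types.SimpleNamespace(DATABASES={"default": {
    "ENGINE": "django.db.backends.mysql", "NAME": "proj", "USER": "proj_backup",
    "PASSWORD": "s3cret", "HOST": "127.0.0.1", "PORT": ""}})
SETTINGS_SQLITE = types.SimpleNamespace(
    DATABASE_ENGINE="sqlite3", DATABASE_NAME="/srv/proj/db.sqlite")


if __name__ == "__main__":
    # Usage: python this_script.py /path/to/my/proj  -> writes <dbname>.sql
    import os
    import subprocess
    import sys
    cfg = db_settings(load_settings(os.path.join(sys.argv[1], "settings.py")))
    argv, env = mysqldump_command(cfg)
    with open(cfg["name"] + ".sql", "wb") as out:
        subprocess.run(argv, env={**os.environ, **env}, stdout=out, check=True)
```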
Searching for Updates without emerge
The normal way to see which installed packages have available updates on Gentoo is running
$ emerge -puv world
and then selecting the packages you really want to update and emerging them. However, this workflow has several downsides:
- It’s slow. When portage checks for updates this way it fully resolves all the dependencies. This is unnecessary, as in many cases you aren’t interested in updating all the packages, let alone their dependencies.
- It may fail. When portage fails to resolve the dependencies, it will either complain or fail completely. If it only complains, it isn’t that bad, except for the time spent resolving the unresolved dependencies. Sometimes it fails completely (usually when masking is involved) and won’t display any of the available updates, leaving the user in the dark (apart from some dependency error message).
- It displays lots of output. Often you’re not interested in seeing the dependencies that would be updated if you emerged every package in the world file. It’s just confusing and distracts you from the interesting updates for packages in the world file.
The following script tries to work around these problems. It works by querying the portage API for the best version available for each package in the world file. If that version isn’t installed, it reports that there are updates waiting for that package. The script runs faster than emerge -pvu world and only displays the packages from the world file. If you find a package that you want to upgrade, you can emerge it separately to see the required dependencies.
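The check described above, as an added Python 3 example that is not the post’s script: for each atom in the world file it asks for the best visible version and reports the package when that exact version is not among the installed ones, with no dependency resolution at all. find_updates takes the two lookups as arguments so the logic runs on constructed data without portage; portage_lookups wires in the portage calls as I know them (porttree.dbapi.xmatch with the "bestmatch-visible" level and vartree.dbapi.match), which only work on a Gentoo box. The SAMPLE_* package names and versions are constructed.

```python
def parse_world(text):
    """Yield package atoms from world-file text, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def find_updates(world_atoms, best_visible, installed):
    """Return [(atom, installed_cpvs, best_cpv)] for atoms whose best visible
    version is not installed.

    best_visible(atom) -> best visible cpv, or "" if none is visible (masked etc.)
    installed(atom)    -> list of installed cpvs matching the atom
    """
    updates = []
    for atom in world_atoms:
        best = best_visible(atom)
        have = installed(atom)
        if best and best not in have:   # exact-version membership, no vercmp needed
            updates.append((atom, have, best))
    return updates


def portage_lookups(root="/"):
    """Build the two lookups on top of the portage API (Gentoo only)."""
    import portage                     # assumption: portage's python bindings are installed
    porttree = portage.db[root]["porttree"].dbapi
    vartree = portage.db[root]["vartree"].dbapi
    return (lambda atom: porttree.xmatch("bestmatch-visible", atom),
            lambda atom: vartree.match(atom))


# Constructed stand-ins for the world file, the portage tree and the installed DB.
SAMPLE_WORLD = "# world file\napp-editors/vim\nnet-misc/openssh\nwww-servers/lighttpd\n"
SAMPLE_TREE = {                         # best visible cpv per atom
    "app-editors/vim": "app-editors/vim-7.3.50",
    "net-misc/openssh": "net-misc/openssh-5.8_p1",
    "www-servers/lighttpd": "www-servers/lighttpd-1.4.28",
}
SAMPLE_INSTALLED = {                    # installed cpvs per atom
    "app-editors/vim": ["app-editors/vim-7.3.50"],      # up to date
    "net-misc/openssh": ["net-misc/openssh-5.6_p1"],    # older version installed
    "www-servers/lighttpd": [],                         # in world but not installed
}


def sample_updates():
    """Run the check over the constructed data."""
    return find_updates(parse_world(SAMPLE_WORLD),
                        lambda atom: SAMPLE_TREE.get(atom, ""),
                        lambda atom: SAMPLE_INSTALLED.get(atom, []))


if __name__ == "__main__":
    try:
        best, have = portage_lookups()
        with open("/var/lib/portage/world") as f:
            updates = find_updates(parse_world(f.read()), best, have)
    except ImportError:                # not on Gentoo: show the constructed data instead
        updates = sample_updates()
    for atom, installed_cpvs, best_cpv in updates:
        print("%s: installed %s, available %s" % (atom, installed_cpvs or "none", best_cpv))
```

Because the comparison is plain membership of the best visible cpv in the installed list, a masked package (empty best) is silently skipped rather than aborting the whole run, which is the failure mode of emerge -puv world that the post complains about.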
Capturing Video and Converting to H.264 using ffmpeg
8-millimeter video tapes seem to be slowly fading into oblivion. In order to save old family videos recorded in this format, I’ve decided to digitize them.
After a quick try with vlc, I understood that it wasn’t the right tool for the task. It crashed with a cryptic error message every time I tried to encode H.264 video, and it seemed best suited to real-time encoding. Real-time encoding is sub-optimal, as I can’t reach high-quality encoding at a reasonable bit rate.
So I looked for another tool and recalled ffmpeg. While ffmpeg provided everything I was looking for, high-quality video encoding using H.264 and stability, it wasn’t an easy start. ffmpeg’s defaults are notoriously ill-chosen. After hours of going through man pages, I managed to capture and convert video tapes into high-quality (encoded) digital video.
Basically, the process involved capturing the raw video into a temporary file and then performing a two-pass H.264 encoding.
spass-2.0 – Secure Password Generator
This is a complete rewrite of my secure password generator. The new version uses my true random number generator (and here).
The major change was using the new true random number generator in order to ensure strong passwords. Less significant changes include an easy way to specify the password’s character set, and some calling convention changes.
Usage examples:
$ ./spass
E5pT35Fg
$ ./spass -l 14
R$tfOm4g_yRQ2J
$ ./spass -s 0-9a-f -l 32
8b5f14a1eeaabe58c2878ab5416a9ebb
Download the tarball spass-2.0.tar.bz2. The program depends on Boost’s program_options (it was tested against versions 1.37 and 1.42 and should work with other versions too).