Archive for the ‘WordPress’ Category.
25th January 2006, 10:38 pm
Before I created the planet (what a funny thing to write :-) I never looked at my RSS feeds, but now they’ve suddenly become very important. And they’re wrong! Or rather, the Etag and Last-Modified headers sent out are false, and so browsers and feed aggregators won’t be updated as they should.
Take a look at this trace caught with the excellent Live HTTP Headers plugin for Firefox — I’ve removed most of the other headers except for the Etag and Last-Modified headers. First I request Rune’s RSS feed for comments using Shift-”reload” to make Firefox bypass its own cache:
GET /?feed=comments-rss2 HTTP/1.1
Host: kirkebrand.dk
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.x 200 OK
Date: Wed, 25 Jan 2006 21:12:50 GMT
Last-Modified: Wed, 25 Jan 2006 09:14:20 GMT
Etag: "0dfff2fe5ab59c79c6105ac336b388ed"
Status: 200 OK
Bravo! We get the feed back.
I then posted a comment, which should update the feed. Reloading in Firefox looks like this where it does a conditional HTTP request by sending the Etag and Last-Modified headers along:
GET /?feed=comments-rss2 HTTP/1.1
Host: kirkebrand.dk
If-Modified-Since: Wed, 25 Jan 2006 09:14:20 GMT
If-None-Match: "0dfff2fe5ab59c79c6105ac336b388ed"
Cache-Control: max-age=0
HTTP/1.x 304 Not Modified
Date: Wed, 25 Jan 2006 21:13:54 GMT
Last-Modified: Wed, 25 Jan 2006 09:14:20 GMT
Etag: "0dfff2fe5ab59c79c6105ac336b388ed"
Status: 304 Not Modified
Hmm… that shouldn’t have been a 304 Not Modified, but a 200 OK with a new Last-Modified header and a new Etag! The funny thing is that when I press Shift and reload the page I get the updated feed, but the headers still look like this:
http://kirkebrand.dk/?feed=comments-rss2
GET /?feed=comments-rss2 HTTP/1.1
Host: kirkebrand.dk
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.x 200 OK
Date: Wed, 25 Jan 2006 21:14:08 GMT
Last-Modified: Wed, 25 Jan 2006 09:14:20 GMT
Etag: "0dfff2fe5ab59c79c6105ac336b388ed"
Status: 200 OK
So something is definitely wrong here! I would be happy if some of you could try out the procedure above yourself and report your findings. I’ve seen this problem on my own blog and on Lars’ blog too, so the problem seems to affect version 1.5.2 as well as the new 2.0.
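As an added example (not code from this post and not WordPress’s own code), here is a small Python model of how a server should answer the three requests in the trace when its validators are derived from the feed itself: the ETag is a hash of the bytes actually sent and Last-Modified is the feed’s own modification time, so a new comment changes both. The feed bodies and the timestamps are constructed to mirror the trace; nothing here claims to reproduce how WordPress computes its headers.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime


def validators(body: bytes, last_modified: datetime):
    """Derive both cache validators from the feed itself.

    The ETag is a hash of the bytes that will be sent, so any change to the
    feed (a new comment, for instance) yields a new ETag.  Last-Modified is
    the feed's own modification time rendered as an HTTP-date.
    """
    etag = '"%s"' % hashlib.md5(body).hexdigest()
    return etag, formatdate(last_modified.timestamp(), usegmt=True)


def handle_get(body: bytes, last_modified: datetime, req: dict):
    """Answer a GET for the feed, honouring If-None-Match / If-Modified-Since.

    Returns (status, response_headers, response_body).  304 is sent only when
    the client's validators still match the *current* feed; otherwise 200
    with the fresh body and fresh validators.
    """
    etag, lm = validators(body, last_modified)
    resp = {"ETag": etag, "Last-Modified": lm}

    inm = req.get("If-None-Match")
    if inm is not None:
        # RFC 7232: when If-None-Match is present, If-Modified-Since is ignored.
        # Weak comparison: a leading W/ does not stop a tag from matching.
        tags = []
        for t in inm.split(","):
            t = t.strip()
            tags.append(t[2:] if t.startswith("W/") else t)
        if "*" in tags or etag in tags:
            return 304, resp, b""
        return 200, resp, body

    ims = req.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            since = None  # unparsable date: treat the request as unconditional
        if since is not None and last_modified.replace(microsecond=0) <= since:
            return 304, resp, b""
    return 200, resp, body


def replay():
    """Replay the three requests from the trace against the handler above.

    Constructed sample data: two tiny feed bodies standing in for the comments
    RSS before and after a comment was posted, with the mtimes from the trace.
    """
    feed_v1 = b"<rss><channel><item>first comment</item></channel></rss>"
    t1 = datetime(2006, 1, 25, 9, 14, 20, tzinfo=timezone.utc)

    # 1. Shift-reload: Firefox sends no validators, so we expect 200.
    s1, h1, _ = handle_get(feed_v1, t1, {"Cache-Control": "no-cache"})

    # 2. Plain reload before anything changed: validators match, expect 304.
    cond = {"If-None-Match": h1["ETag"], "If-Modified-Since": h1["Last-Modified"]}
    s2, h2, _ = handle_get(feed_v1, t1, cond)

    # 3. A comment is posted: body and mtime change, so the same conditional
    #    request must now get 200 together with new validators.
    feed_v2 = feed_v1.replace(b"</channel>", b"<item>second comment</item></channel>")
    t2 = datetime(2006, 1, 25, 21, 13, 30, tzinfo=timezone.utc)
    s3, h3, _ = handle_get(feed_v2, t2, cond)

    return [s1, s2, s3], h1["ETag"], h3["ETag"], h3["Last-Modified"]


if __name__ == "__main__":
    statuses, old_etag, new_etag, new_lm = replay()
    print(statuses, old_etag, new_etag, new_lm)
```

The third request is the one that goes wrong in the trace above: a server answering it with 304, or with 200 but the old validators, will keep every aggregator on the stale copy until it decides to ignore the headers.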
18th August 2005, 02:05 pm
Lately my site has seen a bunch of spam comments about Phentermine, Alprazolam, and other drugs… luckily they have all been caught by the built-in spam filters in WordPress. But what are all those drugs about anyway, and will people really buy drugs from some website (usually with a not so trustworthy name…) found via a link buried deep in a discussion about PHP Shell?!
A quick search on Google explains that Phentermine is used for losing weight by lowering the appetite, and Alprazolam is used to relieve anxiety, nervousness, and tension. But is there really such a big market for such drugs?
I guess so, just as there has to be a market for all the stuff email spam tries to sell us. You know, those appliances and drugs that promise to enlarge various body parts in no time! :-)
17th August 2005, 05:46 pm
Another computer-related thing needing attention when I got home was WordPress… version 1.5.2 has just been released to fix yet another security hole, although their announcement has no specifics (as usual).
They write “We’re happy to announce that a new version of WordPress is now available for download.” How can they be happy that a security hole has been found in their “extremely stable 1.5 series” once again?! They have released version 1.5.1 (May 9th, renamed to version 1.5.1.1), 1.5.1.2 (May 27th), 1.5.1.3 (June 29th), and now 1.5.2 (August 14th) in response to security holes being found.
I think that’s a bit too much for me to call this thing “extremely stable” (I obviously believe that security is an important feature of a “stable” application.) It’s good that they react to the security holes and they try to fix them fast, but I don’t like the way they just write that they have “addressed all the security issues that have been circulating the past few days”. Some questions immediately spring to mind:
How many security holes were there?
What was the nature of the hole(s)?
Could they “just” change the database? If so, which parts of it?
Could they upload files to my server? If so, could they overwrite my previous files?
How can I see in my log files if I’ve been exploited?
Instead of being vague I would like to see specific information about the problems. Browsing through the changesets doesn’t really help either, for the WordPress developers seem to make a point out of obscuring their fixes.
Take this changeset (revision 2779) for example, which was committed on the 1.5 branch two days before the announcement of version 1.5.2 with the innocent message of “Move above”. Some lines are really moved up a little further in wp-settings.php — they deal with undoing the work of the infamous register_globals setting in PHP.
But the lines are not just moved, an extra check is added to ensure that the variable $table_prefix isn’t unset. Why? Is this one of the security problems they’re talking about? Given the extreme lack of comments we can only guess…
Or maybe the fix was smuggled in with revision 2780, together with fixes for seven small bugs and feature requests? The change to wp-admin/users.php in that changeset involves replacing
$id = $_GET['id'];
with
$id = (int) $_GET['id'];
and to my eyes this could be the fix they’re talking about. Especially since $id is used in an SQL query next… So if this analysis is correct then WordPress 1.5.2 was sent out to guard against an SQL injection attack. If anybody else has information about this then I would of course be interested!
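To see what that one-character cast buys, here is an added example (my own illustration, not the WordPress code from the changeset) that runs the vulnerable pattern, the (int)-cast pattern and a parameterised query side by side against an in-memory SQLite table. The table name wp_users and its columns are an assumption modelled on WordPress conventions, the rows are constructed, and php_int_cast is a small approximation of PHP’s (int) on a string.

```python
import re
import sqlite3


def php_int_cast(s: str) -> int:
    """Approximate PHP's (int) on a string: optional leading whitespace and
    sign, then leading digits; anything else gives 0.  (Assumption: PHP 5
    semantics, integer overflow ignored.)"""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for WordPress's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)",
                   [(1, "admin", "hash-a"), (2, "rune", "hash-b"), (3, "lars", "hash-c")])
    return db


def lookup_vulnerable(db, raw_id: str):
    """Mirrors `$id = $_GET['id'];` followed by pasting $id into the query text.
    Whatever the client sent becomes part of the SQL."""
    sql = "SELECT ID, user_login FROM wp_users WHERE ID = %s" % raw_id
    return sorted(db.execute(sql).fetchall())


def lookup_cast(db, raw_id: str):
    """Mirrors `$id = (int) $_GET['id'];`: only an integer can reach the query,
    so '1 OR 1=1' collapses to 1 and 'UNION ...' payloads collapse to 0."""
    sql = "SELECT ID, user_login FROM wp_users WHERE ID = %d" % php_int_cast(raw_id)
    return sorted(db.execute(sql).fetchall())


def lookup_param(db, raw_id: str):
    """The general fix: a bound parameter.  The value never becomes SQL text,
    so it works for non-numeric columns too."""
    return sorted(db.execute("SELECT ID, user_login FROM wp_users WHERE ID = ?",
                             (raw_id,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    for payload in ["2", "1 OR 1=1", "0 UNION SELECT ID, user_pass FROM wp_users"]:
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  (int) cast:", lookup_cast(db, payload))
        print("  parameter :", lookup_param(db, payload))
```

The UNION payload is the interesting one: against the vulnerable form it returns every user’s password hash in place of the login name, which is roughly the scope of the question “could they ‘just’ change the database?”, read-only version. The cast is enough here because ID is numeric; for string columns only the parameterised form (or proper escaping) helps.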
14th July 2005, 01:21 am
I’ve just changed what was supposed to be permanent: my permalink structure. But fear not, I really believe that cool URLs don’t change so of course all the old URLs still work! But in case I messed up anyway, please drop me a mail or leave a comment.
Keeping the old permalinks was easy, I just copied the last five mod_rewrite rules from my .htaccess file and inserted them after the block managed by WordPress. By the way, I love my SSH connection to mgeisler.net: there’s something very cool to it when you edit your .htaccess file in Emacs on a live site… :-)
8th July 2005, 10:19 am
I’ve added a bunch of XML-RPC services for WordPress to ping when I make new content here. Until now I’ve just been using the default Ping-O-Matic server which sends my pings along to 12 other services — I now have 28 more services on my list to ping!
I wonder how long it’s going to take to post something now… I’ll be able to tell in a second when I post this :-)