Sunday, March 31, 2013

Security is a moooooving target

Earlier today, I had a "free heart attack" when a new thread showed up on the PHP Internals list:

[RFC] more secure unserialize()

I love serialize()/unserialize() because it is nice and easy to use. Unfortunately, with ease-of-use comes greater responsibility. In this case, it is important that users can't submit their own serialized data structures to the server. When the server calls unserialize(), it expands out any data type, including objects. Upon destruction of an object, __destruct() is called by PHP automagically, which then executes whatever code is in there. The "free heart attack" I mentioned earlier came from the fact I send serialized data to the SSO client in the encrypted cookie. Fortunately, a look at the encrypted cookie code revealed I had been using json_encode() and json_decode(), which allowed me to breathe a sigh of relief. For now.

This just goes to show that security is a moving target. Or, if you are a cow, it is a mooooooving target. Failure to stay on top of the latest changes on the security front makes systems less secure.

Saturday, March 09, 2013

Just use grep! Don't use find + grep (+ xargs + whatever)...

I've been looking for an alternate to find + grep under Linux so that I can do similar queries to 'findstr' under Windows such as:

findstr /sic:"my_function" *.php

Recursive search for PHP files containing the string "my_function". The typical response to "how to search for some type of file containing some text" under Linux is usually along the lines of:

find "*.php" -exec grep -H "my_function" {} \;

Not only is that cryptic and longer and more difficult to type, it fires off a new, separate process (grep) for every PHP file it finds. I've seen a zillion incarnations of the above. Every time I run that, I end up waiting ten times longer than I would have waited for 'findstr' for the same operation. find + grep performance is terrible. So I said to myself today, "Hmmm...maybe grep has the solution already?" Lo-and-behold, it does:

grep -nir --include="*.php" "my_function" .

-nir is a mashup of the -n (line number), -i (case insensitive pattern search), and -r (recursive) flags. Depending on the system, the -H flag might be necessary as well to get filenames to display. The '--include' thing works around shell limitations that typically cause people to use 'find'. Also, the performance is comparable to 'findstr'. If you don't care about the file type and don't mind scanning images and other binary data:

grep -nir "my_function" .

But the above isn't probably what you stopped by for. I'm mostly posting it as a reminder to myself in the future. The FUTUUUUUUURRRRRE!