I decided to look at what I already had available; namely Java. ColdFusion runs on top of Java and it’s possible to create Java objects from within ColdFusion.

I’ll spare you the grueling details, but I did get caught up at one point playing around with the Java keystore and importing my client certificate into that keystore. Using things like keytool and OpenSSL I tore apart and reconstructed my client certificate and my Java keystore. Ultimately I didn’t need to do any of that and should have just left the keystore alone.

The path to enlightenment began when I found an example of Java socket operations using  the javax.net.ssl.SSLContext object. The example code I was looking at used this object to create regular sockets, not SSL-enabled sockets. I looked into this object and found a few more examples using it to create SSL connections. A bit of back and forth between these examples and the online Java API spec resulted in the discovery that I could load a PKCS12 file as a keystore and pass that to the SSLContext object then create sockets from that SSLContext. This looked promising.

After a bit of trial and error I finally had something that worked!

Here’s the relevant portion of code. I’ll go line-by-line afterwards.

<cfscript>
  // 01: create input file stream from certificate
  variables.ksf = CreateObject( "java", "java.io.FileInputStream" ).init( variables.cert_file );

  // 02: create keystore object from certificate
  variables.ks = CreateObject( "java", "java.security.KeyStore" ).getInstance( "PKCS12" );
  variables.ks.load( variables.ksf, JavaCast( "String", variables.cert_password ).toCharArray() );

  // 03: create key manager factory out of keystore
  variables.kmf = CreateObject( "java", "javax.net.ssl.KeyManagerFactory" ).getInstance( "SunX509" );
  variables.kmf.init( variables.ks, JavaCast( "String", variables.cert_password ).toCharArray() );

  // 04: create SSL context object using key manager factory
  variables.sslc = CreateObject( "java", "javax.net.ssl.SSLContext" ).getInstance( "TLS" );
  variables.sslc.init( kmf.getKeyManagers(), JavaCast( "null", "" ), JavaCast( "null", "" ) );

  // 05: get SSL socket from SSL context
  variables.factory = sslc.getSocketFactory();

  // 06: connect to the server via SSL
  variables.sock = variables.factory.createSocket( variables.server_address, variables.server_port);
  variables.sock.startHandshake();

  // 07: create input and output streams to read from and write to the socket
  variables.sout = variables.sock.getOutputStream();
  variables.out = createObject( "java", "java.io.PrintWriter" ).init( variables.sout );
  variables.sinput = variables.sock.getInputStream();
  variables.inputStreamReader = createObject( "java", "java.io.InputStreamReader" ).init( variables.sinput );
  variables.input = createObject( "java", "java.io.BufferedReader" ).init( variables.InputStreamReader );

  // 08: send the HTTP request over the socket
  variables.out.println( Trim( variables.request_header ) );
  variables.out.println();
  variables.out.println( Trim( variables.soap_envelope ) );
  variables.out.println();
  variables.out.flush();

  // 09: read the response from the server
  variables.result = "";
  do {
    variables.line = input.readLine();
    variables.lineCheck = IsDefined( "variables.line" );
    if ( variables.lineCheck ) {
      variables.result = variables.result & variables.line & Chr(13) & Chr(10);
    }
  } while ( variables.lineCheck );

  // 10: close the connection
  variables.sock.close();
</cfscript>

So let’s work through this.

01: The variable variables.cert_file contains the full path to the client certificate. This line opens that file for reading.

02: This creats a java.security.KeyStore object that expects a PKCS12 format and then loads the client certificate into the keystore. Note that the second parameter of the KeyStore.load() method is the password of the PKCS12 file. You must pass this as a character array and not as a string, which is why the password must be cast as a String object whose toCharArray() method is called to obtain that character array.

03: This creates a javax.net.ssl.KeyMangerFactory object which is used by the SSLContext object to deal with the certificates in the keystore. Note that the second parameter of the init() is the password to the certificate in character array format. You must provide the password twice, once when creating the keystore, and then again creating the key manager factory.

04: Here we create the javax.net.ssl.SSLContext object. The getInstance() call tells what protocol to use with this object, in this case “TLS“. (Note: “SSLv3” also works. No idea which one I should be using. If one fails, try the other.) Once the object is instantiated we initialize it with a key manager from the key manager factory. The second and third parameters of the init() method could point to a trust manager and a source of randomness. It doesn’t appear that either is needed (this is what I saw in other examples) so I pass null values. Note that you have to use JavaCast() to pass a null.

05: Get a socket factory object from the SSLContext object. This factory will be used to create individual sockets using the parameters established with the SSLContext object.

06: Create a single socket from the socket factory by passing the server address (variables.server_address) and port (variables.server_port) we want to connect to. Then call startHandshake() which will create the connection to the server using SSL.

07: Create objects needed to read from and write to the socket we’ve created.

08: Here we send our SOAP envelope to the server. Note that since we’re doing everything by hand we also have to send the proper HTTP headers. Both the variables.request_header and variables. soap_envelope variables were created using the CFSAVEDCONTENT tag as shown in part 1. You want to create the envelope first so you know the correct content-length value for the HTTP header. Since I decided to stick with SOAP 1.1 the header also contains the SOAPAction field and the content-type is set to text/xml.

Here is an example of how I created the headers:

<cfsavecontent variable="variables.request_header">
POST <cfoutput>#variables.server_request_path#</cfoutput> HTTP/1.0
Host: <cfoutput>#variables.server_address#</cfoutput>
User-Agent: SOAP Washer/1.0
SOAPAction: "<cfoutput>#variables.soap_action#</cfoutput>"
Content-Type: text/xml
Content-Length: <cfoutput>#Len( Trim( variables.soap_envelope ))#</cfoutput>
</cfsavecontent>

Standard HTTP/1.0 headers. You can make the User-Agent field just about whatever you want.

Also worth mentioning is that I didn’t try to combine the two (HTTP headers and envelope) into a single variable. This is because how CFSAVEDCONTENT handles newline characters is different between ColdFusion 8 and ColdFusion 9. By keeping them separate this code is able to operate under either version.

The empty println() commands are there to send a newline. And the flush() call simply sends anything left in the buffers, thus completing the sending of our request.

09: This is where we read the response from the server. The response can only be read one line at a time, so we need a loop to keep reading one line at a time and appending it to the variable where we’ll store the entire response (variables.result).

A tricky thing working between ColdFusion and Java objects is that if you assign the return value of a Java object method to a ColdFusion variable and that return value is null then the ColdFusion variable is unset or deleted. Since the readLine() method returns null when there’s nothing more to read, the only way to know we’ve completed reading the response is to test if variables.line, where we store the return value of readLine(), still exists. If it doesn’t, we’ve reached the end of the response.

10: Close the connection

The ColdFusion variable variables.result will contain the entire response from the server, including the response HTTP headers. Meaning if you want to get a proper XML object from xmlParse() you’re going to need to first strip away those headers.

<cfset variables.temp = REFindNoCase( "content-length: ([0-9]+)", variables.result, 1, "True" )>
 <cfif variables.temp.len[1] GT 0>
  <cfset variables.length = Val( Mid( variables.result, variables.temp.pos[2], variables.temp.len[2] ))>
  <cfset variables.xmlResult = Trim( Right( RTrim( variables.result ), variables.length ))>
</cfif>

This should do the trick. Although you may want to throw in some code to strip out the status code to ensure a good transaction.

And there you have it. Handling transactions with a third-party web site using client certificates under ColdFusion using only native ColdFusion objects.

But I don’t have Acrobat Pro installed on my computer. If the college orders me a copy today we’ll probably have the install DVD  next week, but I don’t want to wait that long.

So what options are at my disposal? Is it possible to link to a specific location inside a PDF without having to create bookmarks inside the PDF?

After scouring the interwebs a bit I find this document on Acrobat Open Parameters.

I can link to a specific page by simply appending to the PDF’s url #page=2 and, magically, Acrobat Reader will load the PDF starting on page 2.

Cool.

But some of the items I’m linking to inside the PDF start halfway down the page. A user clicking on the link might not see the section they’re being linked to within the top area of the page that is visible on their screen and immediately assume they’ve clicked on the wrong thing.

So can we do something more with these URL parameters?

Yes!

The VIEW parameter allows you to define how the PDF is scaled in the browser (fit to window, fit horizontally to window, fit vertically to window, etc.) as well as where on the page to start based on a x,y coordinate system.

In this case I want to set VIEW to FitH (Fit Horizontally) meaning the PDF will size itself so the width of the document is the same as the width of the browser’s viewport. This also allows us to specify a Y component as to the position of the page displayed when the PDF is loaded. Combine this with the PAGE parameter and you can define where in a given page the PDF will start when loaded.

So a link like document.pdf?page=7&view=FitH,300 will load the PDF on page 3 at 300 units down the page.

Now what unit are we talking about? And is 300 units on my screen the same as 300 units on someone else’s screen? I have no idea. The document is light on details, but I believe the coordinate system is based on the parameters of the PDF itself and not the end-user’s screen. So with a little bit of trial-and-error I find just the right number to use with the FitH view and voilà!

I can now link to the Masters of Arts in Teaching program within the Secondary Education section of the catalog. And I did it without having to pay for some bloated Adobe software.

Granted, with named destinations updating the catalog next year wouldn’t require that I touch those links (just the PDFs we get from the publisher) and maybe it’s better from a semantics standpoint, but this was quick and easy.

Will it work with PDF readers other than Acrobat? I don’t know. If you’ve got one installed try it out and let me know. The fact that these “open parameters” have been around since at least Acrobat 6 it’s possible other PDF viewers have incorporated this feature into their application.

But, hey, it works with the most popular and free PDF reader and it didn’t require expensive software to accomplish. That’s good enough for me.

This was born out of an article written by Jakob Nielsen titled “Stop Password Masking“. In it he argues that masking passwords does little to really prevent password theft, but does quite a lot of harm in the form of user errors as they are unable to tell if they’ve made a mistake in typing their password. Security pro Bruce Schneier weighed in as well, initially agreeing with Nielsen, then rethinking his ideas a bit.

I decided to see what we, on the web side of things, might be able to do to make it a little easier on users, but still stay secure.

Sadly this will probably be the last Gargoyles story told in an official capacity. The book’s publisher, SLG, were not able to renew their license with Disney after Disney increased the license fee on Gargoyles. Some rumors are afoot that say if the book sells really well then SLG might decide to take a chance at renewing the license (and risk considerable money if the book doesn’t sell).

But I’ve got a feeling this is going the way of the DVDs, which ended after the first half of season 2 was released 4 years ago and fans were left without the second (and concluding!) half of season 2.

Although it seems Disney is quite good at screwing up quality products other than Gargoyles. For example they’ve yet to green-light a third season of Spectacular Spider-Man. A complete no-brainer and also a show produced by Greg Weisman. Makes me wonder if there’s some sort of bad relationship between Weisman and Disney.

if ( empty( $key ) )

If the $key variable is empty, an error is generated. If $key is not empty it’s passed to a SQL query that looks up the user whose key is being reset. Seems innocent enough, right?

The variable $key is a sanitized copy of $_GET['key']. And what happens if the value passed on the url for key is an array?

Well the sanitization step is a simple preg_replace, like so:

$key = preg_replace('/[^a-z0-9]/i', '', $key);

The PHP documentation states that if the subject ($key) is an array, the return value will be an array as well. It also states that if no matches are found, the original subject is returned. Since $key is empty to begin with, thus no matches will be found, a copy of $key is returned. Essentially $key remains unchanged. So what happens when you pass an empty array to PHP’s empty() function? Well the documentation says it should return FALSE. So what’s the problem?

The problem is the array isn’t really empty. It contains a single node which contains an empty string. So the empty() call returns FALSE, thus no error is generated for an empty $key.

Surely the SQL check will return no entries since there is no key to search for, right?

Wrong. Here’s the code:

$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));

The $wpdb->prepare()  is used to insert values into SQL statements. $key is treated like an empty string. Therefore the SQL that is generated looks like:

SELECT * FROM wp_users WHERE user_activation_key = ''

And that query will return every user who has an empty activation key — that’s everyone not currently trying to reset their password. Since the first row returned is the record that gets reset, you will almost always be resetting the admin account. If you keep making the same request over and over you will eventually wind up resetting the password of every user in the system!

Reset passwords are auto-generated and then e-mailed out to the users. This sort of attack could be used as a weak style of denial-of-service (or pain-in-the-ass attack as I prefer to call it) or an attacker who has access to a victim’s e-mail account (or can packet sniff their e-mail downloading)  could take control of the blog.

A fix is already on the way as you can see by viewing wp-login.php in Wordpress’ CVS. The fix seems simple enough:

if ( empty( $key ) || !is_string( $key ) )

So $key must be a string and it must be empty. Seems very straightforward. Although I would prefer they went the added step of simply modifying the SQL query to check against only those user_activation_code fields that are not empty strings. In other words add something like

$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s AND user_activaction_key <> ''", $key));

That would more correctly fix the issue, as it would protect against even those attacks that are somehow able to bypass the initial empty() check.

Wordpress appears to also be adding a username to the password reset request so that simply passing an empty key on the URL and hitting reload a bunch of times won’t result in everyone having their password reset — probably something they should have done in the first place.

So there it is. Patch your Wordpresses, either by manually editing wp-login.php or waiting for the official patch to come out sometime later this week.

It appears that there is a new Flash vulnerability that can take over your computer. Awesome.

So how does one protect themselves from such a thing? Well, you could install noscript. It’s a plugin that will disable JavaScript, Flash and other embedded objects from web sites until you explicitly set permissions to enable them for that web site. Noscript won’t save you from web sites that you’ve already set permissions for — so it’s not a catch-all, but it will save you from links to web sites you’re unsure about. And it has the nice side-effect of disabling any JavaScript-powered advertisements.

What this means for you, the web developer, is that it’s time to start assuming the first time people access your web site they will have Flash, JavaScript, etc. disabled. This means you need to make sure your site is still accessible even under those conditions. Otherwise the user will have no reason to trust your web site if he or she can’t access it in the first place. If they don’t trust it they’ll never (well, they SHOULD never) enable script and emedded objects to run from your domain. Thus you will lose customers.

HTML, CSS and text. That should be the core of every web site. Flash and embedded objects to enhance the site, but not to provide the only means to access your content.

That is unless you’re one of a few embedded object kind of web site, like YouTube. But for the majority of us, that won’t be the case. And even so, you can always provide download links to the videos if the user doesn’t have Flash enabled to view them from within your web page.

<strong>TL;DR: Web sites should be accessible even without JavaScript and Flash.</strong>

Well I don’t have Illustrator installed and the only version the office has is old and, from my experience, not very responsive. So I set out to find a free alternative. Enter Inkscape. Inkscape is a free, open source vector graphics program that you can use on Windows, Mac, and Linux platforms (and is probably portable to others should you be into that sort of thing).

I’ve been using it for just the day and I’m already in love. The controls are intuitive. There’s a ton of power in just the mouse commands. I hardly need to touch the keyboard for anything (hiding and unhiding the guides I’ve created). Working with layers may feel a bit odd; it’s nothing like Photoshop or Gimp in terms of the UI. But after a few hours I find myself right at home.

It’s native format is SVG, which open standards people will love. But if that’s not your thing you can save is most major vector graphic formats (eps, pdf, etc). You can also export the work as a bitmap and tweak it as needed in your favorite graphics editor.

This is a great application. I suggest you give it a try if you’re ever in the market for a vector graphics format.

Working on a new layout that I’m going to use as a new WP layout for this blog. I’d originally intended it to be a separate, new layout, but now I think I’ll publish it was a WP layout instead. After it’s been up here for a bit and the bugs ironed out. Hope to install the first version of this template in the next week or two.

Here’s a little tip for web designers. Sometimes I’ll find myself wanting to produce “previous” and “next” links to appear at the bottom of a web page used to manage some kind of database-driven content. The links would obviously point to the previous and next records in the database.

To style this I sometimes prefer to have the links centered on the page with a bit of a gap between the two links. Why centered and not at the far left and right edges? I don’t know. Visual preference that fits better with the layout and style perhaps, but I tend to operate more on gut feeling with a layout.

Now in the past I’d simply make a paragraph tag with text-align:center set and then a bunch of &nbsp; characters to add some space. Now if the text should ever wrap because the viewport is too small then the effect breaks horribly. Also, the text would center based on the center of all the text, and would NOT center on the gap between the two links. The illusion breaks very quickly if these previous/next links include a variable width bit of text like, say, the title of the previous/next record. The position of the gap starts moving from record to record. Ick.

« Previous             Next »

So here’s a new way to do this. Simply create two paragraphs. Float them to either side. Set a width of, say, 40% for each. Right-align the left-float and left-align the right float. Now you’ve got a gap (20% the page width in this case) between the two links, they’re centered to the page based on the gap, the gap’s location won’t change from page to page, and if the text wraps the visual structure is retained.

Now there’s no great reveal here, is there? It’s a pretty basic and simple trick. But I find my mind will sometimes approach a problem from a direction that makes it difficult to see the obvious. So I like to see these simple tips from time to time, because once in a while it’ll be a trick I’d never considered before.

For now, please forgive any errors or problems you might encounter. This server is a bit fresh and may need a bit of time to ripen into delicious fruit. Pineapple!

In the coming days (this month at least) we’ll be switching blog servers and software here. The URL should stay the same, but this site will be moving to a new physical box and to Wordpress.

I’ve played with Wordpress enough to see that it should have no problems importing old entries from this old version of MT we’re using now. Don’t know how this will affect RSS/ATOM feeds (for the few that use them).

So, heads up guys!