Autarchy of the Private Cave

favicon.cc has cool real-time previews and allows creating animated favicons.

Update: check the comments below for more online favicon editors/generators!

Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.

It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

And here’s why:

• recipients hidden field is passed to the client; it is encrypted, but with access to the mod.email.php code, it is a matter of several minutes to write your own email-encoding function which will produce a completely valid recipients field
• there’s also XID field, which seems to be unique for each page load

Spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though – didn’t check them.)

This information is valid as of ExpressionEngine 1.6.6, but nothing in the change-logs indicates that this mechanism was modified in the newer versions of EE.

Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for Contact Form.

I’ve notified the developers.

It was only today that I’ve noticed Microsoft Office Live in Available updates (using Microsoft update). Curiosity led me to find out that Office Live is a suite of online word processor, presentation editor, spreadsheet and note-taking software, limited to a 500 MiB diskspace – free, developed by Microsoft. Office Live appears to be built on top of SharePoint.

Main emphasis of their website is on collaboration and access from anywhere to your documents. Although Firefox (together with IE) is listed as a supported browser on XP/Vista/MacOS (Linux is not listed), there is a note that some Office Live features require ActiveX. So Office Live is not really a match for Google Docs in portability (quite expectedly).

An update installs some new menu commands into Office XP/2003/2007, which allow working with Office Live from within your local M$ software.

I wonder if there is already an OO extension which allows working with Google Docs – no more wondering, here it is (thanks Paolo!).

Unix SEX :{ look; gawk; find; sed; talk; grep; touch; finger; find; flex; unzip; head; tail; mount; workbone; fsck; yes; gasp; fsck; more; yes; yes; eject; umount; makeclean; zip; split; done; exit:xargs!!;)} (source: someone’s signature in the Debian mailing lists).

download Unix/Linux command reference by Jacob Peddicord/FOSSwire.com

Came across typealyzer, which allows to “determine” the blog author personality.

Mine is ESTJ – The Guardians:

The organizing and efficient type. They are especially attuned to setting goals and managing available resources to get the job done. Once they´ve made up their mind on something, it can be quite difficult to convince otherwise. They listen to hard facts and can have a hard time accepting new or innovative ways of doing things.

The Guardians are often happy working in highly structured work environments where everyone knows the rules of the job. They respect authority and are loyal team players.

Typealyzer currently supports only English and Swedish blogs.

I’ve seen someone reading my blog from a 320×240 handheld device, and realized that it must be pretty inconvenient. Testing my blog with the help of ready.mobi confirmed my worst expectations with a mobile-readiness score of 1.

I’ve installed and then tested one-by-one a series of WP plugins designed to make your blog mobile-accessible. Testing was done using ready.mobi; all plugins were using default settings – except for viewMobile, which had Images option set to Resize, not Keep As Is.

On Mobilize by Mippin plugin ready.mobi exited with error “Could not retrieve page content”, which is no wonder as Mippin plugin redirects the handheld device’s browser to mippin.com, which converts the page into mobile-accessible form (however, it is indeed strange that mowser.com plugin worked fine, though it is also a redirector). I’ve used mippinmaker to estimate what would my blog look like via mippin – and it appears to me that mippin is using my RSS as the source of content; actually, plugin description explicitly states that. I’m sure this would get real high scores on ready.mobi, but I can’t find the way to test that; thus Mippin plugin didn’t participate in the final feature-based comparison.

viewMobile plugin is a clear winner best by score in “plugins” group – it has the highest scores in the feature table (well, after mowser plugin, which is not a plugin but a redirector to an external service). Also, in addition to “keep as is” and “downsample”, there is an option to “strip” images – I presume that would bring the page size further down. However, viewMobile removes comment forms from posts; at the same time, PDA & iPhone plugin preserves comment forms – thus it is better for my purposes.

The mowser-based service has even higher scores than viewMobile – but is an external dependency. For my blog, I decided to stick to PDA & iPhone plugin. Also, such a low page size (see table) is due to mowser splitting the tested main blog page into two pages – and ready.mobi then only weighs the first (much smaller) page; so there is no benefit in page size when using mowser.

Please comment to share your experience of turning your blog mobile-accessible, or of reading my blog from handheld/mobile devices.

P.S. If you are used to visiting websites and blogs from your handheld device, and those sites/blogs are not optimized for mobile devices, I’d recommend using the free mowser service (though Opera Mini is easier, I guess).

P.P.S. This post wasn’t sponsored by mowser or any other mentioned services

Important update: clearly, viewMobile and any other PHP-level mobile accessibility plugins are incompatible with SuperCache. So either (super) caching, or mobile version – but not both. I’ll have to look into possible solutions.

Update 2

A “clever” solution would be to have a subdomain or even a different TLD domain for the mobile version of the blog (to avoid SuperCache interference – ideally, both database and files would be the same, but some tiny bit of configuration would make all the difference; the easiest tiny bit would be a mod_rewrite rule). Another good solution would be to modify SuperCache’s mod_rewrite rules, so that mobile User-Agents aren’t fed cached versions – and thus viewMobile has a chance to trigger and serve correct version (this solution doesn’t require another domain or subdomain, but is less reliable).

I’ve tried mowser plugin, but it suffers from the same cache interference problem (because it is also PHP-level, and SuperCache works at apache and mod_rewrite level). For the same reason, PDA & iPhone plugin wouldn’t work as well.

For now, I’ve disabled SuperCache (leaving WPCache on), and turned on PDA & iPhone plugin (unlike viewMobile, it does show the comments form below each post). Seems working. Will look into domain/mod_rewrite solutions.

Update 3

SuperCache is back on, except for a list of mobile User-Agents; those User-Agents were also added to SuperCache’s UA exclude list. Thus now if a “normal” browser requests a page, such a request is cached, or a cached page is fed to the browser. If the mobile browser requests a page, it is not fed a cached page even if one exists, and cache page is not created while running WP’s PHP engine. Tested using both built-in browser (I could even fill in captcha while commenting) and Opera Mini on a Samsung phone: seems to work fine. However, all of ready.mobi’s phone emulators for some reason choked on the comment form’s textarea, refusing to display the page. I ignore this but if compliance is important then viewMobile will be a better choice than PDA & iPhone.

Drawbacks of this solution: 1) mobile requests are not cached, 2) if the mobile browser’s User-Agent is not in the list, then it will be fed a standard-looking page, 3) hard to maintain – need to update both the list of UAs in .htaccess and in the configuration of SuperCache.

Better solutions are welcome.

One of my projects – COTRASIF – has grown complex enough to necessitate the use of version control system (VCS).

The most frequently mentioned is definitely SVN (SubVersion).

However, with a characteristic scrupulosity, I decided to run my own comparison of the available tools. I had a look at Darcs, Mercurial, SVN, and Git. Of these, only SVN is not a distributed VCS (but there is SVN addon which adds distributed features to SVN). Unfortunately, I didn’t take any notes during comparison, so there will be no details on how the choice narrowed down to Mercurial vs Git. These dVCSs are quite similar, with the following major differences: Mercurial is better documented and (much?) easier to use than Git; Git is more feature-rich, and Git currently has more add-on modules. Here the differences almost end. I decided that learning curves never were an obstacle, so Git is currently my first distributed VCS of choice (please note: I’ve never before used any version-control systems).

After choosing Git, I had to install Git central repository on a server. (Yes, Git is distributed, but central repository on the always-on server is a convenience worth the trouble; and again, this adds yet another backup copy.)

This is a collection of resources I found useful when setting up my Git repository:

1. Hosting Git repositories, easy and secure way (note: do not create the user manually, installation of gitosis package does that for you automagically).
2. Setting up Git repository on Dreamhost.
3. gitosis: how to add new repository

Some more resources on how to use Git:

1. Git user manual
2. Git guide
3. Git recipes (branching and merging in examples)
4. everyday Git with 20 commands
5. version control with git – tutorial

Update: Git is simple enough to get started in minutes. So far I had only used clone/push/pull/commit/gc commands, but I’m familiar with tag/branch/checkout commands. The drawback of insufficient documentation (as mentioned above) isn’t really a problem now. I’m not using any GUIs for git (as sometimes I’m working on a remote server via ssh), but of the three locally tried GUIs I liked gitk the most; both git-gui and qgit feel less convenient than gitk, but are approximately equal. I wish I had some SVN/Mercurial/Darcs experience to be able to recommend Git – but I don’t have that