Using a system like Symfony for your website creation needs has a lot of advantages, no doubt about that.
But you also need to be aware that you're unwittingly creating a pattern that can be abused when you aren't paying attention. I got caught by one of these myself for a few weeks now...
Let me explain... For a couple of weeks, one of my sites was cursed with some strange voodoo. I had a list of items on a page, and one of these items (always the same one) kept disappearing on a daily basis, while I was the only one with access to the database. I was puzzled until some MySQL logging cleared things up. Some Asian IP was hitting my website like this: http://mysite.be/item/delete/id/$nr, where $nr are the ids from the list. (Basic and easy-to-try standard CRUD thing, available from most frameworks, so if you know Symfony, you could guess that item had a delete, create, edit, show and list action.)
Because the item module was forgotten in my security.yml frenzy, everyone could browse to that URL and delete my items.
But why did only one item disappear? Well, the other delete requests failed because of foreign key constraints, while the item that kept disappearing wasn't referenced by any other row, so it was removed successfully every time.
Anyway, I plugged the hole with a security.yml for the item module as follows:
delete:
  is_secure: on
  credentials: admin
create:
  is_secure: on
  credentials: admin
edit:
  is_secure: on
  credentials: admin
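The failure mode here was a module that simply got forgotten in security.yml. As an added check (not from the post), the script below lists every executeXxx action of a module and resolves its effective is_secure value following the symfony 1.x precedence (application-level default, then module-level all, then the action's own entry), so unprotected actions show up before someone else finds them. The three file contents are constructed inline for the demonstration; in practice you would read apps/<app>/config/security.yml, modules/<module>/config/security.yml and actions.class.php from disk.

```python
import re

# Constructed sample inputs (not from the post): the item module's security.yml
# as given above, an app-level default, and a stub actions class with the five
# CRUD actions the post mentions.
APP_SECURITY_YML = "default:\n  is_secure: off\n"
ITEM_SECURITY_YML = """
delete:
  is_secure: on
  credentials: admin
create:
  is_secure: on
  credentials: admin
edit:
  is_secure: on
  credentials: admin
"""
ITEM_ACTIONS_PHP = "class itemActions extends sfActions {\n" + "".join(
    f"  public function execute{a}() {{}}\n" for a in ("List", "Show", "Create", "Edit", "Delete")) + "}"

def parse_security_yml(text):
    """Parse the flat 'action: {is_secure: .., credentials: ..}' layout of a symfony 1.x security.yml."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        key, _, value = line.strip().partition(':')
        if not line[0].isspace():           # top-level key: an action name (or all/default)
            current = key.lower()
            result.setdefault(current, {})
        elif current is not None:           # indented key: a setting of that action
            result[current][key.strip()] = value.strip()
    return result

def list_actions(php_source):
    # symfony 1.x actions are methods named executeXxx in actions.class.php
    return [m.lower() for m in re.findall(r'function\s+execute(\w+)\s*\(', php_source)]

def audit(app_yml, module_yml, actions_php):
    """Return {action: bool}: effective is_secure, cascading app 'default' < module 'all' < action entry."""
    app_default = parse_security_yml(app_yml).get('default', {})
    module = parse_security_yml(module_yml)
    status = {}
    for action in list_actions(actions_php):
        secured = 'off'                     # symfony's built-in default when nothing is configured
        for conf in (app_default, module.get('all', {}), module.get(action, {})):
            secured = conf.get('is_secure', secured)
        status[action] = str(secured).lower() in ('on', 'true', 'yes', '1')
    return status
```

Run against the post's config, the audit reports list and show as open (intended) and delete, create and edit as secured; run it against a module you forgot and the delete action shows up as open.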
One less thing to worry about.
Firefox 3 has new “invalid SSL certificate” warning screens. All fine and dandy, but pretty confusing, and way too much work to allow the certificate.
When you browse to a site with an invalid/unknown SSL certificate (such as a self-signed certificate), you see this screen:
At first glance, it seemed the site was down, and I checked whether I had typed the URL correctly. Yep, I had. Then I reread the message more carefully, and noticed it was in fact the SSL stuff. This is where your Joe Schmoe and Jane Doe sit in front of the screen, wondering why their beloved site is down, and go on surfing to another place.
To actually get to view the site, it gets even more cumbersome. You need to go through 3 obscure steps to allow the page to be viewed, as seen below:
Clicking “Add Exception” brings you to this page:
Next, “Get Certificate”:
And, finally, the last button, “Confirm Security Exception”. And then we are able to see the page we intended to view.
Of course, this is just a beta (beta 3, to be exact), so I'm pretty sure some GUI master will improve the situation.
For the rest, I'm absolutely LOVING Firefox 3; it sure is heading to be a big winner.
Now if only the plugins/addons follow soon...