Flyspray Development Blog

Quickly access Flyspray tasks with Firefox

nospam@example.com (Florian Schmitz) — 2007-07-29T07:45:30Z

There is a simple way how you can easily and quickly open a Flyspray task in Firefox you might not know yet.

First, rightclick in the "show task" input box (top right) of Flyspray. Choose "Add a keyword for this search". In the following window, enter any Name and use "fs" as Keyword. That's it. Now you can type "fs 123" in the Location/URL bar to open task FS#123 in your Flyspray installation

In fact, you can also type "fs string" to search for tasks that contain string in its summary.

So long PHP4... GoPHP5

nospam@example.com (Cristian Rodriguez) — 2007-07-06T02:47:20Z

Yup, The time has come, developers agree, It is now official, Flyspray 1.0 (~~to be out by the end of this year~~) will be the last version with PHP4 support, in the future our software will run exclusively on PHP 5.1 or later (including use of features present in PHP 5.2 as well upcoming PHP6), this will help us to cleanup and improve our code significantly and make use of the enormous amount of benefits that PHP5 provides.

We are joining among other FOSS projects like phpMyAdmin, Drupal, Typo3, Symfony to the GoPHP5 initiative so, effectively on February 5, 2008 we will only produce and recieve code contributions that runs in PHP5 and are E_STRICT error mode aware.

However, the last PHP4 releases will still be mantained but only for security bugs or major regressions, no new features. for at least 3/4 months since the 1.0 release, so you have more than a year from now on to upgrade your PHP version.

It is time to move on folks, PHP4 is dead, long live to PHP5.

Update: In fact, already version 1.0 will be PHP5 only. The release date is still unkown though.

Latest bug reports in your website

nospam@example.com (Cristian Rodriguez) — 2007-06-18T08:07:27Z

Just in case someday you want to integrate your latest bug reports in your website, you can do that with this micro RSS reader

PHP:


<?php

$feed = new SimpleXmlElement('http://bugs.flyspray.org/feed.php?feed_type=rss1&project=1', NULL, TRUE);

foreach ($feed->item as $bug) {    
     printf('<a href="%s">%s</a></br>', $bug->link, $bug->title);
}

?>

Replace the URL with the one of your BTS ( PHP5 with SimpleXML required) . Remember to save a cache of your feeds on disk as well, otherwise this will request the file over and over again and will slow down your server significantly if you have enough traffic in your site

0.9.9.2 released

nospam@example.com (Florian Schmitz) — 2007-05-26T07:59:14Z

We are pleased to announce the release of 0.9.9.2. No security fixes this time, but instead a few minor features (changes). We wouldn't do that usually, but we got a very generous donation so we decided to add a little functionality. Upgrading is recommended (don't forget to run the upgrader this time).

I recently have been told that "0.9.9 seems not worth the trouble upgrading to" (from 0.9.8 ). If you think that as well, you should reconsider it. First of all 0.9.9 was virtually a rewrite of 0.9.8 with plenty of changes and hundreds of bug fixes and more importantly, 0.9.8 does contain unfixed security holes. Also, upgrading is not that much trouble in fact unless you discover (yet another) bug in ADOdb's database XML features

09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0

nospam@example.com (Cristian Rodriguez) — 2007-05-02T10:33:35Z

Well, looks like "brillant experts" that created a "very secret" copy protection code used this snippet

PHP:


<?php

// next time they "fix" the code, something like this will be used to generate a new one
echo rtrim(chunk_split(md5(uniqid(mt_rand(), true)), 2, '-'), '-');

?>

Some people earns money too easily, why on earth they think a 32 bit hex hash splitted by "-" will be secure enough to be used as a massive copy protection measure is a real wonder to me ...

The entertainment industry should start thinking about adding more value to their products and adapt to the current situation instead of playing this absurd, hilarious game over and over again.

see the digg story http://blog.digg.com/?p=74

Amusing security hole in Shiflett's security guide

nospam@example.com (Cristian Rodriguez) — 2007-04-11T05:51:31Z

Recently, reading a post in Sara Golemon 's blog about the PHP security guide I took some minutes to read the mentioned security article and I almost fall of my chair while looking the example entitled"Browsing the FileSystem" (retrieved at Wed Apr 11 05:47:32 UTC 2007) which features the following code.

PHP:


<?php

echo "<pre>\n";

if (ini_get('safe_mode'))
{
    echo "[safe_mode enabled]\n\n";
}
else
{
    echo "[safe_mode disabled]\n\n";
}

if (isset($_GET['dir']))
{
    ls($_GET['dir']);
}
elseif (isset($_GET['file']))
{
    cat($_GET['file']);
}
else
{
    ls('/');
}

echo "</pre>\n";

function ls($dir)
{
    $handle = dir($dir);

    while ($filename = $handle->read())
    {
        $size = filesize("$dir$filename");

        if (is_dir("$dir$filename"))
        {
            if (is_readable("$dir$filename"))
            {
                $line = str_pad($size, 15);
                $line .= "<a href=\\\"{$_SERVER['PHP_SE LF']}?dir=$dir$filename/\\\">$filename/</a>";
            }
            else
            {
                $line = str_pad($size, 15);
                $line .= "$filename/";
            }
        }
        else
        {
            if (is_readable("$dir$filename"))
            {
                $line = str_pad($size, 15);
                $line .= "<a href=\\\"{$_SERVER['PHP_SELF']}?file=$dir$filename\\\">$filename</a>";
            }
            else
            {
                $line = str_pad($size, 15);
                $line .= $filename;
            }
        }

        echo "$line\n";
    }

    $handle->close();
}

function cat($file)
{
    ob_start();
    readfile($file);
    $contents = ob_get_contents();
    ob_clean();
    echo htmlentities($contents);

    return true;
}

?>

Gotcha ?? , see the function ls() it uses PHP_SELF without any sanitization hence we can:

CODE:

http://example.com/script.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo

So, this guide comes with a free XSS hole

Nobody can claim to write perfect code, I expect applications (even my own apps) to have holes but I certainly expect security guides to be better reviewed. Please fix your broken guide. (s/PHP_SELF/SCRIPT_NAME/g) thanks.
Update: I have been pointed by the author of this guide that the mentioned code is supposed to be an attacker tool, what a surprise !! of course I know it **may** be, but that is no excuse to have buggy examples.
People uses security guides as a "good programming" example no ?... you will probably not believe me, but I have seen this very same code in real life only slightly modifed to browse a single directory-

Welcoming CAPTCHA

nospam@example.com (Florian Schmitz) — 2007-03-28T16:38:39Z

Is there a better way to subtly scare away visitors?

if you are interested in the URL, follow the link...

Post release and 0.9.9.1

nospam@example.com (Florian Schmitz) — 2007-03-16T12:17:00Z

Apparently the 0.9.9 release went very well. We didn't discover any severe (functional) bugs yet, but thanks to reports on the mailing list and in our forum, which seems to be pretty well accepted by now, we spotted some bugs and problems. Since 0.9.9 is maintained (in opposite to 0.9.8 ) we now released 0.9.9.1 which includes all those fixes. This time we also tracked the changes
Please note that an important security issue has also been discovered (thanks again to Stefan Esser) and fixed, thus we urge you to upgrade to the new version in your own interest

The release took a while longer than intended because of a server outage. The reason was our own Flyspray. What happened? One problem was (or rather still is) a bug (or, until we know more a change) in PHP 5.2.1 which causes problems with Jabber connections and made our server have (too) many unclosed connections, another problem were really slow queries in Flyspray. Our own Flyspray did in fact never get a correct database upgrade (I'd say due to the laziness of the previous maintainer ^^) so many important indices were missing which resulted in a lot of work for our SQL server.

BTW, if you are interested in always having the most stable version of Flyspray, you can safely use the latest code from our SVN repository (branches/0.9.9/) which is the basis for new bug fix releases, you don't have to wait for new releases.

If you are interested in new features, you should try the current trunk. In particular FS#218 is done, which adds the possibility to add and delete custom fields. The upgrader also got some improvements, so this time you probably will not have to fear that you can't upgrade your development version anymore when you don't remember the revision number. It should now be able to upgrade from any revision to any version.

Themes again: Recently Flyspray got the first 0.9.9 compatible custom theme! Tristan made a "high density" theme:

A short while after that, we also got an update of the "clean theme" from Paul.

I'll use this as occasion to once again point out that we need someone who creates a fabulous new theme for 1.0
If no one offers to do this, we might start a design contest with a higher reward...so if you got curious check FS#937.

So what is the schedule for 1.0? Well, there is none - at least no dates. We have a TODO list with lots of stuff on it, but we still have some other tasks to tackle for 1.0. It will probably take a while...maybe even a year or longer again (all depends on how many new developers join), but as mentioned earlier 0.9.9 will be maintained during that time.

On a side note: this post has been drafted on Feb 26th, so you can see how much longer the release took...

RC1 released

nospam@example.com (Florian Schmitz) — 2007-01-27T11:42:46Z

Here you go: http://flyspray.org/beta

All bug reports go to the mailing list preferably

Not long now!

nospam@example.com (Florian Schmitz) — 2007-01-20T22:00:22Z

You remeber this heading? This has been said about a year ago by our former project manager Tony. Well, this time we are close. The installer and upgrader have just been finished.

The installer helps you to install 0.9.9, the upgrader can upgrade any Flyspray version from 0.9.7 (probably 0.9.6 too) to 0.9.9. It will also be used to upgrade from one development version to another.

Now we will test it a little more and fix a few remaining issues, then we'll release the first (and hopefully last) release candidate of Flyspray 0.9.9 for public testing. If no serious problems arise, we can expect a release next month

If you'd like to help testing, you can already grab the lastest development version and either upgrade (/setup/upgrade.php) or install (/setup/index.php) it with the new scripts. More infos here: http://flyspray.org/development

Development status update

nospam@example.com (Florian Schmitz) — 2007-01-10T17:44:00Z

It's been more than 1 year and 2 months now since 0.9.8 has been released. So you might ask what has changed since then. Well, you should rather ask "what has not changed". That would be the documentation. It's still outdated

I'll give you a little gist. First of all our team has changed significantly. Our project manager (Tony Collins) had to leave the project for personal reasons, one of our PHP developers (Mac Newbold) has to few free time to work on Flyspray, as has Pierre who's been doing a great job one year ago "refactoring" Flyspray. Anders Betnér and Konrad Roziewski have also stopped working on Flyspray. So who is left? That's me and Christian (aka judas_iscariote). As you see we are not very well manned right now. Anyway, we managed to get a lot of stuff done over the time.

During the 0.9.9 development we introduced a templating engine, a new translation system, improved the search feature significantly, made multiple assignees possible, improved the feeds, extended the task list, implemented a voting feature and a roadmap, added dokuwiki as syntax plugin, developed the delete feature, unlimited depth of categories, tightended security and a lot more.
We even implemented tasks which were originally planned for 1.0 like improved error messages and the possibility for anonymous users to read their opened tasks any time.
We also added some important bug fixes. The dependeny graphs will now work for more people, since using a public dot-server is possible. The scheduler should work better now as well. The Jabber support (a feature which was one of the reaosns why Flyspray was actually created) has also been fixed. Our old library had very broken and ugly code, but not until we developed our very own Jabber library we found out that primarily the missing support for SASL authentication (used by all major Jabber servers) caused our library to fail. Unfortunately all other Jabber libs out there didn't have SASL authentication either. So now have a very clean, much faster and working (well, it's very new so it will probably have a few bugs left) Jabber library. It might be of note for other projects too.

Unfortunately we had to remove the XML-PRC API because fixing it up for 0.9.9 wasn't possible for us with just 2 developers who have to work on every part of Flyspray.

In total, we closed about 500 bugs (heh, this reminds me of bugzilla search links which developers sometimes include in their blog posts. If you klick on them you only get a "Please wait ..." page. At the beginning I really did wait, but I eventually realised that I would never see a single bug. This link is real though :-p) since 0.9.9 and made ca. 600 revisions in our SVN repository (compared to about 400 revisions from 0.9.4 to 0.9.8, over 0.9.5, 0.9.6 and 0.9.7). We probably changed a few thousand lines of code, but I don't have any statistics on that

The webpage might also be worth a note. We got a new one (regarding layout) and also a new domain, flyspray.org. Some content has been updated, but for the most part it didn't change.

Now, what are we waiting for?

If you installed our latest beta or development versions, you'll probably have noticed that setup is a little complicated. This is because we don't have an installer or update yet, which is the only requirement left for the release. So until it is finished, we'll continue fixing bugs for 0.9.9. Probably the notifications will be rewritten before, then you'd have the choice between active (instant) and passive (scheduler) sending of notifications, which applies to both email and Jabber notifications.
Also, we started development of 1.0 a while ago, so you will find a few minor new features there, like CSV export of the task list and an improved user and group management. So if you want to try something even more cutting edge than our 0.9.9 development version, you might want to try our 1.0 development version (only minor DB changes necessary, compatible to 0.9.9dev). By the way, we are still looking for a skilled designer, so don't hesitate if you'd like to join.

When will it be ready?
I don't know. Probably in Q1/2007. But as always, it's done when it's done. So far my little summary, I could have gone on

We have our own filters Pierre ..

nospam@example.com (Cristian Rodriguez) — 2006-12-22T21:12:30Z

First post ever, Welcome to the flyspray development blog !!

Today a post by Pierre-Alain Joye , PHP core developer, points us to "how bad" is a piece of code we use in flyspray, that comes from Serendipity (this very same blog you are reading now ) .

Some points:

has changed the default filter and the user can't use .htaccess to set a different one

short

PHP:

<?php

$search_html = filter_input(INPUT_GET, 'search', 
                         FILTER_SANITIZE_SPECIAL_CHARS);

?>

PHP:

<?php

// A lot of more intuitive eh ? ;--)
$search_html = Get::safe('search');

?>

very seriously

Why ext/filter