Preventing version leakage when using Dokuwiki

As if not updating my blog for months at a time wasn’t enough, I also maintain a wiki that gets even less attention :(

The software powering the wiki is Dokuwiki – a fantastic piece of wiki software that’s very feature-rich (thanks to a plugin architecture) but very lightweight (everything is maintained in text files!).

There is however one mild annoyance – Dokuwiki insists on adding a meta header advertising the version number, and there’s no direct way of turning this off:

[screenshot: dokuwiki-version]

Luckily there’s a plugin that can help – the metaheaders plugin. Unfortunately, the plugin does not ship with a configuration UI and the documentation on the plugin page is sparse. In order to disable the “generator” meta tag that Dokuwiki adds, here’s what you need to do:

1. Create a file called metaheaders.conf.php in the Dokuwiki conf directory. If you are using the dokuwiki package in Debian, the metaheaders.conf.php needs to go into the /etc/dokuwiki directory.

2. Add the following lines to the metaheaders.conf.php file:

<?php
// Tell the metaheaders plugin to drop the <meta name="generator"> tag Dokuwiki emits by default
$clear[] = array ( 'name' => 'generator' );

3. Clear the Dokuwiki cache – you can do this by issuing a touch command on each txt file in the pages directory under /path/to/dokuwiki/data/pages (or /var/lib/dokuwiki/data/pages in Debian). Or, you can take the nuclear option and remove the cache directory entirely (/var/lib/dokuwiki/data/cache in Debian). Either way, once you’ve done this you can trigger a full refresh of the page in your browser and check the page headers:

[screenshot: dokuwiki-noversion]
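Rather than eyeballing the page source after every upgrade, it helps to have a small script that does the check for you. What follows is an added example of my own, not code from Dokuwiki or the metaheaders plugin: it parses an HTML document, pulls out the content of every <meta name="generator"> tag, and can be pointed at a live wiki URL (the host name in the usage comment is a placeholder). The two sample pages embedded in it are constructed to mimic a Dokuwiki page before and after the metaheaders.conf.php change; the release string in them is a placeholder, not a real build.

```python
"""Check whether a page still leaks a <meta name="generator"> tag.

Added example for the Dokuwiki post above; not part of Dokuwiki or the
metaheaders plugin. The sample HTML documents below are constructed.
"""
import sys
import urllib.request
from html.parser import HTMLParser


class _GeneratorMetaFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names, but not values,
        # so the name="Generator" spelling is normalised here.
        if tag != "meta":
            return
        attr_map = {name: (value or "") for name, value in attrs}
        if attr_map.get("name", "").lower() == "generator":
            self.generators.append(attr_map.get("content", "").strip())


def find_generator_tags(html):
    """Return the content of every generator meta tag found in the HTML."""
    parser = _GeneratorMetaFinder()
    parser.feed(html)
    parser.close()
    return parser.generators


def leaks_version(html):
    """True if the page advertises the software (and version) that produced it."""
    return bool(find_generator_tags(html))


def check_url(url, timeout=10):
    """Fetch a live page and return its generator strings.

    Needs network access, so it is not exercised offline; the URL is whatever
    wiki you are auditing."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return find_generator_tags(body)


# Constructed samples: a Dokuwiki-style page before and after the
# metaheaders.conf.php change. The release string is a placeholder.
SAMPLE_BEFORE = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8" />
<META NAME="Generator" CONTENT="DokuWiki Release 2000-01-01 (placeholder)" />
<title>start [wiki]</title>
</head><body><h1>start</h1></body></html>"""

SAMPLE_AFTER = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8" />
<meta name="robots" content="index,follow" />
<title>start [wiki]</title>
</head><body><h1>start</h1></body></html>"""


if __name__ == "__main__":
    # Usage: python check_generator.py https://wiki.example.org/   (placeholder host)
    targets = sys.argv[1:]
    if not targets:
        for label, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print(label, find_generator_tags(doc))
    for url in targets:
        found = check_url(url)
        print(f"{url}: {'LEAKS ' + ', '.join(found) if found else 'no generator tag'}")
```

Run it with no arguments to see the before/after samples, or pass your wiki’s URL to test the live page once the cache has been cleared. It only looks at the HTML body, which is exactly what the metaheaders plugin controls.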

A follow-up on Flickr feed privacy

Talk about shooting your mouth off :(

A while back I had made a long-ish post about the Recent comments feed on Flickr and how the lack of authentication could allow people to see your non-public photos.

Well, I recently posted some photos to my Flickr photostream that were in fact marked as private (for friends & family only), and one of them recently attracted a comment.

Guess what – they never showed up in my RSS reader. That’s when I took a closer look at the description for the recent comments feed, and I realized it says “All comments posted to your public photos and/or sets.”

D-oh! So that’s how Flickr is overcoming the lack-of-authentication issue. Private photos and messages never appear in RSS.

I’m partly relieved and partly annoyed. Relieved – since that means your private photos are still private. Annoyed – because this means there is a chance that someone might miss these comments. Since you have to log into Flickr to see these comments, if you happen to be one of those Flickr “superstars” who attract lots of comments right off the bat, there is a good chance comments on private photos will get lost.

Anyhoo, just wanted to say “my bad, my bad!”

Flickr RSS Feeds do not respect your privacy

On a bit of an RSS trip here, aren’t we? :D

Anyway, this is something I came across a few weeks back and it’s been bugging me ever since.

Since everyone likes a stroke (and I’m no exception) – I have subscribed to the feed for comments on my photos at Flickr. Now, the RSS feed for the recent comments takes the following format:

http://api.flickr.com/services/feeds/activity.gne?user_id=<Your Flickr ID>&format=rss_200

The Flickr ID in the above link is a 12-character alpha-numeric string that every Flickr User gets when they register for the first time.

Unfortunately, there is no authentication on this particular RSS feed – which means that if you know a user’s Flickr ID, you can easily see all the comments that anyone makes on that individual’s photos.

The Flickr ID is incredibly easy to find as well – if you haven’t picked an “easy name” for your Flickr photostream, it appears directly in your photostream URL. Even otherwise, the Flickr API provides this information readily and there are Greasemonkey scripts out there that make this a single right-click.

So what’s the problem you ask? Anyone can see those comments anyway – sheesh! Well yes, anyone can see the comments on your public photos, but by reading your recent comments feed they can see comments on any private photos as well, i.e., those photos which you have marked as family/friends only.

Furthermore, the recent comments feed provides the URL for the medium size of your private photos. Downloading the original resolution images is then trivial – merely requiring replacement of a “_m” in the URL with a “_o”.

The creep factor just increased substantially didn’t it?

Now by default, using the RSS format means that no authentication mechanisms are supported directly. Basic authentication can be used (which would take the format http://username:password@api.flickr.com/services/feeds/activity.gne?user_id=<Your Flickr ID>&format=rss_200), but this isn’t directly supported by the protocol.

On the other hand, the Atom format does support authentication (see the RFC) and Flickr in fact uses Atom for all photostream feeds. So why not switch the private feeds to Atom as well?

For the oldest reason in software development: security is just not sexy – so something like this is always going to fall to the bottom of the pile.

Right up to the moment when someone abuses this loophole, that is. And the Flickr forums go up in flames (as they have tended to do fairly regularly these days).

Here’s hoping this gets patched soon – oh and could I get a pony with that?

Update: I spoke too soon. Flickr does in fact protect your private photos. See this follow-up post.

WordPress build has backdoors built in

WordPress Blog » WordPress 2.1.1 dangerous, Upgrade to 2.1.2 [via MetaFilter]

Apparently, crackers managed to break into a WordPress server and add malicious code to the 2.1.1 build of WordPress that allows for remote PHP execution.

This is probably one of the most sophisticated types of security attack – embedding trap doors in trusted builds. And extremely worrying for the open source movement if it takes off.