Older blog entries for hereticmessiah (starting at number 22)

'Lo, kids! I've got another algorithm I want to idiot check. This one's a way of ensuring that a bunch of data passed in a form can't be tampered with easily.

Ok. Say you're pulling some bunch of data in response to a search from some external source. Some of this data includes things like prices, discounts, and the like. It's not important that this information is invisible to a potential (malicious or otherwise) user, but it's important that it can't be tampered with. Because there's no easy way for the receiving page to validate the data, we need to mark it somehow.

A checksum is out of the question: too easy. However, the software is web-based, so we could store some kind of a hidden key in a session variable. We could then concatenate the contents of each one of the form fields that must not be alterable, and append the hidden key onto the start or end. We could then hash the resulting string to generate a fingerprint to be passed with the form. Checking the code would mean reassembling the string from the form fields and the key, hashing the result, and comparing it to the fingerprint.

The hidden key would have to be something fairly random, like a fairly strong random number generator, or even a UUID. It's not sufficient to use one single static key for the whole application, as this could be too easily found out. Nor is it ideal to have a periodically (regenerated after the application times out from lack of use) refreshed one. Though the latter might suffice, it's still potentially shared between a large number of hosts, and could be cracked by somebody determined enough.

So a session is the only way. This is tied to one client, and even if some kind of attack is made to try to decipher the key, throttling could be put in place to make sure they can't do much, and if they do they'll be noticed.

So, does anybody see any flaws in this? It's a simple enough (and frankly, fairly obvious) scheme. I'd be unsurprised if I'm not the first person to come up with this.

I'd appreciate any feedback.

Ooh! badvogato rated me as master! I'm not sure I deserve it though. And kudos to MartySchrader for certifying me too.

Having has a crappy fortnight struggling to interface with Cendant's Galileo system for work (partly because it's sadistic, and partly because I'm stupid), and a whole bunch of other crappy work-related crap, I'm now sweating like a pig, sitting behind the counter of a boiling hot gaming café. I've been run off my feet all day, and now all I want to do is sleep. Helping out friends sucks! :-)

Meanwhile, I'm finding hacking on the software to drive the FusionWiki site more fun than hacking on the project itself! The small CMS I started hacking together is beginning to take on a life of its own!

Well, I've recertified everybody who I'd given certification to in the past, but, of course, the old certifications I got still aren't showing up. Thanks to gilbou and salmoni for certifying me as Journeyer.

13 Jan 2005 (updated 13 Jan 2005 at 01:57 UTC) »

Something very, very odd's after happening.

Very odd. Worrying, even.

My Advogato account disappeared.

Not completely, mind you.

FusionWiki was still listed with me as lead developer. Quite odd.

So I created a new account under the same name, and lo and behold, all my diary entries were still there.

But all the certification was gone. Disappeared. Kaput.

Any of the certification I'd given to others was gone, and all the certification I'd got was gone.

And all this happened without any notice.

So, did mod_virgule cough up a furball, or did I say something?


30 Dec 2004 (updated 30 Dec 2004 at 07:08 UTC) »

I really need to get my shit together and just do stuff rather than procrastinating all the time. Come to think of it, what am I doing here? I'm supposed to be hacking some webservices together. :-(

Preemptive new year's resolution: cut back on the number of feeds and mailing lists I'm on until I feel I'm productive again. Less bloody browsing! And worship Merlin Mann as the god he surely is. And read Gaping Void a bit more

I've thrown up FusionWiki, my quick hack of a ColdFusion wiki, up on sourceforge. The code is currently crap, but bear in mind that it was originally written in a couple of hours just because I needed a ColdFusion wiki that generated decent markup.

The current codebase is now happily sitting in its CVS repository, and I hope to start doing more work on it soon.

Did I mention that I started working again about a month and a half ago? Probably not. Well, I have.

I. Have. A. Gmail. Account!

As part of Job Search 2004, I’m resubscribing to the Open lists (you’ll know them if you’re an Irish developer) to see what jobs are about. Here goes nothing!

7 Jul 2004 (updated 7 Jul 2004 at 21:14 UTC) »

Woohoo! I’ve got the lads at Digital Crew to set up a datasource for me, so now I can work on getting my linklog up and running. About time too!

I’ve decided I’m going to write that Advogato Poster myself. I found XMLRPC-C back last in June 2003, and I’ve been hacking with wxWidgets recently. The basic app shouldn’t be all that difficult to knock together, I think, but I just need a box to build it all on. Seeing as my project box in college hasn’t been wiped by the admins yet, I think I might do it there.

And meanwhile, having finished my degree, jobsearching in Cork...

13 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!