Friday, October 20, 2006

GET urls with side effects can be a security problem.

For example, imagine the following urls:

paymoney?user=joe&amount=3000.0
deleteSomething?file=important.xls

Now if those urls are protected by a login system, then only those who are logged in can use them, right?

Nope. It is easy enough to trick someone into visiting a web page that makes their browser request those urls. If that person is logged in at the time, the action happens. The trick can be pulled off with an img or frame tag, a redirect, or any other html, http, flash or javascript feature that causes the browser to fetch a url.

This is because, as far as a web browser is concerned, it is fine to include or link to elements on other sites. In fact that's the whole point of hyperlinking.

In this way the well crafted page uses the authorization of the person viewing it. Whoever made that page can now delete files as someone else, or pay any amount of money to anyone: whatever the badly designed GET urls allow.

This can even be done with POST, although it's a little harder.

So lay off the GETs with side effects.

This problem is called Cross-site request forgery (CSRF).
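As an added example (my own Python, not code from this blog), here is the page's paymoney action written so the forged requests described above fail: GET is refused, and a POST must carry a per-session token that a page on another site cannot read. The in-memory session store and the function names are assumptions standing in for whatever the real login system uses.

```python
import secrets

# Constructed in-memory session store, keyed by the session id the browser
# sends back in its cookie (an assumption: stands in for the real login system).
SESSIONS = {}

def login(user):
    """Create a logged-in session together with a random anti-CSRF token."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return session_id

def csrf_token_for(session_id):
    """The token the site embeds in its own forms; other origins cannot read it."""
    return SESSIONS[session_id]["csrf_token"]

def paymoney(method, cookie_session_id, params):
    """Hardened version of the page's paymoney?user=joe&amount=3000.0 action.

    The browser attaches the session cookie to cross-site requests as well, so
    a valid cookie says nothing about which page triggered the request.
    """
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return 401, "not logged in"
    # 1. Refuse GET: an <img src=...>, frame or redirect can only produce a GET.
    if method != "POST":
        return 405, "paymoney has side effects and must be POSTed"
    # 2. Require the secret token that only the site's own form can carry.
    supplied = params.get("csrf_token", "")
    if not secrets.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or wrong csrf token"
    # 3. Act as the logged-in user, not as whatever user= the request names.
    amount = float(params["amount"])
    return 200, f"paid {amount:.2f} from {session['user']}"

if __name__ == "__main__":
    sid = login("joe")
    # Forged by <img src="paymoney?user=joe&amount=3000.0"> on another site.
    print(paymoney("GET", sid, {"user": "joe", "amount": "3000.0"}))
    # Forged by an auto-submitting form on another site: POST, but no token.
    print(paymoney("POST", sid, {"amount": "3000.0"}))
    # The site's own form, which includes the token.
    print(paymoney("POST", sid, {"amount": "3000.0", "csrf_token": csrf_token_for(sid)}))
```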

Melbourne Web Developer Written by a Melbourne web developer. Available for your projects - php, mysql, e commerce, javascript, CMS, css, flash, actionscript, python, games, postgresql, xml.

Wednesday, October 18, 2006

CMYK coming to a gimp near you?

I saw this in the latest development release notes of gimp 2.3.12:
"- build a color-managed CMYK color selector if lcms is available"
http://developer.gimp.org/NEWS

So it seems the gimp is getting CMYK support (or already has it). That'll be good for those doing print work that requires it.

Along with the gimp's next generation image processing core (GEGL), things are looking good for the gimp. http://www.linux.com/article.pl?sid=06/10/16/1342216 http://www.gegl.org/

I really think the new versions are quite good, with most of the bugs that annoyed me gone and new features being added all of the time.

There are still some font handling issues that it would be wonderful to see fixed, like rotated fonts and fonts that can follow a path. However I think those features will appear over time.

This line may be interesting for those python users out there wanting to optimize their image production pipeline: "- many improvements to the Python bindings and the pygimp user interface"

Fetch the gimp. But the gimp's sleeping. Go wake it up!

Saturday, October 14, 2006

Making fonts on linux.

To design a font on linux you can use fontforge. http://fontforge.sourceforge.net/

As part of learning graphic design, I have become interested in finding out how fonts work and how to design them. I think learning to design a font will give me insight into other fonts, much like how learning assembly language gave me insight into how computers work.

Creating a font on linux with fontforge is the way to go, I think. I haven't found any other way to create a font on linux yet! It was quite hard to find fontforge for designing fonts on linux, too.

Designing a font is a time consuming thing, which I think will take years to figure out. I don't expect to make a great font, however I think there is still room for creativity in fonts. So I hope to make something useful and learn something on the way.

I guess I have made bitmap fonts before, including the animated one on f0o.com http://f0o.com/. However crude it might be ;)

TrueType (.ttf) fonts contain a virtual machine, much like postscript. With it you can instruct how each character is rasterized, so to make fonts well you need to be able to program this virtual machine. So, like many other areas of graphics, a knowledge of programming can help you design a good font. There are some tools for working with ttf 'hinting' instructions here (including a compiler from a C-like language): http://home.kabelfoon.nl/~slam/fonts/