Robert Basic's blog

Archive for the 'Software' category

PHP-FPM security limit extensions issue

by Robert Basic on February 03, 2017.

For the first time ever I saw this error:

2017/02/03 11:45:04 [error] 14656#0: *1 FastCGI sent in stderr: "Access to the script '/var/www/web' has been
denied (see security.limit_extensions)" while reading response header from upstream, client: 127.0.0.1, server:
proj.loc, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/www.sock:", host: "proj.loc"

I mean… what? security.limit_extensions? I honestly never heard of this before.

The PHP manual describes it as:

Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php .phar

Basically, it exists to avoid executing as PHP a file that the application considers a non-PHP file.

OK, cool, but why am I getting this error?

The current top answer on Google suggests setting the list of limited extensions to an empty string, to practically disable the security.limit_extensions configuration. That fixes the error, but I’m really not comfortable with setting a security-related configuration to a blank value, especially when people smarter than me set that configuration to a sane default value.

There must be a better, proper way to fix this, and this does feel like I misconfigured something in the nginx/php-fpm stack.

Accessing a folder as a script?

The Access to the script '/var/www/web' has been denied part of the error message also looks weird. Why would php-fpm try to access /var/www/web, which is a directory, as a script? Seems like it doesn’t see the actual PHP script, and that sounds awfully similar to that old, dreaded No input file specified error message.

And that one is, in most cases, caused by not including the fastcgi.conf params file in the location block in the nginx configuration files. I double-checked the configuration file and yup, I forgot to include the fastcgi params file:

server {
    # configuration for the server
    location ~ \.php$ {
        # configuration for php
        include fastcgi.conf; # << I missed this!
    }
}

I restarted nginx and everything works just fine, without touching the security.limit_extensions configuration.
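A check for the misconfiguration described above, as an added example that is not from the original post: it flags nginx FastCGI locations that never set SCRIPT_FILENAME (which the fastcgi.conf shipped with nginx defines) and php-fpm pools where security.limit_extensions has been blanked. The sample configs and function names are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not from the original post).
BROKEN = r"""
server {
    server_name proj.loc;
    root /var/www/web;
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm/www.sock;
    }
}
"""
FIXED = BROKEN.replace("fastcgi_pass", "include fastcgi.conf;\n        fastcgi_pass")
POOL_BLANKED = "[www]\nlisten = /var/run/php-fpm/www.sock\nsecurity.limit_extensions =\n"


def location_blocks(conf):
    """Yield (matcher, body) for each location block, pairing braces by depth."""
    for m in re.finditer(r"\blocation\s+([^{]+)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]


def audit_nginx(conf):
    """Flag FastCGI locations that never define SCRIPT_FILENAME themselves."""
    # Simplification: parameters inherited from the server level are not tracked.
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments, e.g. a disabled include
    findings = []
    for matcher, body in location_blocks(conf):
        if "fastcgi_pass" not in body:
            continue
        included = re.search(r"\binclude\s+\S*fastcgi\.conf\s*;", body)
        explicit = re.search(r"\bfastcgi_param\s+SCRIPT_FILENAME\s", body)
        if not (included or explicit):
            findings.append(f"location {matcher}: SCRIPT_FILENAME is never set")
    return findings


def limit_extensions_blanked(pool):
    """True if an active (not ';'-commented) limit_extensions line is empty."""
    pattern = r"^[ \t]*security\.limit_extensions[ \t]*=[ \t]*$"
    return bool(re.search(pattern, pool, re.M))


if __name__ == "__main__":
    print(audit_nginx(BROKEN), audit_nginx(FIXED), limit_extensions_blanked(POOL_BLANKED))
```

A finding from `audit_nginx` points at the root cause, while a `True` from `limit_extensions_blanked` means the symptom was silenced by removing the safeguard.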

Happy hackin’!

Tags: configuration, fastcgi, limit_extensions, nginx, php-fpm, security.
Categories: Development, Software.

Need help on your PHP projects? Let's talk!

Search and replace in visual selection in Vim

by Robert Basic on January 23, 2017.

The search and replace feature is very powerful in Vim. Just do a :help :s to see all the things it can do.

One thing that always bothered me though, is that when I select something with visual, try to do a search and replace on it, Vim actually does it on the entire line, not just on the selection.

What the…? There must be a way to do this, right?

Right. It’s the \%V atom.

Instead of doing :'<,'>s/foo/bar/g to replace foo with bar inside the selection, which will replace all foo occurrences with bar on the entire line, the correct way is to use the \%V atom and do :'<,'>s/\%Vfoo/bar/g.

I’m using this approach in the HugoHelperLink function of my Vim Hugo Helper plugin.

Happy hackin’!

Tags: replace, search, vim.
Categories: Blablabla, Software.


XFCE4 desktop zooming with the keyboard

by Robert Basic on January 19, 2017.

XFCE4 has a zoom feature available when the desktop composition is turned on. By default, holding the Alt key and scrolling up or down the mouse wheel, I can zoom in or out the entire desktop. Once zoomed in, it follows the mouse pointer as to which part of the desktop to show.

I prefer doing as much as possible from my keyboard, and to use the mouse only when necessary.

I don’t care much for desktop composition, the transparent windows and animations are not my thing.

Toggle desktop composition

Given that desktop composition is required for the zooming feature, I want it enabled only when I want to use the zoom feature itself.

Using the following command, I can toggle the composition on and off:

xfconf-query --channel=xfwm4 --property=/general/use_compositing --type=bool --toggle

xdotool to fake the mouse

xdotool is a nice little program that fakes keyboard and mouse input, among other things.

With it, running the following command from the terminal zooms in:

xdotool keydown Alt click 4 keyup Alt

and this command zooms out:

xdotool keydown Alt click 5 keyup Alt

Just to make all this even easier, I put these commands in a couple of bash scripts and added them as keyboard shortcuts.

Now I have Super C to toggle the desktop composition, Alt + to zoom in and Alt - to zoom out.

Happy hackin’!

Tags: accessibility, compositing, desktop, keyboard, mouse, xfce4, zoom.
Categories: Blablabla, Software.


Force Python version in Vim

by Robert Basic on January 12, 2017.

Vim can be compiled with Python support. Vim can be compiled with both Python 2 and Python 3 support.

At the same time.

But not really.

Vim can have both of them, but use only one at a time. If you start using one version, there is no way to switch to the other one.

The silly thing is that if you simply ask Vim which version it supports, the first one asked about and supported is going to be the one loaded and used. Trying to use the other one from that point will result in an error.

if has('python')
elseif has('python3')
endif

Guess which one is loaded? Python 2.

Try calling Python 3 and ka-boom!

:py3 print('hello')
E836: This Vim cannot execute :py3 after using :python

Switch the order around:

if has('python3')
elseif has('python')
endif

And now? Yup, Python 3.

Why is this ridiculous? Because if you have a bunch of Vim plugins loaded, the first one that asks for a specific Python version wins! Reorder the plugins and suddenly a different Python version is loaded.

Gotta love the software development world.

Luckily, this can also be used to fix the problem itself.

How?

Force one of the Python versions from the top of your .vimrc file:

if has('python3')
endif

Now you can have a little bit of sanity and be sure which Python version Vim is going to use. Of course, doing this might break plugins written solely for Python 2, so do it at your own risk.

Happy hackin’!

Tags: python, vim, vimrc.
Categories: Development, Software.


Issues with Vagrant after upgrading to Fedora 25

by Robert Basic on December 24, 2016.

Fedora 25 was released over a month ago, so I decided it was time to upgrade from 24.

Using the dnf plugin system-upgrade, the entire process went smoothly. The Fedora Magazine, as always, has a nice post on how to upgrade.

So far I ran into only a couple of minor issues with Vagrant.

The first one, which isn’t really a problem, is that Vagrant got downgraded to version 1.8.x from 1.9.1 which I had installed in Fedora 24. The fix for that is easy, just install the new version again:

robert@odin ~$ sudo dnf install ~/Downloads/vagrant_1.9.1_x86_64.rpm

The second issue was that, well, vagrant didn’t really want to work. When trying to run vagrant up it would spit out the usual kernel module is not loaded error.

The provider 'virtualbox' that was requested to back the machine
'default' is reporting that it isn't usable on this system. The
reason is shown below:

VirtualBox is complaining that the kernel module is not loaded. Please
run `VBoxManage --version` or open the VirtualBox GUI to see the error
message which should contain instructions on how to fix this error.

Running VBoxManage --version provided a helpful message, for once:

robert@odin ~$ VBoxManage --version
WARNING: The vboxdrv kernel module is not loaded. Either there is no module
         available for the current kernel (4.8.15-300.fc25.x86_64) or it failed to
         load. Please try load the kernel module by executing as root

           dnf install akmod-VirtualBox kernel-devel-4.8.15-300.fc25.x86_64
           akmods --kernels 4.8.15-300.fc25.x86_64 && systemctl restart systemd-modules-load.service

         You will not be able to start VMs until this problem is fixed.
5.1.10r112026

Looking at the list of installed packages with dnf list installed I saw that both the akmod-VirtualBox and the kernel-devel packages are installed.

Running the next command fixed the issue:

robert@odin ~$ akmods --kernels 4.8.15-300.fc25.x86_64 && systemctl restart systemd-modules-load.service
Checking kmods exist for 4.8.15-300.fc25.x86_64            [  OK  ]

VBoxManage shows no warnings any more:

robert@odin ~$ VBoxManage --version
5.1.10r112026

and Vagrant works just fine again.

Happy hackin’!

Tags: akmod, fedora, vagrant, vboxmanage, virtualbox.
Categories: Development, Software.
