Thursday, December 15, 2016

Approximating GNU parted in Windows

I partition disks in Linux all the time. But, thanks to disk imaging (ghosting), I don't do much partitioning in Windows. When I do need to partition in Windows (external drives, say), what do I use? Enter the Windows Disk Management snap-in, diskmgmt.msc, available since Windows 2000.
If you're familiar with GNU parted, this Windows tool will make perfect sense. You immediately see your list of disks and their partitions, and can click on a partition to delete or resize it, or on free space to create a new one. There are some limitations, though. For example, it refuses to delete OEM and recovery partitions. For those, drop to a command prompt and run diskpart, which is closer to Linux's fdisk. Its "delete partition override" command removes protected partitions, so read the output of "list disk" and "list partition" carefully before you run it: diskpart does exactly what you tell it, with no confirmation.

Thursday, December 8, 2016

Identifying specific vulnerabilities in WordPress, by version

Exactly how vulnerable is your WordPress version? Ask the folks at the WordPress vulnerability database (wpvulndb.com), who have not only assembled a vulnerability list by version but also provide an API for querying it. (The unauthenticated v2 endpoint used below has since been retired; the database now lives at wpscan.com and its API requires an API token, but the query shape is the same.)

# WordPress 4.4.2 vulnerabilities, by type
$ curl -sS https://wpvulndb.com/api/v2/wordpresses/442 |\
  jq -r '.["4.4.2"]|.["vulnerabilities"]|.[].vuln_type' |\
  sort | uniq -c
      1 BYPASS
      1 CSRF
      1 LFI
      1 SSRF
      1 UNKNOWN
      5 XSS
Same thing, but list the titles and take the version as a parameter. The curl result is captured first so that a failed request (network error, or an HTTP 404 for an unknown version, which curl -f turns into a non-zero exit) stops the function instead of silently handing jq an empty document:
wpvulndb() {
    local version=${1:?Check which WordPress version for vulnerabilities (eg 4.8.3)?}
    local json
    json=$(curl -fsS "https://wpvulndb.com/api/v2/wordpresses/${version//./}") || return
    jq -r --arg version "$version" '.[$version]|.["vulnerabilities"]|.[].title' <<<"$json"
}

wpvulndb 4.8.3

Wednesday, November 30, 2016

Pasting a remote file into your local clipboard (* mouse not required)

So, I'm updating a configuration file on a remote server (using MobaXterm), and I need to copy the contents into some Trello documentation running in a browser on my local Windows machine.

The old-fashioned way to do it is to select it with the mouse (which MobaXterm interprets as copying to my Windows clipboard), then Shift+Insert it into the browser. Well, turns out you can use the command line:

[Bishop@Cygwin]$ ssh user@host cat /path/to/file | clip

On Windows, clip is a program that reads standard input and puts it on the Windows clipboard. On macOS, replace clip with pbcopy for the same effect; on Linux, xclip -selection clipboard or xsel --clipboard. Note the explicit cat: a bare redirection like "< /path/to/file" only prints the file when the remote login shell is zsh (whose NULLCMD defaults to cat); in bash a redirection with no command is a no-op and nothing gets copied.

You could extend this approach: instead of returning the whole file, return the result of a pipeline. Neat. Like magic, no more mouse needed. One caution: the clipboard is readable by every application in your session (and, with clipboard sharing, by the other end of an RDP or VM session), so copy something innocuous over it once you've pasted a file that holds credentials.

Friday, November 11, 2016

Bypassing private and protected visibility in PHP

Members declared protected can be accessed only within the class itself and by inherited classes. Members declared as private may only be accessed by the class that defines the member.

This is true only in an academic sense: code outside the object can still get and set private and protected members. As usual in PHP, all it takes is a little magic.
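Here is that magic, as an added example that is not part of the original post. Both techniques are standard PHP; the Vault class, its members and the "hunter2" secret are constructed for illustration.

```php
<?php
// Added example, not from the original post. Vault is a constructed sample
// class holding a constructed secret.
final class Vault
{
    private $secret = 'hunter2';
    protected $attempts = 0;

    public function check($guess)
    {
        $this->attempts++;
        return hash_equals($this->secret, (string) $guess);
    }
}

// Magic #1: Reflection (PHP 5.3+). setAccessible(true) is required before
// PHP 8.1; from 8.1 on it is a no-op because ReflectionProperty can read and
// write non-public members without it.
function reflectGet($obj, $name)
{
    $prop = new ReflectionProperty($obj, $name);
    $prop->setAccessible(true);
    return $prop->getValue($obj);
}

function reflectSet($obj, $name, $value)
{
    $prop = new ReflectionProperty($obj, $name);
    $prop->setAccessible(true);
    $prop->setValue($obj, $value);
}

// Magic #2: Closure::bind (PHP 5.4+). Binding a closure to $obj with the
// object's own class as its scope makes the closure run as though it were a
// method of that class, so $this->$name is legal inside it.
function closureGet($obj, $name)
{
    $peek = function () use ($name) {
        return $this->$name;
    };
    $peek = Closure::bind($peek, $obj, get_class($obj));
    return $peek();
}

function closureSet($obj, $name, $value)
{
    $poke = function () use ($name, $value) {
        $this->$name = $value;
    };
    $poke = Closure::bind($poke, $obj, get_class($obj));
    $poke();
}

$vault = new Vault();
var_dump($vault->check('wrong'));           // bool(false)

// Read the private secret and the protected counter from outside the class.
var_dump(reflectGet($vault, 'secret'));     // string(7) "hunter2"
var_dump(closureGet($vault, 'attempts'));   // int(1)

// Overwrite the private secret, then authenticate with the value we chose.
closureSet($vault, 'secret', 'letmein');
var_dump($vault->check('letmein'));         // bool(true)

// Magic #3 needs no API at all: an array cast exposes every member, with
// private keys mangled as "\0Vault\0secret" and protected as "\0*\0attempts".
var_dump(array_keys((array) $vault));
```

The practical consequence: visibility is an encapsulation contract for reviewers and tooling, not a security boundary. Any code running in the same process (a plugin, a compromised Composer dependency, a gadget chain reached through unserialize()) can do the above, and var_dump(), print_r(), serialize() and a debugger show private members without even trying. Keep secrets out of long-lived objects where you can, and never rely on "private" to hide them.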

Wednesday, March 23, 2016

The end of the mouse era

Doug Engelbart invented the computer mouse nearly 50 years ago. Before HD, before GPU, before UX, the mouse let people interact with an information-rich virtual space with ease.

The generation whose working life preceded the mouse is retiring. Today's workforce learned young or grew up with computer mice. We are comfortable with them. But the plunging cost of touch screens, the integration of touch and pen input into operating systems, and the rise of hand-held form factor computing all spell the end of the mouse age.

Our generation may find it difficult to imagine a world without mice. But consider: if price were not an object, would you rather have a mouse or a touch screen?

Fundamentally, a mouse is the wrong tool for the job. If you want to select, move, shrink or otherwise manipulate windows, keyboard chords provide the necessary precision and do not change your locus of attention. If you want to scroll, page and cursor keys provide two resolutions of movement. If you want to draw a freehand shape, a touch screen or a digitizing tablet offers measurably better precision.

In the future, we'll see a world without mice. A world with keyboards and touch screens. When economic factors allow cheap, ubiquitous touch input, the mouse will go from commodity to novelty. Good riddance, I say.


Addendum
I was just asked how I navigate web pages without a mouse. The answer: vimium. Since I use vi, this is a natural move for me. Props to mjmccull for introducing this extension to me years ago. Read up on vimium in this quick guide.

Bonus
Did you know that Windows+B followed by Enter opens the Windows system tray? Here's a running list of Windows 10 keyboard shortcuts to help you cut your mouse cord.

Shortcut Key Combination    Action or Effect
Windows+B, then Enter       Raise the Windows system tray (notification area). Use the cursor keys to navigate the tray icons.
Windows+Shift+Right         Move the active window to the monitor on the right. Try also with the left cursor key.

Thursday, March 3, 2016

Evoking all possible test failure modes in PHPUnit

When you're writing your own PHPUnit test listener, you need a test case that evokes all the different PHPUnit test states. Here you go (PHPUnit 4/5, non-namespaced class names):
<?php
class EvokesTest extends \PHPUnit_Framework_TestCase
{
    // Passes. Note that with --report-useless-tests (or
    // beStrictAboutTestsThatDoNotTestAnything in phpunit.xml) an
    // assertion-less test like this one is reported as risky instead.
    public function test_pass()
    {
    }

    // Failure: an AssertionFailedError reaches the listener's addFailure().
    public function test_fail()
    {
        $this->fail(__FUNCTION__);
    }

    // Error: any other exception reaches addError().
    public function test_error()
    {
        throw new \RuntimeException(__FUNCTION__);
    }

    // Skipped and incomplete are AssertionFailedError subclasses that
    // PHPUnit routes to addSkippedTest() and addIncompleteTest().
    public function test_skipped()
    {
        $this->markTestSkipped(__FUNCTION__);
    }

    public function test_incomplete()
    {
        $this->markTestIncomplete(__FUNCTION__);
    }

    // Risky: throwing RiskyTestError directly is the shortest route to
    // addRiskyTest(); PHPUnit treats it like the other marker exceptions.
    public function test_risky()
    {
        throw new \PHPUnit_Framework_RiskyTestError;
    }
}
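As an added example (not from the original post), here is a listener that records which callback each of those methods triggers. It targets the same PHPUnit 4/5 non-namespaced API as EvokesTest; the class name StateRecorder and the file name StateRecorder.php are assumptions.

```php
<?php
// Added example, not from the original post. Records the state PHPUnit
// reports for every test it sees. Targets the PHPUnit 4/5 non-namespaced
// API; StateRecorder is an assumed class name.
class StateRecorder extends PHPUnit_Framework_BaseTestListener
{
    /** @var array test name => observed state */
    public $states = array();

    private function record(PHPUnit_Framework_Test $test, $state)
    {
        // The Test interface has no getName(); only TestCase does.
        $name = $test instanceof PHPUnit_Framework_TestCase
            ? $test->getName()
            : get_class($test);
        $this->states[$name] = $state;
    }

    public function startTest(PHPUnit_Framework_Test $test)
    {
        // A passing test fires none of the add*() callbacks, so assume
        // "pass" here and let the callbacks below override it.
        $this->record($test, 'pass');
    }

    public function addError(PHPUnit_Framework_Test $test, Exception $e, $time)
    {
        $this->record($test, 'error');
    }

    public function addFailure(PHPUnit_Framework_Test $test, PHPUnit_Framework_AssertionFailedError $e, $time)
    {
        $this->record($test, 'failure');
    }

    public function addIncompleteTest(PHPUnit_Framework_Test $test, Exception $e, $time)
    {
        $this->record($test, 'incomplete');
    }

    public function addSkippedTest(PHPUnit_Framework_Test $test, Exception $e, $time)
    {
        $this->record($test, 'skipped');
    }

    public function addRiskyTest(PHPUnit_Framework_Test $test, Exception $e, $time)
    {
        $this->record($test, 'risky');
    }

    public function endTestSuite(PHPUnit_Framework_TestSuite $suite)
    {
        if ($suite->getName() === 'EvokesTest') {
            // Expected for the test case above:
            // test_pass => pass, test_fail => failure, test_error => error,
            // test_skipped => skipped, test_incomplete => incomplete,
            // test_risky => risky
            print_r($this->states);
        }
    }
}
```

Register it in phpunit.xml with <listeners><listener class="StateRecorder" file="StateRecorder.php"/></listeners> and run phpunit against EvokesTest; endTestSuite() prints the map. Extending PHPUnit_Framework_BaseTestListener rather than implementing the interface directly is deliberate: PHPUnit 5.1 added addWarning() to the interface, and the base class supplies empty implementations so the listener keeps loading across versions.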

Thursday, February 25, 2016

Disabling Plugins in Jenkins

If a plugin upgrade causes problems, Jenkins may not restart. You'll be welcomed by an error message and a stack trace. Don't panic! Go into your Jenkins plugin directory, list files by date, and then disable the most recent ones:
$ cd $JENKINS_HOME/plugins
$ ls -ltr *.jpi
-rw-r--r--. 1 root root   169194 Feb 22 10:12 script-security.jpi
-rw-r--r--. 1 root root   516115 Feb 22 10:12 next-executions.jpi
-rw-r--r--. 1 root root   739004 Feb 22 10:12 email-ext.jpi
$ touch email-ext.jpi.disabled next-executions.jpi.disabled script-security.jpi.disabled
$ service jenkins restart
A file named <plugin>.jpi.disabled tells Jenkins not to load that plugin. Restart; if Jenkins comes up, re-enable the plugins one at a time (remove one .disabled file, restart, repeat) until you find the one that breaks startup. Then you can go into Jenkins and revert it to an earlier version. Expect a cascade: any plugin that depends on a disabled one fails to load as well, so a few extra errors in the log are normal until everything is re-enabled. Word of advice: upgrade plugins in small batches. Doing so helps you isolate a problematic plugin early.

Thursday, February 18, 2016

Big list of files to edit? vim to the rescue (again)

Did you know that you can treat the text under the cursor as a filename, and open that file for editing right in vim? Here's how:

  • gf will open the filename under the cursor in the current window (the lookup honors the 'path' option, so relative names resolve against it as well as the current directory)
  • ^Wf (CTRL-W f) will open it in a new split window
  • ^Wgf (CTRL-W gf) will open it in a new tab page
  • gF does what gf does, but also jumps to the line number that follows the filename, handy for grep -n or stack-trace output like src/foo.php:42

Thursday, February 11, 2016

Thursday, February 4, 2016

Private methods are collaborators in disguise

Private methods cannot be unit tested directly, only exercised through whatever public methods call them. I find this unsettling. I want to unit test private methods, so that I know the public methods are composed of independently verified code. What to do?

My first tactic is to avoid private methods. When behaviors are small enough, the need for private methods diminishes.

My second tactic is to promote them to public, but document that they aren't part of the API. This feels like a hack. A trick that's necessary because I've not thought about the design deeply enough. I do this more than I like, honestly, because it's so quick and cheap to do.

Today, I thought of another approach that reinforces the first tactic. Maybe the apparent need for private methods is a signal that what I really want is a collaborator. Instead of privately doing a bit of work in furtherance of a class behavior goal, delegate that work to a first-class worker. Example? Sure!

Suppose I'm writing a class to model a web request. Part of a web request is the MIME Content-Type header. These headers have a specific grammar for which a parser is needed. I could build parsing into my web request class, undoubtedly through several private methods that implement the Content-Type syntax from RFC 2045. These will be hard to test.

Instead of those private methods to parse the headers, I want to defer the parsing to a first-class delegate. An actual, red-blooded class that knows only how to parse RFC 2045. Turns out, open source libraries already exist, and I don't have to do the work. A happy side effect.

Thursday, January 28, 2016

Vim gem: built-in calculation

Vim is my go-to editor. Has been for 20 years. Besides being an all-around awesome editor for composing text, it also has some handy built-ins, like calculations:

  • In insert mode, ^R= (the expression register) prompts for an expression, evaluates it and inserts the result in place. Any Vim expression works, so 0x1f + 5 or strlen("foo") are fair game, not just arithmetic.
  • In normal mode, ^A increments the number at (or to the right of) the cursor by one, while ^X decrements it by one. Both accept a count, so 5^A adds 5 to the number.

Thursday, January 21, 2016

Using vim to replace string functions with their multi-byte equivalent

The PHP INI option mbstring.func_overload overrides certain string functions (strlen, strpos, substr, etc.) with multi-byte aware implementations. This makes it super easy to migrate a legacy code base to UTF-8, but it immediately breaks vendor libraries (Symfony, Net_DNS2, etc.) that rely on those functions counting bytes. It is also a dead end: the option was deprecated in PHP 7.2 and removed in PHP 8.0.

The proper integration is to manually replace string functions with their multi-byte equivalents. In one legacy code base I'm improving, there are on the order of 10k instances of these functions. I want to change and verify each replacement, but I don't want to type much. Time for some vim-fu:
:args **/*.php
:argdo %s/\<strpos\>/mb_strpos/gc | update
This performs a confirmed find and replace in each file of the argument list, writes the file to disk if anything changed (:update is a no-op otherwise), and moves on to the next one; :argdo does the iterating, so no :next or :wn is needed in the command. The \< and \> word boundaries matter: vim treats _ as a keyword character, so the pattern skips an already converted mb_strpos and you can re-run the command safely. The confirm flag is there because the same word appears in method names and strings, and because a replacement is only half the job: mb_strpos returns a character offset where strpos returned a byte offset, so any caller that feeds the result to another function needs checking too.
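As an added example (not from the original post), here is what goes wrong when a byte-oriented function and its mb_ replacement are mixed, which is why each replacement needs verification rather than a blind global substitute. The sample string is constructed.

```php
<?php
// Added example, not from the original post: why strpos/substr and their mb_
// replacements are not interchangeable. The sample text is constructed:
// 10 characters, 12 bytes in UTF-8 (ï and é take two bytes each).
$s = "naïve café";

// Lengths disagree.
var_dump(strlen($s));                                 // int(12)
var_dump(mb_strlen($s, 'UTF-8'));                     // int(10)

// Offsets disagree: strpos() counts bytes, mb_strpos() counts characters.
$byteOffset = strpos($s, 'café');                     // 7
$charOffset = mb_strpos($s, 'café', 0, 'UTF-8');      // 6
var_dump($byteOffset, $charOffset);                   // int(7) int(6)

// Feeding a byte offset to a character function silently points at the
// wrong place: character 7 is the "a" of "café", not the "c".
var_dump(mb_substr($s, $byteOffset, 4, 'UTF-8'));     // string(4) "afé"
var_dump(mb_substr($s, $charOffset, 4, 'UTF-8'));     // string(5) "café"

// Cutting on a byte boundary can split a multi-byte character and produce
// invalid UTF-8, which validators reject and browsers render as garbage.
$bytes = substr($s, 0, 3);                            // "na" + first byte of "ï"
$chars = mb_substr($s, 0, 3, 'UTF-8');                // "naï"
var_dump(mb_check_encoding($bytes, 'UTF-8'));         // bool(false)
var_dump(mb_check_encoding($chars, 'UTF-8'));         // bool(true)
```

Two habits follow from this. Pass the encoding argument explicitly, as above, rather than trusting mb_internal_encoding() (which is derived from default_charset and can be changed at runtime). And when a replaced function's return value flows into another string function, convert that call in the same commit, or the offsets will disagree exactly as shown.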

Thursday, January 14, 2016

Monday, January 11, 2016

[Proposed] Elephpant Etiquette

Yes, I do believe PHP internals needs a guide to etiquette. But, no, not a code of conduct. Internals is a decades (plural) old cathedral-like meritocracy. There is no benevolent dictator. There is no functional oversight group. No rigorous process (like Go has) will work in the internals ecosystem.

Anthony's draft sets the stage, but I don't think it'll draw the crowds. For that, we need a moderate approach that emphasizes the definition of acceptable behavior while limiting the authoritative scope. Here's my second attempt at a custom-fit "code of conduct" roughly based on the one from Go:

Friday, January 8, 2016

PHP Contributor Etiquette

I was the first to publically +1 the Code of Conduct RFC. I'd love to see a policy that fosters diversity and inclusion, because damn the PHP crowd is startlingly similar. But, after hearing the arguments, I can't endorse the code as written. It's too focused on process and punishment. I believe we need to look at this from a definition of rights and responsibilities. This is my attempt.