How To Fix WordPress 2.8.3 Password Reset Vulnerability

August 11, 2009 by Jonathan Grenier

Laurent Gaffié posted an exploit for versions of WordPress up to and including 2.8.3 (the current version as of now). The exploit is simple: if you pass an empty array as the “key” parameter on a password reset query, the value passes the empty() check in wp-login.php and the password is reset, completely bypassing WordPress’s usual protection. It’s not too bad, since the new password is sent to the admin email rather than displayed on the screen, but it can still be annoying.

While we wait for an official patch from WordPress, which I’m sure will be coming very soon, there’s a very easy way to fix it. Simply edit wp-login.php and add this line after line 186 (the line that says global $wpdb):

if (is_array($key)) return new WP_Error('invalid_key', __('Invalid key'));

This simple fix should do the trick. If the key is an array, the function will simply alert the user that the key is invalid, which is what it should do.
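As an added illustration (not the post’s own line and not WordPress code), here is a stand-alone PHP sketch of the reset-password key check, modelled on the pattern the post describes, with the post’s is_array() guard and a stricter type-and-format check beside it. WP_Error and __() are minimal stand-ins so it runs outside WordPress; the input values are constructed.

```php
<?php
// Added example: a stand-alone sketch of the key check in a reset-password
// handler, modelled on the pattern the post describes (not WordPress code).
// It shows why an array slips past empty() and how a type check stops it.

// Minimal stand-ins for WordPress's WP_Error class and __() helper.
class WP_Error {
    public $code;
    public $message;
    public function __construct($code, $message) {
        $this->code = $code;
        $this->message = $message;
    }
}
function __($text) { return $text; }

// The pre-fix pattern: strip non-alphanumerics, then reject only an empty key.
function check_key_vulnerable($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key); // on an array, returns an array
    if (empty($key)) return new WP_Error('invalid_key', __('Invalid key'));
    return 'lookup'; // would go on to query users by activation key
}

// The hardened check: the post's is_array() guard, generalised to accept
// nothing but a non-empty alphanumeric string.
function check_key_fixed($key) {
    if (is_array($key)) return new WP_Error('invalid_key', __('Invalid key'));
    if (!is_string($key) || !preg_match('/^[a-z0-9]+$/i', $key)) {
        return new WP_Error('invalid_key', __('Invalid key'));
    }
    return 'lookup';
}

// Constructed inputs: a normal key, a missing key, and the array PHP builds
// from a query-string parameter of the form key[]= (one empty string).
$inputs = array(
    'normal key'  => 'abc123',
    'missing key' => '',
    'array key'   => array(''),
);
foreach ($inputs as $label => $value) {
    $before = check_key_vulnerable($value);
    $after  = check_key_fixed($value);
    printf("%-12s before fix: %-9s after fix: %s\n", $label,
        is_string($before) ? $before : 'rejected',
        is_string($after)  ? $after  : 'rejected');
}
```

The array input is the only one that reaches the lookup in the pre-fix check; both hardened guards reject it.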

Techniconseils Sponsors The iPhone Dev Camp

August 5, 2009 by Jonathan Grenier

For a while now we’ve been looking at the iPhone platform as one of our next big focus points (our first app is coming soon, we’re waiting for Apple), but today we have some great news.

Starting today, Techniconseils is sponsoring the iPhone Dev Camp Montreal, presented by the Club Mac de Montreal. On the first Wednesday of every month, we’ll be at McGill University presenting the latest news and giving how-tos, not to mention drinks and food, to the developer community around town.

The Dev Camp has its own web site at http://iphone.lcmm.qc.ca. If you tweet about it, make sure to use the tag #idcmtl.

Techniconseils Now an Official Android Developer

January 27, 2009 by Jonathan Grenier

We’ve been registered as an iPhone developer for several months now, but yesterday we submitted our application to be an Android developer (and got accepted of course, everybody is). A nice dev unit is on the way and Techniconseils’ first mobile application will be published on both platforms.

We’ll have more news on what we’re doing in the next few weeks but suffice it to say the word social might appear in quite a few places.

We’ll also have some news soon about SocialFusion, a Twitter / Delicious mashup service.

The Business Of Mobile Applications

January 8, 2009 by Jonathan Grenier

18 months ago, when Apple decided to enter the cell phone market, we knew they would have a big impact on that industry. Apple is well known as the company that sets its own standards and raises the bar when it comes to user experience, and the first version of the iPhone did not disappoint in that regard. Some of those innovations, like at-home activation, unfortunately didn’t stick, but many did.

One thing we didn’t expect, though, was that a year later Apple would be revolutionizing the market again, this time with the iTunes Application Store. Ever since the store went online in mid 2008, it has become the new standard every other manufacturer is rushing to match. While it’s nice for Apple (we’re big fans) to set the bar again, what’s especially nice is that the market for custom applications is enormous right now. Even ridiculous and useless apps are making tons of money nowadays, and Apple is proving that even a 0.99$ application can be quite worthwhile. The gaming market in particular seems to be exploding, with sales being quite encouraging and businesses like NGcomo making a name for themselves after only a few short months of existence.

With the economy being what it is, a business model centered on selling micro applications for less than 2$ makes a lot of sense to me. It’s not about making a lot of money on one license, it’s about selling a ton of licences of a piece of software you created in a matter of weeks (instead of months or years) for a few dollars.

Accessing instance variables outside of an object

November 19, 2008 by Jonathan Grenier

Ruby on Rails makes good use of Ruby’s instance variables (@variable) to make variables set in a Controller available all the way down to the View and the Helpers. It’s very useful because it works really well… until you try to create a new FormBuilder helper. In that case, you are subclassing the ActionView::Helpers::FormBuilder class and thus, you do not have access to the variables set in the Controller. So, how can you do this then?

It turns out Ruby has a way around this. Any object in Ruby has a few methods to help out in that case. If you run:

MyObject.public_methods

You’ll get a long list of methods that you can call. Among those, you’ll see a few that are interesting:

  • instance_variable_defined?
  • instance_variable_get
  • instance_variable_names
  • instance_variable_set
  • instance_variables

With this, you can then call instance_variable_get("@myvar") to get the value of the @myvar instance variable. In the case of a FormBuilder subclass, though, you’ll need to go through the @template variable to get access to the “view” object first. You’d do it like this:

@template.instance_variable_get('@language')

We’ll be talking about how to create a FormBuilder helper soon.

Removing accents in a Ruby String

October 29, 2008 by Jonathan Grenier

With Ruby on Rails, it often seems the developers thought of everything, because there’s a ton of helpers for most common tasks. One thing that’s clearly missing, though, is a way to remove accents from a string. I’m not talking about escaping characters, I’m talking about converting accented characters to their base letters (i.e. “éàû” should become “eau”).

I’ve spent a bit of time today thinking about the best way to do this. Once again, Ruby’s awesome flexibility means we can actually extend the standard String class and add a method to it. In a Ruby on Rails project, we add this library to the lib directory, add one line to the environment.rb file and we’re good to go.

Head over to the Remove Accents From A Ruby String script page to see all the details and to download the script you can use in your Ruby (and Rails) projects. With it, you’ll be able to simply do:

"été".removeaccents

Yes, that simple. I’ve also added another method to prepare a string to be used as part of a URL. Rather than escaping characters, it converts them using removeaccents and it calls a few additional methods to make sure the string is ready.

"été".urlize

We’ve published the script under a creative commons licence. Use it, abuse it, modify it and make sure to send back your changes so we can have a great version to share with everyone.

Welcome to the techniconseils blog

September 18, 2008 by Jonathan Grenier

Hello everyone and welcome to our little corner of the Web. We are Techniconseils, a Montreal-based company that specializes in Web 2.0 sites and Web applications. Wow, that does sound corporate, doesn’t it? Let’s try it again. I’m Jonathan Grenier, a Montreal-based web programmer who’s been creating Web sites and Web applications for over 13 years now, and I’m one of the cofounders of Techniconseils. On this blog, we’ll discuss the latest trends and fads of the Web development world and hopefully give you a few tips and pointers to help you out along the way, as we encounter problems and find the solutions when dealing with our customers’ sites.

Creating a Web application is becoming both easier (thanks to some fabulous libraries and frameworks) and much harder (so many technologies and buzzwords out there!). Add to this the multiplication of devices (iPhone and PSP come to mind) and it’s getting a little crazy out there. I’m hoping this blog will be a good place to exchange solutions and tips on all those technologies. Make sure to check out our scripts section, a good place to find ready-made scripts for your site.

So welcome aboard, thanks for stopping by and I hope to see you soon with our next post.