Playing with Rails XSS protection
by specialj on Aug.23, 2010, under Ruby On Rails
So in Rails 3, XSS protection is built in. This is good. In fact, I’ve wanted to see this since I first started coding Rails in the 1.x days. I have not started any Rails 3 projects yet, but I have been playing with enabling this on a Rails 2.3.8 project by using erubis and the rails_xss gem. Switching over I found lots of problems where strings which should be safe were being escaped. Of course I can easily mark the string as safe, but I wanted to learn why this was happening. I found that the join method does not seem to keep strings safe:
>> ("foo".html_safe + "bar".html_safe).html_safe?
=> true
>> ("foo".html_safe << "bar".html_safe).html_safe?
=> true
>> ["foo".html_safe, "bar".html_safe].join.html_safe?
=> nil
>> ["foo".html_safe, "bar".html_safe].join(''.html_safe).html_safe?
=> nil
I’ve also noticed that mail_to does not return an html_safe string. It appears to have been fixed in Rails 3 but not correct in the rails_xss gem.
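To see why join drops the flag and how a Rails 3 style safe_join keeps it, here is an added example (not code from the post, rails_xss or Rails): it models SafeBuffer with a small String subclass on top of the stdlib ERB::Util.html_escape, so the SafeBuffer class and the String patches are assumptions standing in for ActiveSupport.

```ruby
require 'erb'

# Minimal stand-in for ActiveSupport::SafeBuffer (assumption: models the
# rails_xss / Rails 3 behaviour; not Rails's own class). A SafeBuffer is a
# String that is already escaped or is trusted markup.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending keeps the buffer safe: unsafe input is escaped on the way in,
  # input that is already safe is appended verbatim.
  def concat(value)
    super(value.html_safe? ? value : ERB::Util.html_escape(value))
  end
  alias_method :<<, :concat

  def +(other)
    dup.concat(other)
  end
end

# Plain Strings are unsafe by default; html_safe wraps without escaping, so it
# must only be called on strings you have escaped yourself or trust.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Array#join is a core String operation that knows nothing about SafeBuffer:
# it always returns a plain String, so the flag is lost even when every
# element and the separator were safe. This reproduces the post's finding.
def join_loses_safety?(parts, sep = ''.html_safe)
  !parts.join(sep).html_safe?
end

# The fix: escape each element that is not already safe, escape the
# separator, join, and only then mark the result safe (the approach Rails 3
# takes in its safe_join helper).
def safe_join(parts, sep = '')
  esc = ->(s) { s.html_safe? ? s : ERB::Util.html_escape(s) }
  parts.map(&esc).join(esc.call(sep)).html_safe
end
```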
Kernel patches I’m hoping to see in Ubuntu 10.10
by specialj on Aug.16, 2010, under Sysadmin
I’m planning on buying/building a new computer and I think I will install Ubuntu 10.10 on it. My plan is to use btrfs for the first time. Risky, but I will be taking nightly backups. However, Ubuntu 10.10 is planning on shipping with Linux 2.6.35, which has a severe btrfs performance regression as documented here:
But besides that I’m also hoping that the I/O performance situation will be improved. It has been very difficult to track down where the bug is, but I have certainly experienced it. I haven’t tested the patches, but if they work I hope they find their way into Ubuntu 10.10.
Using an SSD as a cache device
by specialj on Jul.22, 2010, under Uncategorized
Running SSDs in RAID can get very expensive very quickly. A more cost-effective solution is to have a disk RAID and use an SSD as a cache. I’m not sure if any of these are production ready, but all are worth watching:
- zfs-fuse – supports the ZFS L2ARC feature, which can be used to set up an SSD as a cache for a ZFS pool. Checksums SSD data and supports multiple devices.
- bcache – a recent project for caching Linux block devices. Currently only supports one cache device and offers no checksumming.
- flashcache – created and released by and for Facebook; this at least seems to be in production. Documentation is not great, however.
Bcache: Caching beyond just RAM
Learned a lot about nested attributes and Rails
by specialj on Jun.04, 2010, under Ruby On Rails
It’s been a frustrating night trying to figure out how accepts_nested_attributes_for, autosave, dirtiness, and Rails versions all fit together. Going to try and summarize my findings and hopefully I’ll get it right.
- accepts_nested_attributes_for turns on autosave
- autosave will cause any loaded associations to be saved when save for the parent object is called
- the key word is “loaded”, so a find with an include will cause the association to be loaded, and thus autosaved (took me a long time to track this down)
- in Rails 2.3.5 the association is saved regardless of dirty state
- in Rails 2.3.8 the association is saved only if dirty
xAuth as an alternative to OAuth
by specialj on Jun.01, 2010, under Web Development
In doing some work with OAuth today I came across xAuth, which is apparently supported by Twitter. Good thing to be aware of:
Pay attention to the default IO scheduler
by specialj on Jun.01, 2010, under virtualization
With recent versions of Ubuntu running as Xen DomUs I’ve noticed that the default scheduler is deadline. I’ve read documentation that noop should be the preferred scheduler. However, I make use of ionice, as do disk-intensive programs such as fcheck. It’s not often noted, but ionice only works with the cfq scheduler, and because of that cfq is probably the best default for any system.
The desktop I would buy today
by specialj on May.08, 2010, under Hardware
While choosing an SSD may be difficult at the moment, other components for a solid workstation are not. Here’s what I’ve been looking at for the past few months:
Getting more entropy for virtual servers
by specialj on May.04, 2010, under Uncategorized
It is not uncommon for people to have performance problems with their virtual servers and chalk it up to virtualization as the problem instead of insufficient entropy. Mail servers and SSL web servers are particularly vulnerable when run on virtual servers without much entropy. I have noticed that my virtual servers have had a lot less entropy in the past 6 months or so. I decided to revisit what simple and effective solutions exist to solve this problem.
My kingdom for the perfect Linux filesystem
by specialj on May.04, 2010, under Sysadmin
It is extremely difficult to keep up with all the filesystems being developed for Linux these days. Clearly, so much activity represents an understanding that the current filesystems do not address the needs of users. However, as is all too often the case, development is extremely fragmented, with very small groups each trying to build the one true filesystem, and thus each effort takes longer than a collaborative project would.
What I want from a filesystem: snapshots, replication (local, aka RAID, and network), checksums (at least optionally), compression (at least optionally), and some basic intelligence, such as fetching the data from another replica when a checksum fails and replication is in use. Yes, fast error recovery and good performance are important too.
Chromium Extensions
by specialj on Apr.22, 2010, under Uncategorized
- Copy Without Formatting
- FlashBlock (there’s also this FlashBlock, not sure what the practical difference is)