
@miyagawa
miyagawa / text.md
Last active Aug 29, 2015
Plack::Middleware::Session::Cookie vulnerability

Aug 11, 2014

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability: when the middleware is enabled without a secret, an attacker can execute arbitrary code on the server.

If you use Plack::Middleware::Session::Cookie, you're required to pass a secret option to the middleware. The value of the secret key must obviously be kept private.

  • Version 0.22 is released today, which gives you a big WARNING when the middleware is enabled without a secret set.
  • Version 0.23 TRIAL is released, which refuses to run without a secret set, giving an error message at startup. This will become a non-trial release in a few days.

Solution

View carton2.md

Carton

  • carton install
    • Installs modules locally
    • Collects artifacts (metadata)
    • Dumps versions to the snapshot file
  • carton install --deployment
    • Recreates the CPAN mirror from the snapshot
    • Installs modules with cpanm
View gist:6d1eadf7d08725723e06
➜ cpanminus git:(devel) ✗ perl -Ilib script/cpanm.PL --info App::cpanminus@1.7006
---
filtered:
query:
nested:
path: module
query:
custom_score:
metacpan_script: score_version_numified
query:
@miyagawa
miyagawa / a.md
Last active Aug 29, 2015
Upgrade cpanm to the latest without the current cpanm

cpanm 1.7008 had a packaging error where it might not run if you don't have the latest Parse::CPAN::Meta in your perl library paths. 1.7008 was available only for 20 minutes on PAUSE, and the issue has been fixed in 1.7009. If you're one of the few people who got 1.7008 from PAUSE and ended up with a non-working cpanm, you can use the regular "first installation" method to get the fixed version:

  • curl -L cpanmin.us | perl - App::cpanminus
  • plenv install-cpanm
  • perlbrew install-cpanm
View gist:cd1e17732b1dc4434939
➜ cpanminus git:(devel) grep JSON/PP.pm /Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/**/.packlist
/Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/5.8.9/darwin-2level/auto/ExtUtils/MakeMaker/.packlist:/Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/5.8.9/JSON/PP.pm
➜ cpanminus git:(devel) PLENV_VERSION=5.8.9 perldoc -lm JSON::PP
/Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/5.8.9/JSON/PP.pm
➜ cpanminus git:(devel) PLENV_VERSION=5.8.9 cpanm --reinstall JSON::PP
Successfully reinstalled JSON-PP-2.27203
1 distribution installed
View gist:841a7cad13475dea96af
➜ ~ grep -irl miyagawa /System/Library/Perl/
/System/Library/Perl//5.12/pods/perlhist.pod
/System/Library/Perl//5.16/CPAN/HTTP/Client.pm
/System/Library/Perl//5.16/pods/perl5140delta.pod
/System/Library/Perl//5.16/pods/perlhist.pod
/System/Library/Perl//Extras/5.12/darwin-thread-multi-2level/DBI/Changes.pm
/System/Library/Perl//Extras/5.12/darwin-thread-multi-2level/JSON/Syck.pm
/System/Library/Perl//Extras/5.12/PPI.pm
/System/Library/Perl//Extras/5.12/Test/Requires.pm
/System/Library/Perl//Extras/5.12/URI/_punycode.pm
@miyagawa
miyagawa / podcast-feed-agents.pl
Last active Aug 29, 2015
Analyze podcast feed clients
#!/usr/bin/env perl
use strict;
use warnings;
use JSON;

# Only requests under this path belong to the podcast feed
my $matching_path = qr!^/rebuildfm!;

# User-Agent patterns mapped to a human-readable client name
my @UA = (
    [qr/^Podcasts?\/\d/               => "Apple Podcasts"],
    [qr/^iTunes\/[\d\.]+ \(Macintosh/ => "iTunes (OS X)"],
    # further user-agent patterns follow in the full gist
);
View Rakefile
desc "Set up nginx redirects"
task :redirects do
  system "bundle exec jekyll build"
  system "scp _site/redirects.conf root@#{HOST}:/var/www/cache.rebuild.fm/"
  system "ssh -l root #{HOST} 'nginx -t && nginx -s reload'"
end
View a.diff
diff --git a/Rakefile b/Rakefile
index ca4af4d..0ba34e1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -214,16 +214,11 @@ def next_episode
}.max + 1
end
-desc "ping updates to FeedPress"
+desc "ping updates to Superfeedr Hub"
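Review bot: only the description string changes from FeedPress to Superfeedr Hub in this hunk, while the hunk header (16 lines to 11) shows the task body shrinks as well; make sure the task name and any FeedPress-specific variables or endpoint in the body are renamed in the same change so the description matches what the task actually pings.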
View upload.rb
desc "upload to SoundCloud"
task :scupload do
  require 'soundcloud'
  ep    = ENV['EP'] or raise 'EP is required'
  token = ENV['SOUNDCLOUD_TOKEN'] or raise 'SOUNDCLOUD_TOKEN is required'
  media = "_media/podcast-ep#{ep}.mp3"
  client = SoundCloud.new(access_token: token)
  # the upload of media through client follows in the full gist
end