Artisan Développeur

Qualité, amélioration continue, agilité.

debian, ubuntu under KVM really slow

0 Comments
Nicolas

I can’t remember where I found this, so, if you are the original author of this solution, say hello, with the original link 🙂

If you install a debian or an ubuntu, you can experience some bad perf.

I use virt-manager to manage my vm’s.

Simple file with some options for the QXL driver fix the problem.

[pastacode lang= »bash » manual= »nano%20%2Fusr%2Fshare%2FX11%2Fxorg.conf.d%2Fqxl.conf » message= » » highlight= » » provider= »manual »/]

Inside the file :

[pastacode lang= »bash » manual= »Section%20%22Device%22%0A%20%20%20%20Identifier%20%22qxl%22%0A%20%20%20%20Driver%20%22qxl%22%0A%20%20%20%20Option%20%22ENABLE_SURFACES%22%20%22False%22%0AEndSection » message= » » highlight= » » provider= »manual »/]

And reboot !

 

How to : elastic search + fosElastica + symfony2 + typehead + bloodhound + elastic suggesters

0 Comments
Nicolas

(POST in BETA version, but I prefer release it, and enhance it later, than never publish ^^)

I want to use Elastic, to manage my search functionality.

It’s a symfony2 project, so I start my research by the integration of Elastic in symfony2, and FosElastica came up.
Thanks to FOS #friendOfSymfony2 people again, and again, your work is amazing !
Also nothing happends here without Elastica

This bundle provides integration with ElasticSearch and Elastica with Symfony2. Features include:

Integrates the Elastica library into a Symfony2 environment
Automatically generate mappings using a serializer
Listeners for Doctrine events for automatic indexing

I assume here, you have already a running symfony2 project, with data on it, I use this setup, to search over user, by name, mail, and over another data named « tags », a kind of internal references to group items.

Steps :

  1. install Elastic
  2. configure Elastic
  3. install FosElastica
  4. configure FosElastica
  5. try with Elastic web interface to confirm 4 firsts sets
  6. add typeahead.js to your page
  7. configure and implement bloodhound and typeahead
  9. Enjoy !

 

1 – Install of elasticsearch :

[pastacode lang= »bash » message= » » highlight= » » provider= »manual »]

apt-get install elasticsearch

[/pastacode]

(If you are under ubuntu use sudo if you not root, tested on ubuntu 15.10 and Debian 8.)

To have elastic working, I’ve to :

[pastacode lang= »bash » message= » » highlight= » » provider= »manual »]

chmod -R elasticsearch:elasticsearch /var/lib/elasticsearch

[/pastacode]

Both debian and ubuntu.

After that, you need to go to :

[pastacode lang= »bash » message= » » highlight= » » provider= »manual »]

cd /etc/elasticsearch/

[/pastacode]

and open « elasticsearch.yml » to configure it.

2 – Configuration

(TODO : CORS config + security)

https://www.elastic.co/blog/found-elasticsearch-security

https://xenforo.com/community/threads/how-to-basic-elasticsearch-installation-debian-ubuntu.26163/

3 – Install FosElastica

with composer :

[pastacode lang= »bash » message= » » highlight= » » provider= »manual »]

php composer.phar require friendsofsymfony/elastica-bundle "~3.0"

[/pastacode]

And enable it :

[pastacode lang= »php » message= » » highlight= » » provider= »manual »]

[/pastacode]

4 - FosElastica configuration :

http://elasticsearch-users.115913.n3.nabble.com/Http-Cors-Setting-td4066032.html

https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html#_settings_3

 

http://twitter.github.io/typeahead.js/examples/
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-suggesters-completion.html
https://github.com/FriendsOfSymfony/FOSElasticaBundle/issues/380
https://github.com/FriendsOfSymfony/FOSElasticaBundle/issues/445
https://github.com/FriendsOfSymfony/FOSElasticaBundle/issues/469
https://github.com/FriendsOfSymfony/FOSElasticaBundle/issues/673
https://github.com/FriendsOfSymfony/FOSElasticaBundle
http://stackoverflow.com/questions/21530063/how-do-we-set-remote-in-typeahead-js-0-10/21533204#21533204

Faster Autocomplete with typeahead.js, Elasticsearch & nginx


http://mycodde.blogspot.se/2014/12/typeaheadjs-autocomplete-suggestion.html
https://www.elastic.co/guide/en/elasticsearch/reference/master/search-suggesters.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-suggesters-completion.html

[php] How to manage uploaded images in secure way

1 Comment
Nicolas

I dev lately on an open source project, GRR (https://github.com/JeromeDevome/GRR/), it’s an old resources management script.

Writen a looooong time ago, « old school » code, but functional and pretty complete.

A security researcher , « kmkz » (Bourbon Jean-marie) – twitter: @kmkz_security, has discovered a security flaw which permit to upload a shell using the upload logo functionality.
Just need to rename the image like EvilShell.php.jpg …
The old code, never check if the submitted file have more than one extension, or if it’s an actual image… Just check if the final extension is jpg, gif or png.

After lot of reading about mime type, EXIF code injection, magic bytes, and million of stackoverflow questions, my little function :

https://github.com/nicolas-san/upload

This is a small, not POO, simple function to check :

  • multiple extension (logo.php.png)
  • extension allowed (jpg, png or gif)
  • good mime type with php finfo_file method http://php.net/manual/en/intro.fileinfo.php
  • if image is valid and remove EXIF with one of the imagecreateFORMAT function from GD http://php.net/manual/en/function.imagecreatefrompng.php
  • if target directory is writable
  • if move_uploaded_file pass without error

The idea is to start test with the obvious attempts, remove the EXIF data to be sure and rename the file to avoid long and wired names.

I think I cover all attack vectors with an image, but if you want test it, break it, improve or comment, do it !

[pastacode lang= »php » user= »nicolas-san » repos= »upload » path_id= »upload.php » revision= »master » highlight= » » lines= » » provider= »github »/]