Events calendar mystery solved

On Mar 4, 2013, at 11:17 AM, Wendy Verrrei-Berenback <wverreib@uvm.edu> wrote:

Disallowed Key Characters: pspw1-8520-PORTAL-PSJSESSIONID
using Firefox 19

The Events Calendar code uses a “software framework” (viz. http://en.wikipedia.org/wiki/Software_framework) called CodeIgniter. When processing any sort of input (URL, form input via GET or POST, or cookies), CodeIgniter tries to “sanitize” the input to remove or exclude any data that may be malicious in nature.

In particular, CodeIgniter goes through every cookie set by ANY application in the uvm.edu domain. Why? Because it can: cookies are scoped only by hostname (catalyst.uvm.edu) or domain name (uvm.edu), not by the application that deposited them, so the browser sends all of them with every request. This is a bit of overkill, as we have a lot of applications. CodeIgniter took exception to any cookie whose name was NOT constructed solely of the characters a through z, A to Z, 0 to 9, “:”, “_”, and “/”.

Any UVM application using WebAuth, like the mediamanager, was producing a key named

webauth_ct_krb5_krbtgt/uvm.edu@uvm.edu

Sorry, “@”, and “.” disallowed, outside the above set.

PeopleSoft?

pspw1-8520-PORTAL-PSJSESSIONID
pspw2-8520-PORTAL-PSJSESSIONID

“-” disallowed.

I locally extended the CodeIgniter core Input class to accept “@”, “-”, and “.” when examining cookies (but not when sanitizing URLs or form input). This error should trouble us no more.
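The key check described above, as an added Python example (not CodeIgniter's code and not the local extension itself): it reports which characters cause each key to be rejected, under the original set and under the wider cookie-only set. The character classes follow the post's description; the cookie values, the `ci_session` entry and the form keys are constructed.

```python
import re

# Character sets as the post describes them (not copied from CodeIgniter's source).
ORIGINAL = "A-Za-z0-9:_/"
COOKIE_EXTRA = "@.\\-"          # the three characters added for cookies only

def offending(key, allowed):
    """Return the sorted characters in key that fall outside the allowed class."""
    return sorted(set(re.sub(f"[{allowed}]", "", key)))

def cookie_names(header):
    """Names from a Cookie request header: 'a=1; b=2' -> ['a', 'b']."""
    return [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]

def screen(cookie_header, form_keys, extended=True):
    """Map each rejected key to its offending characters.

    Cookies are checked against the wider set when extended is True;
    form keys are always checked against the original set.
    """
    cookie_class = ORIGINAL + (COOKIE_EXTRA if extended else "")
    rejected = {}
    for name in cookie_names(cookie_header):
        bad = offending(name, cookie_class)
        if bad:
            rejected["cookie:" + name] = bad
    for key in form_keys:
        bad = offending(key, ORIGINAL)
        if bad:
            rejected["form:" + key] = bad
    return rejected

# Constructed request: cookie names from the post, values and form keys made up.
COOKIES = ("webauth_ct_krb5_krbtgt/uvm.edu@uvm.edu=x; "
           "pspw1-8520-PORTAL-PSJSESSIONID=y; ci_session=z")
FORM = ["title", "start-date"]

if __name__ == "__main__":
    for label, ext in (("original", False), ("extended", True)):
        print(label, screen(COOKIES, FORM, extended=ext))
```

With the wider set the two foreign cookies pass, while a form key containing “-” is still rejected, which is the split between cookies and URL or form input that the fix keeps.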


Password Protection tool

Client reported tool (https://www.uvm.edu/htpasswd) wasn’t behaving.

 

Some time ago, the webteam decided to change their convention for providing friendly URLs. They create a friendly alias in htdocs, and point it at a folder named website in the owner's home directory. For example,

https://www.uvm.edu/~ugrsrch/ , files in /users/u/g/ugrsrch/public_html

https://www.uvm.edu/ugresearch/ , files in /users/u/g/ugrsrch/website

(Never mind that if both folders exist, these are now two distinct websites. Holy broken bookmarks and more, Batman.)

So, the password utility at

https://www.uvm.edu/htpasswd

needed to be updated to recognize the existence and priority of a website folder. This was actually pretty easy. The tricky part is the construction of .htaccess. Given a REMOTE_USER of kapoodle, it is easy enough to generate this, to force SSL:

SSLRequireSSL
ErrorDocument 403 https://www.uvm.edu/~kapoodle

But now our client wants http://www.uvm.edu/MyronKapoodle. How do I infer:

SSLRequireSSL
ErrorDocument 403 https://www.uvm.edu/MyronKapoodle

 

Turns out not to be an issue. On Mar 6, 2013, at 1:42 PM, Benjamin Coddington <bcodding@uvm.edu> wrote:

Wes, I don’t think you need to worry about forcing SSL for authentication
anymore.  A couple years ago we wrote an apache module that monitors all the
server’s responses looking for the WWW-Authenticate: Basic header, and if
the response would be sent un-encrypted the server instead hijacks the
response and turns it into a redirect to the same location over SSL.

This nicely eliminated the possibility of sending WWW-Authenticate: Basic in
plain text, and I think it also means you don’t have to worry about
SSLRequireSSL and .htaccess-https for authentication purposes.
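The behaviour Ben describes, sketched as Python WSGI middleware rather than an Apache module. This is an added example, not UVM's module; the class name, the configured `https_host` parameter and the sample app are assumptions made for illustration.

```python
from urllib.parse import quote

class BasicChallengeOverTLS:
    """WSGI middleware: a Basic auth challenge never leaves over plain HTTP."""

    def __init__(self, app, https_host):
        self.app = app
        self.https_host = https_host  # configured name, not the client's Host header

    def __call__(self, environ, start_response):
        seen = {}

        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, list(headers)
            return lambda chunk: None  # legacy write() hook, unused here

        body = list(self.app(environ, capture))  # buffer until headers are known
        challenge = any(
            name.lower() == "www-authenticate"
            and value.lstrip().lower().startswith("basic")
            for name, value in seen["headers"])
        if challenge and environ.get("wsgi.url_scheme") != "https":
            path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
            location = "https://" + self.https_host + quote(path or "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("302 Found",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        start_response(seen["status"], seen["headers"])
        return body

def protected_app(environ, start_response):
    # Constructed stand-in for a directory guarded by .htaccess Basic auth.
    start_response("401 Unauthorized",
                   [("WWW-Authenticate", 'Basic realm="constructed"')])
    return [b"authentication required"]

def demo(scheme):
    """Send one constructed request through the middleware."""
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, dict(headers)

    environ = {"wsgi.url_scheme": scheme, "SCRIPT_NAME": "",
               "PATH_INFO": "/MyronKapoodle/", "QUERY_STRING": ""}
    BasicChallengeOverTLS(protected_app, "www.uvm.edu")(environ, start_response)
    return out["status"], out["headers"]
```

Because the check runs on the response, the redirect target is whatever URL was requested, so no per-directory ErrorDocument line has to be inferred from a friendly alias.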


Silk Servers and perl

Jim McGarry, Exam Proctoring center, sent me this question:

This html has been working for years apparently up to the end of Fall 2012 semester; it calls a program to send email & to create a flat file in the directory it resides in that I download to create forms & update a database.

Now when I try to execute it I get

Scott Dellinger, Systems Architecture & Administration, Enterprise Technology Services, made note

The old server at cgi.uvm.edu was retired at the end of 2012.  This was announced in November and December to the it-announce and it-discuss mailing lists used to disseminate such information, though it does not appear you currently subscribe to either.  (You might wish to do so, in order to ensure you see IT service announcements.)  We also directly contacted script owners whose scripts we could determine were being actively used, though most of the remaining contents on this server were only being spammed anymore and so this was difficult to identify.  I’m sorry you were not aware of the change. It looks like your script is a derivative of FormMail.  We have a copy of FormMail running on a supported server, available on scripts.uvm.edu (see http://www.uvm.edu/it/utilities/formmail.html for details).  If this will work for you, then moving to use that would probably be your easiest option.  If not, then we have a new CGI hosting service that could be an option, though it works a little differently.  Just let us know and we’ll be glad to help.

Turns out, Jim already has a “silk” server at

http://epc.w3.uvm.edu

created last October. See here and here.

The Bformmail2.pl script he was using had some additional features not found in formmail.pl. He had a copy of this on a backup drive and loaded it on his server. Nothing happened.

 

Apparently, form POST variables are not appearing in perl %ENV hash. I was able to prove this with this here link and this perl

#!/usr/bin/perl
# Dump the CGI object to see which request parameters the script receives.
use Data::Dumper;
use CGI;
print "Content-type: text/html\n\n";
$query = CGI->new;
print "\n\n";
print Dumper $query;

But no, says Ben:

Use $fcgi, as if it was an automagically created instance of CGI (because it is):

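#!/usr/bin/perl
# $fcgi is supplied by the server's persistent FastCGI handler; no CGI->new here.
use Data::Dumper;
print "Content-type: text/html\n\n";
print "\n";
print Dumper $fcgi;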

The fcgi stuff on the server is setting up CGI, and is persistent across requests.  The requested perl script is executed per-request from a persistent fcgid handler.

Oh, the fun we have.

Gund Back

Taylor Ricketts returned:

So we’re adding to our publications database, and now including books and book chapters.  These have slightly different formatting conventions than journal articles (e.g., we need to list the publisher, there is no journal title, etc.). So I’m writing to see if you can format some types of references differently than others.   For example, here is a book reference now on the publications webpage:

Kareiva, P.; Tallis, H.; Ricketts, T.; Daily, G. C.; Polasky, S.. (2011) Natural Capital: Theory and Practice of Mapping Ecosystem Services. Pages 392;

It’s formatted by listing the same fields, in the same order, as all of the others.  But we’d like it to be treated like a book, and look like:

Kareiva, P.; Tallis, H.; Ricketts, T.; Daily, G. C.; Polasky, S.. (2011) Natural Capital: Theory and Practice of Mapping Ecosystem Services. Oxford University Press, New York. Pages 392;

The difference is that the ‘publisher’ and the ‘place published’ fields have been inserted, with the appropriate punctuation around them.

I had to edit the ingestion script. dSpace recognizes a smaller set of metadata tagged fields than EndNote. In EndNote, Journal Article titles are stored in tag, while Book publisher appears in and publisher location in . I needed to map all three of these in to dSpace’s tag, concatenating the latter two:

Reaktion Books, London, UK.


Big Blue Button users Pintauro, Henry, Atwood, Exler

Stephen J. Pintauro, Ph.D., Department of Nutrition and Food Sciences, wrote:

I would like to try using BigBlueButton in my NFS 243 (Advanced Nutrition) class this semester.  I mostly want to have my TA try it as a way of holding regular “help sessions” for the class.  I set up a meeting on the BigBlueButton@uvm website and watched the tutorials.  It all looks very straightforward.  Once I login, I can enter my NFS 243 meeting as a moderator.  But how do I add my TA as a moderator?

Wow. Good question.

As of now, they’ll have to use the Guest Moderator password.

The canned Drupal Module for BBB did not anticipate this scenario: only ‘moderate my own meetings’ and ‘moderate ALL meetings.’ I have done a lot of hacking at this module, so it may be possible for me to add something like an “additional moderators” field, but certainly not before classes start.

While exploring this option, I also discovered a misconfiguration in the “restrict to netIDs” feature. It wasn’t restricting. Now, I think it is.

More recently, I tested audio connections with our own Justin Henry. We were first stymied by bad UVM/New England internet failures. Next day, network problems abated, but Justin, while audible, kept going silent until he toggled his mike off and on. Today, I tested with Dr. Vickie Backus, from her home in Starksboro, VT. Audio performance was flawless over the course of several hours. Something’s hosed on Justin’s end.

Later, Gary Atwood, Library Assistant Professor, Dana Medical Library, penned:

I had never heard of BBB, but it certainly seems like a pretty cool product.  I would love to come over and meet with you for a little tour/demo if you have some time. Just let me know of a day/time that works for you.

It might help if you know a little bit more about where I’m coming from.  One of the groups that I’m supposed to work with are our medical students who are out on clinical rotation at 3 different hospitals in Maine, Connecticut, and Florida.  Obviously, these folks can’t come to the library to sit in on any workshops that we have to offer so I’m trying to find a way to reach out to them and web conferencing seems to be the way to go.  I have a small amount of experience running webinars from my former position, but I’m no expert (although I’d like to become one).

So, what this all means is that the webinars that I’m looking to offer this spring are really big experiments.  I don’t even know if I’ll have anyone sign up, but I’m looking at offering two different ones.  One would be very PowerPoint oriented and the other would be more sharing-my-browser oriented.  Just to be on the safe side, I’d probably cap registration at 6-10 people because I’ll be the only person running this and will have to keep track of chat and monitor tech issues.

I don’t know if that helps you or not, but as I said, I’d love to learn more about this if you have some time.

He came over, we talked and demoed, with help from Dr. Backus in Starksboro. Gary is hooked.

 

Finally, Steve Exler, EPSCoR, reports they are having their 2nd BBB webinar on January 22nd at 2:45.


Lab images: CTL 303, CMD

Updated 20 machines in Bailey-Howe 303 to latest and greatest. Process uncannily smooth.

 

Meanwhile, David Trautman ran the update process on the CMD machines and reported that Adobe After Effects is crashing upon startup on all the machines. I backed off a couple of Adobe CS6 update transcripts (removed transcripts adobe_cs6.03U_master.T and adobe_cs6.04U_master.T from command file adobe_cs6_master.K) as a temporary fix. Machines will need to be re-imaged. David ran the updates; After Effects still crashes on startup. Also noticed that Adobe Audition is doing the same thing.

 

My office test machines work fine, so I guess I need to pay a house call.


Conference call/screen share with TextHelp / Read&Write

Spent close to an hour with Mike and Jessica from TextHelp regarding Mac and Win “installers,” remembering of course that calling them such is a kindness.

Short story: they feel our pain.

Longer story: include some sort of instructions to, say, drag the RWG folder out of Downloads and into Documents, and manually create a shortcut on the desktop. Include their text support phone #.

The actual developers live in Ireland, where things are different. A true installer may be forthcoming someday real soon now. Or not.

On the Mac side, there is a newer version that Mike thinks is more Mountain Lion/GateKeeper friendly. He will be sending updated DVDs, both Mac and PC, next week.


Lab Images

A major time suck getting Zotero and various preferences right, but mission accomplished, at least in terms of preparing the image. Now being tested by CTL staff.

Met with new guy David Trautman <dtrautma@uvm.edu> from the library, who is going to take over CMD and A206. Seems to be a unix head, so he should work out fine.


Lab images

After some good progress, a hidden monkey wrench was discovered in the works. It was discovered when the latest updates to MS Office 2011 yielded immediate crashes trying to open any Office app.

Problem traced down to a mismatch of an outdated RadMind MacOS application (the transcript editor) and low-level radmind CLI tools. The transcript editor was mangling symbolic links in transcript files, rendering transcripts for maybe 1/2 dozen applications potentially broken.

Workaround is to use TextWrangler exclusively for transcript editing, which is not a big deal; however, creating transcripts for simple self-contained applications will no longer be a quick and simple drag-and-drop operation.

Lab images

Trying to stay on top of these before January refresh. CMD done, pending any future Apple updates. Currently working on CTL.
