aimxhaisse's area

Avada Kedavra

Aug 04, 2010 0 Comments

avada.jpg

Weird randomness

Jul 02, 2010 0 Comments

I've been struggling for a while with a strange bug that I'd like to share. I had two web applications protected with an Apache module called mod-auth-openid, which provides authentication using OpenID. Here is the sequence diagram for one authentication:

openid_randomness.png

On the first web application, everything was running fine, but on the second one, I had to wait between 1 and 10 minutes to get access to the web application. It was clear that the problem lay between steps 3 and 8, and it was also clear that it was totally random.

So I had my two applications hosted on two servers, both running under Debian. One was using lenny (Debian 5.0) and the other one etch (Debian 4.0). As the module was not up to date on etch, I'd been porting it because I was missing some features provided by newer versions. At first sight, I wasn't expecting the problem to lie there, but several hours of deep inspection in other places led me to the conclusion that it was something related to Debian and mod-auth-openid. I then started to put debug statements everywhere in the module to see what was taking so long. It appeared that calls to the function true_random() were blocking on etch, not on lenny. There were about ten calls to this function, and between each call I had to wait about 10 seconds to 1 minute. Here is the function:

/* true_random -- generate a crypto-quality random number. Taken from apr-util's getuuid.c file */
#include <stdlib.h>        /* srand(), rand() */
#include <apr.h>           /* APR_HAS_RANDOM */
#include <apr_general.h>   /* apr_generate_random_bytes() */
#include <apr_time.h>      /* apr_time_now() */

int true_random(void)
{
#if APR_HAS_RANDOM
    unsigned char buf[2];
    /* On etch this call reads /dev/random and blocks until the kernel has
     * gathered enough entropy; on lenny it reads /dev/urandom and returns at once. */
    if (apr_generate_random_bytes(buf, 2) == APR_SUCCESS) {
        return (buf[0] << 8) | buf[1];
    }
#endif
    /* Fallback when no OS random source is available: a time-seeded rand(),
     * which is not crypto-quality whatever the comment above says. */
    apr_uint64_t time_now = apr_time_now();
    srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));
    return rand() & 0x0FFFF;
}

So why did it take so long on etch? Actually, apr_generate_random_bytes (which resides in libapr) uses /dev/urandom on lenny, whereas on etch it uses /dev/random. Reading from /dev/random blocks and may take a while before returning random bytes, depending on the environmental noise available. You can try this funny behavior by doing the following:

$ cat /dev/random
Move your mouse to make noise!

The more you move your mouse, the more you read. With /dev/urandom, you don't have to wait (you can try to cat it if you are a real warrior). So the busier the server was, the less the user had to wait, not really common, eh? This change appeared on lenny to fix some issues with other modules.
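As an added diagnostic (not code from the post or from mod-auth-openid), the following PHP script reads from both devices in non-blocking mode, so a starved /dev/random yields a short read instead of stalling the request the way apr_generate_random_bytes() did on etch; device paths and byte counts are the only assumptions.

```php
<?php
// Added diagnostic, not code from the post: read from an entropy device in
// non-blocking mode, so a starved /dev/random gives a short read instead of
// blocking the way apr_generate_random_bytes() did on etch.
function probe_random_device(string $path, int $want = 16): array
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return array('got' => -1, 'would_block' => false, 'ms' => 0.0);
    }
    // Plain file streams honour this on POSIX: it sets O_NONBLOCK on the fd.
    stream_set_blocking($fh, false);

    $t0   = microtime(true);
    $data = fread($fh, $want);
    $ms   = (microtime(true) - $t0) * 1000.0;
    fclose($fh);

    $got = ($data === false) ? 0 : strlen($data);
    // Fewer bytes than requested means the kernel had nothing to hand out
    // right now; a blocking reader such as the module would have stalled here.
    return array('got' => $got, 'would_block' => $got < $want, 'ms' => $ms);
}

foreach (array('/dev/urandom', '/dev/random') as $dev) {
    $p = probe_random_device($dev);
    printf("%-13s read=%2d would_block=%-3s (%.3f ms)\n",
           $dev, $p['got'], $p['would_block'] ? 'yes' : 'no', $p['ms']);
}
```

On Linux kernels from 5.6 onward /dev/random no longer blocks once the pool is initialised, so both devices report would_block=no on a modern host; the probe is for diagnosing older systems like etch.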

How to retrieve boolean values from PHP's configuration

Jun 24, 2010 0 Comments

It might seem trivial to retrieve boolean settings from PHP's configuration with ini_get(). As an example, we will try to find out whether PHP is running in safe_mode or not. There is an ini directive for this, which can be defined in php.ini or in httpd.conf.

in php.ini:

safe_mode = 0

in httpd.conf:

php_admin_value safe_mode 0

Now, let's try to guess its value from a php script.

The wrong but obvious way

if (ini_get('safe_mode') == false) {
    echo "Safe mode disabled\n";
}

This seems to work in Pokemon if you are a dojo master, but not in real life.

The problem

Here is an extract of the documentation of ini_get():

A boolean ini value of off will be returned as an empty string or "0" while a boolean ini value of on will be returned as "1". The function can also return the literal string of INI value.

Which basically means nothing. After some tests, here is an understandable summary of its real behavior:

  • If your setting is defined in php.ini, an empty string is returned when the setting is disabled, the string "1" is returned if enabled.
  • If your setting is defined somewhere else, let's say in your httpd.conf, the exact string is returned.

As a result, a call to ini_get("safe_mode") may return any of the following if safe_mode is enabled:

"true", "truE", "trUe", "trUE", "tRue", "tRuE", "tRUe", "tRUE", "True", "TruE", "TrUe", "TrUE", "TRue", "TRuE", "TRUe", "TRUE", "yes", "yeS", "yEs", "yES", "Yes", "YeS", "YEs", "YES", "on", "oN", "On", "ON", "1", "2", "3", "42", ...

If safe_mode is disabled, any of the following:

"false", "falsE", "falSe", "falSE", "faLse", "faLsE", "faLSe", "faLSE", "fAlse", "fAlsE", "fAlSe", "fAlSE", "fALse", "fALsE", "fALSe", "fALSE", "False", "FalsE", "FalSe", "FalSE", "FaLse", "FaLsE", "FaLSe", "FaLSE", "FAlse", "FAlsE", "FAlSe", "FAlSE", "FALse", "FALsE", "FALSe", "FALSE", "no", "nO", "No", "NO", "off", "ofF", "oFf", "oFF", "Off", "OfF", "OFf", "OFF", "", "0", "HEY I CAN PUT STRING AND IT'S FALSE", "REALLY?!", "OH SHIT YEAH, COOL IDEA", ...

You might think that these values are evil and without any meaning, and that it would be totally stupid to enter such values, yeah? The probability that this occurs is fairly low, so let's just use the buggy obvious way.

Actually, these are really logical when drunk. When you realize your sysadmins are often drunk, or that they simply prefer to enter "On" instead of "1" because it's easier to understand, you might have to change your strategy.

The right but not so obvious way

That's quite a huge mess, but here is a better solution:

function ini_get_boolean($setting)
{
    // ini_get() returns "", "0", "1" or the literal string from the
    // configuration, so normalise every spelling of "enabled" to a real bool.
    $my_boolean = ini_get($setting);

    if ((int) $my_boolean > 0) {
        // "1", "2", "42", ... : any positive number means enabled
        $my_boolean = true;
    } else {
        // "true", "on", "yes" in any letter case also mean enabled;
        // everything else ("", "0", "false", "off", "no", garbage) is disabled
        $my_lowered_boolean = strtolower($my_boolean);

        if ($my_lowered_boolean === "true" || $my_lowered_boolean === "on" || $my_lowered_boolean === "yes") {
            $my_boolean = true;
        } else {
            $my_boolean = false;
        }
    }

    return $my_boolean;
}

if (ini_get_boolean('safe_mode') === false) {
    echo "Safe mode disabled\n";
}

Internet 1.0

Jun 13, 2010 0 Comments

Two years ago I discovered a French talk by Benjamin Bayart about the evolution of the Internet: "Internet vs Minitel 2.0". The main idea of the talk is that despite its nature, the Internet is evolving into a centralized place, where services are at the center of the network. You read your mail on Google, you put your movies on YouTube, you put your life on Facebook, ... When you are using the Internet, you are a dumb terminal feeding and consuming centralized services. This idea has haunted me for a while, but I had done nothing to change my way of using the Internet, until recently.

internet by Orange

As I can't host my own data on a computer that I can physically access (I don't control my Internet connection, and I don't have a stable enough situation to be sure that what I host will still be there in 6 months), I've decided to move everything to a server. I'm aware this is not the best answer, as I'm still depending on OVH. At least, I have better control of my data and I know there is no kind of magic operating in the background; moreover, it shouldn't be too hard to move from the server to something hosted at home.

I've started to remove and replace, one by one, what I was using. The first step was getting rid of Google Reader; the next step will be Gmail (quite a bit harder). I hope to be able to host everything myself one day, but I think it might take a long time before I have a stable situation.

Old little movie

Jun 05, 2010 0 Comments

I've just found a Counter-Strike movie I had made something like 3 years ago, when I was fond of gaming and moviemaking, before discovering the magic world of Unix and segmentation faults :-) . The movie had been lost for a while, but someone has recently uploaded it, and an article has been written on moviemaking.fr.

The full movie can be downloaded from the FTP of moviemaking.fr. The format really sucks (wmv); I wasn't aware of what open formats really were at that time.

/dev/random

May 26, 2010 0 Comments

I've found a comic I made two years ago. I know it's pretty crappy, but I remember having fun doing it; I'll probably give this another try sooner or later.

dev_random.jpg

Sorry for the size of the picture, it's really bad.

d(r)eadlocks

May 25, 2010 0 Comments

I recently went through a deep problem with two PHP scripts, in what at first sight looked like a bug. Basically, I wanted a script a.php to update some $_SESSION values of another script b.php using the same session file. As I didn't want a heavy dependency between both scripts, I ended up using cURL and calling b.php from a.php.

a.php:

<?php
session_start();

if (($ch = curl_init("http://localhost/b.php"))) {
    // Forward the cookies of the incoming request (the session cookie among
    // them) so that b.php opens the same session file. Build a single Cookie
    // header instead of overwriting CURLOPT_COOKIE on every iteration.
    $cookies = array();
    foreach ($_COOKIE as $key => $value) {
        $cookies[] = $key . "=" . $value;
    }
    curl_setopt($ch, CURLOPT_COOKIE, implode("; ", $cookies));
    curl_exec($ch);
    curl_close($ch);
}

echo "My pokemon is " . $_SESSION['pokemon'] . "\n";

b.php:

<?php
session_start();

// Write into the session that a.php already holds open
$_SESSION['pokemon'] = 'pikachu';

Both scripts are hosted under the same domain and on the same host so as to share session files. Guess what? It times out.

What actually happens is that the PHP process handling a.php waits for the process handling b.php to finish (through the cURL request). Both processes use the same session file; unfortunately, between a session_start() call and a session_destroy() call (implicitly made at the end of the execution of the script), the session file is locked, leading here to a nice deadlock.
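The way out, as an added example that is not the post's original a.php: release the session lock with session_write_close() before the sub-request, and reopen the session afterwards to read what b.php wrote. It assumes b.php from the post is reachable at http://localhost/b.php and that PHP's default file session handler is in use.

```php
<?php
// Added example, not the original a.php: give up the session lock before the
// sub-request so that b.php can take it, then reopen the session to read
// what b.php wrote. Assumes b.php from the post lives at http://localhost/b.php.
session_start();
$sid = session_id();

// Persist and unlock the session file now. $_SESSION stays readable, but
// nothing written to it is saved until the next session_start().
session_write_close();

if (($ch = curl_init("http://localhost/b.php"))) {
    // Forward only the session cookie; b.php needs nothing else from us.
    curl_setopt($ch, CURLOPT_COOKIE, session_name() . "=" . $sid);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Bound the wait so a misbehaving b.php cannot hang this request for good.
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $body = curl_exec($ch);
    if ($body === false) {
        error_log("b.php failed: " . curl_error($ch));
    }
    curl_close($ch);
}

// Re-acquire the lock and reload the session file b.php just updated.
session_start();

echo "My pokemon is " . (isset($_SESSION['pokemon']) ? $_SESSION['pokemon'] : "unknown") . "\n";
```

Anything a.php writes to $_SESSION between session_write_close() and the second session_start() is discarded, so keep that window free of session writes.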

Kill them all!

May 22, 2010 2 Comments

I've had to work on a repository hosted on xp-dev, a repository hosting provider with a free offer, just like GitHub, but with crappy adverts everywhere if you don't pay $5 per month. I must admit that I seriously considered the question, as their adverts are sometimes really annoying.

fuuu xpdev

Fortunately, the code for the adverts is not obfuscated, so it's quite easy to get rid of them with a Greasemonkey script, and I've made a little one using jQuery:

// ==UserScript==
// @name           XP-DEV advert remover
// @description    remove annoying adverts on xp-dev
// @include        http://www.xp-dev.com/*
// ==/UserScript==

// Inject jQuery into the page, then poll until it is available.
var GM_JQ = document.createElement('script');

GM_JQ.src = 'http://jquery.com/src/jquery-latest.js';
GM_JQ.type = 'text/javascript';

document.getElementsByTagName('head')[0].appendChild(GM_JQ);

var $;

function GM_wait()
{
    if (typeof unsafeWindow.jQuery == 'undefined')
        window.setTimeout(GM_wait, 100);
    else {
        $ = unsafeWindow.jQuery;
        letsJQuery();
    }
}

GM_wait();

// Using jQuery is not mandatory
// but in case adverts evolve, that may be helpful

function letsJQuery()
{
    // Hide the advert containers, then any block whose bold text is the
    // "Remove these advertisements" upsell.
    $(".adblock").hide();
    $(".strong").each(function () {
        var that = this;
        var pattern = "Remove these advertisements";

        if ($(that).html().indexOf(pattern) >= 0)
            $(that).parent().hide();
    });
}

Yet another blog

May 22, 2010 3 Comments

First post to see if everything is fine :-)

Unity Game Development Essentials (1)

Next week I will review a book called "Unity Game Development Essentials", which deals with the development of games using the Unity engine. As I love game development and JavaScript, this will be a really interesting occasion for me to discover how such an engine works.

unity_game_dev_essentials.jpg

Here are the points covered by the book:

  • Kick start game development, and build ready-to-play 3D games with ease
  • Understand key concepts in game design including scripting, physics, instantiation, particle effects, and more
  • Test & optimize your game to perfection with essential tips-and-tricks

I hope to learn a lot from this book about JavaScript as I have never used this language outside web applications.


aimxhaisse's area is powered by Habari