Testing Postfix regular expression header checks
Postfix has a useful feature where you can filter mail before delivery based on its header contents. If you add the line
We offer the articles below in the hope that they will be useful, but we cannot accept liability for any problems caused by the instructions that they contain. If you have a problem, question or feedback relating to one of our articles, please post a comment so that other readers can benefit. We regularly review comments and reply or update the articles, to ensure their continued usefulness. All articles are provided free, without any advertising or tracking, for the benefit of the technical community.
If you require paid commercial support, please contact us for assistance.
Today’s post is about a bit of a niche issue! Recently I was working on a PHP site that generates spreadsheets in Excel 2007+’s .xlsx format. For years we’ve been using PhpSpreadsheet to generate the spreadsheets. Since I don’t use Microsoft Office, I usually test them using LibreOffice. All seemed well, but in user acceptance testing, users told me that they were getting the following warning when they opened one of the spreadsheets in Excel:
In its default configuration on recent versions of Debian, PostgreSQL creates shared memory segment files in /dev/shm/. Common rootkit detection software such as chkrootkit or rkhunter flags these as potential indicators of infection. The file names are randomly generated, which makes filtering them out a little tricky. Here’s how to avoid the system flagging them up as false positives.
Open the file /etc/chkrootkit/chkrootkit.ignore and add the following line:
In my security work, I spend a large proportion of my time making sure that user input is properly escaped. This is essential to prevent SQL injection and cross-site scripting (XSS) attacks. Thanks to prepared statements, SQL injection is easy to avoid*, even in old code bases. Unfortunately XSS can be more difficult to catch when dealing with PHP. This is due to the potential mix of single quotes, double quotes, backticks, PHP syntax, JavaScript syntax, and HTML syntax.
Munin is a useful tool for generating graphs of system performance. When setting it up on Debian and Ubuntu, it doesn’t automatically enable monitoring of Apache or MariaDB, but the reason why isn’t easy to spot.
Often I need to access several web apps running on the same hostname, with different usernames. For example, I might need to access webmail, phpMyAdmin, and a wiki all on https://dev.example.com/. For convenience, I usually save the login details in the web browser, but if there are multiple different usernames on the same host then the browser doesn’t know which one to automatically populate into the login field. However, if each login page itself prepopulates the username, the browser is able to prepopulate the saved password as well.
If you’re using the native desktop Spotify client on Debian or Ubuntu, you may have noticed that they don’t seem to have figured out how to rotate their apt signing keys automatically. This means that apt updates will periodically fail with the following message:
Recently I was cleaning up some data as part of a data analysis project, and ran into a frustrating problem with stray backslashes in text fields. Here’s how I ended up solving it.
Overview of the problem
Sometimes it’s necessary to load external JavaScript into a React/Next.js system. There are various ways of doing this, but one of the most commonly recommended is via Next.js’s <Script /> component. Today I discovered a strange quirk. If you load the script inside a Next.js <Head /> component, then the onLoad function must be a conventional JavaScript onload function, not a React function. If you try to use a React function, it will not run, but there will be no warnings.
On some of the servers that I maintain, I use monit to monitor the status of key system services. I have it set up to try and automatically restart the service and only notify me if it’s unable to restart it. This helps to keep everything running smoothly without manual intervention.