Blog

Since 2023 I've been using Monit running on an old laptop to ping devices on the campus network. If something something important goes offline (eg. a switch or an IP phone) it sends me an email, and it also provides a web interface where my colleagues can see the status to support troubleshooting when I'm unavailable.

I use Draytek's VigorConnect software to monitor and manage wireless access points around the campus where I work. In 2023, I installed it on an old laptop that I repurposed as a Debian server, but VigorConnect  had issue with a memory leak that we never got to the bottom of.

Postfix has a useful feature where you can filter mail before delivery based on its header contents. If you add the line:

header_checks = regexp:/etc/postfix/header_checks

Today’s post is about a bit of a niche issue! Recently I was working on a PHP site that generates spreadsheets in Excel 2007+’s .xlsx format. For years we’ve been using PhpSpreadsheet to generate the spreadsheets. Since I don’t use Microsoft Office, I usually test them using LibreOffice. All seemed well, but in user acceptance testing, users told me that they were getting the following warning when they opened one of the spreadsheets in Excel:

We found a problem with some content in '<filename>.xlsx'. Do you want us to try to recover as much as we can? If you trust the source of this workbook, click Yes.

In its default configuration on recent versions of Debian, PostgreSQL creates shared memory segment files in /dev/shm/. Common rootkit detection software such as chkrootkit or rkhunter flags these as potential indicators of infection. The file names are randomly generated, which makes filtering them out a little tricky. Here’s how to avoid the system flagging them up as false positives.

In my security work, I spend a large proportion of my time making sure that user input is properly escaped. This is essential to prevent SQL injection and cross-site scripting (XSS) attacks. Thanks to prepared statements, SQL injection is easy to avoid*, even in old code bases. Unfortunately XSS can be more difficult to catch when dealing with PHP. This is due to the potential mix of single quotes, double quotes, backticks, PHP syntax, JavaScript syntax, and HTML syntax.

Munin is a useful tool for generating graphs of system performance. When setting it up on Debian and Ubuntu, it doesn’t automatically enable monitoring of Apache or MariaDB, but the reason why isn’t easy to spot.

Often I need to access several web apps running on the same hostname, with different usernames. For example, I might need to access webmail, phpMyAdmin, and a wiki all on https://dev.example.com/. For convenience, I usually save the login details in the web browser, but if there are multiple different usernames on the same host then the browser doesn’t know which one to automatically populate into the login field. However, if each login page itself prepopulates the username, then the browser is then able to prepopulate the saved password as well.

If you’re using the native desktop Spotify client on Debian or Ubuntu, you may have noticed that they don’t seem to have figured out how to rotate their apt signing keys automatically. This means that apt updates will periodically fail with the following message:

GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABCDEF1234567890
The repository 'http://repository.spotify.com stable InRelease' is not signed.

Recently I was cleaning up some data as part of a data analysis project, and ran into a frustrating problem with stray backslashes in text fields. Here’s how I ended up solving it.