Seagull 0.6.3 Remote File Disclosure Vulnerability – Please Upgrade

Posted on 25 January 2008 by Demian Turner

Well, the title says it all, but I don’t think this is a reason for anyone to have a heart attack, aside from me, though I’m recovered now 😉

Please download Seagull 0.6.4, which includes the small fix required to solve the file disclosure problem. 0.6.3 is no longer available.

As the release has only been out for less than 24 hours I doubt there are many production sites running on the vulnerable code, but if you were running svn update on a live site (a very bad practice, by the way), then svn up again 😉

The problem is very simple: some recent code we introduced to merge, compress and cache CSS and JS files was accepting arbitrary file paths from GET parameters – ouch. The path checking is now much more stringent.

Thanks to the gentleman over at milw0rm.com who posted the flaw less than 24 hours after the release went out. While he didn’t inform me or anyone I know of, Google Alerts notified me of his announcement. In my view this is open source (with a little help from Google) working at its best.

Finally, please note that the title of the exploit article is inaccurate: it claims versions <= 0.6.3 are affected, but this is not true, as the affected optimizer.php file was only introduced in 0.6.3.
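The class of bug described above is a combiner script that reads whatever path the request names. The following is an added example of the kind of path check such a script needs; it is not Seagull's own optimizer.php code, and the asset root directory and the comma-separated "files" GET parameter are assumptions for illustration.

```php
<?php
// Added example, not Seagull's own optimizer.php: a CSS/JS combiner that
// takes a comma-separated "files" GET parameter. The asset root and the
// parameter name are assumptions for illustration.
define('ASSET_ROOT', realpath(dirname(__FILE__) . '/www'));
$allowedExt = array('css', 'js');

// The bug class described above is reading whatever path the request
// names, e.g. file_get_contents($_GET['files']); never do that.

// Resolve one requested asset to an absolute path under $root, or return
// false. Rejects null bytes, "..", absolute paths, non-asset extensions
// and anything that canonicalises to a location outside $root.
function resolveAsset($requested, $root, array $allowedExt)
{
    if (!is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false) {
        return false;
    }
    // Conservative character set; no traversal, no leading slash.
    if (!preg_match('#^[A-Za-z0-9_/.-]+$#', $requested)
        || strpos($requested, '..') !== false || $requested[0] === '/') {
        return false;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    // realpath() resolves symlinks and returns false for missing files;
    // the prefix check is what actually pins the file under the root.
    $abs = realpath($root . '/' . $requested);
    if ($abs === false || strpos($abs, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $abs;
}

$files = isset($_GET['files']) ? explode(',', $_GET['files']) : array();
$body  = '';
foreach ($files as $f) {
    $abs = resolveAsset(trim($f), ASSET_ROOT, $allowedExt);
    if ($abs === false) {
        header('HTTP/1.0 400 Bad Request');
        exit('Invalid asset request');
    }
    $body .= file_get_contents($abs) . "\n";
}
echo $body;
```

The realpath() containment check is the part that matters: the character whitelist alone would still let a symlink inside the asset directory point elsewhere.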

New Release of the Seagull framework – 0.6.3

Posted on 23 January 2008 by Demian Turner

Well it took a bit of time but after quite a few months a new release of Seagull is finally out, 0.6.3. Things have been keeping pretty busy with the startup I’m working on, but it’s been a great opportunity to refine some features of the framework and optimise the performance.

The early indications are good, after less than 10 weeks of going live Kindo users are creating up to 20k profiles/day and the server load is staying comfortably below 0.5.

The latest Seagull release has a long list of improvements and new features; now it’s just a case of bringing the wiki documentation up to date to reflect this 😉 This should happen in the next few weeks.

Here’s an overview of what’s new:

  • CSS and JavaScript reorganization and optimization
  • emails can now be stored in a queue managed by the db
  • caching support has been extended to include javascript, css, PHP libraries and method calls
  • we integrated Horde_Routes, imo one of the better PHP routes libs available
  • Zend_Cache, which has clearly overtaken Cache_Lite, is now wrapped by SGL_Cache, so devs have easy access to a memcached backend
  • Dmitri developed an alternative array-based navigation driver, same flexibility as former driver but lightning fast
  • out-of-the-box RTL support thanks to our work on the Arabic translation of http://kindo.com/
  • the test suite now runs end-to-end in CLI
  • the translation module has been greatly enhanced and was key in allowing us to release 14 languages in 10 weeks, including Arabic, Chinese and Russian
  • full support for stored proc multiple resultsets in the SGL MySQL db driver and for storing DDLs for procs, views, functions, triggers and default or test data in your modules
  • many performance improvements
  • support for multiple attachments in SGL_Emailer

See the CHANGELOG for full details.

Startups powered by Seagull: Podcast.de

Posted on 22 January 2008 by Demian Turner

Thanks to Fabio Bacigalupo for the following article, part of an upcoming mini-series about successful startups built on the Seagull platform.

Running a successful website is a constant balancing act between achieving good performance and scaling smoothly. Read how we have used the Seagull framework to build our portal podcast.de. As a start-up we provide a web-based service to find, comment, play and recommend audio and video podcasts. At the moment the service is intended for a German speaking audience only but we are prepared for internationalisation thanks to Seagull.

Salary Trends for PHP Devs in London, UK

Posted on 18 January 2008 by Demian Turner

Andrew sent over this interesting analysis of salary trends for PHP devs in London; I was surprised such detailed info was available. The only problem is that the salary data is quite understated in my experience: advanced devs can easily find gigs for £50-70k, but it’s certainly true that agencies and often employers do very poor jobs differentiating between mediocre and ninja candidates.

Another shocker, for me at least, is while £200/day was quite a typical rate last year for HTML guys who knew a bit of CSS (PHP guys could get £300), this year has seen a significant jump with the frontend guys able to command £300/day.

PHP constant() bug -> false alarm ..

Posted on 04 June 2007 by Demian Turner

Anyone else think this is a bug worth filing? I’m using PHP 5.2.0 on OS X.

If there weren’t 161 options for bug type on the PHP bug submission page I probably would have filed it by now. Btw, there don’t seem to be any similar bugs filed in the last 90 days.

Senior PHP dev required in London, UK

Posted on 30 April 2007 by Demian Turner

Recently I joined forces with Gareth Knight and Drew Preston, two chaps well-seasoned in London’s technology and web 2.0 circles. Things have developed rather quickly and after just 2 months we’ve moved into our first offices overlooking the Thames at Putney Bridge.

Work has been coming in thick and fast, and even with our rapid dev platform we can barely keep up with demand. So if you are an ambitious, talented, enthusiastic and motivated PHP Developer, please read on.

You will have:

  1. 3+ years PHP experience with an excellent knowledge of object oriented PHP 4/5, MYSQL 4/5, and a good understanding of CSS, xHTML, AJAX and JavaScript.
  2. Apache and MYSQL administration experience would be ideal but not essential, as would experience with the Seagull framework.
  3. Exposure to Open source technologies/frameworks/libraries eg PEAR, prototype, scriptaculous is essential. As is having worked with popular web services (using SOAP, XML etc).
  4. Experience writing/working with CMS, E-commerce systems is beneficial.
  5. You must be able to manage a development environment, be able to accurately quote time for completing required tasks and be comfortable working with Trac and svn.

Please get in touch if you are interested.

Many new features in latest 0.6.2 release of Seagull Framework

Posted on 27 April 2007 by Demian Turner

Okay … it took a bit of time to get this release out, 4 months to be exact, which broke our monthly release cycle that has been maintained for several years now. What’s up, you ask? I have been very busy working on a startup venture with some clever guys; more info to come.

The main focus of 0.6.2 has been managing module resources so that they are completely independent from the core framework and are easy to install. To that end, everything a module might need can now be bundled in a single archive which can be unzipped in the modules directory, and Seagull will take care of everything else during the install process. Modules can now additionally contain any template or data resources, which include HTML, CSS, js and a range of data files. With the possibility of adding additional include paths, and config or setup files on a per-module basis, it’s much easier to incorporate advanced features into your projects without touching the core.

Having said that, now that the 0.6 branch is quite stable and feature complete we’ll be moving back to trunk and developing new features that have been in the pipeline for several months. The main focus will be on further decoupling the core framework (everything in seagull/lib/SGL) from the bundled modules, and in future releases all non-core features will be installable on-demand only. The result will be a much smaller, more manageable core, therefore more frequent releases, and better choice in terms of extra components for framework users.

Back in 0.6.2 there has been a lot of work going on behind the scenes; here are a few highlights from a quick look at the CHANGELOG:

PHP Coding Standards – Laying Down the Law

Posted on 20 September 2006 by Demian Turner

There was a fantastic CS helper package released at PEAR this week, PHP_CodeSniffer. The package, which requires PHP5 and is nicely coded, puts a phpcs script in your path so you can pass files or directories to it to get your CS validated.

The results are detailed and processing is surprisingly fast considering how many tokens are being parsed.

[demian@localhost lib]$ phpcs -v SGL.php
Registering sniffs… DONE
Processing SGL.php [2587 tokens in 425 lines]… DONE in < 1 second

Typical CS errors/warnings look like this, I just fixed the errors in this case 😉

PHP_CodeSniffer is a godsend when you’re in the position of having to explain to newbies, on average twice a week, what PHP coding standards are and what the difference is between conditional and method bracing, etc, etc.

As we’ve seen ZDE and various other IDEs bundle other PEAR packages with their software like phpDocumentor, I hope this tool too becomes a standard IDE helper in the near future.

Hats off to Squiz for putting PHP_CodeSniffer together.

Seagull 0.6.0 Released

Posted on 23 August 2006 by Demian Turner

After 3 release candidates, stable version 0.6.0 of the Seagull framework was released last week; download it here. Blame it on the heat wave this summer in the UK, we broke our "1 release per month" mantra for the first time in 3 years, but I think the results were worth waiting for.

There are various formats of the release available:

  • the minimal, weighing in at 2MB – just the framework and core modules
  • developer at 3.4MB – includes 14 modules, the unit and web test runner, documentation, all libs, examples

A pearball will shortly be released in which the PEAR libs are obviously not bundled, and if you exclude the somewhat weighty tinyFCK libs, this version of Seagull will go out at 504kb, addressing some complaints that have been voiced about package size 😉

Aside from the improved stability and bugfixes you’d expect in an even-numbered release, some notable new framework features in 0.6.0 are:

  • automated module installation for admin users, and improvements to the module generator wizard
  • module config files now have a GUI interface for editing (Julien Casanova)
  • additional checks in the installer for open_basedir restriction, allow_url_fopen problem in XML_Parser handled, and additional authentication checks (Steven Stremciuc)
  • improved wizard functionality based on PEAR’s HTML_QuickForm_Controller (Malaney J. Hill)
  • SQL parsing improved, more unit tests added (Randy Casburn)
  • nice CAPTCHA component (Steven Stremciuc)

On the CMS side of things, module improvements include:

  • a new default theme by Julien Casanova, and a contributed theme by Neil Mather
  • RSS blocks are now configurable (Werner Krauss)
  • admin screens added for FAQ, Guestbook, Newsletter modules (Matt Flaherty, Rares Benea)
  • Upgraded TinyFck to 0.12 (Elijah Insua)
  • updates in many of the translations

In community news quite a bit has been happening too:

And forgive me for leaving the trendiest thing for last: there’s a bunch of new AJAX modules that are near completion; these will be announced shortly.

PHP Shell Gets Even Better

Posted on 15 June 2006 by Demian Turner

As recently commented, PHP has been in great need of a decent shell environment for some time now and, as users of Python and, even better, Ruby’s irb will maintain, access to all the language’s constructs and libs at the commandline is a great timesaver and should be a standard feature for all scripting languages.

Luckily for PHPers Jan Kneschke has come to the rescue and implemented PHP Shell in userland PHP, which provides many of the features that come by default in the aforementioned languages’ interactive shells. If your PHP is compiled --with-readline, even better: standard up-arrow command history is available, as is the ability to backspace into the code you have written but not yet executed.

What is newsworthy about PHP Shell is that it was recently made available as a PEAR lib, so it’s just a matter of

$ pear install PHP_Shell-alpha

and then execute the php-shell.sh script which is discoverable in your PATH if you’re using Linux (or there is a cmd equivalent for Windows users still on the dark side).

Although the docs section of PHP_Shell is still empty at the PEAR site, a README is available with the package with all the basic info you will need, or just type ‘?’ at the command line once the interactive script is running.

I personally think this is one of the more exciting PEAR releases to come about in a long time. Not to diminish the importance of the steady and voluminous release of packages enjoyed by the PEAR project (and more so by PHP users) over the last months, but PHP Shell is something I will use on a daily basis as part of earning my living as a programmer, along with phpDocumentor, PEAR::Log and Mail and many of the bread and butter packages required for any decent web app.

At a time where the trend is to move away from PEAR, or to rewrite many of the PEAR libs from scratch instead of improving existing work (ezComponents, Zend Framework), I tip my hat to the hard working PEAR community and wish the project the continued success it deserves, despite current fashion trends.
