published: Sunday 30 August 2020
modified: Sunday 30 August 2020
author: Hales
markup: html
Meta: site comments, Minisleep 1.20 released
It's nice to see comments popping up out of the woodwork on my old posts occasionally. I hope to have some more laptop-adventure topics up soon, which will include such fun feats as:
- Blessing and burying my Latitude 3160 laptop, complete with horse dung flinging.
- Getting the dodgiest and cheapest 11.6" I could find at short notice. $120 of Thinkpad x131e 2012-era goodness, complete with government stampings.
- Replacing wifi antennas + coax in said laptop and going around the twist damaging all of my wifi cards.
- UEFI reverse engineering and modification to permit non-whitelisted wifi cards (as well as some humorous boot-splash re-skinning). Perhaps even a light dive into some rather interesting BIOS rev-eng forums of the web.
- Bashing new laptops that only have USB-C or (shock horror, they exist now) laptops that do have USB-A but have little flip-out doors for them.
- Bemoaning the general bad state of 2nd hand laptop pricing and fashion trends in general.
New Minisleep release
Contains a lot of long-overdue fixes that I've had done for a long time, but not released because I wanted to finish the list. David was so excited he joined a different wizarding guild:
Biggest and most notable changes:
CSRF protections
I realised over time this was a big hole in the site protections. You have to manually/actively target someone for this to work (automated attacks are unlikely to be fruitful) but it's still a nasty concept.
Unfortunately these changes mean the administration page is no longer a standard page; it has to be generated dynamically by the CGI code instead. Not how I envisaged my empire when I first took office, but it's the simplest solution to the problem of providing CSRF tokens before you run important requests.
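A sketch of the token flow described above, for a shell CGI: the form is rendered per request with a fresh single-use token, and the POST handler acts only after that token checks out. This is an added example, not Minisleep's own code; the function names, store path and 15-minute lifetime are assumptions, and there is no file locking, so it assumes one administrator at a time.

```shell
#!/bin/sh
# Added example with hypothetical names; not Minisleep's code.
# Assumed store path: a private directory outside the web root.
CSRF_STORE=${CSRF_STORE:-/var/tmp/example-cms/csrf_tokens}
CSRF_TTL=900   # seconds a token stays valid (assumed value)

# Mint a random single-use token, record it with its expiry time, print it.
csrf_issue() {
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    ( umask 077
      printf '%s %s\n' "$token" "$(( $(date +%s) + CSRF_TTL ))" >> "$CSRF_STORE" )
    printf '%s\n' "$token"
}

# Return 0 only for a well-formed, known, unexpired token. The token is
# consumed on presentation and expired entries are purged as a side effect.
csrf_check() {
    candidate=$1
    [ "${#candidate}" -eq 32 ] || return 1
    case $candidate in *[!0-9a-f]*) return 1 ;; esac
    [ -f "$CSRF_STORE" ] || return 1
    if awk -v t="$candidate" -v now="$(date +%s)" '
        ($1 "") == (t "") { if ($2 > now) found = 1; next }  # consume it
        $2 > now                                             # keep live tokens
        END { exit !found }' "$CSRF_STORE" > "$CSRF_STORE.new"
    then ok=0; else ok=1; fi
    mv "$CSRF_STORE.new" "$CSRF_STORE"
    return "$ok"
}

# GET: the form is generated per request so it can embed a fresh token.
# POST: the state-changing action runs only after the token checks out.
handle_request() {
    if [ "$REQUEST_METHOD" = POST ]; then
        body=$(head -c "${CONTENT_LENGTH:-0}")
        sent=$(printf '%s' "$body" | tr '&' '\n' | sed -n 's/^csrf=//p' | head -n 1)
        if csrf_check "$sent"; then
            printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\nsaved\n'
        else
            printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nbad token\n'
        fi
    else
        printf 'Content-Type: text/html\r\n\r\n'
        printf '<form method="post"><input type="hidden" name="csrf" value="%s">' "$(csrf_issue)"
        printf '<button>Save</button></form>\n'
    fi
}
```

A form on another site cannot read the token out of the generated page, so a forged POST arrives without a valid `csrf` field and gets the 403 branch.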
Better HTTP server support
Especially for users of shared hosting (LiteSpeed). It turns out I had fixed that in this copy of the site, but forgot to port the changes to the main codebase. Whoops, now resolved.
Where to from here
Dregs on my todo list:
- Add BASH_COMMAND to trap fail internal line (bash is useful to run Minisleep with because of its better error handling/reporting than many more vanilla POSIX shells)
- Trim extra newline at end of every page edit (this is just plain annoying)
- Add recommendation of wfm cgi filemanager (but first I need to try and fix my patches to fix HTTP headers _and_ problems with the cgi library used are upstreamed. I had a look at that a long time ago, but didn't have time to follow through).
- Add page-delete functionality (dangerous, but perhaps less so now with the CSRF protections).
I'm contemplating writing a miniature forum engine instead of shipping commenting support for Minisleep. I have some crazy ideas for that (databases are for wimps!), might be fun.
Meanwhile I now have to contemplate updating my various sites with this latest version. Vanilla installs are easy, but this site here (halestrom.net) has quite a few deep mods to add the extra features I use on my blog. The CSRF changes mean I might also lose my pretty admin page's ability to be publicly accessed. I'll lurch to that another day.