Mango Blog Setup Folder Security

Posted By: Mark Aplet 8 Comments June 29, 2010

Over the last few days I have found an alarming number of 404 errors in my ColdFusion server logs. They all had one thing in common: a missing setup.cfm page. Naturally we don't want 404 errors, right? In this case it's a good thing.

It is my belief that someone, or some group of people, is testing the security of Mango Blog by looking for the setup directory that ships with Mango Blog when you first download and set up your blog. The installation instructions state that once your blog is set up correctly, you should remove the setup folder from the admin directory, to prevent no-gooders from doing anything malicious to your site.

I went to the mangoblog.org site and took a look at a long list of people in the "Who uses Mango" section of the site, and almost everyone still had the setup directory intact. I was actually really surprised to see the carelessness of so many people, especially by a few people that SHOULD know better than that.

What's worse is that I was able to add a new table to one unlucky site by guessing the username, password, and datasource! And it wasn't very hard! How lazy are we, people!? Do we have to get hacked before we wise up? This is just plain ridiculous! I am not even a security person and was able to compromise one system in just a few minutes. Imagine what a security expert could do with all their tools and knowledge.

Mango Blog owners: remember that you need to delete the setup folder after the installation has been verified. It's obvious to me that people are checking for the existence of setup.cfm, so we had best be on our toes.

My Solution

Here is what I am proposing as a solution. I am interested in your feedback.

The idea I had was to have the admin overview page check for the existence of the folder and, if it finds the setup folder intact, warn you that leaving the setup folder on the server is a security risk. It should then offer the admin user a chance to delete the folder. I think this is a better method, as it gives the blog administrator a good chance to verify that things are working before deleting the folder. It also gives a continual reminder to those who forget to delete the folder on their own.

Here is a sample design that I had. Maybe there is a better way to do things. I just thought I would get the ball rolling and see what can be done.

A plugin could easily be built for this, but I honestly feel it should be a part of the core install and not a plugin provided by an end user. Leaving it to a plugin would pretty much defeat the purpose.
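One way to implement the check described above, as an added example (this is not Mango Blog's own code). It assumes the setup folder lives at /admin/setup under the web root, that the overview template is only served to a logged-in administrator, and that session management is enabled in Application.cfc. The delete is tied to a POST carrying a per-session token, so a crafted link, an image prefetch, or a forged form on another site cannot trigger it.

```cfml
<!---
  Added example, not Mango Blog's own code.
  Assumptions: setup folder at /admin/setup under the web root; this template is
  reachable only by a logged-in admin; session management is enabled.
--->
<cfset setupDir = expandPath("/admin/setup")>

<cfif directoryExists(setupDir)>

    <!--- Issue a per-session token once; the delete form must echo it back. --->
    <cfif NOT structKeyExists(session, "setupDeleteToken")>
        <cfset session.setupDeleteToken = hash(createUUID(), "SHA-256")>
    </cfif>

    <!--- Only act on a POST that carries the matching token. A plain GET (a link,
          a prefetch, an <img src>) must never delete anything, and a forged POST
          from another site does not know the token. compare() is case-sensitive,
          unlike EQ. --->
    <cfif cgi.request_method EQ "POST"
          AND structKeyExists(form, "deleteSetup")
          AND structKeyExists(form, "token")
          AND compare(form.token, session.setupDeleteToken) EQ 0>

        <cfdirectory action="delete" directory="#setupDir#" recurse="true">
        <cfset structDelete(session, "setupDeleteToken")>
        <p class="notice">The setup folder has been removed.</p>

    <cfelse>
        <cfoutput>
        <div class="warning">
            <p><strong>Security warning:</strong> the setup folder still exists at
               <code>/admin/setup/</code>. It is reachable by anyone on the web, and
               server logs show people probing for setup.cfm. Verify that the blog is
               working, then remove the folder.</p>
            <form method="post" action="#htmlEditFormat(cgi.script_name)#">
                <input type="hidden" name="token"
                       value="#htmlEditFormat(session.setupDeleteToken)#">
                <input type="submit" name="deleteSetup" value="Delete setup folder">
            </form>
        </div>
        </cfoutput>
    </cfif>

</cfif>
```

The ColdFusion service account needs delete permission on the setup folder, otherwise the cfdirectory tag throws rather than silently leaving the folder in place. After deleting, request /admin/setup/setup.cfm from outside and confirm you get a 404; that is exactly what the probes in the logs are looking for.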

Tags: Mango Blog · Opinions & Rants

Redesigning the Desktop Calendar

Posted By: Mark Aplet 3 Comments June 11, 2010

Most people use a calendar of one form or another in their day to day lives. With so many people using calendars I am really surprised that nobody has gotten annoyed by their functionality to the point where they felt that they needed to rewrite the way calendars work. Maybe I am alone on this idea but stay with me.

It seems to me that the computer calendar was simply a copy of the old paper calendar. The one that hangs on the wall in your cubicle with last month still in view, because you never look at the thing except when you finally remember to flip it to the next month. Yeah, that one.

It seems to me that when designing the desktop calendar, programmers took the tried and true route. They built the calendar to look just like our old trusty friend, the paper calendar. Granted, they gave us more views like week view, day view, and even year view. But I think there needs to be one more view: "Rolling Month View".

Rolling Month View is for people who like the bird's-eye view of the month, but also want to see the next three or four weeks in addition to the current week. The problem with the traditional calendar system is that if I am at the end of the current month, I have to click over to the next calendar month to see what's going on in two weeks, flipping back and forth counting days, trying not to count those extra days that are dimmed out but added in there to complete the boxes in the grid.

I just want to see what's happening in the next week or two. I never care about what happened last week unless the police are asking me "Where were you on the night of…" Anyway, you get the point.

Below is a screen shot of my calendar for the month of May. Assuming today was the 25th of May, it is nearing the end of the month. Granted I can see a few days ahead, but what if I want to see what's happening the week after? I have to toggle to the next month. Meanwhile the calendar is happy to show me what I did 4 weeks ago. What a waste of space! And totally useless in my opinion.

Rolling Month View might be the solution. It continues to roll the calendar forward a week at a time so you always have the next two or three weeks ahead of you displayed in the familiar monthly grid view.

Here is a very rough screenshot for conceptual purposes. There is probably a nicer way to do the rolling calendar, but this took me all of 1 minute to put together. The point is, it makes sense even if the presentation needs some work.

If you're a developer for Apple, or know a developer for Apple, can you please get this worked into the next version of iCal? I will love you long time.

Tags: Design · Opinions & Rants · Software · usability

Don't Reset – Soft Reset

Posted By: Mark Aplet 7 Comments May 18, 2010

Summary

Soft Reset (for lack of a better name) is very similar to many of the already popular resets like Meyer Reset or YUI Reset, in that the goal is to level the playing field for web developers. What makes this reset different is that it attempts to hone in on and reset only the properties that really need to be reset, leaving some styling to the browser.

My reason for creating this reset is that I wanted a reset that was not bloated with unnecessary resets for HTML elements that I simply didn't use in my layouts. I also didn't think it necessary to reset every property on the page when sometimes a simple localized class would be sufficient. For example, some sites may only need the main navigation and sub-navigation to be reset. Why reset everything only to build it back up for the main content area?

Goals

reset.css

/* Soft Reset */
body, div, dl, dt, dd, h1, h2, h3, h4, h5, h6, pre, code, form, fieldset, legend, input, textarea, p, blockquote, th, td { margin:0; padding:0; }
table { border-collapse:collapse; border-spacing:0; }
fieldset, img { border:0; }
h1, h2, h3, h4, h5, h6, address, caption { font-style:normal; font-size:100%; font-weight:normal; }
caption, th { text-align:left; }
ol.listreset, .listreset ol, ul.listreset, .listreset ul, .listreset li { margin:0; padding:0; list-style:none; }

Usage

For the most part Soft Reset works exactly the same as other resets. The biggest difference is that I abstracted the ordered and unordered list resets into a separate class. Simply apply the class to any list that you need to reset, such as a navigation list. Here is an example of how I would use it.

<ul class="navigation listreset">
   <li><a href="">Home</a></li>
   <li><a href="">Blog</a></li>
</ul>

Why Create The .listreset Class?

Reusing classes is a performance freebie. If you follow the concepts behind Object Oriented CSS (OOCSS) you will already know that abstracting these bits of code can noticeably improve your application's performance, whereas performing a full reset only to build everything up again is a performance drain. If you're using a CSS framework, chances are you're breaking down and rebuilding lists so often that this single class can save you hundreds of lines of code on a larger site.

Samples And Testing

The YUI 2 reset already had a very comprehensive HTML test page. I ran my reset against it to see how it did. I also created my own HTML test page with many of the same elements with a few additional ones.

NOTE: Use Firebug to turn the reset off and on.

YUI HTML Test Page | My Test Page

Feedback

Since this is just something I am dabbling with, I would appreciate your feedback on this. Maybe it's a good idea? Maybe it's a stupid idea? I urge you to download a copy of the Soft Reset CSS and try it out for yourself. See if it works for you. If you have suggestions for improvements, I would like to hear them in the comments below.

Tags: Code · CSS

Reconnecting Mac OS X 10.6.3 to Windows Shares

Posted By: Mark Aplet 1 Comment May 12, 2010

When Apple released the 10.6.3 update, it caused Macs to stop seeing, or being able to connect to, Windows shared drives on the network. If you had a shortcut saved you could still connect to those Windows shares; however, if you lost your shortcut, or were starting fresh, it seemed there was nothing you could do.

Previous versions of OS X showed your Windows computers in the sidebar, listed in the "SHARED" section, but not 10.6.3. The other method of connecting to shared drives is to go to the "Go" menu, select "Connect to Server" (Cmd-K), type in the IP address and hit Connect. For some reason Apple has defaulted the connection type to afp, which is a Mac networking protocol (Apple Filing Protocol). This results in an address like afp://192.168.0.10, and that will not work for connecting to Windows shares.

The solution is simple: change the afp:// prefix to smb:// (for example smb://192.168.0.10) and life will be good.

Tags: General · Software

Open links in a new window

Posted By: Mark Aplet 3 Comments April 30, 2010

If you perform a search for "open links in new window" you will typically find two groups of people: those who hate it when links open in a new window, and those who hate links that don't open in a new window. It seems that people are pretty picky (and vocal) about the manner in which links open. Oddly enough, searching for a good solution proved more difficult than I thought.

Basic Criteria

Because people are so particular about their links opening in new windows, I wanted to give users an option to open linked pages the way they want them to work: a preference toggle of sorts. I also wanted the default to be valid XHTML, and it has to be accessible in its default state or with JavaScript turned off.

Thanks to a friend and fellow web developer Andy Ford, who helped me with the final piece of the puzzle to make this work.

The Code

The code is pretty straightforward. We have a form with a checkbox whose label reads something like "Open links in new window". This works as the preference toggle. If the box is checked, do some dirty and non-valid stuff to the links to make it work (the target attribute is not allowed in XHTML 1.0 Strict, so it is set from script rather than written into the markup).

See a demo of this script here

<form name="targeter">
   <input type="checkbox" name="targetbox" id="tcheck" onclick="targetLinks(this.checked);">
   <label for="tcheck" style="cursor: pointer;">Open links in new window</label>
</form>

<script type="text/javascript">
   // Retarget every link on the page whenever the checkbox is toggled.
   function targetLinks(boNew) {
      var where = boNew ? "_blank" : "_self";   // declared locally, not an implicit global
      for (var i = 0; i < document.links.length; i++) {
         document.links[i].target = where;
         // A page opened via target="_blank" receives a window.opener reference back to
         // this page; rel="noopener" (honoured by current browsers) cuts that off.
         if (boNew && !/\bnoopener\b/.test(document.links[i].rel)) {
            document.links[i].rel = (document.links[i].rel + " noopener").replace(/^\s+/, "");
         }
      }
   }
</script>

I thought this was a bit easier to implement than most of the solutions I found out there, which required you to add a new class to the link. Some people suggested using rel="external" on the links. My response to this is simple: not all links that need to open in a new window are external. Adding rel="external" to such links is not semantic, so I would prefer not to add that markup to my code.

I am sure there is a better way to make this work, but this is what I cobbled together. If you have a better way, I would be interested in knowing about it.

Tags: Code · usability

Theme Design By Mark Aplet

Super Powered by Mango Blog
