I want to host a website on Boomla where the user can enter program code and a client-side compiler compiles it. The compiler uses eval() internally, which I cannot work around, so I absolutely need it enabled.
The default Content-Security-Policy rules do not allow eval, and it is not allowed to enable it with .ContentSecurityPolicy either.
You can now use the Content-Security-Policy rule script-src 'unsafe-eval'.
Original answer: Correct, it's impossible right now. Let me get back within a day, I have already been considering to enable it on demand (make it configurable).
Related
I'm trying the WiseGuy sample app in Java and can get Alexa to say "knock knock" but then the light turns off and that's it, I don't get to say "who's there".
Same issue with my own skill, even though I'm using newAskResponse(). Is there anything else I need to do?
Thanks!
Etienne
Fixed it by using the jar file produced by Maven instead of directly using the source code. Not sure why that makes a difference.
When you face issues like this, don't forget, you can use the skill configuration "Test" tab, to test the skill, to make sure it's not an interpretation problem (which can happen often).
Also, if doing that still gives you a response that you are not expecting you can copy that intent request:
And that past it on your lambda function event Test, there you will be able to see a more detail "debug" and if you are still not sure, make sure you do a few prints to at least pin point where the issue is:)
This may be better servered on ServerFault, however, I'm evaluating nginx to determine if it's able to solve a particular problem.
Problem
I want to use nginx response caching with FastCGI Cache. But I need to set the cache key with a value from a cookie. The problem is the cookie needs to be decrypted before I can get the value to use it in the cache key.
What I Know
I know how to configure nginx as a cache (fastcgi_cache). I also know I can set and use a custom variables in the cache key (fastcgi_cache_key). However, I don't know how to call a custom function to decrypt the cookie. I know nginx has the concept of modules. I have also noticed integration with Lua.
Question
Provided my decryption is available as C code, can I access this external code from the nginx configuration and use its return value?
As long as your code is in C, easiest solution would be to write simple nginx module which provides a variable with the decrypted value. Relatively simple example of how to provide a variable may be found in ngx_http_secure_link_module.
The Lua module can indeed help you if compiled it with LuaJIT.
Look here for a simple example of how to interact with cookies: http://mailman.nginx.org/pipermail/nginx/2011-January/024798.html
Now with LuaJIT you could use the FFI to call your C decryption code: http://luajit.org/ext_ffi.html
Another possibility would be to do it all in C, which may be faster but would probably be more work.
I'm currently writing a little commercial PHP Script which would be a VPN (PPTP) manager, in command line.
Actually, it's a socket server which is waiting for commands like "create", "suspend", "unsuspend", "changepassword"... Then it parses the PPTP files and modify them.
The thing is that I will have to give the PHP files which are so simple that they ONLY need php5-cli to be installed (and no apache, nothing else), I need to protect it from being read (actually, it's only 1 file, which is an entire class. The rest can be clear).
I want the system to be lightest as possible, that's why there is no need of GUI, web-server, curl, *sql...
I thought about IonCube, but it's very expensive and can't be used on with cli scripts because it needs a loader, which is loaded by apache. This is the problem of every encoder I think.
I thought about HipHop PHP (From Facebook), but it's hard to understand how to use (because I can compile my sources, but the user guide says how to launch our clear source with it :/ ).
So, I'm here to get help about that. I have some PHP-cli scripts, which must run in command line, which don't need a webserver to work, and I only need (as it's a commercial product) to protect my sources from reading and illegal ditribution (it will be easy to bypass the licence system). This file is simply a PHP class.
Thanks.
-- Edit --
Precisly, I want to make it paid by month, 6 months, year. If it's clear, then everybody will be able to comment the licence check, and have it for free. I love the opensource, for proof, I've written 3 classes for this project, a debug/warning/error manager with output handling (stdout/stderr/logfile) and a Socket class, which you just have to include and extends from, and you have a complete server (and you just have to implement needed functions, the server will call the "received commmand"(), and I don't want to obfuscate these 2 classes.
As to ionCube, there is an online encoder available that does a one-time encode of your script for just a few bucks, depending on the size of your codebase. If you write your own licensing mechanism, you could be able to use that. Besides, your statement about the ionclube loader is incorrect, no apache necessary, it's just a module that can be loaded in php.ini. IonCube is - in my opinion - a good choice.
Do take your time to really ask how much protection you need. A computer will always understand how to interpret your code, so eventually a human being will be able to peek inside, if he really wants to.
If the ionCube loader isn't an option on your clients, there are several 'obfuscators' for PHP out there that will probably stop the "quick peekers" from understanding the code in less than one hour. These obfuscaters won't encrypt your code, but they will make it less readable by changing all your variables, functions and class names into some arbitrary hashes, and remove all your comments and whitespace. They don't need anything on the server to be run, but in the end your PHP code will still be just the same.
I'm creating a regular windows application that will be distributed to several users on my department. I'll need to include some connectivity passwords on the App.config file, and I obviously don't want end-users to just fire up notepad and look at the passwords.
Several articles point on how to encrypt/decrypt configuration sections, but it appears you have to share/ship some keys with the deployable solution.
Is there a simpler way, to just cipher some of the settings so that they are not user-readable, but that don't require extra steps or files when redistributing the program? Great plus would be that accessing the configuration settings is still transparent inside the .NET code. I could always just create a custom method to salt/cipher the string and in my custom code decrypt it, but I'm wondering if there's something simpler.
Any answers or links to articles on how to do this are greatly appreciated. Thanks
If you are trying to encrypt your connection string in your App.Config/Web.Config, you can do so using the Configuration class:
Configuration config = ConfigurationManager. OpenExeConfiguration(ConfigurationUserLevel.None);
ConfigurationSection section = config.GetSection("connectionStrings");
if (section != null)
{
if (!section.IsReadOnly())
{
section.SectionInformation.ProtectSection ("RsaProtectedConfigurationProvider");
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Full);
}
}
There are two methods: RsaProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider
See this --> http://www.codeproject.com/KB/cs/Configuration_File.aspx and http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx.
In short, cryptography isn't a magic wand that can magically fix an insecure program.
An attacker will try to obtain passwords from memory using a Debugger while the application is running. The passwords will also exist in the binary and these can be easily obtained. The use of any encryption can be bypassed because the password must be in plain text at the time of use. Any time memory is used it can also be observed with a debugger.
The answer lies in anti-debugging: http://www.codeproject.com/KB/security/Intro_To_Win_Anti_Debug.aspx
More advanced windows Anti-Debugging:
http://www.veracode.com/blog/2008/12/anti-debugging-series-part-i/
http://www.veracode.com/blog/2008/12/anti-debugging-series-part-ii/
http://www.veracode.com/blog/2009/01/anti-debugging-series-part-iii/
http://www.veracode.com/blog/2009/02/anti-debugging-series-part-iv/
Either way, the encryption and decryption of the application configuration file is pointless as the .EXE can be examined by Reflector!
Sure you can obfuscate the code but that will make debugging a nightmare in a production environment where a strange unknown/undiscovered bug crept in as you would not be able to tell what/where/why/how to monitor for a strange bug that will only show up in release as the stacktrace and error messages would be obfuscated also...
That is something to bear in mind about and a potential pitfall...the user may not be tech savvy, but sure they could in theory, ask a friend/relative/partner to hack/break it without your knowledge..This answer is not meant to put you off, and hope you don't feel offended by my answer...
Hope this helps,
Best regards,
Tom.
I have an IE instance embedded in my C application using COM. With IWebBrowser2.Navigate I can pass headers to be sent along with the request, except apparently "Accept-Language". It seems the language settings from IE itself always override the value I pass in for that header. Is there any way around this?
I don't think IE allows you to customize the settings so much. Never used it in C, but Delphi has a wrapper class to IWebBrowser2 (TWebBrowser), and most settings used by the component are global. I mean, the same for standard IE and embedded IE.
Maybe you can change it on Internet Options or even modify some registry keys, but be aware that it will also apply globally (embedded or not).
Have you tried callling SetThreadLocale? Maybe IE ignores the header in favor of the user's language settings.