This seems like as good a place as any to link to some of my favorite posts:

But here are the most recent pieces...

Fixing a broken Firefox profile via Sync

I've been using Firefox for something like 15 years, so it's no surprise that I eventually ended up with a corrupted profile (perhaps from a sudden shutdown). It was functional 99% of the time, but a few things would break in weird ways, like Local Storage getting cleared periodically for both web pages and extensions. It was subtle enough that by the time I noticed, it was too late to just restore from backup.

The way I eventually fixed it was to use Mozilla's "Firefox Sync" service to copy the data to a new profile. This post describes the steps I took, in case someone else wants to take the same approach.

Read more

URL filtering vulnerabilities in lxml

The lxml toolkit is a library for working with XML and HTML from Python. It includes a utility called Cleaner that supports filtering HTML for dangerous and unwanted elements and attributes, although since early 2022 it has been marked as not suitable for security purposes. Nevertheless, it is still used that way by many projects.

A coworker and I were recently exploring its capabilities. At one point he made a simple mistake that is extremely common in Python, and stumbled onto what I recognized as a vulnerability. Exploring the code more, I found another vulnerability, this one not dependent upon misconfiguration.

(As of this posting, the issues are not fixed and released, but patches are available.)

Read more

Link roundup: Agriculture

I seem to have accumulated some interesting links relating to agriculture, food systems, and general relationship to the land, and I haven't done a link roundup in ages... so today I'll be sharing with you:

  • Landrace gardening
  • A bank that supports local agriculture
  • A blog about apples, agroforestry, pigs, and other topics
  • The benefits of urine as fertilizer
  • A caution on pawpaws

Read more

Playing with Fourier transforms of images

Yesterday I got inspired to start playing around with Fourier transforms of images, and I'd like to share some of the results. Most are intended to just be artistic, although playing around has also given me a little more insight into how the frequency domain relates to the spatial domain. There's also a git repo so that you can reproduce these images and video yourself, and for many of the images I'll link to the version of the code that produced it.

In many of these, I've transformed a grayscale image to the frequency domain, messed around with the amplitude or phase information, and then transformed it back into spatial. In others, I've just plotted the amplitude or phase, and then sometimes post-processed the plots in GIMP.

I'll start off with one of my favorites so far; many more explorations under the cut.

An animation where I just set all the phase information for a sample photo to a constant angle value, then swept that angle through a full circle over the course of the video.

Warning: This is sort of a stream-of-consciousness post. Feel free to just look at the pretty pictures and skim the text.

Read more

What is a parser mismatch vulnerability?

There's a class of security vulnerabilities that has gotten very little attention until recently but shows up everywhere. In the past I called these dueling parser vulnerabilities, but recently there has been more recognition of this vulnerability class, and the terms parser confusion and parser mismatch have come into use. In this post I'll be using "parser mismatch" because it is the clearest and most descriptive.

Optical illusion, a drawing that can be seen as either a rabbit or a duck
Parser mismatches: Optical illusions for software

Broadly defined

A parser mismatch occurs when you have:

  • Two code locations
  • ...each of which tries to parse the same thing
  • ...but where the parsers disagree on what some inputs mean.

In general, you'll see two kinds of behavior:

  • For "normal" inputs they'll almost always agree
  • For malformed inputs, they'll often disagree, creating the possibility of a vulnerability

Kinda abstract. Let's get more concrete.
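An added illustration, not part of the post itself: two toy JSON parsers that agree on well-formed input but disagree when a key is repeated, plus a strict parser that refuses the ambiguous input rather than guessing. The first-wins hook, the sample inputs and the function names are constructed for this example; the last-wins behaviour is Python's own json.loads.

```python
import json

# Constructed inputs (not from the post): a well-formed object and one
# where the same key appears twice, which the JSON spec leaves unspecified.
NORMAL_INPUT = '{"user": "alice", "role": "user"}'
AMBIGUOUS_INPUT = '{"user": "alice", "role": "user", "role": "admin"}'


def first_wins_parse(text):
    """Toy parser A (hypothetical): keeps the FIRST value seen for a repeated key."""
    def keep_first(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)
        return obj
    return json.loads(text, object_pairs_hook=keep_first)


def last_wins_parse(text):
    """Parser B: plain json.loads, where the LAST value for a repeated key wins."""
    return json.loads(text)


def parsers_agree(text):
    """True when both parsers produce the same object for this input."""
    return first_wins_parse(text) == last_wins_parse(text)


def strict_parse(text):
    """Defensive parse: reject any object with a repeated key instead of guessing.

    Raises ValueError so the caller never acts on an input that two
    parsers could legitimately interpret differently.
    """
    def reject_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r}: ambiguous input rejected")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=reject_duplicates)


def is_ambiguous(text):
    """True if strict_parse would reject the input (i.e. the parsers can disagree)."""
    try:
        strict_parse(text)
    except ValueError:
        return True
    return False
```

If a front-end validator used parser A to check the role and a back-end used parser B to act on it, the ambiguous input would pass validation as "user" and execute as "admin"; rejecting repeated keys at the boundary removes the disagreement.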

Read more

100% whole wheat sourdough: No-knead, overnight, Dutch oven

This is a recipe for a 100% whole wheat sourdough with no extraneous ingredients: Just flour, water, salt, and starter. It does not require any kneading, and instead relies on a low-effort series of tensioning steps over the course of an evening, followed by an overnight proof rise. In the morning it is baked in a Dutch oven.

By the numbers:

  • Active work time is about 30 minutes including all prep and cleanup, assuming a practiced hand. (On top of that, starter maintenance totals about 10 minutes per week.)
  • Start to finish is about 18 hours, but varies based on ambient temperature.
  • In baker's percentages, the recipe is 81% hydration and 1.8% salt.
  • 15% of the total flour is prefermented (that is, is contributed by the starter).

This recipe is best for winter; in a 55–65°F kitchen, a dough started in the afternoon will be ready to proof by bedtime but will not be overproofed by morning. In summer, a different recipe may work better.

I am not a professional baker, and I'm sure this recipe could stand to be improved. (Suggestions welcome, especially if you end up making it!) But this has been my weekly bread for a year now, and I've been quite pleased with the results.

Top view of baked bread
Angled view, showing top and side
Cross-section, showing tight crumb

Read more