Category: Hacking

Combine 2 Django Querysets from Different Models

If you’ve ever tried to concatenating two or more querysets from different models (i.e. combined = queryset1 | queryset2), you’ve hit this lovely error:

Cannot combine queries on two different base models.

The solution to this is to use itertools.

from itertools import chain
result_list = list(chain(queryset1, queryset2))

view raw
query.py
hosted with ❤ by GitHub

This allows you to not only combine the querysets into a single iterable, but it also allows you to sort the entire set by a shared field such as the date created:

from itertools import chain
from operator import attrgetter
# ascending oreder
result_list = sorted(
chain(queryset1, queryset2),
key=attrgetter('date_created'))
# descending order
result_list = sorted(
chain(queryset1, queryset2),
key=attrgetter('date_created'),
reverse=True)

view raw
query.py
hosted with ❤ by GitHub

Apple Pay Website Integration – A Guess

Benedict Evans wrote a great post on Apple Pay and asked the question – what’s next?

Well here’s a guess (pulled from these tweets)…

1/12
I haven’t seen Apple Pay website integration discussed much yet

2/12
So here’s a guess as to how it will work…

3/12
At the beginning of a site’s checkout flow (i.e. before filling out any forms), you’ll click the  Pay button

4/12
The site will ping Apple via the API which will in turn ping your iOS device (similar to 2-factor auth)

5/12
You’ll select the card to pay with and use your thumb to approve

6/12
The site will then receive a payment token to charge the order to

7/12
Ideally the site could then pull your billing / shipping info from Apple to skip those forms as well

8/12
The only step remaining will be to hit the checkout button (perhaps you tap your thumb a second time to confirm)

9/12
Simple, clean and no more credit cards online

10/12
Bonus – an obvious extension is to use the same system for 2-factor auth

11/12
Rather than enter the code shown in Google Authenticator or Authy, just press your finger

12/12
Which begs the question, could you even remove the password requirement?

Using Typekit CDN Web Fonts Locally While Offline (No Internet Connection)

I’ve got an important demo coming up in a few weeks (more on that at a later date) and like any good presenter, I’m going to assume that things won’t work. WiFi will be slow or non-existant (maybe I won’t upgrade to Yosemite just yet), my local web server will mysteriously stop responding and I’ll drop my laptop on the way there.

So at a minimum I’ll need two computers prepped with a site that will run 100% correctly without an internet connection. A backup screencap of the demo is probably a good idea as well.

For the majority of the application, running offline won’t be an issue – point the config files at a local database, turn off the CDN, etc. But there’s one resource that is strictly web-based – Adobe’s Typekit. As of this writing they only provide CDN access to the fonts so you can’t simply download the font files and use them.

Presenting without the fonts is not an option so either I purchase the actual font files for a few hundred bucks or I figure out how to hack Typekit.

Obviously I’m going with option two so here we go…

If you’ve used Typekit before, you’ll be familiar with the following snippet they provide to add fonts to your site.

<script type="text/javascript" src="//use.typekit.net/lfz0vxv.js"></script>
<script type="text/javascript">try{Typekit.load();}catch(e){}</script>

view raw
page.html
hosted with ❤ by GitHub

This JavaScript file is responsible for loading the CSS that contains the font data from Typekit’s CDN (the URL is set in line 9 – “f”:”//use.typekit.net…”). So the first thing to do is download this file and save it locally.

/*
Original
https://use.typekit.net/lfz0vxv.js
*/
/*
* For font license information, see the CSS file loaded by this JavaScript.
*/
if(!window.Typekit)window.Typekit={};window.Typekit.config={"c":[".tk-freight-sans-pro","\"freight-sans-pro\",\"Helvetica\",\"Arial\",sans-serif"],"f":"//use.typekit.net/c/7302fd/1w;freight-sans-pro,1,TJ9:N:i3,TJF:N:i5,TJ8:N:n3,TJB:N:n4,TJD:N:n5,TJG:N:n6/{format}{/extras*}?3bb2a6e53c9684ffdc9a9bf11e5b2a6273d805f491df729128ca517d0b865e0e191e7b5aee445efc6d4ab4dc94e67aefe35eac8915e2de0959b2bb14cb74eb97243001a4e12199258e040dfe98f737ffac5827d670b2821c337b4c001b82bb67b53127b8ef655ac395a8807eadc56b96dfce3ebaeaf23eda54a42b78fd6598bf206c475067f1648d3f4fcce42c1c8687de1fd8c8d7fdc3934dc65b290046cea982d0a7ac4abb5c8f802f88867e69","fn":["freight-sans-pro",["i3","i5","n3","n4","n5","n6"]],"k":"//use.typekit.net/{id}.js","p":"//p.typekit.net/p.gif?s=1&k=lfz0vxv&ht=tk&h={host}&f=10954.13456.13457.13458.13459.13460&a=671597&_={_}","w":"lfz0vxv"};
/*{"k":"1.7.0","created":"2014-01-09T10:53:52Z"}*/
;(function(window,document,undefined){
[JAVSCRIPT STUFF...]
})(this,document);

view raw
lfz0vxv.js
hosted with ❤ by GitHub

The next step is to grab the CSS file that’s specified in the JavaScript file (the use.typekit.net address in line 9).

/*
Original
https://use.typekit.net/c/7302fd/1w;freight-sans-pro,1,TJ9:N:i3,TJF:N:i5,TJ8:N:n3,TJB:N:n4,TJD:N:n5,TJG:N:n6/d?3bb2a6e53c9684ffdc9a9bf11e5b2a6273d805f491df729128ca517d0b865e0e191e7b5aee445efc6d4ab4dc94e67aefe35eac8915e2de0959b2bb14cb74eb97243001a4e12199258e040dfe98f737ffac5827d670b2821c337b4c001b82bb67b53127b8ef655ac395a8807eadc56b96dfce3ebaeaf23eda54a42b78fd6598bf206c475067f1648d3f4fcce42c1c8687de1fd8c8d7fdc3934dc65b290046cea982d0a7ac4abb5c8f802f88867e69
*/
/*{"c":"2014-10-30T14:18:23Z","s":"prod-origin-fd43d310","v":"9b86fd"}*/
/*
* The Typekit service used to deliver this font or fonts for use on websites
* is provided by Adobe and is subject to these Terms of Use
* http://www.adobe.com/products/eulas/tou_typekit. For font license
* information, see the list below.
*
* freight-sans-pro:
* – http://typekit.com/eulas/000000000000000000010b59
* – http://typekit.com/eulas/000000000000000000010b5d
*
* (c) 2009-2014 Adobe Systems Incorporated. All Rights Reserved.
*/
@font-face {
font-family:"freight-sans-pro";
src:url(data:font/opentype;base64,[…FONT DATA…]);
font-style:italic;font-weight:300;
}
@font-face {
font-family:"freight-sans-pro";
src:url(data:font/opentype;base64,[…FONT DATA…]);
font-style:italic;font-weight:500;
}

view raw
fonts.css
hosted with ❤ by GitHub

UPDATE: It appears that Typekit has changed the way the CSS file is loaded. You’ll need to use a tool such as Chrome’s network inspector to retrieve the full URL to the file. It will look something like this:

https://use.typekit.net/c/7302fd/1w;freight-sans-pro,1,TJ9:N:i3,TJF:N:i5,TJ8:N:n3,TJB:N:n4,TJD:N:n5,TJG:N:n6/d?3bb2a6e53c9684ffdc9a9bf11e5b2a6273d805f491df729128ca517d0b865e0e191e7b5aee445efc6d4ab4dc94e67aefe35eac8915e2de0959b2bb14cb74eb97243001a4e12199258e040dfe98f737ffac5827d670b2821c337b4c001b82bb67b53127b8ef655ac395a8807eadc56b96dfce3ebaeaf23eda54a42b78fd6598bf206c475067f1648d3f4fcce42c1c8687de1fd8c8d7fdc3934dc65b290046cea982d0a7ac4abb5c8f802f88867e69

Now we’ve got the two files necessary to render the fonts, but we need to do a couple things before they’ll actually work.

First we need to update the HTML snippet to point to our local JS file.

<script type="text/javascript" src="{% static 'offline/typekit.js' %}"></script>
<script type="text/javascript">try{Typekit.load();}catch(e){}</script>

view raw
page.html
hosted with ❤ by GitHub

Next edit the JS file so that it points to the local version of the CSS file (specifically, set the following to your local path – “f”:”/offline/fonts/”).

/*
* For font license information, see the CSS file loaded by this JavaScript.
*/
if(!window.Typekit)window.Typekit={};window.Typekit.config={"c":[".tk-freight-sans-pro","\"freight-sans-pro\",\"Helvetica\",\"Arial\",sans-serif"],"f":"/offline/fonts/","fn":["freight-sans-pro",["i3","i5","n3","n4","n5","n6"]],"k":"//use.typekit.net/{id}.js","p":"//p.typekit.net/p.gif?s=1&k=lfz0vxv&ht=tk&h={host}&f=10954.13456.13457.13458.13459.13460&a=671597&_={_}","w":"lfz0vxv"};
/*{"k":"1.7.0","created":"2014-01-09T10:53:52Z"}*/
;(function(window,document,undefined){
[]
})(this,document);

view raw
typekit.js
hosted with ❤ by GitHub

The important thing to note here is that I haven’t pointed directly to the CSS file (i.e. “f”:”/offline/fonts.css”). Unfortunately the JS file adds a slash to that URL based on some regex which prevents it from loading (i.e. /offline/fonts.css/).

So rather than figure out what to edit in the JS, I simply set up a new view in Django to serve the file at a path with a slash at the end (i.e. “f”:”/offline/fonts/”).

from __future__ import absolute_import
from django.views.generic import TemplateView
class FontsView(TemplateView):
template_name = 'offline/fonts.css'
content_type = 'text/css'

view raw
fonts.py
hosted with ❤ by GitHub

With that in place, I can now run the site completely offline without depending on Typekit’s CDN for font delivery.

And one last note, don’t forget to set Typekit to allow your local domain as explained here.

rsync to AWS EC2 Using PEM Key

I ran into a situation today where I needed to have a master EC2 instance sync its files to an array of other EC2 instances. Using SSH and rsync makes this trivial except for one thing, how to connect using the PEM file instead of a username / password combo.

The trick is to pass the PEM file to SSH using the rave parameter:

rsync -rave "ssh -i /path/to/EC2_KEY.pem" /path/to/local/files/* EC2_USER@EC2_INSTANCE:/path/to/remote/files

view raw
sync.sh
hosted with ❤ by GitHub

Other than everything works the same as typical rsync.

Where is Xcode 6.1?

As of this morning the version of Xcode in the Mac App Store is still 6.0.1 and the Xcode downloads page in the developer center says available shortly.

But if you’ve upgraded to Yosemite and are using a package manager such as Homebrew, you’re required to have 6.1. So now what?

Simply head over to the main downloads page in the developer center and grab both Xcode 6.1 and the command line tools.

CVE-2014-6271 – Vulnerability in Bash

There’s a very nasty vulnerability in Bash that allows code execution via remote attackers:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

To test if you’re vulnerable, simply execute this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output includes the word “vulnerable,” then your system is vulnerable.

Amazon will be doing a massive restart of all EC2 instances this weekend (starting Friday and running through Sunday) to patch all affected systems. Managed services including RDS, ElastiCache, and RedShift will also be affected.

Instance types that will NOT be impacted:

  • R3
  • T1
  • T2
  • M2
  • HS1

AWS plans to stage the reboot process so that each region will have only one AZ patched each day. Additionally, AWS states that it will not patch instances in multiple regions at the same time within the same AWS account.

More info here:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://alas.aws.amazon.com/ALAS-2014-418.html

Google’s Chrome 39 Sunsetting SHA-1

Google has announced that they are sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November 2014. SHA-1 root certificates are not affected by this plan.

Most providers are offering free upgrades to SHA-2 certificates so be sure to contact yours to see if you qualify.

More info can be found on Google’s security blog.

Setting S3 Cache Metadata

By default Amazon’s S3 doesn’t set any Cache Control headers. Even worse, the only way to set them via their S3 management console is file-by-file.

Not exactly scalable.

Until they give us a quick and easy way to do this, here’s a simple Python script using Boto (thanks to Blackpawn).

Note that the script iterates over every object in your buckets, so if you have a ton of objects, it may not be the solution for you.

from boto.s3.connection import S3Connection
connection = S3Connection('aws access key', 'aws secret key')
buckets = connection.get_all_buckets()
for bucket in buckets:
for key in bucket.list():
print('%s' % key)
if key.name.endswith('.jpg'):
contentType = 'image/jpeg'
elif key.name.endswith('.png'):
contentType = 'image/png'
else:
continue
key.metadata.update({
'Content-Type': contentType,
'Cache-Control': 'max-age=864000'
})
key.copy(
key.bucket.name,
key.name,
key.metadata,
preserve_acl=True
)

view raw
s3.py
hosted with ❤ by GitHub