JJP's junkyard

\[x = {-b \pm \sqrt{b^2-4ac} \over 2a}\].

It appears that procedures described in the Access Security Guide for the HP ProCurve 2510G-24 (J9279A) are misleading. I found several requests for help online on this topic regarding HP ProCurve devices with similar documentation.

Furthermore, while testing, I discovered that step-by-step following the procedure actually allows password access when selecting ‘none’ as the secondary login authentication method, possibly leading you to a security breach. Thus, one should test:

1. that one gets access with a legitimate key,
2. that one does not get access if he owns only illegitimate keys,
3. that one does not get access if he owns no key.

In cases 2. and 3., you should definitely get no password prompt.

I had the following requirements (among others not mentioned here):

– ssh clients get access only through public keys,

– managers get access directly as managers (and do not need to explicitly move to enable level),

– operators get access directly as operators (and cannot move to enable level).

The following configuration tested successfully on default config:

crypto key generate ssh rsa
copy tftp pub-key-file <IP_of_your_TFTP_server> <Path_of_the_managers_public_keys_file> manager
copy tftp pub-key-file <IP_of_your_TFTP_server> <Path_of_the_operators_public_keys_file> operator
ip ssh
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none

Misstepped on this issue whilst attempting to conjure up a feed with a query string such as blabla.php?foo=bar.

The error message title-mentioned may actually be the conclusion of different conditions, so the following may or may not be applicable for you.

The ‘=’ char in the query string is converted to ‘%3D’ by SimplePie_IRI::replace_invalid_with_pct_encoding(); dunno whether the feed provider should accept PCT encoded query string, but it fails miserably in my situation nonetheless. So added ‘=’ in the list of authorized chars in SimplePie_IRI::replace_invalid_with_pct_encoding() invocation in SimplePie_IRI::set_query(), just as it is already done in SimplePie_IRI::set_host() and SimplePie_IRI::set_path().

Here attached the according patch.

--- simplepie.inc.old	2011-02-10 12:53:00.000000000 +0100
+++ simplepie.inc	2011-02-10 12:53:17.000000000 +0100
@@ -12151,7 +12151,7 @@
 		}
 		else
 		{
-			$this->query = $this->replace_invalid_with_pct_encoding($query, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~!$\'()*+,;:@/?');
+			$this->query = $this->replace_invalid_with_pct_encoding($query, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~!$\'()*+,;:@/?=');
 		}
 		$this->valid[__FUNCTION__] = true;
 		return true;

Got busy with SimplePie today.

Background reference: I discovered SimplePie this morning as an alternative for MagpieRSS (yeah, I acknowledge I’m late on this), with which I had issues with HTTPS’ transfered feeds.

Unluckily, SimplePie proved to have issues with HTTPS too. During my tests, such protocol access resulted in the error message mentioned in the title of this post.

It appears that this is a real bug in SimplePie.

At one point, a hostname value is computed in order to be used by fsockopen(). PHP manual states that “ssl://” or “tls://” may be prepended to hostname value in order to use SSL/TLS with this function. In simplepie.inc, this newly computed hostname value is further used in HTTP’s HOST header, hence the server spits out an HTTP error, and such response is not likely to provide in the end a suitable input for the XML parser.

The following patch corrects this bug. I double-checked any side-effects.

--- simplepie.inc.old	2011-02-10 12:53:00.000000000 +0100
+++ simplepie.inc	2011-02-10 15:45:31.000000000 +0100
@@ -7733,14 +7733,15 @@
 				$url_parts = parse_url($url);
 				if (isset($url_parts['scheme']) && strtolower($url_parts['scheme']) === 'https')
 				{
-					$url_parts['host'] = "ssl://$url_parts[host]";
+					$fsock_host = "ssl://$url_parts[host]";
 					$url_parts['port'] = 443;
 				}
 				if (!isset($url_parts['port']))
 				{
+					$fsock_host = $url_parts['host'];
 					$url_parts['port'] = 80;
 				}
-				$fp = @fsockopen($url_parts['host'], $url_parts['port'], $errno, $errstr, $timeout);
+				$fp = @fsockopen($fsock_host, $url_parts['port'], $errno, $errstr, $timeout);
 				if (!$fp)
 				{
 					$this->error = 'fsockopen error: ' . $errstr;