HOWTO fix: bzr join error of “Trees have the same root”

From https://answers.launchpad.net/bzr/+question/71563

You can do it from within Python like this:
>>> import bzrlib.workingtree
>>> bzrlib.workingtree.WorkingTree.open("subdir2").set_root_id("tree_root_subdir2")

Hopefully I can find this easily in the future (have had to use it before)

xtrabackup bazaar repositories upgraded to 2a format

I have just upgraded the xtrabackup bazaar code repositories to the 2a format. This means that bzr 1.16 is required to access the source code repositories now.

If you get an error like the one below when working with a local branch, you’ll need to run “bzr upgrade” in it (see below for example). For branches on launchpad, you can use the web UI and hit the “upgrade branch” button.

stewart@willster:~/src/percona-xtrabackup$ bzr pull
Using saved parent location: bzr+ssh://bazaar.launchpad.net/%2Bbranch/percona-xtrabackup/
Doing on-the-fly conversion from RemoteRepositoryFormat(_network_name='Bazaar repository format 2a (needs bzr 1.16 or later)\n') to RepositoryFormatKnitPack1().
This may take some time. Upgrade the repositories to the same format for better performance.
bzr: ERROR: KnitPackRepository('file:///home/stewart/src/percona-xtrabackup/.bzr/repository/')
is not compatible with
RemoteRepository(bzr+ssh://bazaar.launchpad.net/%2Bbranch/percona-xtrabackup/.bzr/)
different rich-root support
stewart@willster:~/src/percona-xtrabackup$ bzr upgrade
Upgrading branch file:///home/stewart/src/percona-xtrabackup/ ...              
starting upgrade of file:///home/stewart/src/percona-xtrabackup/
making backup of file:///home/stewart/src/percona-xtrabackup/.bzr
  to file:///home/stewart/src/percona-xtrabackup/backup.bzr.~1~
starting repository conversion                                                 
repository converted                                                           
finished

Joining Percona

As you may have read on the MySQL Performance Blog post – I’ve recently joined Percona. This is a fairly exciting next step. I’ll be in New York for Percona Live next week, where I’ll be giving a session titled “Drizzle 7, GA and Supported: Current & Future Features”.

I’ll write more soon, there’s a lot keeping me busy already!

Drizzle JSON interface merged

https://code.launchpad.net/~stewart/drizzle/json-interface/+merge/59859

Currently a very early version of course, but it’s there in trunk if you want to play with it. Just have libcurl and libevent installed and you can submit queries via HTTP and JSON. Of course, the next steps are getting a true non-sql interface going and seeing how people go with it.

Friendly exploits

If you happen to be friends with me on Facebook you will have seen a bunch of rather strange updates from me last night. This all started with a tweet (that was also sent to Facebook) by a friend who joked about doing something with the <MARQUEE> tag (see http://www.angelfire.com/super/badwebs/ for an example of it and similar things). I saw the joke, as I was reading it through Gwibber or the Facebook website. However…. Leah saw text scrolling over the screen… just like the <MARQUEE> tag actually did.

She was looking at it on her iPad using an app called Friendly.

So I immediately posted a status update: “<script lang="javascript">alert("pwned");</script>”. This is a nice standard little test to see if you’ve managed to inject code into a web site. If this pops up a dialog box, you’ve made it.

It didn’t work. It didn’t display anything… as if it was just not running the script tag. Disappointing. I soooo wanted it to break here.

I did manage to do all sorts of other things in the Live Feed view though. I could use just about any other HTML tag… including forms. I couldn’t get a HTTP request to my server out of a HTML form in the Live Feed view… but once we did manage to crash Friendly (enough that it had to be force quit on the iPad).

I posted a photo of me holding up the iPad to my laptop web cam to show off the basics:

And then one of what happened when I tried a HTML form (this wasn’t reproducible though… so kind of disappointing):

What we did notice however was that HTML tags were parsed in comments on images too…. which made me wonder… It’s pretty easy to make a HTML form button that will do something… so I posted the same image again with a button that would say “Next” but would take you to a web page on one of my servers instead. It worked! I got a HTTP request! Neat! I could then present a HTML page that looked legit and do the standard things that one does to steal off you.

But I wonder if scripts would work…. so I posted:

Photos are proving more exploitable.... <script lang="javascript">alert("pwned");</script>

and then clicked on the image on the iPad……

Gotcha!

I could from here do anything I wanted.

Next… I should probably report this to the developers…. or steal from my friends and make them post things to Facebook implying improper relationships and general things that would get you fired.

I went with the former… but the latter would have been fairly easy as the Facebook page for the app nicely tells me which of my friends use it. I could even target my attack!

So I sent a warning message to friends (the 18 of them who use the Friendly app), sent a “contact the developer” message to the developers, sent out a warning on Twitter and went to bed.

Got an email overnight back from the developer: “We just pushed a server update that solves this issue.”

Now… in my tcpdump while trying some of the earlier things I was just seeing https requests to Facebook API servers from the iPad, but I don’t think I looked too closely at images. I have no idea if they’ve actually fixed the holes and I don’t have an iPad to test it on. If you do, go try it.
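
The behaviour described in this post (tags rendered in the Live Feed, scripts running from photo comments) is what happens when user text is concatenated into markup and one view encodes less than another. The code below is an added example, not Friendly's code: it routes every view through one HTML-encoding renderer and checks the result with the strings from the post. The function names, the item fields, the marquee text and the form markup are assumptions.

```javascript
// Added example, not the Friendly app's code; all names here are hypothetical.
// Encode the characters that let text leave HTML text or attribute context.
// "&" goes first so the entities produced below are not re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pattern the post describes: user text concatenated into markup unchanged.
function renderUnsafe(item) {
  return '<div class="' + item.kind + '">' + item.text + "</div>";
}

// One renderer for every view, so a photo comment cannot skip the encoding
// that a status update gets.
function renderSafe(item) {
  return '<div class="' + escapeHtml(item.kind) + '">' + escapeHtml(item.text) + "</div>";
}

// Regression check: names of the opening tags an HTML parser would see.
// Correctly encoded output contains only the wrapper "div".
function liveTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed inputs: the tag and script strings come from the post; the
// marquee text and the form markup (placeholder URL) are made up for the test.
const SCRIPT = '<script lang="javascript">alert("pwned");</script>';
const samples = [
  { kind: "status", text: "<MARQUEE>scrolling</MARQUEE>" },
  { kind: "status", text: SCRIPT },
  { kind: "photo-comment", text: "Photos are proving more exploitable.... " + SCRIPT },
  { kind: "photo-comment", text: '<form action="https://example.invalid/"><input type="submit" value="Next"></form>' },
];

// Run every sample through a renderer and report the live tags per item.
function audit(render) {
  return samples.map((item) => liveTags(render(item)).join(","));
}

console.log({ unsafe: audit(renderUnsafe), safe: audit(renderSafe) });
```

A check like `audit` belongs in the test suite of each view that displays remote text, since the post shows one view blocking a payload that another view ran.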