over 3 years ago

Allpay (歐付寶) has a mechanism for checking whether the content of a POST can be trusted: it concatenates all the form fields, URL-encodes the result, and then runs MD5 over it together with a shared secret (a keyed checksum rather than encryption, despite how the documentation phrases it). If the value you generate matches the one its server generates, the request passes the check.

I recently found that if any form value contains & or <, the check fails.

There had already been an earlier case where we encoded parentheses as %28 but their side did not, and the check failed. So I tested two variants myself: encoding & as %26, and leaving it unencoded. Both failed the check.

So I wrote to customer support and attached the following form fields for reference:

<input id="TradeDesc" name="TradeDesc" type="hidden" value="&lt;&amp;" />
<input id="CheckMacValue" name="CheckMacValue" type="hidden" value="4A573F3F559226072079E3758B3D8E1A" />

After a few rounds of e-mail, support gave me this reply:

<input id="TradeDesc" name="TradeDesc" type="hidden" value="&lt;&amp;" />
Generally, POSTed data is not posted in HTML-encoded form.
Please do not use HTML encoding.
Also, for TradeDesc and ItemName, please avoid special characters and HTML tags.
Please try again.
THX.

I was rather annoyed when I replied, because escaping & as &amp; in HTML is basic knowledge: when the browser POSTs the form it decodes it back to &, so the payment gateway never receives the escaped string &amp;. And if < were not escaped, whether the browser would even render the page correctly is an open question.

The API documentation says nothing about restricting special characters, and testing showed that every other special character works. Only < and & fail. These two characters are hardly exotic; an English-language shop using & is entirely normal.

So I replied, explaining that the &amp; HTML encoding has no effect on the data your company's server receives, and attached every step of how I generate the check value, hoping their engineers could spot at which step the two sides diverge.

Support's response was the same broken record:

For TradeDesc and ItemName, please avoid special characters.
THX.

This is clearly a solvable problem (only our side's code would need to change), yet they simply dodged it this way. Did support even forward my report to an engineer, or is there some reason the engineers do not want to look into it? I had originally just wanted to improve the open-source active_merchant_allpay integration, but with responses like this there is no point in warming a cold shoulder.
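The failure mode above (a checksum over URL-encoded form data that verifies on one side and not the other) comes down to canonicalization: both parties must produce the identical byte string before hashing, and URL encoders disagree on exactly which bytes they escape. The following is an added illustration, not Allpay's real algorithm nor code from active_merchant_allpay. The check value is a made-up keyed MD5 shaped like the description at the top of the post, the secret is invented, and the three encoders are Ruby's own standard-library ones. It also shows what the gateway actually receives for value="&lt;&amp;" and a gateway-side comparison that does not exit early.

```ruby
require 'cgi'
require 'erb'
require 'uri'
require 'digest'

# Added illustration; not Allpay's real algorithm. Invented shared secret.
HASH_KEY = 'hypothetical-shared-secret'.freeze

# Three URL encoders from Ruby's standard library. They agree on letters,
# digits, "<" and "&", but not on every byte (space, "*" and "~" differ),
# which is the kind of divergence that makes a checksum fail on one side only.
ENCODERS = {
  'CGI.escape'                    => ->(s) { CGI.escape(s) },
  'ERB::Util.url_encode'          => ->(s) { ERB::Util.url_encode(s) },
  'URI.encode_www_form_component' => ->(s) { URI.encode_www_form_component(s) },
}.freeze

# Hypothetical check value: join "k=v" pairs in key order with "&",
# URL-encode the whole string, lowercase it, append the secret, MD5.
def check_mac(params, encoder)
  joined  = params.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  encoded = encoder.call(joined).downcase
  Digest::MD5.hexdigest("#{encoded}&HashKey=#{HASH_KEY}").upcase
end

# What the gateway receives for value="&lt;&amp;": the browser decodes the
# entities in the attribute before submitting, so the POST body carries "<&".
def posted_value(attribute_text)
  CGI.unescapeHTML(attribute_text)
end

# Gateway-side verification: recompute with the gateway's encoder and compare
# every byte without an early exit, so timing does not leak the match length.
def mac_valid?(params, received, encoder)
  expected = check_mac(params, encoder)
  return false unless expected.bytesize == received.bytesize
  expected.bytes.zip(received.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# How many different check values the three encoders produce for the same fields.
def distinct_macs(params)
  ENCODERS.values.map { |enc| check_mac(params, enc) }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  fields = { 'TotalAmount' => '100', 'TradeDesc' => posted_value('&lt;&amp;') }
  ENCODERS.each { |name, enc| puts "#{name.ljust(30)} #{check_mac(fields, enc)}" }
end
```

For the value <& all three Ruby encoders agree (each escapes < as %3C and & as %26), so a mismatch on that input has to come from a step the gateway performs differently, not from the choice of Ruby encoder; a value containing a space already splits them, because CGI.escape emits + where ERB::Util.url_encode emits %20. The same applies across languages: .NET's HttpUtility.UrlEncode, for instance, leaves ( and ) unescaped, which matches the %28 symptom described above.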

 
over 3 years ago

ActiveMerchant is a very useful library for connecting to payment gateways. However, it is also quite dated, has many flaws, and lacks proper documentation in one part (offsite payment). In my experience, it could be improved in the following ways:

The name "integration" is confusing and makes it difficult to search for online. The gem should be split in two: one for on-site payment (the gateway/billing module) and one for off-site payment (the integration/Billing::Integration module), because these are two very different ways of paying. It is confusing to search for a solution and find that it addresses the other kind. Shopify seems to be doing this already, splitting the offsite-payment module into its own gem. Good move!

The semantics of the common fields in the form helper need to be defined. Otherwise implementors choose different names for the same concept, greatly reducing interchangeability between gateways. Some consistency issues should also be fixed. For example, with Paypal we pass our order id as the "order" field, and the Paypal notification returns it as the item_id attribute. This mismatch is confusing.

gross() currently does not specify a return type. Paypal returns a string, while the base class says it should return "the money amount we received in X.2 decimal". Although there is an amount() method that returns a money object, gross() should still specify its return type to avoid inconsistencies when switching gateways.

The base framework code should be separated from gateway implementations. Users usually just want two or three gateways out of the 50 implementations. Having a separate repository per gateway also makes it easier to document gateway specific changes and settings in separate readme files.

There should be a check() method on the notification, acting as the single place to decide whether a notification is valid. Currently many gateways implement acknowledge(), but not every provider offers an API for verifying a notification. A generalized check() could call acknowledge() where it is implemented and fall back to a local check otherwise.

Adding hooks to the form helper would also help. Many gateways require post-processing such as appending a checksum field. A hook would let the helper run that post-processing automatically instead of the developer having to remember to call it in the view.
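A sketch of the last two proposals (a generic check() on the notification and a post-build hook on the form helper), added here as illustration rather than ActiveMerchant's actual API. The checksum scheme, the class names and the shared secret are invented for the example; the gateway's verification call is stubbed with a lambda.

```ruby
require 'digest'

# Added sketch, not ActiveMerchant's API. Invented secret and checksum scheme.
SHARED_SECRET = 'hypothetical-secret'.freeze

# Checksum over every field except the checksum itself, in key order.
def checksum_for(fields)
  body = fields.reject { |k, _| k == 'checksum' }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  Digest::SHA256.hexdigest("#{body}&secret=#{SHARED_SECRET}")
end

# Constant-time comparison for the checksum field.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class Notification
  attr_reader :params

  def initialize(params)
    @params = params
  end

  # Local integrity check that every gateway can perform.
  def checksum_valid?
    secure_equal?(params['checksum'].to_s, checksum_for(params))
  end

  # The single entry point: use the gateway's own verification API when the
  # subclass implements acknowledge, otherwise rely on the local checksum alone.
  def check
    return false unless checksum_valid?
    respond_to?(:acknowledge) ? acknowledge : true
  end
end

# A gateway that offers a server-side verification call (stubbed by a lambda).
class AcknowledgingNotification < Notification
  def initialize(params, verifier)
    super(params)
    @verifier = verifier
  end

  def acknowledge
    @verifier.call(params) == true
  end
end

# Form helper with a hook that runs when the fields are finalised, so the view
# never has to remember to append the checksum itself.
class FormHelper
  def initialize(&after_build)
    @fields = {}
    @after_build = after_build
  end

  def add_field(name, value)
    @fields[name.to_s] = value.to_s
  end

  def form_fields
    fields = @fields.dup
    @after_build&.call(fields)
    fields
  end
end

# Build an outgoing form with the hook, then run the generic check on the result;
# with tampered: true one field is altered after the checksum was computed.
def build_and_verify(tampered: false)
  helper = FormHelper.new { |f| f['checksum'] = checksum_for(f) }
  helper.add_field(:order, 42)
  helper.add_field(:amount, 100)
  fields = helper.form_fields
  fields['amount'] = '1' if tampered
  Notification.new(fields).check
end
```

The hook receives a copy of the fields, so calling form_fields twice is harmless, and check() refuses a notification whose checksum fails before spending a round trip on acknowledge().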

 
over 3 years ago

I read an article (http://yihui.name/en/2013/10/markdown-or-latex/) on whether to choose Markdown or LaTeX when writing.

Markdown and LaTeX actually solve different problems: do you need a typeset, paginated physical document, or just one long continuous document?

A core problem LaTeX has to solve is where to place figures and tables around page breaks. Without pagination these elements can simply flow downward with the text, but when one lands on a page boundary it cannot be cut in half. Pagination brings many other layout constraints as well, and these are where LaTeX is strong.

So the rule of thumb is: if you need a paginated document with many floating elements, choose LaTeX. Otherwise choose whichever feels more comfortable, since a simple document is easy to convert between formats.

 
over 3 years ago

TrueCrypt is a free, open-source encryption program that creates encrypted virtual disks for storing data.

Just yesterday, May 28, 2014, its official website suddenly began redirecting to SourceForge and announced that its encryption may be at risk of being broken and that development of TrueCrypt has ended. The stated reason is that Microsoft has ended support for Windows XP, and every later operating system has its own alternative to TrueCrypt; Windows users, for example, should move to Microsoft's BitLocker. A new version, 7.2, was released at the same time: it can only decrypt, not encrypt, so that users can decrypt their data and migrate it to other software.

The large red warning on the site, "WARNING: Using TrueCrypt is not secure", looks thoroughly out of place.

Back in April, TrueCrypt's source code went through a preliminary third-party review, which found no backdoor (see the audit's website). So this sudden declaration that it is insecure is rather baffling.

Although TrueCrypt is open source, nobody seems to know who its authors actually are. This has invited many conspiracy theories: that TrueCrypt was a trap built by the US government from the start, or that this is the result of the authors compromising with the NSA. So far nobody seems able to prove that the website was not simply modified by attackers. But the changes are quite detailed (the code's license was changed, and the program was actually modified so that it can only decrypt), so it does not feel like something an outside attacker would do.

 
over 3 years ago

Installing solr on its own is not hard.
Installing solr on its own with Chef is a little hard.
Using Chef to build a solr that works with the Chinese word-segmentation package mmseg4j is a minefield.

--

Cookbooks used:

cookbook 'hipsnip-jetty', git: 'https://github.com/hipsnip-cookbooks/jetty.git'
cookbook 'hipsnip-solr', git: 'https://github.com/hipsnip-cookbooks/solr.git'

Settings:

default_attributes(
  java: {
    jdk_version: "7"
  },
  jetty: {
    port: "8983",
    version: "9.0.3.v20130506",
    link: 'http://eclipse.org/downloads/download.php?file=/jetty/9.0.3.v20130506/dist/jetty-distribution-9.0.3.v20130506.tar.gz&r=1',
    checksum: "eff8c9c63883cae04cec82aca01640411a6f8804971932cd477be2f98f90a6c4"
  },
  solr: {
    version: '4.3.1',
    checksum: '99c27527122fdc0d6eba83ced9598bf5cd3584954188b32cb2f655f1e810886b'
  }
)

These are the combinations that Bert tested and found to work. He did not manage to get the official opscode cookbooks to work together.

A word of warning: Solr and mmseg4j are picky about which versions pair up.
In testing, Solr 4.2.1 is incompatible with mmseg4j 1.9.1, 2.0.0 and 2.0.1.
Solr 4.3.1 is also incompatible with 2.0.1.
Start with the combination below, which is known to work, and only try other combinations when you have time to burn.

Next, download the mmseg4j files:

The traditional Chinese dictionary files (units.dic and words.dic) can be fetched from here: http://function1122.blogspot.tw/2010/10/mmseg4j-java-55.html
The 1.9.1 code can be downloaded from here: https://code.google.com/p/mmseg4j/downloads/list

Then write a recipe that uploads these files to the remote host:

directory "#{node['solr']['home']}/lib" do
  owner 'app'
  group 'app'
  action :create
end

%w{mmseg4j-core-1.9.1.jar mmseg4j-solr-1.9.1.jar mmseg4j-analysis-1.9.1.jar}.each do |name|
  cookbook_file "#{node['solr']['home']}/lib/#{name}" do
    owner "app"
    group "app"
    source "solr/#{name}"
  end
end

directory "#{node['solr']['home']}/dic" do
  owner 'app'
  group 'app'
  action :create
end

%w{units.dic words.dic}.each do |name|
  cookbook_file "#{node['solr']['home']}/dic/#{name}" do
    owner "app"
    group "app"
    source "solr/dic/#{name}"
  end
end

Then configure the solr schema and so on:

solr_schema (this is paired with sunspot, so the text fieldType is modified directly):

<fieldType name="text" class="solr.TextField" omitNorms="false">
  <analyzer>
    <tokenizer class="com.chenlb.mmseg4j.solr.MMSegTokenizerFactory" mode="complex" dicPath="/usr/share/solr/dic"/>
    <filter class="solr.StandardFilterFactory"/>
    <filter class="solr.LowerCaseFilterFactory"/>
  </analyzer>
</fieldType>

I specified the dictionary with an absolute path because a relative path did not work for some reason.

Add to solr_solrconfig:

  <lib dir="/usr/share/solr/lib/" regex=".*\.jar" />

because that is where I put mmseg4j.

Then start cooking.

If the install fails with a complaint that the jetty user is logged in, log in manually and kick it out with pkill -KILL -u jetty.
Use a newer hipsnip-solr cookbook as well; only the newer ones install the logger lib for you automatically.

Hope your install succeeds.

To check whether solr is working, we temporarily allow the solr web admin page to accept requests inside vagrant:

sudo ufw allow 8983

Then you can check whether solr is configured correctly from http://33.33.33.10:8983/solr/. Note that the Solr admin UI of this version has no authentication of its own, so only open the port on the local Vagrant box, never on a production host, and remove the rule again when you are done.

Pick Analysis under your core, enter 「美國是按流量收費所以高速上網容量都會有所限制」, and choose type Text (the field type, not the field named Text). It should split 「美國」 out as a single term. If it comes out as 「美」「國」, the dictionary was not found.

Whenever something goes wrong, look at the newest log under /var/log/jetty.
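The dictionary check above can be scripted so it runs after every cook instead of by hand in the browser. The following is an added smoke test, not part of the recipe: it assumes Solr's field-analysis handler at /solr/<core>/analysis/field (the endpoint behind the admin Analysis page) with wt=json output, the Vagrant address from above, and a core name passed on the command line. The two responses embedded in the script are constructed by hand to show the pass and fail shapes; a real response carries more token attributes than the text field used here.

```ruby
require 'json'
require 'uri'
require 'net/http'

# Added smoke test; not part of the original recipe. Host and core are assumed.
SOLR_BASE   = 'http://33.33.33.10:8983/solr'.freeze
SAMPLE_TEXT = '美國是按流量收費所以高速上網容量都會有所限制'.freeze

# Same request the admin Analysis page makes for a field *type*.
def analysis_url(core, field_type, text = SAMPLE_TEXT)
  query = URI.encode_www_form('analysis.fieldtype'  => field_type,
                              'analysis.fieldvalue' => text,
                              'wt'                  => 'json')
  "#{SOLR_BASE}/#{core}/analysis/field?#{query}"
end

def fetch_analysis(core, field_type)
  Net::HTTP.get(URI(analysis_url(core, field_type)))
end

# The "index" entry lists each analyzer component followed by the tokens it
# emitted. With wt=json that is a flat [name, tokens, name, tokens, ...] array;
# a hash is handled too in case json.nl is configured differently. The last
# token list is the final output of the analyzer chain.
def final_tokens(response_json, field_type)
  stages = JSON.parse(response_json).dig('analysis', 'field_types', field_type, 'index')
  raise "no analysis for field type #{field_type}" unless stages
  token_lists = stages.is_a?(Hash) ? stages.values : stages.each_slice(2).map(&:last)
  token_lists.last.map { |t| t['text'] }
end

# With the dictionary loaded 美國 is one term; without it each character is its own term.
def dictionary_loaded?(tokens)
  tokens.include?('美國')
end

# Constructed response for a correctly configured core.
GOOD_RESPONSE = JSON.generate(
  'analysis' => { 'field_types' => { 'text' => { 'index' => [
    'com.chenlb.mmseg4j.analysis.MMSegTokenizer',      [{ 'text' => '美國' }, { 'text' => '是' }],
    'org.apache.lucene.analysis.core.LowerCaseFilter', [{ 'text' => '美國' }, { 'text' => '是' }]
  ] } } }
)

# Constructed response for a core that could not find the dictionary.
BAD_RESPONSE = JSON.generate(
  'analysis' => { 'field_types' => { 'text' => { 'index' => [
    'com.chenlb.mmseg4j.analysis.MMSegTokenizer',      [{ 'text' => '美' }, { 'text' => '國' }, { 'text' => '是' }],
    'org.apache.lucene.analysis.core.LowerCaseFilter', [{ 'text' => '美' }, { 'text' => '國' }, { 'text' => '是' }]
  ] } } }
)

if __FILE__ == $PROGRAM_NAME
  # Against a live box: ruby solr_check.rb <core>; with no argument, use the sample.
  body   = ARGV.empty? ? GOOD_RESPONSE : fetch_analysis(ARGV[0], 'text')
  tokens = final_tokens(body, 'text')
  status = dictionary_loaded?(tokens) ? 'ok' : 'dictionary NOT loaded'
  puts "#{status}: #{tokens.first(4).join(' | ')}"
end
```

Run it with the core name against the Vagrant box while port 8983 is open; it exits non-zero with a clear message if the field type is missing, which is the other common schema mistake.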

Installing locally with vagrant went fine, but in production solr stubbornly kept using the old 4.2.1 version. In the end I deleted the following directories:

- /usr/local/solr
- /usr/share/solr
- /tmp/jetty*
- /tmp/hsperfdata*

and changed the sunspot-solr gem that Rails had been using so that it is only loaded in development.

 
over 3 years ago

The auditorium at National Yang-Ming University is large, so everyone could find a seat at leisure, but the downside is that it is too dark.

  • The main projection screen is too dim, especially next to the Twitter wall; it was a strain to read.
  • The people on stage were rarely lit and were often backlit; I imagine the photographer had a hard time getting clear, well-lit shots of the speakers.
  • Those in the audience who were not listening and wanted to write code got sore eyes because there was no light.
  • The mood could not be changed, which left the venue feeling a bit stuffy and made it easy to doze off.

On the first day lunch was served slowly and was not enough; luckily on the second day it was switched to boxed lunches. But the venue did not have enough seating for meals either, and many people had to eat standing up, which was a hassle. By comparison, the 2012 venue was excellent, because meals were served in a proper dining hall with enough tables and enough food.

The simultaneous interpretation was great; I saw many foreign attendees benefit from it.

At the very end the CoC incident made the closing a little awkward; fortunately no foreign participants took it to overseas forums, and the controversy stayed within the local community.

Thanks to 慕凡 (the organizer) and all the staff for their hard work; I hope the next one is even better. Oh, and rehearsing the opening and closing remarks next time would be the finishing touch.

 
over 3 years ago

I used to use phpMyAdmin for the occasional database fix, but installing PHP just for that on a Rails site is dead weight, and setting up https for it takes extra effort, so I looked into connecting to the database directly from Sequel Pro on the Mac instead.

I use Chef's mysql cookbook, which by default uses the server's IP address as bind_address, but I could not seem to connect that way, so I set it to localhost. This also keeps MySQL off the public interface entirely: it is only reachable through the SSH tunnel set up below, so nothing else needs to be exposed or TLS-wrapped.

override_attributes(
  mysql: {
    bind_address: 'localhost'
  }
)

Sequel Pro has a bug on the connection screen when you choose the SSH option: I could not select the SSH user because the input box is covered up. So after clicking SSH, first fill in a name, then click Add to Favorites; only then does the input box below appear.

MySQL Host: 127.0.0.1
SSH Host: your server's address
SSH User: your ssh user id
Fill in the rest as appropriate.
Then you can connect.

 
over 3 years ago

https://github.com/Shopify/active_merchant/
ActiveMerchant itself has these integrations built in:
HiTrust (安心付) and Paypal

https://github.com/xwaynec/active_merchant_allpay
Allpay (歐付寶) integration
After 綠界 (ECBank) partnered with 歐買尬, ECBank also stopped accepting registrations and redirected its customers to Allpay.

https://github.com/GoodLife/active_merchant-smile_pay
SmilePay (訊航科技) integration

 
almost 4 years ago

Yahoo Mail redesigned its web interface on October 8, 2013. The new interface relies heavily on AJAX techniques, which improved its response time a lot. However, the new interface also has several bugs, and Yahoo seems to remain oblivious to them. Here I describe the spam button bug, and how ineffective the customer support system is.

Not-Spam button marks something as spam

If you view a mail inside the spam folder and hover the cursor over the "Not Spam" button, you will see the tooltip message "Move selected conversation to Spam folder".

Note that this only happens in mail view page, not in the spam folder listing page.

Once you click the "Not Spam" button, you are taken back to the spam listing page. After a few seconds, a blue popup appears at the bottom of the page, saying "Your message has been placed in the Spam folder and sent to Yahoo! for further investigation".

And after refreshing the listing page, you see that the un-spammed email is still there.

Once again, this only happens in the mail view page, not the listing page.

Why do I care?

I am a web app programmer. I see that 90% of our spam reports come from Yahoo Mail, and most of the reports are for new-user registration confirmation emails. I asked some users, and they said that they merely clicked the "Not Spam" button on the registration email.

The faux spam reports are troublesome for us, because we use the Sendgrid emailing service, which keeps a reputation score. Each spam report they receive lowers our reputation, and when it drops too far, Sendgrid blocks us from sending emails.

The "Not Spam" bug is bad because once a user clicks it, Yahoo becomes more convinced that we are spammers, so our emails are more likely to land in the spam folder, which results in more users clicking the "Not Spam" button. It is a snowball effect.

Unusable customer support

I tried to report this issue, but I couldn't find a way to contact a real person at Yahoo. I found this bug report on Yahoo Feedback. It was reported on October 14th, 2013. However, the admin closed the issue because:

Because this forum is intended to gather feedback/suggestions for Yahoo! Mail, if you continue experiencing this problem, please contact Customer Care by going to:
https://io.help.yahoo.com/contact/index?y=PROD_wieuowiuero&locale=en_US&page=contact&srcContact=acct_care#comm-form
Thank you for using Yahoo! Mail!

I went to that suggested link, which is a Yahoo Help page regarding Yahoo Account issues. I was given two choices: by email or by community.

I chose email and filled in my question.

I later received an automatic reply; however, its title suggests that the wrong category was used:

Title: Hacked accounts : spam is being sent from my account [Incident:140108-069640]
Content:
Thanks for contacting Yahoo Customer Care.
Your Incident ID is: 140108-069640
If you're reporting abuse, thanks for improving our community (it means a lot to us). We'll dig in to your report and take care of this. We may contact you if we need more information to complete our investigation.
If you aren't reporting abuse but are trying to ask a question or get help, we'll get back to you as soon as possible.

Later a second email came:

The first step to resolving issues with your internet browser is to make sure you are using the current version. You can download and install the latest versions of Firefox, Safari, or Internet Explorer at the following links:
If updating to the latest browser version does not resolve your issue, try clearing the cache and cookies in your browser. If you do not know how to do this, please visit the Clear Cache and Cookies Wizard.

This is not related to my bug report at all. I also missed the 72-hour deadline to reply because I was busy, so the issue was closed.

The second option is to ask for help from the "Community". However, no one seems to be using it, as the last post is from 2012.

In the email interface, there is a Help link in the settings menu. It directs you to the FAQ page. I clicked "Contact Customer Care", chose "Errors" -> "My issue does not appear in the list", and was given the outdated "Community" link again, this time redirecting to Yahoo Answers. I don't think bug reports go there.

Conclusion

Hopefully someone at Yahoo sees this and fixes the problem. The web interface is broken. The dev/testing process is broken too, having failed to discover or fix the bug for more than 3 months. Lastly, Yahoo really needs to improve its customer support system.

Update 2014/2/12

I resent an email to Yahoo Customer Care, and after a few replies the Taiwanese branch managed to understand the bug. They told me on 2014/01/23 that they had reported it to the team, and I am still waiting for their reply.

Update 2014/2/24

This morning I checked and found out that the bug has been fixed. The "Not Spam" button is no longer acting as the "Spam" button. Thanks.

 
about 4 years ago

Eager loading is how Rails solves the N+1 problem: with includes, the associations are loaded together with the records when they are read from the database.

But includes has to be given before the query runs, and sometimes all I have is a pile of Active Record objects that are already loaded, and I want to load each object's association with a single SQL query. How? For an array of ActiveRecord objects you can do this:

posts = [a, b, c] # some AR Post objects
# Rails 3 signature; Rails 4 changed it to Preloader.new.preload(posts, :comments)
ActiveRecord::Associations::Preloader.new(posts, :comments).run
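What the preloader does underneath is simple enough to show without a database: one IN query over all the loaded ids, then bucketing the rows by foreign key. The following is an added example in plain Ruby, not ActiveRecord's own code; the comments table, its rows and the query counter are constructed stand-ins so that the difference between the N+1 shape and the preload shape is visible in the count.

```ruby
# Added example, not ActiveRecord's code. In-memory stand-ins for the tables.
Post = Struct.new(:id, :title) do
  attr_accessor :comments
end
Comment = Struct.new(:id, :post_id, :body)

class CommentTable
  attr_reader :queries

  def initialize(rows)
    @rows = rows
    @queries = 0
  end

  # Stand-in for SELECT * FROM comments WHERE post_id IN (...)
  def where_post_id_in(ids)
    @queries += 1
    @rows.select { |c| ids.include?(c.post_id) }
  end
end

# The N+1 shape: one query per already-loaded post.
def load_lazily(posts, table)
  posts.each { |p| p.comments = table.where_post_id_in([p.id]) }
  posts
end

# The preloader shape: one IN query for every id, then bucket rows by foreign key.
# Posts with no rows get an empty array, like an association that loaded nothing.
def preload_comments(posts, table)
  by_post = table.where_post_id_in(posts.map(&:id)).group_by(&:post_id)
  posts.each { |p| p.comments = by_post.fetch(p.id, []) }
  posts
end

# Constructed sample data: post 1 has two comments, post 2 none, post 3 one.
SAMPLE_ROWS = [
  Comment.new(1, 1, 'first'), Comment.new(2, 1, 'second'), Comment.new(3, 3, 'third')
].freeze

def sample_posts
  [Post.new(1, 'a'), Post.new(2, 'b'), Post.new(3, 'c')]
end

# Number of queries each strategy issues for the same three posts.
def query_counts
  lazy = CommentTable.new(SAMPLE_ROWS)
  load_lazily(sample_posts, lazy)
  eager = CommentTable.new(SAMPLE_ROWS)
  preload_comments(sample_posts, eager)
  { lazy: lazy.queries, preload: eager.queries }
end

puts query_counts if __FILE__ == $PROGRAM_NAME
```

The fetch with a default of [] is the detail that matters in practice: a post without comments must end up with an empty association, not nil, or the view code that iterates it will break only on the records that happen to have no children.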