WP Super Cache 1.3.2

WP Super Cache is a full page caching plugin for WordPress that will speed up your website.

This is a security release and any users of the plugin should update as soon as possible. This release and the last 2 (1.3 and 1.3.1) address the following issues:

  • A visitor to a website using WP Super Cache can remotely execute code by way of a specially crafted comment left on the blog. The comment may even be moderated and it will still cause a problem. If you allow untrusted user content on your site through other means it should also be filtered in a similar way. See the function no_mfunc_in_comments for the existing filter. This will be mitigated in the next release by using a security keyword in the mfunc/mclude/dynamic-cached-content tag.
  • An XSS vulnerability was found in the plugin's settings page. This has been fixed as well.
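
For the first item above, here is one way to filter other untrusted content "in a similar way". This is an added example, not the plugin's no_mfunc_in_comments function or any other WP Super Cache code. The tag names come from the notes above; the function names, the regular expression and the sample comments are assumptions made for illustration.

```php
<?php
// Added example: not WP Super Cache's own code. Tag names are taken from the
// release notes; every identifier and sample string here is an assumption.

const EXAMPLE_MARKER_RE =
	'/<!--(?=\s*\/?\s*(?:mfunc|mclude|dynamic-cached-content))/i';

/**
 * Escape the opening "<!--" of any dynamic-content marker so that it is stored
 * and cached as visible text rather than as an HTML comment.
 * Returns array( filtered text, number of markers neutralised ).
 */
function example_neutralise_markers( $text ) {
	$text  = (string) $text;
	$count = 0;
	$out   = preg_replace( EXAMPLE_MARKER_RE, '&lt;!--', $text, -1, $count );
	if ( null === $out ) {
		// PCRE failure: fail closed by escaping every comment opener.
		$out = str_replace( '<!--', '&lt;!--', $text, $count );
	}
	return array( $out, $count );
}

// Runs when a comment is submitted, before it is saved (moderated or not).
function example_filter_comment( $commentdata ) {
	if ( ! isset( $commentdata['comment_content'] ) ) {
		return $commentdata;
	}
	list( $clean, $hits ) = example_neutralise_markers( $commentdata['comment_content'] );
	if ( $hits > 0 ) {
		error_log( "dynamic-cache marker neutralised in comment ($hits)" );
	}
	$commentdata['comment_content'] = $clean;
	return $commentdata;
}

if ( function_exists( 'add_filter' ) ) {
	add_filter( 'preprocess_comment', 'example_filter_comment' );
} else {
	// Stand-alone run outside WordPress with constructed, inert samples.
	$samples = array(
		'Nice post, thanks!',
		'Hello <!--mfunc PLACEHOLDER --> world <!--/mfunc-->',
		'<!-- Dynamic-Cached-Content -->PLACEHOLDER',
	);
	foreach ( $samples as $sample ) {
		list( $clean, $hits ) = example_neutralise_markers( $sample );
		printf( "%d marker(s) neutralised: %s\n", $hits, $clean );
	}
}
```

Escaping the marker instead of deleting it avoids re-forming a marker from the surrounding characters, and it leaves the attempt visible to whoever moderates the content.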

The dynamic cached content features are now disabled by default as they should really have been a long time ago. This was announced in the Upgrade Notice of the previous release so hopefully site owners will be prepared for it. If you depend on this feature you can enable it again on the Advanced Settings page. I would encourage you to use Javascript instead for any dynamic features or use a short cache expiration time.

Support for the mobile theme in Jetpack has been added in this release by way of a helper plugin. If you enable this feature in Jetpack you should visit the Plugins tab of WP Super Cache and enable the Jetpack plugin there. Caching will be changed to PHP mode, and mobile device support enabled but you may have to manually remove the WP Super Cache mod_rewrite rules in the .htaccess at the root of your site.

I would like to thank WordPress.org user kisscsaby for finding the mfunc problem in WP Super Cache and W3 Total Cache and Frank Goossens for his help fixing it.

Edit: I should have stated this above. I did not know about the issue with mfunc until 3 weeks after kisscsaby posted it to a public forum. I don’t read every post on the support forum unfortunately and the user did not email me. I released version 1.3 within a day of hearing about the problem. Unfortunately the XSS vulnerability became known 24 hours after that, requiring another release within 36 hours of the previous one. When it became clear that mfunc could still be exploited I released version 1.3.2.

I’m leaning towards removing the mfunc/mclude/dynamic-cached-content feature completely. It’s only used by a tiny minority of users (who will be inconvenienced, sorry) but it’s dangerous code to have in the plugin.

Portals in the Sea

Garrettstown Beach in Co Cork boasts a number of attractions. Chief among them are the waves loved by surfers in one area and a long sandy beach next door.

There are also a few Ingress portals there and I managed to capture some of them. The two in the sea only have a couple of resonators and not the full complement of eight because I was standing at the bottom of the sea wall with my hand outstretched trying to reach them. After almost getting caught by a sudden wave I beat a hasty retreat.

When the tide goes out however I’ll be back!

Who gets your data after death?

I have to admit that filling in the inactive account settings for my Google account gave me the shivers. There’s not much that would stop me logging into my Google account for more than 3 months. It would have to be one of the following:

  • Trekking through a rainforest pursued by secret agents monitoring all radio communications.
  • Lost on a desert island with only 80’s computer equipment to keep me amused.
  • In a coma after a botched attack by terrorists who are hell bent on killing open source developers.
  • Dead.

None of the above are very appealing options but at least one is as inevitable as, err, taxes, so it must be faced.

I added a trusted contact and was then presented with a popup asking for a subject and email body. Writing that was unsettling but I hope more services do something similar. I’ve heard too many horror stories about Facebook accounts that have been frozen on the death of an account holder.

You can choose what data is or isn’t shared with a contact. Included is Latitude, which has tracked my whereabouts for the last 2 years and will continue to do so. It makes me wonder how my descendants will cope with the deluge of information. It may very well end up as an anonymous zip file on someone’s computer I guess.

The list won’t be frozen in time either. Do I add my siblings? What about my son when he’s older? What age? I should set a calendar reminder for his 18th birthday. I’ll have to warn those trusted contacts because Google sends an email and a text message when the account goes inactive. Like a letter from the grave.

Raiden, it’s not quite the same on Android..

I pumped insane numbers of 10p coins into the Raiden arcade machine twenty years ago. Over the years I’ve played the dire PC conversion in the late 90’s (argh, it used midi music) and played the arcade version a few times in MAME but the Android version holds up well against the arcade original. It’s a bunch of fun too and it’s part of the Humble Bundle now!

Oh yeah, it’s not quite the same on an Android device. It’s a hell of a lot cheaper and possibly easier. There’s no way I could move the ship around as quickly as I could by dragging a finger across the screen. Great stuff!

Cyanogenmod 10.1: the Jelly Bean update for my Samsung Galaxy S II

I’ve had a Samsung Galaxy S II since around August 2011, and while the S3 has of course tempted me the cost of the device and/or monthly commitment was too much. I’m hoping that the release of the S4 will see a price cut in the older phone! I also feel the SGS2 is a “good enough” phone for most of the things I want it to do so there was that too.

Meanwhile my S2 has been rooted for a long time but I was running an old version of Android, Ice Cream Sandwich. There’s supposed to be a Galaxy S II Jelly Bean update sooner or later but because of all the tinkering I’ve done to my phone any previous OTA update always fails. Meanwhile, installing Cyanogenmod 10.1 was almost as easy as following the instructions here.

The hardest bit was getting an updated ClockworkMod Recovery on there. In Windows, Heimdall refused to see the phone, or reported an error, “libusb error: -12” or “failed to initialize protocol” even after running the included zadiag.exe. I tried it in Linux too but had similar problems until in frustration I disconnected the phone and put the Macbook to sleep. When I tried it again 5 minutes later it worked and squirted a new CWM down into my phone!

With that in place my phone wouldn’t boot; if I didn’t go into Recovery mode it just showed a black screen. No matter as I had everything backed up with Carbon backup. I removed the SD card and copied the latest nightly firmware and gapps on there. Booted into Recovery, factory reset, flashed those zip files, did a dalvik clear just in case and rebooted into Jelly Bean, Android 4.2.2! Once I logged into Google it started downloading all my apps again and with Carbon I was able to restore the settings of all my apps.

Photosphere isn’t included in this rom but I found it here in a flashable zip. Here’s what it looks like when I used it on Patrick’s Street, Cork today. iOS has a similar functionality I guess as I’ve seen a few colleagues from work waving their iPhones around while at meetups! The camera on the SGS2 is frankly rubbish but Pixlr Express does a good job of making photos look a lot better.

How does it perform? Very well for the most part.

  • I noticed that if I tether my Nexus 7 with a wifi hotspot then I will sometimes have to bring up an Internet app on the phone to wake up the 3G connection.
  • I noticed two Maps processes going a bit loopy when GPS was disabled and I had launched Ingress. GPS is disabled now and the phone is fine. Odd.
  • As a result of restoring settings from Carbon backup, Greenify had a list of apps to hibernate but because I hadn’t run it interactively then it hadn’t been granted superuser privileges. My phone got really hot as I guess the app was trying to hibernate the Facebook app repeatedly. TouchPal kept closing too but clearing the cache fixed it. Those aren’t Android problems, just a side effect of the restore process and insufficient error trapping in the apps. I’ll contact the authors about those (admittedly obscure) issues.
  • Sometimes there’s an odd slowdown in the UI. Ingress was dog slow for about 30 seconds but then it righted itself and it’s definitely faster than ICS.

I love Google Now! I wish the monthly activity card displayed in Km instead of miles. I like the new mini settings but wish that GPS was there to save me having the Power widget on a secondary homescreen. Photosphere is pretty cool. I wish Chrome had browser extensions so that Lastpass could build support for it. I haven’t yet noticed any huge difference in battery consumption. I don’t care if the FM radio doesn’t work, I never used it. Podkicker and Tunein Radio take care of any audio. The Apollo music player is nice, but doesn’t play very nicely with MP3s that don’t have tags. I had to fix some rips I made recently of CDs as they were coming up as from Unknown Artist, even though the files were in artist/album directories. All the other MP3 players I tried did the same however.

CM 10.1 has an auto update feature that John reminded me of. I haven’t enabled it yet though. I need to do more research and find out how it works and whether it will clobber my app settings and data.

If you have an SGS2 you should definitely give Cyanogenmod 10.1 a spin. I remember the first time I upgraded my original SGS to CM7 and the problems it had with camera support but I didn’t have any similar problems this time. CM10.1 will give it a whole new lease of life!