Upgrading PCRE From 7.8 to 8.13 on a CentOS 6.3 VPS

A simple guide to upgrading PCRE from 7.8 to 8.13 on a CentOS 6.3 VPS.


This is actually a relatively painless process.

We check the current version installed and which version PHP is running. We then remove the existing PCRE package whilst leaving any dependencies. After that we add a new repository and install the new version of PCRE. Finally we check the installed version and the version used with PHP.

Check which version you have now:

# pcretest -C
PCRE version 7.8 2008-09-05
Compiled with
  UTF-8 support
  Unicode properties support
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack

Check which version is used in PHP

# php -i | grep PCRE
PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 7.8 2008-09-05

Search for all rpms of PCRE

# rpm -q --queryformat "%{name}.%{arch}\n" pcre

Remove the legacy version of PCRE, leaving all packages that depend on it installed (--nodeps skips the dependency check)

# rpm -ev --nodeps pcre

Add a new rpm repository

# nano /etc/yum.repos.d/utter-ramblings.repo

Include the following

name=Utter Ramblings

Install only the pcre package

# yum --disablerepo=* --enablerepo=utter-ramblings install pcre pcre-devel
Loaded plugins: fastestmirror, priorities
Determining fastest mirrors
utter-ramblings                                          | 2.3 kB     00:00 ... 
utter-ramblings/primary_db                               | 112 kB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pcre.x86_64 0:8.13-1.jason.2 will be installed
---> Package pcre-devel.x86_64 0:8.13-1.jason.2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package          Arch         Version              Repository             Size
 pcre             x86_64       8.13-1.jason.2       utter-ramblings       562 k
 pcre-devel       x86_64       8.13-1.jason.2       utter-ramblings       438 k

Transaction Summary
Install       2 Package(s)

Total download size: 1.0 M
Installed size: 3.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): pcre-8.13-1.jason.2.x86_64.rpm                    | 562 kB     00:01     
(2/2): pcre-devel-8.13-1.jason.2.x86_64.rpm              | 438 kB     00:01     
Total                                           369 kB/s | 1.0 MB     00:02     
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 0d4306ef: NOKEY
Retrieving key from http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka
Importing GPG key 0x0D4306EF:
 Userid: "Jason Litka (http://www.jasonlitka.com) <jasonlitka@verizon.net>"
 From  : http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 10 pre-existing rpmdb problem(s), 'yum check' output follows:
grep-2.6.3-3.el6.x86_64 has missing requires of libpcre.so.0()(64bit)
httpd-2.2.15-30.el6.centos.x86_64 has missing requires of libpcre.so.0()(64bit)
httpd-tools-2.2.15-30.el6.centos.x86_64 has missing requires of libpcre.so.0()(64bit)
less-436-10.el6.x86_64 has missing requires of libpcre.so.0()(64bit)
php-5.3.3-27.el6_5.x86_64 has missing requires of libpcre.so.0()(64bit)
php-cli-5.3.3-27.el6_5.x86_64 has missing requires of libpcre.so.0()(64bit)
2:postfix-2.8.4-12052415.x86_64 has missing requires of pcre
2:postfix-2.8.4-12052415.x86_64 has missing requires of libpcre.so.0()(64bit)
psa-mail-driver-common-11.0.9-cos6.build110120608.16.x86_64 has missing requires of libpcre.so.0()(64bit)
sw-cp-server-1.0-8.201205141805.centos6.x86_64 has missing requires of libpcre.so.0()(64bit)
  Installing : pcre-8.13-1.jason.2.x86_64                                   1/2 
  Installing : pcre-devel-8.13-1.jason.2.x86_64                             2/2 
  Verifying  : pcre-devel-8.13-1.jason.2.x86_64                             1/2 
  Verifying  : pcre-8.13-1.jason.2.x86_64                                   2/2 

  pcre.x86_64 0:8.13-1.jason.2        pcre-devel.x86_64 0:8.13-1.jason.2       


Finally check if you have the new version

# pcretest -C
PCRE version 8.13 2011-08-16
Compiled with
  UTF-8 support
  Unicode properties support
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack

Check that PHP has been updated to use the new version

# php -i | grep PCRE
PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 8.13 2011-08-16

Security hole found in Foursquare

I’ve just found what I believe to be a security hole on the social location site foursquare.com. This security hole will allow an attacker who has access to a compromised mailbox to impersonate the foursquare user without changing their password.

How to do this:

  1. Get hold of someone’s mailbox
  2. Go to the change password form on Foursquare
  3. Fill out the target's email address and press submit
  4. When the reset password email is sent to the mailbox copy the reset link and delete the email – You don’t want the target to know that you have requested a password reset on their behalf
  5. Go to the link you copied. Click on the arrow in the top right (by the person's name as shown below). Boom you haven’t altered the password and yet you can impersonate the user.

If you have someone's mailbox then you impersonate them on Foursquare

Impersonating a Foursquare user without resetting their password.


I was able to do everything a logged in user could do including altering the user's settings, viewing their user ID and changing their privacy settings. There is no check to see if the hacker has actually logged in or if they have completed the password reset.

This worries me as I am not a hacker. In fact I came across this issue by accident when I forgot my own password. I have worked in places that would not tolerate how open this back door is. The questions that spring to mind are 1) if this simple check is not in place then what other security measures are they lacking and 2) when was Foursquare's last pen test? Why should a user find this instead of a professional pen tester?

I have tried this on my own account from two computers, both of which allowed me to get in and alter things.

How to Fix it

  1. Check that the password has been successfully reset before allowing the user to do anything else.
  2. Remove the dropdown menu until a user has actually logged in.
  3. When a user wants to change any personal settings about their account, get them to include their current password in the request.
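
The three fixes above, modelled server-side as an added example (not Foursquare's code and not part of the original post). The `AuthService` class, its method names and the in-memory stores are hypothetical, and ending existing sessions after a reset is an extra assumption beyond the three fixes.

```python
import hashlib
import hmac
import secrets


class AuthService:
    """In-memory model of the fixed flow; every name here is hypothetical."""
    def __init__(self):
        self.users = {}     # email -> {"salt", "pw", "settings"}
        self.resets = {}    # sha256(reset token) -> email
        self.sessions = {}  # session id -> email

    def _hash(self, email, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.users[email]["salt"], 100_000)

    def register(self, email, password):
        self.users[email] = {"salt": secrets.token_bytes(16), "settings": {}}
        self.users[email]["pw"] = self._hash(email, password)

    def login(self, email, password):
        user = self.users.get(email)
        if not user or not hmac.compare_digest(user["pw"], self._hash(email, password)):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def request_reset(self, email):
        token = secrets.token_urlsafe(32)  # goes into the emailed link; only its hash is stored
        self.resets[hashlib.sha256(token.encode()).digest()] = email
        return token

    def complete_reset(self, token, new_password):
        # Fix 1: the link can only set a new password, once; it never logs anyone in.
        email = self.resets.pop(hashlib.sha256(token.encode()).digest(), None)
        if email is None:
            raise PermissionError("invalid or already used reset token")
        self.users[email]["pw"] = self._hash(email, new_password)
        # Assumption beyond the three fixes: sessions opened before the reset are ended.
        self.sessions = {s: e for s, e in self.sessions.items() if e != email}

    def change_setting(self, sid, current_password, key, value):
        email = self.sessions.get(sid)  # Fix 2: only login() ever creates a session
        if email is None:
            raise PermissionError("not logged in")
        # Fix 3: a settings change re-checks the current password.
        if not hmac.compare_digest(self.users[email]["pw"], self._hash(email, current_password)):
            raise PermissionError("current password required")
        self.users[email]["settings"][key] = value
```

With this separation, holding the reset link alone gives no access to account features: the link holder has to set a new password, which the legitimate owner will notice at their next login.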

Edit: Foursquare has got back to me via Twitter https://twitter.com/4sqSupport/status/313701576789327872. Hopefully they will sort the issue.

Bjarne Stroustrup: Why I Created C++

C++ is a statically typed, free-form, multi-paradigm, compiled, general-purpose programming language.

Bjarne Stroustrup is the creator of C++ and in this video he discusses the various reasons why he created the C++ programming language. Bjarne saw a gap in the programming landscape between hardware-based languages and human-level applications. He combined the data abstraction concepts of Simula and the low-level hardware tasks of C, which resulted in a high-level, abstract and efficient language which is known today as C++.

Adding arrays together while preserving keys in PHP

In this post I will demonstrate how to add arrays together without losing or reassigning the array keys in PHP. This is handy if you want to combine two arrays which have defined keys. For example, let's say you have the following arrays:

[crayon lang=”php” url=”http://blog.peterfisher.me.uk/wp-content/syntax-examples/adding-arrays/two_arrays.txt” /]

If you use the PHP function array_merge the array keys will be renumbered like so:

[crayon lang=”php” url=”http://blog.peterfisher.me.uk/wp-content/syntax-examples/adding-arrays/array_merge_output.txt” /]

As you can see, the keys are reindexed and start from 0. The solution is not to use any of PHP's inbuilt functions but simply to use the plus symbol (+) to add both arrays together.

[crayon lang=”php” url=”http://blog.peterfisher.me.uk/wp-content/syntax-examples/adding-arrays/array_plus.txt” /]

This gives us the desired output of:

[crayon lang=”php” url=”http://blog.peterfisher.me.uk/wp-content/syntax-examples/adding-arrays/output.txt” /]


jQuery 2.0 drops support for IE 6 to 8


JavaScript – Not to be confused with Java (programming language).

jQuery is one of the most popular JavaScript frameworks used amongst web developers. Many well known web sites such as Google, Microsoft, Amazon and Twitter use this framework to handle client-side user interactions. Like many open source frameworks of this size, any decision that its community agrees on has the potential to impact a large number of websites.

Recently the jQuery team posted on their blog that they are dropping support for Internet Explorer versions 6, 7 and 8 in jQuery 2.0 which is said to be released in 2013 – 2014. The current version of jQuery is at 17.x and in subsequent versions of the framework they intend to lay the foundations to allow this change to happen.

Now this doesn’t mean that jQuery will completely stop supporting older versions of the IE browser. They have said that they will continue support in version 18 of the framework. This will mean that the jQuery team will have to maintain two branches of the codebase: one for 2.0 and one for 18.x.

This is a good thing because:

  1. Large portions of the jQuery source code handle backwards compatibility for legacy browsers. This is no longer required in jQuery 2.0 so the size of the framework should be smaller.
  2. The 2.0 team can concentrate on building new features whilst not having to worry about legacy browser support. This should mean we see a ramp up of new features.
  3. As the framework will be lighter it will load faster, which is great news for mobile development.
  4. This will encourage sites and companies to drop support for older browsers. jQuery has a big following with big sites.  I hope that when the question ‘Do we support IE6 – 7’ comes up in a dev room the answer will be along the lines of ‘Well the latest jQuery version doesn’t so we should follow suit’.