I recently watched a great talk on hacking Laravel apps.

Towards the end of the talk, Antti shows how it is potentially possible to gain root access to a server if the Laravel scheduler is running as root too.

As soon as I saw it I knew I had a couple of apps where this vulnerability could have been exploited, so I went to patch them straight away.

Whilst I knew what needed to be done, I wasn't 100% sure how exactly I'd add an entry to the crontab of a user other than myself or root.

It turns out to be quite simple: acting as root, use the -u argument to specify the target user.

sudo crontab -e -u www-data

In the above example the crontab for the user www-data is opened. Since my php-fpm instance runs as www-data, and therefore already has access to all of the application code, running the scheduler as that user made sense to me.
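As an added example that is not from the original post, here is a small POSIX shell audit of what `crontab -l` returns: it flags a Laravel scheduler entry found in root's crontab and builds the entry that belongs in www-data's crontab instead. The application path (/var/www/app) and the standard `php artisan schedule:run` cron line are assumptions; the sample crontab text is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audits crontab text for a Laravel scheduler entry that would run as root
# (the misconfiguration described in the talk) and produces the www-data entry.

APP_PATH="${APP_PATH:-/var/www/app}"   # assumption: where the Laravel app lives

# Print the non-comment lines of a crontab (passed as text) that invoke the
# Laravel scheduler. Commented-out entries are ignored.
scheduler_entries() {
    printf '%s\n' "$1" \
        | grep -Ev '^[[:space:]]*#' \
        | grep -E 'artisan[[:space:]]+schedule:run' || true
}

# Return 0 when the crontab text for USER is acceptable, 1 when a scheduler
# entry is found in root's crontab (the finding we want to surface).
audit_user_crontab() {
    user=$1
    crontab_text=$2
    hits=$(scheduler_entries "$crontab_text")
    if [ "$user" = "root" ] && [ -n "$hits" ]; then
        printf 'FINDING: Laravel scheduler runs as root:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# The line that should live in www-data's crontab instead. Install it with:
#   printf '%s\n' "$(scheduler_entry)" | sudo crontab -u www-data -
scheduler_entry() {
    printf '* * * * * cd %s && php artisan schedule:run >> /dev/null 2>&1\n' "$APP_PATH"
}

# Constructed sample of what `sudo crontab -l` might show on an affected host.
ROOT_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * cd /var/www/app && php artisan schedule:run >> /dev/null 2>&1'

# Live usage (needs root): audit_user_crontab root "$(crontab -l -u root 2>/dev/null)"
```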

Hopefully I'll never make this mistake again. If you haven't already seen Antti's talk, I'd highly recommend doing so asap!


For one of my recent projects I wanted to make use of the free allowance that AWS gives for SES.

One of the conditions of the SES allowance is that the calling app needs to be hosted on EC2.

I’ve not used EC2 before so I figured this would be a good way to dive into it.

Whilst I would never usually install software like Composer on a production server, this was purely to test things out.

So after signing up for AWS, creating an Ubuntu server on an EC2 t2.micro instance and cloning down the project, I ran composer install and was met with the following message:

composer install
Loading composer repositories with package information
Updating dependencies (including require-dev)

mmap() failed: [12] Cannot allocate memory

mmap() failed: [12] Cannot allocate memory
PHP Fatal error: Out of memory (allocated 822091776) (tried to allocate 4096 bytes) in phar:///usr/local/bin/composer/src/Composer/DependencyResolver/Solver.php on line 223

Fatal error: Out of memory (allocated 822091776) (tried to allocate 4096 bytes) in phar:///usr/local/bin/composer/src/Composer/DependencyResolver/Solver.php on line 223

822091776 bytes is over 800 MB of memory being consumed by Composer.


Introduction

I recently built my first site with Jigsaw and deployed it on Netlify.

As part of that project I had to get some data from the Instagram API and present a feed of the latest 5 images on the site.

Rather than dealing with CORS errors in JavaScript, I wondered what I could get away with in PHP during the build phase of a statically generated site.

Would I be able to:

  • Query some form of public JSON endpoint
  • Find the URLs for the latest 5 images
  • Download them locally and resize them for efficiency
  • Display them using Jigsaw
Talv Bansal

Full Stack Developer, Part Time Photographer