Friday, August 31, 2007

Python 3.0a1 has been released!

Congratulations to all Python developers on the release of Python 3.0a1!

My favourite language is on its way to get even better!

Tuesday, August 07, 2007

Crunchy-like sites for javascript and ruby

While I have been aware of the Try Ruby site for quite a while, recently I came across this interactive javascript tutorial. While none of these are nearly as flexible as Crunchy, they are nice resources that are currently available for anyone to try without needing to install anything. It would be nice if I could have a dedicated server running Crunchy in a sandbox so that people could try it out without having to download it.

flat is better than nested?

In the process of making Crunchy more secure, I paid extra attention to css files that contained import statements, since these can be used to insert javascript code. I was rather surprised when I looked at www.python.org. First, I noticed the line
  <link rel="stylesheet" type="text/css" media="screen"
id="screen-switcher-stylesheet" href="/styles/screen-switcher-default.css" />
which, in itself, appears rather ordinary. Upon following the link, I found that the content of the css file consists of the single line:
@import url(../styles/styles.css);

In its default security mode, Crunchy just ignores any style information that contains "url(" in it. As a result, when viewed using the default security mode for Crunchy, the python.org site's formatting is lost.

I wonder why the link redirection is used...
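As an added illustration of the filtering rule described above (this is example code written for this page, not Crunchy's own sanitizer), the function below applies the default "any url( rejects the whole stylesheet" rule to the python.org one-liner, and wraps it in a small ElementTree pass that also strips script elements, inline event handlers and javascript: links. It goes a little beyond the rule in the post: CSS comments are stripped and backslash escapes decoded before matching, so a stylesheet spelling the function as `\75 rl(` does not slip through a substring test, and an optional strict mode also rejects `@import "file.css"` (which is valid CSS and contains no `url(` at all). The `fetch` hook and the sample page are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the one-line stylesheet python.org served at the time.
PYTHON_ORG_SWITCHER_CSS = "@import url(../styles/styles.css);"

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
HEX_ESC_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")
CHAR_ESC_RE = re.compile(r"\\(.)", re.DOTALL)
URL_RE = re.compile(r"url\s*\(", re.IGNORECASE)
# Constructs that can load or run code without spelling out 'url(':
# @import with a bare string, IE's expression()/behavior:, Gecko's -moz-binding.
RISKY_RE = re.compile(r"@import|expression\s*\(|behavior\s*:|-moz-binding",
                      re.IGNORECASE)


def normalize_css(css):
    """Strip comments and decode CSS backslash escapes first, so that
    'u\\72 l(' (which a browser reads as 'url(') cannot slip past a
    plain substring test."""
    css = COMMENT_RE.sub("", css)
    css = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), css)
    return CHAR_ESC_RE.sub(r"\1", css)


def style_is_allowed(css, strict=False):
    """Default mode is the rule described in the post: any 'url(' rejects
    the whole stylesheet.  strict=True also rejects the RISKY_RE constructs."""
    css = normalize_css(css)
    if URL_RE.search(css):
        return False
    return not (strict and RISKY_RE.search(css))


def sanitize_page(xhtml, fetch=None, strict=False):
    """Return the page with <script>, inline event handlers, javascript: URLs
    and disallowed style information removed.  'fetch' maps a stylesheet href
    to its text (hypothetical hook); a linked stylesheet that cannot be fetched
    or that fails the check is dropped, which is what happens to python.org."""
    root = ET.fromstring(xhtml)
    for parent in list(root.iter()):
        for child in list(parent):
            tag = child.tag.lower()
            if tag == "script":
                parent.remove(child)
            elif tag == "style" and not style_is_allowed(child.text or "", strict):
                parent.remove(child)
            elif tag == "link" and "stylesheet" in child.get("rel", "").lower():
                css = fetch(child.get("href", "")) if fetch else None
                if css is None or not style_is_allowed(css, strict):
                    parent.remove(child)
    # Attributes are checked after parsing, so entity-encoded values such as
    # &#106;avascript: have already been decoded by the parser.
    for el in root.iter():
        for name, value in list(el.attrib.items()):
            lname = name.lower()
            if lname.startswith("on"):
                del el.attrib[name]
            elif lname == "style" and not style_is_allowed(value, strict):
                del el.attrib[name]
            elif lname in ("href", "src") and value.strip().lower().startswith("javascript:"):
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode")


# Constructed sample page mixing the python.org <link> with a few hostile bits.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" type="text/css" media="screen"
id="screen-switcher-stylesheet" href="/styles/screen-switcher-default.css" />
<style>body { color: #369; }</style>
<script type="text/javascript">alert(1)</script>
</head><body onload="alert(2)">
<h1 style="background: url(x.png)">Title</h1>
<a href="&#106;avascript:alert(3)">link</a>
<pre>print 'hello'</pre>
</body></html>"""

if __name__ == "__main__":
    print(sanitize_page(SAMPLE_PAGE, fetch=lambda href: PYTHON_ORG_SWITCHER_CSS))
```

Run against the sample with a fetch hook returning the python.org stylesheet, the `<link>` disappears exactly as the post describes, while the harmless inline `<style>` survives; the same page with a stylesheet containing no `url(` keeps its link. Real pages are rarely well-formed XML, so a production version would parse with a tolerant HTML parser (the announcement below mentions BeautifulSoup) before applying the same checks.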

Saturday, July 28, 2007

Crunchy Security Advisory

A security hole has been uncovered in Crunchy (version 0.9.1.1 and earlier).

Anyone using Crunchy to browse web tutorials should only visit sites that are trustworthy.

We are working hard on fixing the hole; a new release addressing the problems that have been found should be forthcoming shortly.

-----

The security problem is as follows:

In theory, a web page could contain some javascript code (or a link to such code) that would bypass Crunchy's filter and be executed by the browser. If that happened, the javascript code could be designed to send some Python code directly to the Python backend (i.e. without the Crunchy user pressing a button, or having a chance to view the code about to be executed) so that it is executed. Such code could delete the user's files or install a virus on the user's machine.

At the moment, the risk is pretty low. Crunchy already removes all obvious (and most non-obvious) javascript code, links to such code, etc. The holes found require an uncommon combination of html and css, together with specific knowledge of Firefox.

(Note that browsers other than Firefox are likely to be even more vulnerable).

Furthermore, Crunchy is not well known enough to be a likely target for a cracker who would have to 1) write a "tutorial" interesting enough to lure current Crunchy users (who, at this point, are likely to include only advanced Python users) and 2) write some fairly involved javascript code to bypass the second security layer (where the commands enabling communication between the browser and Crunchy are made up of random strings generated uniquely at each new Crunchy session).

If anyone is interested in security issues related to Crunchy, feel free to contact me directly.
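The "second security layer" mentioned above, per-session random command names, can be sketched in a few lines. The following is an added example written for this page in modern Python 3, not Crunchy's 2007 code; the class name, the `/name_token` path layout and the stand-in handler are assumptions. It shows the two properties that matter: the token comes from a cryptographic generator and is different on every run, and every failed lookup produces the same 404 whether the command name or the token was wrong.

```python
import hmac
import secrets


class SessionGuard:
    """Per-session random command names, in the spirit of the advisory's
    second layer: the browser can only reach a backend handler through a path
    that embeds a secret generated when the session starts."""

    def __init__(self, commands):
        self.token = secrets.token_hex(16)  # 128 random bits, fresh each run
        self.commands = dict(commands)      # command name -> handler(body)

    def path_for(self, name):
        """Path the served page must use to invoke 'name'."""
        return "/%s_%s" % (name, self.token)

    def dispatch(self, path, body=""):
        """Return (status, response).  Anything that does not carry this
        session's token gets the same 404, with no hint about what was wrong."""
        name, sep, token = path.lstrip("/").rpartition("_")
        if not sep or name not in self.commands:
            return 404, "not found"
        if not hmac.compare_digest(token, self.token):  # constant-time compare
            return 404, "not found"
        return 200, self.commands[name](body)


def queue_for_execution(code):
    """Stand-in for the Python backend: only reports what it would run."""
    return "would execute %d bytes of Python" % len(code)


if __name__ == "__main__":
    guard = SessionGuard({"exec": queue_for_execution})
    print(guard.dispatch(guard.path_for("exec"), "print 'hi'"))
    print(guard.dispatch("/exec_" + "0" * 32, "print 'hi'"))  # guessed token
```

The caveat a practitioner should keep in mind is that the token has to be delivered to the page so that Crunchy's own buttons can use it, so any script that actually runs inside that page can read it from the DOM or the served JavaScript. The random names therefore defeat requests coming from other origins (another tab guessing at http://localhost), not script that has already got past the first filter; that is why the advisory treats the filter bypass itself as the real problem.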

Tuesday, July 10, 2007

Rur-ple 1.0rc2 : bug fix for wxPython 2.8

Three changes; a grand total of 3 lines of code. That's all I needed to change to make rur-ple work with wxPython 2.8 (and probably 2.7). It only took me 8 months to get around to fixing it, due to a combination of lack of time and, when I had time, my obsession with Crunchy.

Speaking of Crunchy, I found a bug today: any Python output that has something like
< ..... >
in it will have the text between the angle brackets hidden, because the browser thinks it is a valid tag. The first time I noticed it was when I tried help(cmp). Then, I was going through "How to Think Like a Computer Scientist" (before I point my son to it) and noticed that the exercise with type(...) did not work. So, it is time for a bug fix release - but no official announcement of this minor release. I'm curious to see if I'll hear from someone about this bug prior to the next "major" release.
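The bug and its fix, as an added example (written for this page in Python 3, not the Crunchy patch itself): interpreter output must be HTML-escaped before it is placed in the page, otherwise `<built-in function cmp>` or `<type 'int'>` is parsed as a tag and vanishes. The sample output and the small parser used to show what the browser would display are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample of interpreter output containing angle brackets, as
# help(cmp) and type(...) produce under Python 2.
SAMPLE_OUTPUT = ("Help on built-in function cmp in module __builtin__:\n"
                 "<built-in function cmp>\n"
                 "<type 'int'>\n")


def render_output(output, escaped=True):
    """Wrap interpreter output for insertion into the page.  escaped=False
    reproduces the bug: the raw text is handed to the browser as markup."""
    body = escape(output, quote=False) if escaped else output
    return "<pre>%s</pre>" % body


class _TextCollector(HTMLParser):
    """Collects the character data a browser would display, dropping tags."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def displayed_text(fragment):
    """What the user actually sees once the browser has parsed 'fragment'."""
    parser = _TextCollector()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print(displayed_text(render_output(SAMPLE_OUTPUT, escaped=False)))
    print(displayed_text(render_output(SAMPLE_OUTPUT)))
```

With `escaped=False` the two bracketed lines are swallowed as tags; with escaping the displayed text round-trips exactly. The same rule applies to anything else the backend echoes into the page, since unescaped output is also the classic way for untrusted text to become script.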

Monday, July 09, 2007

New Crunchy (0.9) is out

By now, the official announcement should have made it to many lists. After a mad rush of coding and writing documentation over the past week or so, and implementing lots of new cool features, the new Crunchy is officially taking over from the old one.

I believe that this new version can do much to promote Python usage. If you do agree, please mention it!

Here's a copy of the announcement I sent to various lists:

Crunchy 0.9 has been released. It is available at http://code.google.com/p/crunchy

What is Crunchy?

Crunchy is an application that transforms html Python tutorials into interactive sessions viewed within a browser. We are not aware of any other application (in any language) similar to Crunchy. Currently Crunchy has only been fully tested with Firefox; we know that some browsers simply don't work with it. Crunchy should work with all operating systems - it has been tested fairly extensively on Linux, Windows and Mac OS.

What is new in this release?

Crunchy has been rewritten from scratch from the previous version (0.8.2), to use a custom plugin architecture. This makes it easier to extend and add new functionality. Rather than list the differences with the old release, it is easier to list the essential features of this new version.

1. Crunchy can work best with specially marked-up html tutorials. However, it can now work with any html tutorials - including the official Python tutorial on the python.org site. Html pages can be loaded locally or remotely from anywhere on the Internet. Crunchy uses a combination of Elementtree and BeautifulSoup to process html pages. Non W3C-compliant pages can be handled, but the visual appearance is not guaranteed to reproduce that normally seen using a browser.

2. Crunchy can insert a number of Python interpreters inside a web page. In the default mode, it does that whenever it encounters an html [pre] element, which is assumed to contain some Python code. These interpreters can either share a common environment (e.g. modules imported in one of them are known in the others) or be isolated from one another.

3. Crunchy adds automatic css styling to the Python code - you can look at the official Python tutorial using your browser (all Python code in blue) and compare with what Crunchy displays to give you a good idea.

4. Instead of inserting an interpreter, Crunchy can insert a code editor that can be used to modify the Python code on the page and execute it. The editor can be toggled to become a fairly decent syntax aware editor that can save and load files.

5. Crunchy has a "doctest" feature where the code inside the [pre] is taken to be the result of an interpreter session and the user has to write the code so as to make the interpreter session valid; this is useful in a teaching environment. Messages from Crunchy's doctest are "friendlier" for Python beginners than the usual tracebacks.

6. Crunchy has a small graphics library that can be imported, either inside an editor or an interpreter, to produce simple graphics (even animations!) inside the browser.

7. For the user that needs better quality graphics, Crunchy supports programs (such as matplotlib) that can create image files; by executing the code, the image produced is loaded inside the browser window. In this capacity, Crunchy could be used as a front end for libraries such as matplotlib.

8. Crunchy supports executing files as separate processes, making it suitable for launching gui based applications from the browser window.

9. Crunchy's interpreter has an interactive "help" feature like many python-aware IDEs.

10. Crunchy includes a fairly comprehensive tutorial on its own use, as well as a reference for tutorial writers that want to make their tutorials "crunchy-friendlier".

11. As a security feature, crunchy strips all pre-existing javascript code from an html page before displaying it inside the browser window.

Bug reports, comments and suggestions are always welcome.

André Roberge, for the Crunchy team.

Sunday, June 24, 2007

Fun with the new Crunchy

Since the new Crunchy can work with files that have no Crunchy-specific additional markup, some neat experiments are possible, in addition to playing with the official Python tutorial with a Python interpreter embedded on the web page that I mentioned in my last post. For the curious among you, here's something else to try.

Assuming you have the latest (version 0.2) alpha release of the new Crunchy, edit the file vlam.py, replacing "interpreter" by "editor" at lines 108 and 109. Then, launch Crunchy and click on the "tests" link. On the following page, click on the "Loading arbitrary tutorials" link. Then, in the box for loading remote tutorials, enter the address of the Python cookbook (http://aspn.activestate.com/ASPN/Python/Cookbook/).
The formatting will be off, but you can select your favorite recipe. When you do this, you can edit the code and execute it right on the page. Often, all you need to do is to replace __name__ == "__main__" by True and you are ready to try the examples, modifying them at will.

In the near future, Crunchy will provide an easy way to select which interactive element (Python interpreter or editor) is to be inserted by default, without having to edit the code by hand.