Xdebug 2.6
Thursday February 1st, 2018 at 2:04 AM

Derick Rethans
1 Comment

Xdebug 2.6

London, UK
Tuesday, January 30th 2018, 09:11 GMT

I have just released Xdebug 2.6. Xdebug 2.6 adds supports for PHP 7.2 (and drops support for PHP 5), and adds a whole bunch of new features. This article describes these new features.

Garbage Collection Statistics

PHP has a built-in garbage collector, which makes it possible for PHP to free up memory that normally would be lost due to interdependent references. I wrote about the garbage collectors in previous articles.

Xdebug 2.6 provides insight into the runs of PHP's built-in Garbage Collector. There are two new functions: xdebug_get_gc_run_count(), which returns how often the Garbage Collector has run, and xdebug_get_gc_total_collected_roots(), which returns the number of variable roots that the garbage collection has collected.

There is also a new set of settings: xdebug.gc_stats_enable, xdebug.gc_stats_output_dir, and xdebug.gc_stats_output_name. When the statistics collection is enabled by setting xdebug.gc_stats_enable to true, Xdebug will write a file to the configured output directory with a name configured through xdebug.gc_stats_output_name. Just like xdebug.trace_output_name, the latter supports different format specifier to add additional information to the file names.

Instead of recording the Garbage Collection runs for the whole script, you can also selectively record this information by using xdebug_start_gcstats() and xdebug_stop_gcstats().

When PHP's garbage collector runs, Xdebug will write information about each run into a file. The format of the file is:

Garbage Collection Report
version: 1
creator: xdebug 2.6.0 (PHP 7.2.0)

Collected | Efficiency% | Duration | Memory Before | Memory After | Reduction% | Function
----------+-------------+----------+---------------+--------------+------------+---------
    10000 |    100.00 % |  0.00 ms |       5539880 |       579880 |    79.53 % | bar
    10000 |    100.00 % |  0.00 ms |       5540040 |       580040 |    79.53 % | Garbage::produce
     4001 |     40.01 % |  0.00 ms |       2563048 |       578968 |    77.41 % | gc_collect_cycles

For each run, it will write how many roots are collected, and how much % of them ends up getting freed. The duration of the Garbage Collector's run, and the memory usage before and after are also recorded, as well as how much reduction in memory usage this Garbage Collector run created. The last column shows the active function or method name when the Garbage Collection algorithm was run, or gc_collect_cycles() if it was run manually.

Profiler Enhancements

Xdebug's profiler now also collects information about memory usage. This can assist tracking down which parts of your application allocate a lot of memory, and perhaps why some memory is not freed up.

Caveat: As described above in Garbage Collection Statistics, PHP has a Garbage Collector built in, which can trigger at seemingly random times. This will distort the memory information that is recorded in the profiler's output files. In order to get better results for memory profiling, you might want to consider disabling PHP's internal garbage collector.

Additionally, Xdebug will now add a X-Xdebug-Profile-Filename HTTP header for requests for which the profiler is active. This header holds the name of the file that contains the profiling information for that request.

Remote Debugging Improvements

A new protocol feature, extended_properties, has been introduced that IDEs can opt into. When this feature is enabled, Xdebug will send variable names as Base64 encoded data to allow for characters that can not be represented safely in XML.

Another new protocol feature, notifications, has been introduced that IDEs can opt into. When this feature is enabled, Xdebug will send any Notice, Warning, or Error as an out-of-band notification over the debugging protocol to the IDE which can then display this information.

A new setting, xdebug.remote_timeout, has been added to configure how long Xdebug should wait for an IDE to acknowledge an incoming debugging connection. The default value, 200 ms, should in most cases be enough, but can be increased if you have a particularly high latency on your network and Xdebug fails to make a connection due to the low timeout.

A new function, xdebug_is_debugger_active(), can be used whether there currently is an IDE attached to Xdebug through the DBGp protocol.

Xdebug now supports debugging through Unix domain sockets. You can specify Unix domain socket "hosts" with unix:///path/to/sock, with thanks to Sara Golemon.

Xdebug now enables FD_CLOEXEC on its debugging sockets to prevent them from being leaked to forked processes, thanks to Chris Wright.

Smaller Improvements

A new setting, xdebug.filename_format, has been added to configure how Xdebug will render filenames in HTML-like stack traces. Just like xdebug.trace_output_name, it accepts a set of format specifiers that can be used to include certain aspects of a path. Xdebug 2.6 adds the specifiers below. With a full path of /var/www/vendor/mail/transport/mta.php, the able below lists what each specifier represents:

L

Description

Example

%n

File name

mta.php

%p

Directory and file name

transport/mta.php

%a

Two directory segments and filename

mail/transport/mta.php

%f

Full path

/var/www/vendor/mail/transport/mta.php

%s

Platform specific slash

/ on Linux and OSX, \ on Windows

Xdebug now adds the values of superglobals to the error log as well. Previously, it would only add this information to on-screen stack traces. In order for Xdebug to show this information, you need to configure through xdebug.dump_globals and xdebug.dump.* which superglobal keys you want to see at all.

The %s format specifier is now available to be used with the xdebug.trace_output_name setting. Previously, it was only available for use with the xdebug.profiler_output_name setting.

Trace files generated with xdebug.collect_assignments now also contain assign-by-ref (=&) assignments.

Behavioural Changes

Instead of throwing a fatal error when an infinite recursion (xdebug.max_nesting_level) is detected, Xdebug now throws an Error exception instead.

Conclusion

As you can see, Xdebug 2.6 packs a whole bunch of new features and has been the cumulation of a little over a year's work. Although the majority of the work was done by myself, there were notable contributions by Arnaud Gendre, Benjamin Eberlei, Chris Wright, Emir Beganović, Frode E. Moe, Kalle Sommer Nielsen, Nikita Popov, Sara Golemon, Remi Collet, and Zaid Al Khishman.

During the year I have also launched my Patreon page, in case, you want to contribute for further development of Xdebug. Alternatively, you might want to look at my Amazon wishlist to say thank you.

Flattr this
Read the whole story
chrisminett
2823 days ago
reply
Very useful right now
Milton Keynes, UK
Share this story
Delete

Elon Musk’s Boring Company unveils a flamethrower, starts pre-orders for $500 by Fred Lambert
Monday January 29th, 2018 at 5:02 AM

Electrek
1 Comment

Well, it looks like Elon Musk has officially lost it and he is adding ‘arms dealer’ to his long list of occupations. After joking about raising money for his new startup, the Boring Company, through selling hats, Musk said that their next product (before actual tunnels and electric transportation systems) will be flamethrowers.

Now it looks like he actually did it. more…





Read the whole story
chrisminett
2826 days ago
reply
He's lost it. Or maybe this is just another sign of the evil plan for world domination!? Awesome.
Milton Keynes, UK
Share this story
Delete

The healing hands of customer support get an acronym: Do YOU have 'tallah-toe-big'? by Alistair Dabbs
Sunday January 7th, 2018 at 5:46 AM

The Register articles by Alistair Dabbs
1 Comment

Something for the Weekend, Sir? My computer's crashed! I've lost everythi… oh, never mind, it's working again

"I have something to show you," she purrs, reclining suggestively across the sofa. "Come and have a peek."

Read the whole story
chrisminett
2848 days ago
reply
TALATOBIG
Milton Keynes, UK
Share this story
Delete

Meltdown and Spectre
Saturday January 6th, 2018 at 2:49 AM

xkcd.com
6 Comments and 26 Shares
New zero-day vulnerability: In addition to rowhammer, it turns out lots of servers are vulnerable to regular hammers, too.
Read the whole story
letssurf
2849 days ago
reply
Awesome
Northampton, UK
chrisminett
2849 days ago
reply
Milton Keynes, UK
Share this story
Delete
5 public comments
warej
2843 days ago
reply
Do we just suck at computers? ;)
reconbot
2847 days ago
reply
hammer boom
New York City
taddevries
2848 days ago
reply
Perfect!!!!!!
cjheinz
2849 days ago
reply
Install updates. By all means.
Lexington, KY; Naples, FL
alt_text_bot
2850 days ago
reply
New zero-day vulnerability: In addition to rowhammer, it turns out lots of servers are vulnerable to regular hammers, too.

1Password keeps you safe by keeping you in the loop by Jeffrey Goldberg
Wednesday January 3rd, 2018 at 4:53 AM

1Password Blog
1 Comment

This is a story with many beginnings and many threads coming together. The very short read of it is that 1Password’s browser extension has always been designed from the outset to keep you safe from some recently discovered browser based attacks on some password managers.

Researchers at Princeton University’s Web Transparency and Accountability Project were investigating tracking scripts on web pages, and discovered that several of them attack browser-based password managers and extract the email addresses, usernames and sites stored in the browser’s password manager. As I said, 1Password is designed in such a way as to not be vulnerable to the kinds of attacks those scripts used. The scripts that attempt this are from Adthink (audience insights) and OnAudience (behavioralengine).

Whether or not they make malicious use of the passwords they extract, they are certainly learning which sites you have records for in those password managers. I would like to add that we’ve designed 1Password so that we cannot know which sites and services you have logins for.

There is a huge amount to say about the contemptible behavior of these trackers, and I’m hopeful that others will say so clearly. Here, I want to talk more about what all of this illustrates about 1Password’s design and our approach to security.

Saying “no” to automatic autofill

A commonly requested feature is an option that that would have 1Password automatically fill in web forms as soon as you navigate to those pages in your browser. 1Password, instead, always requires that you take some action. Perhaps it is just hitting ⌘-\ or Ctrl-\ or using our Go and Fill mechanism or even setting up a 1Click Bookmark. But whatever of several mechanisms 1Password makes available, you have to tell it that you want it to fill material on the page.

Plenty of you have written in over the years, saying that they would like 1Password to fill in web forms as soon as they get to a page, with no human intervention. We’ve even been told that it is a very popular feature of some other password managers.

It’s not a lot of fun saying “no” to feature requests. But that is what we have done for as long as I can remember. And for the rest of this article, I’m going to draw from something I wrote in our forums back in 2014.

Because of security concerns we are disinclined at this time to offer, even as an option, the feature you (and so many others) are asking for. […] but I do want to give you an overview of our reasoning for what might seem like an odd choice.

Automatically filling a web form with no user intervention other than visiting the page can, if combined with something that works around the anti-phishing mechanism [of 1Password], lead to an attack where lots your usernames and passwords are submitted to a malicious site in a way that is silent and invisible to you.

The longer answer

I will use the terminology adopted by David Silver and co-authors in Password Managers: Attacks and Defenses at the USENIX security conference (2014). In the terminology of that paper, this requested feature is “automatic auto-fill” instead of what 1Password does with “manual auto-fill”. That is, 1Password requires some user intervention before it will fill a form (such as you typing Ctrl-\), instead of simply filling when you visit a page.

Although I am citing material from 2014, this kind of attack had been discussed since at least 2006, noting that

It’s really not phishing, as it doesn’t actually require the user to believe anything, as the social engineering portion of the attack is not there. As such you can steal user information through any page, as long as the automatic form submission requires no user input to fill the form.

This isn’t new.

Why am I now going to talk about phishing?

One of the great security benefits of 1Password is that it helps you avoid phishing attacks. When you ask 1Password to fill information into a page, it will not fill into pages that don’t match the URL of the item.

1Password has a number of mechanisms to prevent filling into the wrong page. That is, if you go to a form at paypal.evil.com 1Password will not fill in a password saved for paypal.com because the domains don’t match correctly. Tricking a person into filling out something like their PayPal password to something that only masquerades as PayPal is called “phishing”. The idea is that it should be harder to trick a password manager than a person. And it usually is. This is one of the many ways in which 1Password keeps you safe.

For the kinds of attacks we’ve been talking about, the malicious web page content needs to trick or by-pass the password manager’s anti-phishing mechanism. If a malicious script on MyKittyPictures.org is going to try to grab PayPal credentials, then it is going to have to fool the password manager into thinking that it is filling in a place that matches paypal.com.

We work very hard to make 1Password do the right thing in such cases. 1Password’s anti-phishing mechanisms work very well at preventing it from filling into the “wrong” web forms. But because of the nature of the HTML, iFrames, protocols, javascript, iFrames, conventions, page designs, and iFrames, the defenses that we (and everyone) have to use are messy and involve a series of rules and exceptions and exceptions to those exceptions. (Did I mention that iFrames are a trouble spot?) It is exactly the kind of thing that we know can go wrong.

So the question we’ve had to ask ourselves is if the anti-phishing mechanisms are strong enough to mean that we never ever have to worry about 1Password in data to the wrong place. We needed to decide whether the tools available for that defense are strong enough to allow us to build a mechanism that meets our standards. Unfortunately they don’t, and so we insist on another line of defense.

Invisible forms

The fields in which usernames, passwords, credit card numbers, and so on get filled won’t always be visible to you. Any page could have a form on it that you don’t see. If the designer of the form is attempting to trick a form filling mechanism, there is no way that 1Password could actually check to see if the fields really are visible.

So if the anti-phishing mechanism can be tricked, then when you visit a malicious web page (including those that have malicious tracking scripts on them) you could have your private information silently and invisibly stolen if automatic auto-fill were in place.

Sweep attacks

The malicious form could be designed to reload itself spoofing a different password each time. So that is, a single malicious injection point could trick your automatically auto-filling password manager into giving up your passwords for many different sites. David Silver referred to these as “sweep attacks”, and that is what it appears that these advert trackers are doing.

At this point, I have not fully studied their scripts to know the precise mechanisms they used, but it certainly is some form of sweep attack.

Doing good and doing no harm

Here is where I go off on a bit of a philosophical abstraction. As I’ve said, I don’t believe that a password manager can offer 100% absolute protection against phishing. But suppose there is one attack out of a million in which it fails to protect against phishing. If you use 1Password, you are much safer against the other 999,999 attempts and you are no worse off than you would be without it. Even in that one in a million case, using 1Password doesn’t add to your risk.

But now contrast that with a situation with a password manager that does allow automatic autofill. A password manager that can be subject to a sweep attack enables a kind of attack that wouldn’t be possible without the use of a password manager.


If you are using a password manager that allows for automatic autofill, turn that feature off. If you are using a password manager that doesn’t allow you to turn that feature off, switch password managers. And when you consider making such a switch, please remember that we’ve never allowed automatic autofill at any time in our more than 10 year history. We believe that you have to be in the loop when it comes to giving your secrets to anyone else. That design philosophy helps keep you safe and in control.

It ain’t over till it’s over

I’m sure that there will be more news to come over the next few days or weeks about the extent of these malicious trackers and precisely which password managers were affected. So please follow in comments for more information.

Read the whole story
chrisminett
2852 days ago
reply
Exploit is similar to the issue we've been having with Chrome overwriting the user's entry
Milton Keynes, UK
Share this story
Delete

Thanks to Google Maps It's Impossible to Hide the Millennium Falcon
Thursday November 9th, 2017 at 5:38 PM

FAIL Blog
1 Comment
Thanks to Google Maps It's Impossible to Hide the Millennium Falcon

It's a little unsettling how effective modern technology is at finding things that are supposed to be kept secret. 

Luckily, in this case, it's the harmless discovery that the Millennium Falcon, used in the upcoming Star Wars film, has been hidden behind some shipping containers on a golf course. 

We can't help but feel that the discovery of the spacecraft is eerily reminiscent of the scouting methods used in WWII before bombing raids of airfields. 

Submitted by:

Read the whole story
chrisminett
2906 days ago
reply
Well hidden
Milton Keynes, UK
Share this story
Delete
Next Page of Stories