Mephisto

Mephisto 0.8.2 is now available on the download page!

Mephisto’s JavaScript is in much better shape, and most of the remaining “tainted string” errors should now be fixed. The default article and comment filter is now Textile (instead of raw HTML), and our gem management has been cleaned up.

Many thanks to the Mephisto contributors brought you this release: Chris Cummer, James McCarthy, Matthias Lüdtke, Sean O’Brien and Gustavo Sales (who wrote the first version of the theme homepage fix).

Thanks also go to Chris Cummer for investigating Mephisto multisite caching issues. For information on setting up multisite, please see Mika Tuupola’s blog post and the thread on the MephistoBlog group. Alternatively, you can disable multisite support in config/initializers/custom.rb.

We’re actively working on a simpler solution for multisite caching. In particular, we’re looking into writing a custom Rack module under Rails 2.3. If you’re interested in helping, please join us on #mephisto. Contributors are always welcome!

A full list of patches appears after the jump.

John Nunemaker, top ruby blogger of 2008, just posted about RailsTips.org’s awesomely expanded footer. If you click through to the full post, you’ll see his custom plugin pulling the most popular articles from his Mint stats.

Mephisto is officially back! The 0.8.1 release features 157 patches since the start of the month, and several major improvements, including:

• Support for Rails 2.2.
• Unit tests at 100%.
• A major security audit.

Major kudos go to Isaac Kearse, who submitted 37 patches, and who has a bunch more pending on the new-plugins branch. Thanks go also to Dann Lynn, George Murphy, James McCarthy and Rick Olson for their contributions, and to all the testers on #mephisto.

This is an experimental release. Please back up your database before upgrading to Mephisto 0.8.1. Mephisto still has some bugs and rough edges left over from 0.8, but we decided to get a release out quickly, so that people could take advantage of the security fixes.

If you use Mephisto plugins, please see the recent post on plugin APIs. The plugin situation is a bit messy, and we apologize for your patience while we figure it out.

If you encounter any problems with 0.8.1, please drop by #mephisto. If you’d like to submit patches, please submit a pull request to emk on github. We’d like to make an 0.8.2 release fairly soon, and your help is always welcome.

Thank you for using and contributing to Mephisto!

Many web applications suffer from security vulnerabilities, including XSS attacks, CSRF attacks, and a whole catalog of other stuff. A typical vulnerability will give an attacker full administrative access to a site.

Rails applications actually tend to have above-average security, thanks to tools like protect_from_forgery. (In fact, quite of few of these tools are actually based on work by Mephisto’s own Rick Olson.) But unfortunately, Mephisto has been around a long time, and it predates many of the excellent Rails security tools.

So the Mephisto team sat down with the excellent Ruby on Rails security guide, and we started auditing Mephisto for security holes.

Our goal: Protect against attackers who don’t have access to /admin. Attackers who do have legitimate access to /admin can launch XSS attacks in a variety of hard-to-prevent ways, so we’re going to trust them not to be too sneaky for the time being.

So far, we’ve found and fixed quite a few issues. You can find a list at the end of this article.

Updating your Mephisto site

You can download Mephisto 0.8.1. We recommend making a backup of your Mephisto database before installing it. You’ll also want to hang onto your themes and public/assets directories.

If you have Mephisto plugins, please see the earlier article on plugin APIs. If you Mephisto is old enough, you may have better luck porting your plugins to the new-plugins branch, which also has a full set of security patches.

Our auditing philosophy

1. If it looks suspicious, fix it.
2. Prefer “brute force” solutions that protect against an entire class of attacks to solutions that require line-by-line auditing.

The OpenBSD team has an excellent security record, largely because they don’t wait to fix things until somebody actually finds a security hole. Instead, they dig through their code and fix bugs. If a bug looks even remotely suspicious, they assume that there’s probably some way to exploit it.

Similarly, whenever possible, we try not rely on the correctness of every view and controller. It’s too easy to leave out an h(...) call in some view. So we prefer “brute force” solutions whenever possible. For example:

• We have a forked version of Shinya Kasatani’s safe_erb that runs under Rails 2.2 and tries to detect missing h(...) calls. This helps protect against XSS attacks.
• We make all our model objects default to “read only” during GET requests. This helps protect against CSRF attacks.

Some of the things we’ve fixed so far

Here’s an incomplete list of the security problems we’ve fixed so far.

1. The Mephisto session secret is generated for each site, and no longer stored in config/environment.rb. This prevents attackers from forging session cookies and gaining full administrative access to any Mephisto site. (commit)
2. We’ve enabled protect_against_forgery for the accounts controller and for all the administrative controllers. This helps prevent CSRF attacks, which can be used by hostile sites to perform administrative actions. (commit)
3. We’ve upgraded to the latest Rails HTML sanitizer. This helps prevent XSS attacks, which can be used by attackers to steal cookies and gain administrative access. (commit)
4. We’ve inserted quite a few h(...) calls to help prevent XSS attacks. Most of these were only available to users with /admin access, however. (commit) (commit) (and many more)
5. We replaced many regexes of the form /^...$/ with regexes of the form /\A...\z/. Among other things, this change fixed a nasty XSS attack that could be exploited simply by posting a comment. (commit)
6. We fixed a tricky XSS attack against the comment error form. (commit)
7. We fixed a potential issue with empty or nil login tokens. I don’t know whether there was any way to exploit this. (commit)
8. We made records read-only by default during GET requests, helping to protect against CSRF attacks. (commit)

We also added patches to help protect against session fixation, <img src=... />-based CSRF attacks, and a number of other possible issues. And since Mephisto now supports Rails 2.2.2, you can also take advantage of the latest Rails security fixes, too.

One debugging tip: If you see an error like ActionView::TemplateError (attempted to output tainted string), you’ve run afoul of SafeERB and you probably need to insert an h(...) somewhere. Don’t hesitate to ask for help on #mephisto.

Many thanks go to Isaac Kearse, Dan Lynn, Rick Olson and Courtenay Gasking for fixing regressions introduced by the security patches, and to the folks on #mephisto for testing and bug reports!

Mephisto supports several different kinds of plugins, including:

1. FilteredColumn plugins. These add new <macro:*> forms for use in articles. Two good examples are filtered_column_code_macro and filtered_column_haskell_macro.
2. Custom Drop classes. These add new commands to Mephisto’s Liquid templates. For example, this drop adds an RSS feed sidebar to a site.
3. True Mephisto plugins. These plugin extend the actual Mephisto interface. A popular example is mephisto_contact_form.

3 APIs for true Mephisto plugins

Here’s where things get a bit complicated. Mephisto’s plugin API has changed several times. This doesn’t really affect FilteredColumn plugins, or custom drops, but it does mean that “true” Mephisto plugins are only compatible with specific versions of Mephisto.

There isn’t a lot of documentation for any of these 3 incompatible plugin APIs. So I can try to explain the history here, but I may make some mistakes. Thanks go to Sven Fuchs and Isaac Kearse, who explained all this to me. Any remaining errors are my own.

1. The original plugin API. This was a simple, declarative plugin API used in older versions of Mephisto. It made some plugins extremely easy to write, but it apparently didn’t offer an easy way of defining new controllers. You can find some notes by James Crisp on this API.
2. Sven Fuchs’ engines-based plugin API. Sven Fuchs overhauled the original API, and based it on Engines. For more details, see the porting notes for this API. You can find this API on Mephisto’s master branch.
3. Isaac’s Kearse’s new engines-based plugin API. Isaac Kearse is trying to combine the best features of the two earlier APIs. For some example code, see his updated version of the Mephisto feedback plugin. You can find this new plugin API on Mephisto’s new-plugins branch. Ideally, it should be extremely easy to port original-style plugins to this new API.

I’m leaning towards merging Isaac Kearse’s new API to the master branch, but he and I would like to solicit feedback from the Mephisto community first. Do you run lots of Mephisto plugins? Do you know what API they’re based on?

In the long run, we’d like to have an extremely stable plugin API, preferably based on the integrated Engines support in Rails 2.3. But we’re still figuring out how to get there. So thank you for your feedback and advice!

The development version of Mephisto now runs under Rails 2.2.2.

Particular thanks go to Isaac Kearse, who fixed scores of test-case failures and bugs. Thanks also go to James McCarthy and George Murphy for their patches, and to Rick, for his invaluable advice and support. This was a round-the-clock effort: I’d wake up in the morning and find a whole stack of patches waiting to be merged.

Here’s what we still need to do before releasing Mephisto 0.8.1:

1. We need to finish going through the interface, and fix any regressions that we find.
2. We need to test Mephisto with Phusion Passenger and other deployment environments.
3. We need to make sure the plugin system is still working.

If you’d like to check it out, please see the installation instructions for Edge Mephisto. Many thanks to everybody for their help!

Greetings! I’ve been doing some maintenance work on Mephisto. The current development version now supports Ruby 1.8.7 and Rails 2.0.5. The unit tests all pass, and model_stubbing has been ripped out and replaced with machinist. I want to thank Rick Olson, Sven Fuchs and Peter Suschlik for all their help.

There are several things that we should probably do before making a Mephisto 0.8.1 release:

1. Test the new Mephisto on a variety of different systems.
2. Merge any bug fixes that people want to get into trunk.
3. Fix some JavaScript issues with the asset manager.

If you’d like to try out the development version of Mephisto, please back up your database and see the installation notes on my github wiki. Better yet, make a copy of your database and run Mephisto somewhere that won’t interfere with your current site. Remember, this version of Mephisto is development software, and it may break in a variety of exciting ways.

If you’d like to submit bug fixes, please send me a push request on github (or point me at your git repository). This is an excellent time to get your least favorite bugs fixed once and for all.

Thank you for helping out with the development and testing of Mephisto!

Mephisto 0.8, “Drax”, is out, and the source is now hosted at our friends, Github.

There are many fixes, rewrites and improvements in the codebase, and development is actively continuing! Rather than talk about what’s new, I’m going to gush about git. We’ll cover what’s new in a future post.

Git, and github, allow for truly distributed development, and is a big deal for Mephisto development – as you can see in this graph of activity:

You can download release 0.8 from tarball or git checkout, or live on the edge.

The best thing about using Github is that you can easily fork Mephisto for yourself, or see what other people are working on and help them out. The idea of an ‘official’ repository becomes murky; the canonical repository in distributed source control is more of a convention.

Jon Baker wrote a great article on creating Mephisto themes. There’s also a nifty Liquid for Mephisto PDF cheatsheet by George that was released on the same day.

Finally, who posted as Dr Acula in the previous post? Totally awesome…

I’ve just added the over eager Mark Dagget to the Mephisto Core Team. He’s the author the open source project RAM (Ruby Asset Manager), as well as Pledgie. His main task is keep Mephisto on life support, starting with adding his unreleased but excellent Exception Notifier plugin.

I’m not sure how many other large sites use Mephisto, but I managed to deploy it to the-leaky-cauldron.org the other day (after lots of heavy modding to get things like polls and article ratings working). Leaky gets about 3 million unique visitors a month – and with 9,000 articles and over 300,000 comments (not all of which have converted yet) I thought I’d let you know. —Mephisto group message by Nick Poulden.

I’m not sure, but I think that’s one of the largest Mephisto installations around. Great job, Nick Poulden!

James Crisp wrote a nifty Contact Feedback plugin for Mephisto for the new Thoughtworks Studios site. The plugin looks nice, and fills a common need in Mephisto. Also, the Thoughtworks Studios site is extremely well-done. I had seen it before, but didn’t realize it used Mephisto. Major kudos to James Crisp and Thoughtworks!

For anyone that asks: it looks like the main difference between this, and my own feedback plugin is that mine doesn’t send emails. It stores them in the DB and lets you browse in the admin. Nice since your inbox doesn’t get the spam, but I’ve been finding that I often forget to check it :)

Is Mephisto dead? I see much more Typo activity recently than Mephisto. It’s the same with most open-source Rails apps. Development is cyclothymic – people get excited in the beginning, then slow down (or completely stop) – probably work on some “for pay” project, then get excited again (when the paid project is completed maybe?), then slow down again and so on. Substruct, Collaboa, Typo, RadRails, Project RIDE-ME, Active Merchant and many others… I don’t see this happening in Java world and I miss the “die hard” Java enthusiasm in the Rails community. —Nikolay Kolev, comments on previous article

Nope, it’s been on hold since the end of 2006. Mephisto has a tiny development team, and we’re both busy trying to launch a web service. We have 0 funding, so we’ve basically been devoting our “OSS project time” (and “sleep time”) towards Lighthouse instead.

I’ve found that most of the ‘successful’ open source projects have some source of real funding. Either there’s a company that needs the product enough to fund/hire the team, or they make enough through custom installs or commercial versions. Other than a handful of small consulting gigs and some donations, Mephisto has been purely a labor of love for us.

What’s going on right now:

• I’m entertaining the idea of extending to the core team, but I don’t feel there’s been anyone that seems interested in devoting the time.
• However, I’m thinking seriously of extracting a few things out as “official plugins” and opening up access on those small areas. The current candidate is XML-RPC support.
• There’s a small 0.7.4 update with a few security issues and annoying bugs fixed
• There’s an edge version with some notable new features (plugin admin, plugin support for RHTML/HAML templates, and soon: a multi-site admin)
• Once Lighthouse goes out of beta, we’ll have an official bug tracker.
• Core team doesn’t haven’t to mean “svn commit access” either. It could also mean “ticket overlord” or something.
• DNS info is currently being transferred to moniker…

However, Justin and I are committed to keeping Mephisto true to its roots. We’re not going to turn it into another bloated CMS, or a community blogging tool. It’s also not a kickstart to your rails app development. It’s strictly going to remain a kick ass publishing tool. Further features/integration should be done through the power of hyperlinks or APIs (exposed through custom Liquid drops).

Saimon has posted a mephisto_i18n plugin, as well as the first part of a companion tutorial for globalizing your Mephisto site.

Pascal just unleashed another Mephisto Theme Gallery, with a nice new theme ported from Wordpress: Cutline (side note: it’d be nice if we could link to themes directly somehow).

One neat feature is that Pascal provides some of the themes in alternate formats, such as RHTML, Erubis, and HAML. He took a bit of encouragement from me and managed to refactor the Liquid support in the edge version of Mephisto. It now supports custom template renderers in the form of plugins, with renderers for (you guess it, true believer!) RHTML, Erubis, and HAML.

On another note, one of the few original Mephisto themes, Skittlish, gets a Wordpress makeover.