
Blog

DfontSplitter 0.4.2 for Mac — Critical Security Update


Today I release DfontSplitter 0.4.2 for Mac. This is a critical security update that fixes an issue relating to the Sparkle software update framework when the update pages are served over HTTP. As of 0.4.2, the update pages are now, naturally, served over HTTPS. (It was more than five years ago when the last release was made!)

The vulnerability means that if an attacker can mount a man-in-the-middle attack while a Sparkle-enabled app checks for updates over plain HTTP, arbitrary JavaScript can execute in the WebView that renders the release notes. Because of the context that WebView runs in, the app could then be convinced to open local files, send local files to a remote server and even execute arbitrary code. More details and a full breakdown are in the post on Vulnerable Security.

This update fixes the Sparkle-related security issue by updating Sparkle and requiring HTTPS for all future DfontSplitter app update communications. Due to new build requirements in Xcode 7.2, the application now requires at least OS X Snow Leopard (10.6) and a 64-bit Intel processor.

The automatic updates feature within DfontSplitter should detect the update, but you can also download and install it manually.

Thanks to Kevin Chen for pointing out the existence of the issue with Sparkle and that it affected DfontSplitter. I had somehow missed the original reporting of the vulnerability, so I particularly appreciate Kevin bringing this to my timely attention.

The astute among you may note that in the Info.plist for this update, I explicitly disable the OS X 10.11 SDK’s check for HTTPS forward secrecy in the HTTPS communications to the update server. Once I figure out a cipher suite configuration that I am happy with, and understand, in Pound (my reverse proxy acting as the TLS terminus), I will update the app again to require forward secrecy.
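A practical check for the two things this post turns on: whether an app's Sparkle appcast (the `SUFeedURL` key) is still fetched over HTTP, and which App Transport Security (ATS) exceptions, the OS X 10.11 SDK check referred to above, have been granted for the update host. This is an added example in Python, not DfontSplitter's own code. The key names are Sparkle's and Apple's real ones; the two sample plists, the bundle identifier and the `updates.example.invalid` host are constructed placeholders.

```python
"""Audit a Sparkle-enabled app's Info.plist for an HTTP appcast and for
App Transport Security exceptions that weaken TLS for the update host.
Added example; SUFeedURL is Sparkle's appcast key, NSAppTransportSecurity
and the NSException* keys are Apple's ATS keys. Samples are constructed."""
import plistlib
from typing import List
from urllib.parse import urlparse

# Constructed sample 1: an app whose appcast is fetched over plain HTTP.
# The bundle identifier and host are placeholders, not DfontSplitter's values.
INSECURE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sparkleapp</string>
  <key>SUFeedURL</key>
  <string>http://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""

# Constructed sample 2: HTTPS feed plus an ATS exception that relaxes only the
# forward-secrecy requirement for the update host, as described in the post.
FIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sparkleapp</string>
  <key>SUFeedURL</key>
  <string>https://updates.example.invalid/appcast.xml</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.invalid</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_sparkle_plist(data: bytes) -> List[str]:
    """Return findings as 'SEVERITY: message' strings; [] means nothing flagged.
    plistlib.loads accepts both XML and binary plists."""
    info = plistlib.loads(data)
    findings: List[str] = []

    feed = info.get("SUFeedURL")
    if not feed:
        # Sparkle can also be handed the feed URL at runtime, so a missing key
        # is not proof of safety; the code path setting the URL must be read.
        findings.append("INFO: no SUFeedURL in Info.plist; feed may be set in code")
        return findings

    parsed = urlparse(feed)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(
            f"HIGH: appcast {feed} is fetched without TLS; a network attacker "
            "can rewrite the appcast and inject script into the release-notes WebView"
        )

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("HIGH: NSAllowsArbitraryLoads disables ATS for every host")

    # Per-domain exceptions only matter for the host the appcast is fetched from.
    exc = ats.get("NSExceptionDomains", {}).get(host, {})
    if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
        findings.append(f"HIGH: ATS exception allows plain HTTP to update host {host}")
    if exc.get("NSExceptionRequiresForwardSecrecy") is False:
        findings.append(
            f"LOW: ATS forward-secrecy requirement disabled for {host}; TLS is still "
            "enforced, but cipher suites without forward secrecy are accepted"
        )
    return findings


if __name__ == "__main__":
    for label, blob in (("insecure", INSECURE_PLIST), ("fixed", FIXED_PLIST)):
        print(label)
        for finding in audit_sparkle_plist(blob) or ["OK: nothing flagged"]:
            print("  " + finding)
```

To audit a real bundle, pass the bytes of `Something.app/Contents/Info.plist` to `audit_sparkle_plist`. An empty result only says the plist is clean; it says nothing about a feed URL set programmatically, and nothing about whether the Sparkle framework inside the bundle is itself a fixed version.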

The Very Simple PayPal Bridge

Just a quick note to say that I’m proud to announce the release of some more open source code, as part of my collaboration with Van Patten Media.

The Van Patten Media Labs site has all the details of the Very Simple PayPal Bridge — a simple way to connect to the PayPal API.

Interacting with the PayPal NVP API is something that a lot of e-commerce websites need to do. If you’re writing your own code for a bespoke e-commerce solution, rather than shoehorning in generic ‘Shopping Cart’ software, there is quite a lot to think about in order to communicate successfully with the API and provide a great payment experience for the site’s customers.

The Very Simple PayPal Bridge is a PHP class that, as the name suggests, provides a very simple interface for the PayPal NVP API.

In any situation where you need to interface more directly with the PayPal API, the VSPB provides a clean interface for the other layers of your code, dealing with all of the implementation details of sending requests via cURL, encoding and decoding the arguments, as well as offering full support for graceful error handling with PHP exceptions. It is great as a lower-level component of a wider PHP e-commerce solution.
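The three jobs a bridge like this has to get right are form-encoding the request, URL-decoding the response into fields, and turning a failed ACK into an exception that carries PayPal's error details. As an added illustration, here is that flow in Python with an injectable transport so the parsing can be exercised offline; it is not the Very Simple PayPal Bridge's PHP code. The NVP field names (METHOD, VERSION, USER, PWD, SIGNATURE, ACK, CORRELATIONID, L_ERRORCODE0 and friends) and the `api-3t.paypal.com/nvp` endpoint are PayPal's real ones; the API version, credentials and both sample responses are constructed placeholders.

```python
"""Request encoding, response decoding and ACK handling for the PayPal NVP API.
Added example in Python, not the Very Simple PayPal Bridge itself."""
from typing import Callable, Dict
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

# Real endpoint for signature-authenticated NVP calls (sandbox: api-3t.sandbox.paypal.com).
# API_VERSION is a placeholder: use the version the integration was tested against.
NVP_ENDPOINT = "https://api-3t.paypal.com/nvp"
API_VERSION = "109.0"

# Constructed sample responses, not captured from PayPal. PayPal percent-encodes
# punctuation such as '-' and ':' inside values, which is reproduced here.
SUCCESS_RESPONSE = (
    "TOKEN=EC%2dPLACEHOLDER0001&TIMESTAMP=2016%2d01%2d31T12%3a00%3a00Z"
    "&CORRELATIONID=abc123&ACK=Success&VERSION=109%2e0&BUILD=000000"
)
FAILURE_RESPONSE = (
    "TIMESTAMP=2016%2d01%2d31T12%3a00%3a00Z&CORRELATIONID=def456&ACK=Failure"
    "&VERSION=109%2e0&BUILD=000000&L_ERRORCODE0=10002"
    "&L_SHORTMESSAGE0=Security%20error"
    "&L_LONGMESSAGE0=Security%20header%20is%20not%20valid&L_SEVERITYCODE0=Error"
)


class NvpError(Exception):
    """A non-success ACK. Carries PayPal's first error triple plus the
    CORRELATIONID, which is what PayPal asks for when investigating a call."""

    def __init__(self, fields: Dict[str, str]):
        self.ack = fields.get("ACK", "")
        self.code = fields.get("L_ERRORCODE0", "")
        self.short_message = fields.get("L_SHORTMESSAGE0", "")
        self.long_message = fields.get("L_LONGMESSAGE0", "")
        self.correlation_id = fields.get("CORRELATIONID", "")
        super().__init__(f"{self.ack} {self.code}: {self.long_message} "
                         f"(CORRELATIONID {self.correlation_id})")


def encode_request(method: str, params: Dict[str, str], creds: Dict[str, str]) -> str:
    """Form-encode one NVP call. Credentials (USER, PWD, SIGNATURE) go in the POST
    body so they are covered by TLS and never appear in a query string or log."""
    body = {"METHOD": method, "VERSION": API_VERSION}
    body.update(creds)
    body.update(params)  # caller's fields such as PAYMENTREQUEST_0_AMT, RETURNURL
    return urlencode(body)


def decode_response(raw: str) -> Dict[str, str]:
    """URL-decode an NVP response body into a dict. keep_blank_values matters
    because PayPal returns empty fields that must not silently disappear."""
    return dict(parse_qsl(raw, keep_blank_values=True))


def check_ack(fields: Dict[str, str]) -> Dict[str, str]:
    """Only Success and SuccessWithWarning mean the operation happened; anything
    else (Failure, FailureWithWarning) is raised as NvpError."""
    if fields.get("ACK") not in ("Success", "SuccessWithWarning"):
        raise NvpError(fields)
    return fields


def https_post(body: str) -> str:
    """Default transport. urlopen validates the server certificate against the
    system trust store; never hand it an unverified SSL context for a payment API."""
    req = Request(NVP_ENDPOINT, data=body.encode("ascii"), method="POST")
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def call(method: str, params: Dict[str, str], creds: Dict[str, str],
         transport: Callable[[str], str] = https_post) -> Dict[str, str]:
    """Encode, send, decode and ACK-check one NVP call."""
    return check_ack(decode_response(transport(encode_request(method, params, creds))))


if __name__ == "__main__":
    creds = {"USER": "api.user.example", "PWD": "placeholder", "SIGNATURE": "placeholder"}
    ok = call("SetExpressCheckout", {"PAYMENTREQUEST_0_AMT": "10.00"}, creds,
              transport=lambda _body: SUCCESS_RESPONSE)
    print("token:", ok["TOKEN"])
    try:
        call("SetExpressCheckout", {"PAYMENTREQUEST_0_AMT": "10.00"}, creds,
             transport=lambda _body: FAILURE_RESPONSE)
    except NvpError as err:
        print("failed:", err)
```

The transport is a plain callable so the layers above it can be unit-tested against recorded bodies without ever touching PayPal, and the exception carries the error fields rather than a flattened string so calling code can branch on the numeric error code.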

For more information, see the post on Van Patten Media Labs and check out the code at GitHub!

DfontSplitter for Windows 0.3.1


“What? I thought you updated this yesterday?”

Well, I did. 😛

Hot on the heels of yesterday’s auto-update-capable release comes DfontSplitter for Windows 0.3.1. This version includes a single fix, introducing a new method of avoiding the dreaded ‘corrupt font file’ error. For some unknown reason, Windows will sometimes refuse to work with the original fondu output file, but if DfontSplitter simply makes a duplicate of that file, Windows will happily see the copy as a TrueType font! It is very odd behaviour, and the fix only works in some cases, but it should reduce the incidence of ‘corrupt font files’ being output by DfontSplitter for Windows, so users will less frequently have to jump through a secondary hoop to get Windows to play nicely with DfontSplitter’s output.

Here are the official release notes:

New Features and Bugfixes

  • Uses a new method to decrease the incidence of ‘invalid font file’ errors on Windows. More fonts should now convert correctly without requiring further intervention.

Known Issues

  • Some fonts still require further conversion after DfontSplitter has created the TrueType font file. FontForge is one option for this.

As always, you can get the latest and greatest version of DfontSplitter by downloading it from the DfontSplitter project page.

DfontSplitter for Windows 0.3


I have just released a new version of DfontSplitter for Windows, version 0.3. The main change here is a brand new automatic update notification system. Like the Mac version, which uses the excellent Sparkle Framework, users of DfontSplitter for Windows can now keep the application up-to-date without having to manually check the website. This makes my development of the software easier, as I can release smaller feature releases more frequently, rather than large releases that must have a longer lifespan.

Unfortunately, because the automatic update feature is new, previous users of DfontSplitter 0.2 are not going to be notified automatically about this new release. 🙁

If you know any other users of DfontSplitter for Windows, please let them know this update is available so they might have the opportunity to keep up-to-date with this new feature too.

Here are the official release notes for this version:

New Features and Bugfixes

  • New automatic update facility, similar to that of DfontSplitter for Mac. Users can now be notified of new releases in the future, which may include new features.

Known Issues

As always, you can get the latest and greatest version of DfontSplitter by downloading it from the DfontSplitter project page.

WPGet 1.0 Released

It has been quite a while since this bit of software was updated, but please welcome WPGet 1.0.

As well as the milestone of reaching version 1.0, this version now sports a host of new changes, including:

  • Switched over to Perl-compatible regular expressions for better forwards compatibility.
  • Ability to show only posts in a specified date range in WPGet’s output.
  • Ability to show only posts that match a specific search term in WPGet’s output.
  • Support for stripping links out of WPGet’s output.
  • Drops support for PHP 4.

The best way to install WPGet if you’re setting up a new installation is to use the hosted WPGet Installer. Existing users can upgrade their installations by running only Step 1 (‘set up for the first time’) of the installer and uploading the updated wpget.php file that will be generated.

Alternatively, you may download the installer to run yourself from the WPGet project page (or even perform a manual install if you are proficient in PHP).

The new release is also available at the PHP Classes page for WPGet and at HotScripts.

SleekTabs 0.2 released

It has been far too long since I first released SleekTabs, my PHP class which makes it easy to create tabs on your web page.

Finally, after a lot of doing not a lot, and some sporadic bursts of development, I’d like to introduce SleekTabs 0.2. First of all, I want to thank Richard Fitzgerald, who initially contacted me with an idea for this release’s main feature, caching, and who has advised me on various things during its development and continues to help me with the project.

Now, let’s take a look at the main features of this release:

  • Caching – if you so wish, you can enable caching, so multiple requests for the same tab are fetched from the user’s local cache, rather than resulting in another request to your server.
  • IE bug fix – this release works around a bug in Internet Explorer that causes it to undesirably cache the tab results, by introducing a timestamp into the SleekTabs request URI.
  • Overhauled example script – the index.php example script included has been completely reworked, fully documented and commented to explain how to implement SleekTabs in your site and how it works.

I really have to apologise for how long this has taken – it’s been literally months since the initial release and this release isn’t exactly groundbreaking. However, it is a step forward in SleekTabs’ evolution and makes the installation and integration process much clearer.

You can download SleekTabs from the project page here and give it a try for yourself. It is also available from PHP Classes. All genuine feedback is appreciated – and if you do use it on your site, thanks!

SleekTabs is licensed under a BSD style licence – see the headers in the files in the download for more information.