Merry Christmas, everyone, PadEdit is back! We’re thrilled to be able to bring you a thoroughly-checked, fully-vetted, overhauled version of the web-based iPad code editor I first released in July. PadEdit is still designed to be a “we know you’re on vacation in Borneo with only your iPad, but this is a people-are-dying emergency” first-responder tool to edit pages directly on your web server.
Version 1.3, in addition to featuring cleaner, better code, includes some slight updates to the UI and some improvements to quote, bracket, parenthesis, and brace balancing in the editor window.
So. What happened?
You may remember a polite fellow that sent a polite email telling me how absolutely awful PadEdit was. To his credit, he later sent an email apologizing for being “overly vicious,” saying he was worried about not being listened to. I feel terrible that his upbringing made him feel that writing an email like that was the only way that he would be listened to. Terrible, really.
Let’s go through his email. Graham was correct on one point: the previous version of PadEdit had a problem where, if you knew the URL PadEdit was installed at, you could upload any sort of file you wanted to the server. That’s bad — really bad — and entirely my fault. Thankfully, with the help of Craig Smith, that problem has been fixed. Craig, John Forte, and Brett Terpstra helped find some other problems (mostly unrelated to security) that needed improvement as well.
The concerns voiced in the rest of Graham’s email — according to five different developers I contacted — don’t really apply. Craig summed it up thusly: “With PadEdit, you’re basically going by the assumption that the user is trusted and is allowed to edit whatever they like, and isn’t trying to hack their own server. Graham seems to be looking at it from the point of view that it’s a web app where the users are untrusted and may be trying to do malicious things with it. With proper authentication protecting PadEdit, [Graham’s concerns] aren’t really an issue.”
I don’t feel bad about withdrawing PadEdit from download for the problems it had, but I do feel a little sheepish for believing the sky was falling, and the world was going to explode because I wasn’t properly securing my software. I’m happy now that I have confidence that this version is not going to be a giant attack vector for any web developer that installs it. But, in the future, I won’t react so strongly to any one email.
That said, if you do find anything wrong with PadEdit, let me know! Version 2 is always on the horizon.