Facebook Code Published

12 08 2007

In an odd twist, Facebook’s code was published in the early morning hours of Saturday. Some sites have certain portions of the code up, while others have nothing posted because of cease-and-desist orders. From what I can tell, more than just one page was published.

The Facebook homepage, with 24 file includes, has more functions than I’ve seen in a single file in a very long time. I’m also guessing that I only have the code of the homepage, since there is no HTML rendering in the block I have. Then again, with all those functions, they may be printing the HTML out in blocks.

The code was shared, according to a Facebook announcement, through a bug on a misconfigured server. What I think happened is that someone messed with the MIME types, and instead of running the PHP, the server output the file to the screen when it didn’t know what to do with it.

TechCrunch got an official response and added their two cents on what happened:

“Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.” It seems that the cause was Apache and mod_php sending back uninterpreted source code as opposed to output, due to either a server misconfiguration or high load (this is a known issue). It is also apparent that other pages have been revealed, and that this problem has occurred before, but only now has somebody actually posted the code online.

Unfortunately, a code “leak” like this is very bad news for any high-profile website, since attackers can now see exactly where to get a head start on attacking the site.
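As an added example (not code from this post or from Facebook), here is a small Python checker a site operator can run over their own HTTP responses to catch the failure mode TC describes, mod_php not executing and Apache returning the file as text: it flags a body that carries a raw PHP open tag followed by PHP syntax, and notes when a .php URL came back with a non-HTML content type. The URL and the sample responses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Strongest signal: an unescaped PHP open tag. A bare "<?" is too noisy (XML
# prologs), so only "<?php" and the short echo tag "<?=" count.
OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Corroborating PHP syntax after the tag: assignment, require/include, function.
PHP_SYNTAX = re.compile(
    r"\$[A-Za-z_]\w*\s*=[^=]"               # $user = ...
    r"|\b(?:require|include)(?:_once)?\b"   # require_once('/lib/feed/newsfeed.php')
    r"|\bfunction\s+\w+\s*\("               # function migrate_screenname(
)
RAW_TYPES = ("text/plain", "application/x-httpd-php", "application/octet-stream")

@dataclass
class Finding:
    url: str
    reason: str
    snippet: str

def looks_like_php_source(body: str) -> bool:
    """True when the body has a raw PHP open tag with PHP syntax following it."""
    m = OPEN_TAG.search(body)
    return m is not None and PHP_SYNTAX.search(body, m.end()) is not None

def check_response(url: str, headers: dict, body: str) -> Optional[Finding]:
    """Flag a response that looks like unprocessed PHP source; None if clean."""
    if not looks_like_php_source(body):
        return None
    reason = "raw PHP open tag followed by PHP syntax in body"
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if url.lower().endswith(".php") and ctype in RAW_TYPES:  # engine never ran
        reason += f"; .php URL served as {ctype} instead of text/html"
    start = OPEN_TAG.search(body).start()
    return Finding(url, reason, body[start:start + 60].replace("\n", " "))

# Constructed sample responses (not real traffic); only the include path echoes
# one the post mentions.
RENDERED = ({"Content-Type": "text/html; charset=utf-8"},
            "<html><body><code>&lt;?php echo 1; ?&gt;</code></body></html>")
LEAKED = ({"Content-Type": "text/plain"},
          "<?php\nrequire_once('/lib/feed/newsfeed.php');\n$user = get_user();\n")

if __name__ == "__main__":
    for name, (hdrs, body) in (("rendered", RENDERED), ("leaked", LEAKED)):
        print(name, "->", check_response("https://www.example.test/index.php", hdrs, body))
```

Pages that deliberately display unescaped PHP source, such as a tutorial, would need an allow-list in front of this check.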

TC also wrote something that I noticed as well (I just woke up, I’m not retyping it dammit):

…the source code reveals a lot about the structure of the application, and the practices that Facebook developers follow. From just this single page of source code a lot can be said and extrapolated about the rest of the Facebook application and platform. For instance, the structure doesn’t follow any object oriented development practices, and it seems that the application is one large PHP file with a large number of custom functions living in the same namespace (they also seem to be using the Smarty templating engine).

I’m mostly fine without Object Oriented Programming (OOP), since I also learned without that structure, but I expected a larger site like Facebook to use it for speed (sometimes it helps) and maintainability. The other thing that surprised me is that they’re using Smarty. Why take on all the overhead of a template engine when you can completely control your template through a single CSS file? I’ve made this argument before and I’m going to make it again - CSS is the best damn template “engine” I’ve seen. I was working on a site before I left my contract that used CSS as its template engine, and it worked perfectly well.

But back to the code: it’s not well organized and not properly maintained. For instance, '/lib/feed/newsfeed.php' is included twice within the same include block at the top of the page. They also call functions, upon login, that clean up certain areas of the site. For instance, according to the comments, if a user has an AIM address in the wrong spot in a table, this function migrates it to the right place: migrate_screenname($user); Why migrate it here? Why not run a damn update query against the database and fix it once and for all?

Lastly (I could go on, but this post is getting long), why would they set up a warning and toggle it inside the code like this:

    $disabled_warning = ((IS_DEV_SITE || IS_QA_SITE) && is_disabled_user($user));
    tpl_set('disabled_warning', $disabled_warning);

If you’re not a code reader, it checks whether the development/testing flags are set (i.e. they’re on their internal servers) to turn warnings like this on and off… Good grief, says Charlie Brown.

Anyway, hats off to the Facebook admins; they’re going to have their work cut out for them over the next few weeks. I have a feeling this issue will make more news within the next few days.
