Apple

Apple Bugfixing

I filed this bug on 11-Apr-2007 (almost two years ago):

Title: Safari doesn't handle HTTP Content-Type header

11-Apr-2007 07:18 AM David Tanzer:
Summary: 
An HTML page which has the extension ".tar.gz" is automatically downloaded, even if the HTTP Content-Type 
header is "text/html". For example, the HTTP Headers for the page 
http://www.apache.org/dyn/closer.cgi/geronimo/2.0-M3/geronimo-tomcat6-jee5-2.0-M3-bin.tar.gz 
(which is an HTML page with the mirror list for the file) is automatically downloaded and NOT displayed as it 
should. The content type for this page is:

Content-Type: text/html; charset=iso-8859-1

Steps to Reproduce: 
1. Open the page http://www.apache.org/dyn/closer.cgi/geronimo/2.0-M3/geronimo-tomcat6-jee5-2.0-M3-bin.tar.gz

Expected Results: 
The mirror list for geronimo 2.0-M3 is displayed

Actual Results: 
The html file is downloaded and saved to the Desktop

Regression: 
N/A

It is still open, and the problem still exists in Safari 3.2.1 (5525.27.1). Good job, Apple.

Apple Support

After a few rants about Apple it's time to tell something positive about them. My Mac Book Pro was in service because of a battery problem for the last couple of weeks. When I told someone who owns a Sony Vaio about that the first thing she asked me was "Did you backup all your data?" and I was like "No, it's a battery problem". She said "You'll see, they'll format your drive" and I said "Well, that's not a Sony notebook I have". Now I got the notebook back and all my data is still here. The battery works fine so far. That's what I call good service. And, by the way, I never really understood why Sony and other Laptop vendors re-install the operating system by default when they should just fix a hardware problem.

There are security experts...


... and there are morons who just want to get free Advertising in the Press. Today's example for the latter is Oliver König who has reported a "vulnerability" of Mac OS X (Heise news article here).

The vulnerability he describes is that when an admin uses SSH to connect to a Mac and types

sudo osascript -e 'tell Application "Finder" to beep'

then a Finder window opens with root privileges on that machine. Sooooo, Finder.app does what the Administrator of said machine tells it to do? Really? OMG, what will they invent next!!!1!one!eleven

BTW, what happens when you SSH to a linux box, log in as root and type

/usr/bin/nautilus -display :0

I guess a nautilus window would open with root privileges in the current X server of said machine, but I can't verify that now.

Apple's iPhone business practice


Most readers of my blog know that I am a fan of Apple products and I am using them on a daily basis, but lately I am getting more and more annoyed about the business practice Apple uses. Especially what they do with the iPhone is really disgusting, and that's why I will not buy an iPhone, even if it is probably the best smartphone at the moment.

What Apple is trying to do with the iPhone is to create a monopoly on the smartphone market through excessive vendor lock-in. After buying an iPhone you are locked to one operator and exactly one tariff model for 2 years. You might say "Well, yes, but that tariff model is not so bad after all..." but before you do this just answer me one question: Why is vendor lock-in a bad thing when Microsoft or Oracle are trying to do it, but when Apple is doing it it's OK? And another question is, will your operator unlock your phone when the contract is over? I think they have to do this here in Austria, although I am not sure.

The next big show-stopper for the iPhone is that you can not develop any applications for it (and I am not talking about some Web 2.0 javascript crap here, I mean real Apps). Yes, that's right, you won't get an SDK from Apple even if you want to pay for it. But that doesn't matter, because if an iPhone user does not use any 3rd party hacks like iPHUC he/she can not install 3rd party applications anyway. So you own probably the most advanced phone and can't do anything with it except what Apple allows you. Great.

And now, just yesterday, Apple announced that you can use custom ringtones for your iPhone. Great feature, right? Yes, but to convert a song you already own to a 30 second ringtone you have to pay another 99 cents. This is just ridiculous.

Sorry for stating some really obvious points in this posting, but I wanted to write down all my concerns in one article. This also includes some old news, I know.

iPhone: Will it blend?

Well, see for yourself. Really, watch the video!

Mac OS X: Drag and Drop files from the finder to a Java program


Update: Fixed < and > in the code examples.
Update (2): Here is a posting to an Apple Mailing List which basically describes the same problem. As of now (2007-07-06) there was no answer to this posting.

At the moment I am experimenting a little bit with Drag and Drop in Java Swing. What I want to do is drag some files from the finder to a JPanel, but my application only supports certain file types. So the idea was that I reject the drag (or the drop) if the file list contains unsupported file types, like:

public void dragEnter(DropTargetDragEvent e) {
	DataFlavor[] dataFlavours = e.getCurrentDataFlavors();
	for(int i=0; i<dataFlavours.length; i++) {
		if(dataFlavours[i].isFlavorJavaFileListType()) {
			List fileList = (List) e.getTransferable().getTransferData(dataFlavours[i]);
			//iterate the file list, and if all file types are supported do
			e.acceptDrag(DnDConstants.ACTION_COPY);
			//else do
			e.rejectDrag();
		}
	}
}

But we don't get a file list here, only the following error message:

2007-06-15 13:39:10.315 java[18163] CDataTransferer_dragQueryFile: plist not a valid NSArray (error XML parser error:
Unexpected character U at line 1
Old-style plist parser error:
    Unexpected ';' or '=' after key at line 1
[java-err] ).

It looks like you have to accept the drop before you get the file list, so you can't do the verification in the dragEnter method, but the following code works:

public void dragEnter(DropTargetDragEvent e) {
	e.acceptDrag(DnDConstants.ACTION_COPY);
}

public void drop(DropTargetDropEvent e) {
	DataFlavor[] dataFlavours = e.getCurrentDataFlavors();
	for(int i=0; i<dataFlavours.length; i++) {
		if(dataFlavours[i].isFlavorJavaFileListType()) {
			try {
				e.acceptDrop(DnDConstants.ACTION_COPY);
				List<File> fileList = (List<File>) e.getTransferable().getTransferData(dataFlavours[i]);
				//Iterate the file list...
			} catch (UnsupportedFlavorException e1) {
				// handle the exception
			} catch (IOException e1) {
				// handle the exception
			}
		}
	}
}
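
A complete listener built on the workaround above, as an added example that is not part of the original post: the drag is accepted on flavor alone, and the file-type check runs in drop(), where the file list is readable. The class name FilteringDropTarget, the allSupported check and the handleFiles hook are hypothetical names chosen for this example.

```java
import java.awt.datatransfer.*;
import java.awt.dnd.*;
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.swing.JPanel;

public class FilteringDropTarget extends DropTargetAdapter {
    private final Set<String> allowed; // lower-case extensions without the dot, e.g. "png"
    public FilteringDropTarget(Set<String> allowed) { this.allowed = allowed; }

    // True only if every dropped entry is a regular file with an allowed extension.
    static boolean allSupported(List<File> files, Set<String> allowed) {
        if (files.isEmpty()) return false;
        for (File f : files) {
            String name = f.getName().toLowerCase(Locale.ROOT);
            int dot = name.lastIndexOf('.');
            if (!f.isFile() || dot < 0 || !allowed.contains(name.substring(dot + 1))) return false;
        }
        return true;
    }

    @Override public void dragEnter(DropTargetDragEvent e) {
        // Only the flavor can be checked here; the file names are not read until drop().
        if (e.isDataFlavorSupported(DataFlavor.javaFileListFlavor)) e.acceptDrag(DnDConstants.ACTION_COPY);
        else e.rejectDrag();
    }

    @Override public void drop(DropTargetDropEvent e) {
        if (!e.isDataFlavorSupported(DataFlavor.javaFileListFlavor)) { e.rejectDrop(); return; }
        e.acceptDrop(DnDConstants.ACTION_COPY); // accept first, then read the data
        boolean ok = false;
        try {
            @SuppressWarnings("unchecked")
            List<File> files = (List<File>) e.getTransferable().getTransferData(DataFlavor.javaFileListFlavor);
            ok = allSupported(files, allowed);
            if (ok) handleFiles(files);
        } catch (UnsupportedFlavorException | IOException ex) {
            ok = false; // treat unreadable drag data as a failed drop
        } finally {
            e.dropComplete(ok); // false reports the failed drop back to the drag source
        }
    }

    // Hypothetical hook: replace with the application's own processing.
    protected void handleFiles(List<File> files) { System.out.println("accepted: " + files); }

    public static void install(JPanel panel, Set<String> allowed) { new DropTarget(panel, new FilteringDropTarget(allowed)); }
}
```

The extension check only filters by name; code that goes on to parse the dropped files still has to treat their contents as untrusted input.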

Sometimes people like these make me sick


Felix von Leitner (Fefe), a so-called "Security Expert" and well known Apple-hater, writes in his blog that Thor Larholm (another "Security Expert"? I don't know...) has found a remote code execution exploit in the first public beta of Safari 3 for Windows. Ok, bad enough. Felix von Leitner then concludes that this is another example of Apple writing bad and insecure code.

First of all I want to note that we are talking about the first public beta of a program which didn't exist in this form so far, and I hope Mr. Larholm has reported the bug to Apple (as he should when he is participating in a Beta program). But let's come to the root of this code execution problem: It is how Windows handles URLs: It passes the complete URL to the protocol handler as a command line argument. Which looks like another security hole in the Windows API if you ask me. And then Mr. Larholm complains that Apple did not work around this problem: "When Apple released Safari for the Windows platform they neglected to implement a proper level of input validation for these arguments, which means that you can break out of the intended confines and wreak havoc."

So, yes, probably Apple should work around such gaping holes in the Windows API, but then again we are talking about the first f***ing beta version! Software companies release beta versions to find exactly these kinds of problems! And by participating in a beta program you should know about the risks of using a not fully tested software product.

These poorly researched and biased stories are the reason why I stopped reading Fefe's blog a long time ago.
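
The kind of input validation the quoted sentence refers to, sketched as an added example (not code from the original post, from Safari or from Windows): an application checks a URL before handing it to an external protocol handler as a command-line argument. The class name HandlerDispatch, the scheme allow-list, the handler name handler.exe and the sample URLs are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class HandlerDispatch {
    // Schemes this hypothetical application is willing to hand to external handlers.
    static final Set<String> ALLOWED_SCHEMES = Set.of("mailto", "ftp");
    // Conservative URL alphabet: no quotes, whitespace, backslashes or control characters.
    static final String SAFE =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:/?#[]@!$&()*+,;=%";

    /** Returns the argument vector for the handler, or throws IllegalArgumentException. */
    static List<String> buildArgv(String handlerExe, String url) {
        for (int i = 0; i < url.length(); i++) {
            if (SAFE.indexOf(url.charAt(i)) < 0)
                throw new IllegalArgumentException("disallowed character at index " + i);
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException ex) {
            throw new IllegalArgumentException("not a valid URI", ex);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT)))
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        // The URL travels as one argument; it is never concatenated into a command string.
        return List.of(handlerExe, url);
    }

    public static void main(String[] args) {
        String[] samples = {                                // constructed sample inputs
            "mailto:user@example.com",                      // passes
            "mailto:user@example.com\" --injected-flag",    // quote and space: refused
            "file:///C:/x"                                  // scheme not on the allow-list: refused
        };
        for (String s : samples) {
            try {
                System.out.println("dispatch " + buildArgv("handler.exe", s));
            } catch (IllegalArgumentException ex) {
                System.out.println("refused: " + ex.getMessage());
            }
        }
    }
}
```

Percent-encoded characters pass this check still encoded, so a handler that decodes its argument before parsing it has to repeat the validation on its side.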

Quick Unit Converter 0.2


I just uploaded UnitC 0.2. The code for converting the units has been improved, and the units array is now greatly simplified. I also have added quite a lot of new units, but the accuracy is not too high in some cases. Again, please help me by sending me corrections or updates for the Units array. And if you have an idea for a Logo for this widget, please feel free to email me your idea or the logo as PNG. You can download the new version at the Quick Unit Converter project page.

Unit Converter Widget for OS X Dashboard


I have started to write a little dashboard widget to convert units. I know the dashboard already has a unit converter, but I don't really like it b/c I don't like selecting things from drop-down lists. My unit converter widget has only one text field, in which you enter a string like "1cm in m" and then press Enter to get the result. For example, if you want to know how many pixels at 300dpi are used in 12pt, you can enter "12pt in px300".

There are not very many supported units at the moment, and the accuracy of the conversion is not good enough yet. You can download the first version of this dashboard widget at the project page of the widget.

Parallels Coherence

I installed the new Release Candidate of the Parallels Virtual Machine on my MacBook Pro. It has some cool new features, like starting Windows apps from the Mac OS system dock, the command+[cvxs] shortcuts are working, and windows from WinXP can be displayed just like Mac windows (and not within the VM window).

I then downloaded a MacOS theme for WinXP and installed it in the VM, because it was a little bit disturbing to have WinXP decorated windows mixed with the normal OSX windows. BTW, the OSX theme for WinXP can be found here.

So here is the screenshot of WinXP and Mac apps running on my machine (click to enlarge). Pretty cool, ey?

parallels coherence screenshot
