Lon.gs: A URL shortener in C

Is <i>anyone</i> suffering from lack of URL shorteners? Or does anyone really care what their URL shortener is implemented in? Is there even any way that the application code contributes to the request time more meaningfully than the persistence mechanism used?<p>Cool hacks are cool I guess but from the sounds of it, the C code is a bit scary. If you had to build this, why not build it in Rust? At least it wouldn&#x27;t be so terrifying from a security standpoint and you&#x27;d still get whatever performance is supposedly needed.

Looking at the coding patterns used in the C source, I am utterly horrified this is running live on a public facing website.<p>I can see at least one buffer overrun dependent on database contents, and I wouldn&#x27;t be surprised if there&#x27;s public-facing vulnerabilities in this thing, but I don&#x27;t want to spend another 5 minutes looking.

I respect the desire to work on low level language like C. Programmers should not be afraid of it.<p>But that said, building a proper HTTP stack is not trivial.<p>If you want to use C language, then why not create Nginx module?<p>Nginx already solved the hard problems:<p>* HTTP parser<p>* Distribute work via event loop on multiple workers<p>* Useful load balancing strategies (not as great as HAProxy, but i am satisfied with it)<p>* Serious effort in dealing with CVE<p>* Widely used and battle tested<p>Here&#x27;s a fine guide on how to write Nginx module in C: <a href="http:&#x2F;&#x2F;www.evanmiller.org&#x2F;nginx-modules-guide.html" rel="nofollow">http:&#x2F;&#x2F;www.evanmiller.org&#x2F;nginx-modules-guide.html</a>

The C code in the &quot;framework&quot; this thing uses is pretty scary; grep for MAX_BUFFER_SIZE, malloc, strcpy, &amp;c. The header parsing in particular.

hum. I tried to short &quot;<a href="http:&#x2F;&#x2F;lon.gs&quot;" rel="nofollow">http:&#x2F;&#x2F;lon.gs&quot;</a> and then short the result again, now it redirects indefinitely... <a href="http:&#x2F;&#x2F;lon.gs&#x2F;ack" rel="nofollow">http:&#x2F;&#x2F;lon.gs&#x2F;ack</a>

Seems a bit buggy. I shortened &quot;<a href="http:&#x2F;&#x2F;hello.com&quot;" rel="nofollow">http:&#x2F;&#x2F;hello.com&quot;</a>, it returned &quot;lon.gs&#x2F;akm&quot;, and I visited the shortened URL only to be redirected to <a href="https:&#x2F;&#x2F;codeandoando.com&#x2F;integracion-continua-con-drone&#x2F;" rel="nofollow">https:&#x2F;&#x2F;codeandoando.com&#x2F;integracion-continua-con-drone&#x2F;</a>.

Looks like the perfect way to turn URL&#x27;s in to root shells on the hosting server

From <a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;C_Programming&#x2F;comments&#x2F;4p5ung&#x2F;longs_we_wrote_a_url_shortener_in_c_with_wafer&#x2F;d4iihi7" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;C_Programming&#x2F;comments&#x2F;4p5ung&#x2F;longs...</a><p><pre><code> $ curl -i http:&#x2F;&#x2F;lon.gs&#x2F;abf HTTP&#x2F;1.1 301 Moved Permanently Location: foo X-Evil-Header: evilvalue </code></pre> there were also examples of XSS and data URIs.<p>(they claim to have fixed this elsewhere in the thread, but I guess some of the &quot;evil&quot; URLs still work)

Some comments about comments and the code: 1. The URL shortener is just a demonstration of the framework being used. For a POC&#x2F;MVP i would not expect it to be the most reliable code on the planet. Im ok with that. 2. The WAFer framework is great idea for bringing a very lite server and minimalist framework to certain devices. This has applications in SBC and IOT devices where all resources are at a premium. 3. Yes the C code might not be perfect but remove any github project that isnt perfect, secure and you wont have many left. The principle objective is &#x27;get it out there&#x27; and let people like the other commenters have their input&#x2F;opinion from which to make it better. 4. The concept and this lite implementation of the idea is hugely useful in certain use cases. Just like nginx is great for general purpose servers. This is almost a C implementation of Bottle for python. 5. nodesocket and chadscira seem to have gotten the point of this and given useful feedback to the authors (Im not one of them in case you were thinking that).<p>So to sum it up - a great post, excellent work with a tool that has a lot of potential for specific scenarios. When deploying if using things like Cloudfare Edge and giving it a bit of Productizing (my day job is as a Product Manager for a global ERP business) then this could be a hit (pun intended :-J ).

I&#x27;m surprised there&#x27;s still any interest in standalone URL shorteners. Didn&#x27;t Twitter make them obsolete when it implemented its own?

CloudFlare is a perfect companion for something like this because you can hard cache the redirects on their edges. I have a few services that run off tiny boxes, and just leverage CloudFlare free edge caching.

Shortened a URL, but service doesn&#x27;t appear to redirect: <a href="http:&#x2F;&#x2F;lon.gs&#x2F;akt" rel="nofollow">http:&#x2F;&#x2F;lon.gs&#x2F;akt</a><p>EDIT: Very strange, the redirect now goes to a URL I didn&#x27;t enter... (<a href="http:&#x2F;&#x2F;www.sadfasdfasfdasdfsadfasd.com" rel="nofollow">http:&#x2F;&#x2F;www.sadfasdfasfdasdfsadfasd.com</a>)

Seems great and performant, but not productized. Seems like things are hard-coded in the c code. For example...<p>What are the api endpoints? docs? Can you view a list of all shortened urls? Can you delete shortened urls?<p>Can you change the base domain of lon.gs?

Website seems down (connection refused). Did you use any network library (aside from native, I mean)?

Perhaps I am the only one, but is anyone interested in the opposite direction, static site generator like CLI app to do short linking?<p>YOURLS was popular for a while, and I tried it, but I was concerned with running a not very popular PHP app even on shared hosting. At least Wordpress gets decent attention. I was worried of people compromising my own YOURLS instance against me.<p><a href="http:&#x2F;&#x2F;www.cvedetails.com&#x2F;vulnerability-list.php?vendor_id=11533&amp;product_id=21232&amp;version_id=0&amp;page=1&amp;hasexp=0&amp;opdos=0&amp;opec=0&amp;opov=0&amp;opcsrf=0&amp;opgpriv=0&amp;opsqli=0&amp;opxss=0&amp;opdirt=0&amp;opmemc=0&amp;ophttprs=0&amp;opbyp=0&amp;opfileinc=0&amp;opginf=0&amp;cvssscoremin=0&amp;cvssscoremax=0&amp;year=0&amp;month=0&amp;cweid=0&amp;order=1&amp;trc=2&amp;sha=59b76e93ee62fd17aa2253076d9777cb4f7d57f6" rel="nofollow">http:&#x2F;&#x2F;www.cvedetails.com&#x2F;vulnerability-list.php?vendor_id=1...</a>

the URL creation and the browsing of a short URL definitely works fast, I guess this being on the front page is a cheap way to verify if the C10k claims are true!

I consider the fact that it is written in C a feature.

Let&#x27;s look at this project as a cautionary tale.

This is broken.<p>Here&#x27;s the short url of <a href="http:&#x2F;&#x2F;news.ycombinator.com" rel="nofollow">http:&#x2F;&#x2F;news.ycombinator.com</a> --&gt; lon.gs&#x2F;amk<p>Going to lon.gs&#x2F;amk redirects me to an overstock.com address for a specific product.<p>The site doesn&#x27;t appear to have been hacked, at least there&#x27;s no affiliate link in the URL I was sent to. It just appears the site is broken.

Oddly, was hoping this was a way to turn URLs into long URLs; 2,083 characters if you want to support all the web clients.

If there are any aspiring crackers looking to bring down their first site, this one should be easier than the average

This does not handle Microsoft office URL pre-fetching...and is written in C...

Wasn&#x27;t there something posted recently about urls that are too short are too easily guessed and that it&#x27;s good to make sure that these short urls are longer?

It seems pretty responsive.

Why would you write something like this in C anymore? If you really need it to have a tiny memory footprint, write it in rust. If you need it to be fast, but can handle a runtime taking care of memory management, write it in go. C is just asking for trouble anymore.

this made my URL longer :&#x2F; lon.gs&#x2F;ae9