Nweb: a tiny, safe web server (static pages only)

103 points by josstin, about 11 years ago

20 comments

kragen, about 11 years ago
A few months ago, I wrote httpdito, a tiny web server that serves static pages only. It's about the same amount of code as nweb, but less functionality, and I have more confidence in its security: http://canonical.org/~kragen/sw/dev3/server.s, with README at http://canonical.org/~kragen/sw/dev3/httpdito-readme. It's 296 instructions.

I'm not saying it's secure, but I certainly intended it to be, and it doesn't suffer from the particular problems tptacek, evmar, kedean, and nknighthb identify in nweb. I'd like to think I'm not naïve enough to have written problems like that, but that's probably not true.

(I'm pretty sure that "Try my new secure software!" is something that should not be followed with "I wrote it in C!" but usually assembly language is not going to be an improvement. In this case I think it happens to be.)

httpdito was discussed on HN a bit before it was finished; for example, it's no longer completely trivial to DoS it, although I could do more to protect it against that.
tptacek, about 11 years ago
Adding to what everyone else has said, this is also "how not" to write socket code; for instance, the assumption that you can read a whole HTTP request "in one go" with a single large read call is false.

Also, casting function calls to (void) is nonsensical.

You can perhaps forgive the sprintf() call because, AIX. (Believe it or not, there was a time when snprintf was a portability problem.) You can't forgive the log() function that doesn't explicitly bounds check its argument (though it's not exploitable in this code).
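The "one big read" point above is the one a practitioner trips over first: a request can arrive in several TCP segments, or slowly, so the header has to be assembled in a loop with a hard size limit. The following is an added example, not nweb's code or tptacek's; the in-memory reader that hands out seven bytes per call is constructed here to stand in for a socket that delivers the request in fragments.

```c
/* Added example (not nweb's code): read an HTTP request header incrementally
 * until the blank line that ends it, instead of assuming one read() returns
 * the whole request. The reader is abstracted so the same loop works on a
 * socket or, as here, on a constructed in-memory source. */
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

typedef ssize_t (*reader_fn)(void *ctx, char *dst, size_t n);

/* Returns the header length (including the CRLFCRLF) on success, -1 if the
 * header does not fit in cap-1 bytes or the source ends early. Assumes cap >= 2;
 * buf is always NUL-terminated. */
long read_request_header(reader_fn rd, void *ctx, char *buf, size_t cap) {
    size_t len = 0;
    while (len < cap - 1) {
        ssize_t n = rd(ctx, buf + len, cap - 1 - len);
        if (n <= 0) return -1;          /* EOF or error before the header ended */
        len += (size_t)n;
        buf[len] = '\0';
        char *end = strstr(buf, "\r\n\r\n");
        if (end) return (long)(end - buf + 4);
    }
    return -1;                          /* header too large: reject, never truncate */
}

/* Constructed source: hands out the request in at most `chunk` bytes per call. */
struct mem_src { const char *data; size_t len, pos, chunk; };

static ssize_t mem_read(void *ctx, char *dst, size_t n) {
    struct mem_src *s = ctx;
    size_t left = s->len - s->pos;
    if (left == 0) return 0;            /* peer closed */
    if (n > s->chunk) n = s->chunk;
    if (n > left) n = left;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Constructed request delivered 7 bytes at a time; a single read() would see
 * only "GET / H". Returns the header length the loop assembled for a buffer of
 * `cap` bytes (at most 256), or -1 when the header does not fit. */
long demo_fragmented_request(size_t cap) {
    static const char req[] = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
    struct mem_src s = { req, sizeof req - 1, 0, 7 };
    char buf[256];
    if (cap > sizeof buf) cap = sizeof buf;
    return read_request_header(mem_read, &s, buf, cap);
}
```

With a 256-byte buffer the loop assembles the full 48-byte header; with a 32-byte buffer it returns -1 instead of writing past the end or handing back half a request.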
chm, about 11 years ago
This crowd is always tough to please. There's a description at the top which says, about the 200 loc http server:

You can see exactly what it can and can't do.

Thank you Mr. Griffiths. Your example will help extend my understanding of an http server, even if I don't intend on writing one. I would never read through the 90 klocs of httpd.
pblakeney, about 11 years ago
My C is a little rusty, but it seems like this web server is definitely not safe. The very first function in the code has a local stack variable and uses sprintf() to fill it. That's almost a textbook example of a buffer overflow vulnerability, if I'm not mistaken. Even if they try and compensate for that by checking the data length before it's passed to that function, it's still scary to see someone using sprintf() instead of snprintf() these days. It's like walking a tightrope without a net.
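The log() complaint above and tptacek's earlier one are the same defect: a fixed-size stack buffer filled by sprintf() with no bound. The hardened form below is an added example, not nweb's code; it shows the part people forget, namely that snprintf() truncates silently, so the return value must be checked and an oversized line refused rather than logged mangled. Buffer size, field layout and the 2000-byte input are constructed here.

```c
/* Added example (not nweb's code): bounded replacement for a sprintf() into a
 * fixed stack buffer. snprintf() alone is not enough; it truncates silently,
 * so the caller checks the return value and rejects lines that did not fit. */
#include <stdio.h>
#include <string.h>

enum { LOG_LINE_MAX = 256 };   /* constructed buffer size */

/* Formats "<type>: <s1>: <s2>" into out (capacity cap). Returns the line
 * length, or -1 if it did not fit; out is NUL-terminated whenever cap > 0. */
int format_log_line(char *out, size_t cap, const char *type, const char *s1, const char *s2) {
    int n = snprintf(out, cap, "%s: %s: %s", type, s1, s2);
    if (n < 0 || (size_t)n >= cap) {   /* encoding error or truncated */
        if (cap > 0) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed inputs: a normal request line, and one padded to 2000 bytes,
 * which would have run off a 256-byte stack buffer with plain sprintf(). */
int demo_log_line(int oversized) {
    char line[LOG_LINE_MAX];
    static char big[2001];
    memset(big, 'A', 2000);
    big[2000] = '\0';
    return format_log_line(line, sizeof line, "INFO", "GET /index.html",
                           oversized ? big : "12345");
}
```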
ChuckMcM, about 11 years ago
I always enjoy articles that reiterate how the simple stuff really is pretty simple. I like thttpd for that reason; it's a really simple (and a bit more featureful) webserver than this one, but not by a lot. Easy to comprehend, easy to keep all the moving pieces in your head in one piece.

Folks building embedded stuff have been using this stuff to create their UIs for like forever it seems, and this kind of web server works pretty well in that capacity.

[1] http://www.acme.com/software/thttpd/
evmar, about 11 years ago
This code is really not good, and certainly not worth learning from.

It appears that if you request a path like "//etc/foobar" with two slashes at the front it'll allow traversal outside the starting directory, though it's mitigated by checking file extensions.
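A validator that would have caught the "//etc/foobar" case above, as an added example rather than nweb's code or evmar's. It assumes the server serves files only from beneath one document root and that the request target has already been cut out of the request line; the allowed-character set and the extension allowlist are constructed here, the latter modelled on the extension check the comment mentions as a mitigation.

```c
/* Added example (not nweb's code): validate a request target before it is
 * joined to the document root. Rejects a second leading slash (which would
 * leave an absolute path once the first is stripped), ".", "..", hidden
 * files, empty segments, unexpected characters and unlisted extensions. */
#include <ctype.h>
#include <string.h>

/* Constructed allowlist of servable extensions. */
static const char *const allowed_ext[] = {
    ".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".ico", NULL
};

static int ext_allowed(const char *seg) {
    const char *dot = strrchr(seg, '.');
    if (!dot) return 0;
    for (int i = 0; allowed_ext[i]; i++)
        if (strcmp(dot, allowed_ext[i]) == 0) return 1;
    return 0;
}

/* Returns 1 if target may be opened relative to the document root, else 0. */
int check_request_path(const char *target) {
    if (target[0] != '/' || target[1] == '/') return 0;  /* "//etc/foobar" */
    const char *p = target + 1;
    if (*p == '\0') return 0;       /* caller maps "/" to index.html itself */
    const char *seg = p;
    for (;; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\0') {
            size_t n = (size_t)(p - seg);
            if (n == 0) return 0;                 /* "a//b": empty segment */
            if (seg[0] == '.') return 0;          /* ".", "..", ".hidden" */
            if (c == '\0') return ext_allowed(seg) ? 1 : 0;
            seg = p + 1;
        } else if (!isalnum(c) && c != '.' && c != '-' && c != '_') {
            return 0;   /* no "%", "?", "\\", spaces, control bytes, ... */
        }
    }
}
```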
dfc, about 11 years ago
I am always on the lookout for a small, lightweight and secure web server for impromptu file sharing. Right now I use publicfile from djb.[^1] My only complaint is that there is no debian package for publicfile so I have to build my own package. I would love to find an equivalent (ftp not necessary) daemon that is included in debian. Is anyone aware of something in debian repos that I am overlooking?

[^1]: http://cr.yp.to/publicfile.html
Rzor, about 11 years ago
I want to learn a bit about web servers and I think that studying the source code of a functional one may be worth more than trying to build something from scratch at first glance. Since I'm seeing too many comments on the security issues of this particular project, can you guys recommend something more reliable?

Thanks in advance.

Edit: I "know" C and C++ and would like to remain in one of these languages, if it's not asking too much.
nthitz, about 11 years ago
http://www.ibm.com/developerworks/systems/library/es-nweb/sidefile1.html Direct link to the (200 lines of) source code. I can't speak to the security, but it is a nice little read.
theboss, about 11 years ago
The only thing safer about this that I see is that it is extremely small. No high assurance design, etc. What am I missing here that makes them advertise its safety?
rsync, about 11 years ago
Does this do SSL? If not, there is no reason to use this instead of the (excellent) thttpd.

thttpd is a very, very nice tool. It's very handy sometimes to just fire up thttpd -d /some/dir because you want to look at the contents of the dir in a web browser but don't want to spin up the whole environment and server, etc.

I put thttpd on a lot of informal servers just to have it around when I need something like that...
fmela, about 11 years ago
Just because the code is tiny doesn't mean that it is safe. How do we know that the code is not vulnerable to, e.g., a buffer overflow exploit?
abimaelmartell, about 11 years ago
The code is ugly; check out https://github.com/cesanta/mongoose (GPL & MIT) or https://github.com/sunsetbrew/civetweb (GPL)
steventhedev, about 11 years ago
If I had infinite time and patience, I'd tinker with this to show the differences in socket code, specifically with the approaches outlined in the C10k document.

Although it was largely unfinished, the approach outlined in C10m would be interesting to see implemented here (via the intel user-space driver).
inconshreveable, about 11 years ago
For those of you who are interested in a tiny, safe, static file server that provides secure, public URLs from any machine (ngrok-style), I have a simple project called srvdir that will probably be useful to you: https://srvdir.net
stefs, about 11 years ago
> if LINUX sleep for one second to ensure the data arrives at the browser

Can someone explain that please?
adultSwim, about 11 years ago
This is a great example of how to clearly document a project.

The technical criticisms are confirmation of that. How many HN submissions to open source projects are as well explained?
jrochkind1, about 11 years ago
Today I learned: there's still AIX. Huh, really?
Codhisattva, about 11 years ago
Not a prank!
reustle, about 11 years ago
All you really need is

> python -m SimpleHTTPServer