C++Talk.NET Forum Index C++Talk.NET
C++ language newsgroups
 

Urgent : help needed on web server implementation
Santhosh Adiga
Guest





Posted: Sun Nov 28, 2004 11:34 am    Post subject: Urgent : help needed on web server implementation



Hi,

I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.

I request anyone who has had some experience in this
to help me out in this regard asap.

Regards
Santhosh

[ See http://www.gotw.ca/resources/clcm.htm for info about ]
[ comp.lang.c++.moderated. First time posters: Do this! ]
Nicola Musatti
Guest





Posted: Mon Nov 29, 2004 9:47 pm    Post subject: Re: Urgent : help needed on web server implementation



kbsadiga (AT) gmail (DOT) com (Santhosh Adiga) wrote in message news:<b562cc75.0411272230.338c3212 (AT) posting (DOT) google.com>...
Quote:
Hi,

I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.

I request anyone who has had some experience in this
to help me out in this regard asap.

Why don't you check out ACE: http://www.cs.wustl.edu/~schmidt/ACE.html

Cheers,
Nicola Musatti

News Subsystem
Guest





Posted: Mon Nov 29, 2004 9:50 pm    Post subject: Re: Urgent : help needed on web server implementation



On 28 Nov 2004 06:34:43 -0500, Santhosh Adiga wrote:

Quote:
Hi,

I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.

I request anyone who has had some experience in this
to help me out in this regard asap.

Why are you doing this?

1) You think there might be money to be made.

Apache is better than anything you'll be able to do on your own, and
it's free. Microsoft includes IIS free with their server software.

2) You need a web server and don't want to pay for the software.

See the answer to (1) above.

3) You're doing it as a learning exercise.

If you're asking for help on a self-improvement project, maybe you
should tackle something simpler and work your way up to it (perhaps an FTP
server would be something similar to build on). Alternately, you could
look at the source for some of the open source web servers (e.g. Apache)
for ideas.

4) It's homework.

We don't do your homework.

5) Some other reason.

It might help people to focus their answers on information useful to
you if they know why you're doing it and where you're at in the project.
Questions like "how do I do this?" aren't generally well received.
Questions like "I'm doing this and it's not working, any suggestions?" get
better response.

Also, you may be better off posting this topic in comp.lang.c++ instead of
the moderated group.

--
Greg Schmidt gregs (AT) trawna (DOT) com
Trawna Publications http://www.trawna.com/

James Talbut
Guest





Posted: Tue Nov 30, 2004 11:04 am    Post subject: Re: Urgent : help needed on web server implementation


"News Subsystem" <news (AT) news (DOT) astraweb.com> wrote

Quote:
On 28 Nov 2004 06:34:43 -0500, Santhosh Adiga wrote:
I am trying to implement a web server in C++.
Why are you doing this?
3) You're doing it as a learning exercise.
If you're asking for help on a self-improvement project, maybe you
should tackle something simpler and work your way up to it (perhaps an FTP
server would be something similar to build on). Alternately, you could
look at the source for some of the open source web servers (e.g. Apache)
for ideas.

For the sake of reference HTTP is a heck of a lot simpler than FTP.
Personally I started with SMTP as a client and worked up from there,
but I still wouldn't bother with FTP.
Also, as a systems person, I wouldn't want FTP on my network either.
The only good reason for using FTP is that it already exists, don't
spread it any further.

I think, never having implemented a server, that HTTP 1.0 is about as
simple as it gets, 1.1 is quite a bit more complex.

I hope that this is the reason you are choosing to do this, 'cos
otherwise you are wasting your time.

Good luck.

J.T.
Please reply via the newsgroup.



Allan W
Guest





Posted: Tue Nov 30, 2004 11:52 pm    Post subject: Re: Urgent : help needed on web server implementation

Quote:
Santhosh Adiga wrote:
I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.

"News Subsystem" <news (AT) news (DOT) astraweb.com> wrote:
Quote:
3) You're doing it as a learning exercise.

If you're asking for help on a self-improvement project, maybe you
should tackle something simpler and work your way up to it (perhaps an FTP
server would be something similar to build on). Alternately, you could
look at the source for some of the open source web servers (e.g. Apache)
for ideas.

Hi, News.

I agree with James Talbut -- FTP is a LOT more complicated than HTTP.
Perhaps you're thinking about how complicated HTML and various script
languages can be? But a web server doesn't need to understand HTML at
all -- that's the browser's job. And while script languages can usually
be run either server-side or client-side, the first version of a web
server could simply ignore scripting, making all of it work on the
client.

However, I agree that something even simpler might be better. Perhaps
a simple custom-protocol client-server program that allows people to
type messages and shows it at the other end. Sort of a Messenger Lite.
It doesn't get too much simpler than that.

Greg Schmidt
Guest





Posted: Wed Dec 01, 2004 9:26 am    Post subject: Re: Urgent : help needed on web server implementation

On 30 Nov 2004 18:52:19 -0500, Allan W wrote:

Quote:
Hi, News.

That appears to be an artifact of an incorrect setup at my normal news
provider, Astraweb. I'm trying a different way of posting this article.

Quote:
I agree with James Talbut -- FTP is a LOT more complicated than HTTP.
Perhaps you're thinking about how complicated HTML and various script
languages can be?

HTTP is simple, yes, but what a server has to do to send the right
response to a simple command may not be. When I posted, I was thinking
of how complex the setup files for Apache are. I guess if you strip the
web server down and disallow name-based vhosts, scripting, SSI,
different MIME types, internationalization, per-directory and per-file
options (a la htaccess), user authentication, URL rewriting, custom
error documents, etc. then yeah it can be pretty simple. But not much
of a web server.

Now, I don't know much about FTP servers, except that they're a whole
lot easier to configure, and they support a number of commands that I've
never once used. :) I was thinking that a 95% functional FTP server
would only have to implement a small handful of commands, and the
implementation of each should not be much more difficult than handling
an HTTP GET under all of the restrictions I listed above. The trickiest
bit is probably the control/data channel separation.

So, it seemed to me (and I could well be wrong, since I've never delved
into the internals of the protocol RFCs of either HTTP or FTP, or the
source of an implementation) that getting 95% done on an FTP server
would be much faster than getting 95% done on an HTTP server.

Quote:
However, I agree that something even simpler might be better. Perhaps
a simple custom-protocol client-server program that allows people to
type messages and shows it at the other end. Sort of a Messenger Lite.
It doesn't get too much simpler than that.

Simpler is better is indeed the message I was trying to get across
originally. I may have picked a bad example of "simpler"...

--
Greg Schmidt gregs (AT) trawna (DOT) com
Trawna Publications http://www.trawna.com/

James Talbut
Guest





Posted: Thu Dec 02, 2004 12:54 am    Post subject: Re: Urgent : help needed on web server implementation


"Greg Schmidt" <gregs (AT) trawna (DOT) com> wrote

Quote:
HTTP is simple, yes, but what a server has to do to send the right
response to a simple command may not be. When I posted, I was thinking
of how complex the setup files for Apache are. I guess if you strip the
web server down and disallow name-based vhosts, scripting, SSI,
different MIME types, internationalization, per-directory and per-file
options (a la htaccess), user authentication, URL rewriting, custom
error documents, etc. then yeah it can be pretty simple. But not much
of a web server.

A lot of that stuff is nothing to do with HTTP itself, it's additional
functionality that the webservers bolt on top of an HTTP service.
As I said before HTTP 1.0 is really quite simple, even including CGI
isn't that complex, but I certainly wouldn't recommend going near HTTP
1.1 (which is where a lot of the things you mention come in) without a
good reason.

FTP, on the other hand, is complex from a networking point of view.
Minimally you have to have multiple network connections open (unless
you only support passive FTP).
You have far more commands to worry about.
But most importantly you have state.

Given that we are continuing on the unsupported assumption that this
is a learning exercise, and further assuming that it's network servers
that he's trying to learn about, I think a basic HTTP 1.0 server is a
reasonable target.
Going beyond that is not exercising networking skills.
But I'd start with a simple "echo" daemon/service (depending on your
flavour).
You could extend that to then dump the requests to somewhere on the
server side.
Then you have to move on to parsing the requests and finally to
sending something useful back.
And at some point, hopefully near the beginning, you can consider what
you are doing to make the thing secure.

Quote:
So, it seemed to me (and I could well be wrong, since I've never delved
into the internals of the protocol RFCs of either HTTP or FTP, or the
source of an implementation) that getting 95% done on an FTP server
would be much faster than getting 95% done on an HTTP server.

I have, but mainly from implementing clients for specific purposes
rather than servers, and I wouldn't want to bother implementing a
fully fledged server for either for the reasons given previously.
But getting an HTTP server that can respond well enough to be used by
a browser is a worthwhile target.

J.T.
Please reply via the newsgroup



kanze@gabi-soft.fr
Guest





Posted: Thu Dec 02, 2004 12:55 am    Post subject: Re: Urgent : help needed on web server implementation

allan_w (AT) my-dejanews (DOT) com (Allan W) wrote in message
news:<7f2735a5.0411301158.47515199 (AT) posting (DOT) google.com>...
Quote:
Santhosh Adiga wrote:
I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.

"News Subsystem" <news (AT) news (DOT) astraweb.com> wrote:
3) You're doing it as a learning exercise.

If you're asking for help on a self-improvement project, maybe
you should tackle something simpler and work your way up to it
(perhaps an FTP server would be something similar to build on).
Alternately, you could look at the source for some of the open
source web servers (e.g. Apache) for ideas.

I agree with James Talbut -- FTP is a LOT more complicated than HTTP.
Perhaps you're thinking about how complicated HTML and various script
languages can be? But a web server doesn't need to understand HTML at
all -- that's the browser's job. And while script languages can
usually be run either server-side or client-side, the first version of
a web server could simply ignore scripting, making all of it work on
the client.

However, I agree that something even simpler might be better. Perhaps
a simple custom-protocol client-server program that allows people to
type messages and shows it at the other end. Sort of a Messenger Lite.
It doesn't get too much simpler than that.

If the goal is just a simple protocol, then RFC 862, RFC 863 and RFC 864
(echo, discard, and character generator protocols) would seem to be
indicated; the RFC's for the first two are only about ten lines long.

Seriously, it might be worth implementing these three rapidly in order
to familiarize yourself with your system's interface (sockets, threads)
without having to worry about any other complexities. Beyond that, I'd
just start out incrementally implementing HTTP itself -- just the GET
command, ignoring any header options, for example, and go on from
there. (A trivial implementation of GET isn't much more complicated
than the character generator protocol.)

One important point, to be considered even when implementing the trivial
protocols, is how to isolate the system dependent parts. In the trivial
protocols, about 90% will be system dependent. Whereas the more
advanced protocols often won't use anything system dependent that wasn't
present in one of the trivial protocols.

--
James Kanze GABI Software http://www.gabi-soft.fr
Conseils en informatique orientée objet/
Beratung in objektorientierter Datenverarbeitung
9 place Sémard, 78210 St.-Cyr-l'École, France, +33 (0)1 30 23 00 34

Allan W
Guest





Posted: Thu Dec 02, 2004 4:19 am    Post subject: Re: Urgent : help needed on web server implementation

Greg Schmidt <gregs (AT) trawna (DOT) com> wrote
Quote:
Now, I don't know much about FTP servers, except that they're a whole
lot easier to configure, and they support a number of commands that I've
never once used. :) I was thinking that a 95% functional FTP server
would only have to implement a small handful of commands, and the
implementation of each should not be much more difficult than handling
an HTTP GET under all of the restrictions I listed above. The trickiest
bit is probably the control/data channel separation.

So, it seemed to me (and I could well be wrong, since I've never delved
into the internals of the protocol RFCs of either HTTP or FTP, or the
source of an implementation) that getting 95% done on an FTP server
would be much faster than getting 95% done on an HTTP server.

You could perhaps implement 10% of an FTP processor easily, the part that
handles commands which do not involve file transfer, such as logging in
with or without authentication, DEL and REN commands, and so on.

The file transfers themselves are incredibly complicated, yes because of
the control/data channel separation. The client requests a download;
the server replies with a port number; the client starts to LISTEN on
that port; the server finally connects to that port, and only then does
any information get transferred. I think the protocol was set up this
way to allow an FTP client to request that host A send data to host B.
I'm not aware of any FTP implementation that actually does this.

I don't want to get any farther off-topic, so I'll just sum up by
saying that FTP is very complicated. Even SMTP (Email) would be
simpler.

However, perhaps TELNET is a better choice. There's only one channel
from client to server, the data passed through is all printable text,
and you don't have to synchronize sent and received messages. It
wouldn't have to be a traditional TELNET processor that gives access
to the underlying operating system; you could program a TELNET server
that responds to simple commands. In essence, all of the MUDs
(Multiple-User Dungeons) work this way. Maybe a TELNET multi-user
BlackJack server would be an interesting challenge!

Ben Hutchings
Guest





Posted: Fri Dec 03, 2004 2:27 pm    Post subject: Re: Urgent : help needed on web server implementation

kanze (AT) gabi-soft (DOT) fr wrote:
Quote:
allan_w (AT) my-dejanews (DOT) com (Allan W) wrote in message
news:<7f2735a5.0411301158.47515199 (AT) posting (DOT) google.com>...
Santhosh Adiga wrote:
I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.
snip
If the goal is just a simple protocol, then RFC 862, RFC 863 and RFC 864
(echo, discard, and character generator protocols) would seem to be
indicated; the RFC's for the first two are only about ten lines long.

Seriously, it might be worth implementing these three rapidly in order
to familiarize yourself with your system's interface (sockets, threads)
without having to worry about any other complexities. Beyond that, I'd
just start out incrementally implementing HTTP itself -- just the GET
command, ignoring any header options, for example, and go on from
there. (A trivial implementation of GET isn't much more complicated
than the character generator protocol.)
snip


A trivial implementation of GET *is* a serious security hole though.
I suggest that even a first implementation of GET should be checking
for filename components like "..". On Windows there is a long list of
device names to check against too, since their names can be used in
any directory and even with extensions (an MS-DOS 2 compatibility
kluge that MS still hasn't got round to dropping).

--
Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it. - Donald Knuth
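
The per-component check suggested in the post above, as an added example that is not part of the thread: it refuses "." and ".." components and the DOS device names CON, PRN, AUX, NUL, COM1-9 and LPT1-9, with or without an extension. The function and enum names are made up for this example, and it assumes the request path has already been percent-decoded.

```cpp
// Added example, not code from the thread. Names are hypothetical.
#include <cctype>
#include <string>
#include <vector>

// Split on '/' and also on '\\', which Windows accepts as a separator.
static std::vector<std::string> split_components(const std::string& path)
{
    std::vector<std::string> parts;
    std::string cur;
    for (char c : path) {
        if (c == '/' || c == '\\') {
            parts.push_back(cur);
            cur.clear();
        } else {
            cur += c;
        }
    }
    parts.push_back(cur);
    return parts;
}

// True if the component names a DOS device: the part before the first '.'
// (trailing spaces ignored, case ignored) is CON, PRN, AUX, NUL,
// COM1-9 or LPT1-9. The extension does not matter, so NUL.txt matches.
static bool is_dos_device(const std::string& component)
{
    std::string stem = component.substr(0, component.find('.'));
    while (!stem.empty() && stem.back() == ' ')
        stem.pop_back();
    for (char& c : stem)
        c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    if (stem == "CON" || stem == "PRN" || stem == "AUX" || stem == "NUL")
        return true;
    if (stem.size() == 4 &&
        (stem.compare(0, 3, "COM") == 0 || stem.compare(0, 3, "LPT") == 0))
        return stem[3] >= '1' && stem[3] <= '9';
    return false;
}

enum class PathVerdict { Ok, NotAbsolute, BadCharacter, DotSegment, DeviceName };

// Decide whether a decoded request path may be appended to the document
// root. Anything other than Ok should be answered with an error and the
// path never passed to open().
PathVerdict check_request_path(const std::string& path)
{
    if (path.empty() || path[0] != '/')
        return PathVerdict::NotAbsolute;
    // Control characters and ':' (drive letters) have no place in a path
    // served from a single document root.
    for (unsigned char c : path)
        if (c < 0x20 || c == 0x7f || c == ':')
            return PathVerdict::BadCharacter;
    for (const std::string& part : split_components(path)) {
        // ".", ".." and any other component made only of dots and spaces.
        if (!part.empty() && part.find_first_not_of(". ") == std::string::npos)
            return PathVerdict::DotSegment;
        if (is_dos_device(part))
            return PathVerdict::DeviceName;
    }
    return PathVerdict::Ok;
}
```

The check rejects instead of rewriting, so a request that contains ".." is refused outright and never reaches the filesystem in any form.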

Branimir Maksimovic
Guest





Posted: Sat Dec 04, 2004 9:53 am    Post subject: Re: Urgent : help needed on web server implementation

kbsadiga (AT) gmail (DOT) com (Santhosh Adiga) wrote in message news:<b562cc75.0411272230.338c3212 (AT) posting (DOT) google.com>...
Quote:
Hi,

I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.

I request anyone who has had some experience in this
to help me out in this regard asap.

Well, if you figured out how to handle communication and all
other complex stuff (like server architecture),
organising your program in a modular manner is simple.

You just need two classes.
This is from real server:
class BaseService {
public:
    BaseService(VMP_CONF* cf) : cf_(cf) {}
    virtual bool process(CHTTPDRequest* req, CHTTPResponse* res) = 0;
    virtual bool cleanup(CHTTPDRequest* req, CHTTPResponse* res) = 0;
    virtual const char* description() const = 0;
    virtual bool synctype() const { return true; }
    virtual bool usethread() const { return false; }
    virtual ~BaseService() {}
protected:
    VMP_CONF* cf_;
};
//...........
class HttpServer : public CHTTPBase
{
public:
    //.............
    void ProcessRequest(); // uses BaseService interface
                           // which encapsulates proc. of static/dynamic pages, etc
    //.............
};

Greetings, Bane.

Branimir Maksimovic
Guest





Posted: Sun Dec 05, 2004 4:08 am    Post subject: Re: Urgent : help needed on web server implementation

Ben Hutchings <ben-public-nospam (AT) decadentplace (DOT) org.uk> wrote

Quote:
kanze (AT) gabi-soft (DOT) fr wrote:
allan_w (AT) my-dejanews (DOT) com (Allan W) wrote in message
news:<7f2735a5.0411301158.47515199 (AT) posting (DOT) google.com>...
Santhosh Adiga wrote:
I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.
snip
If the goal is just a simple protocol, then RFC 862, RFC 863 and RFC 864
(echo, discard, and character generator protocols) would seem to be
indicated; the RFC's for the first two are only about ten lines long.

Seriously, it might be worth implementing these three rapidly in order
to familiarize yourself with your system's interface (sockets, threads)
without having to worry about any other complexities. Beyond that, I'd
just start out incrementally implementing HTTP itself -- just the GET
command, ignoring any header options, for example, and go on from
there. (A trivial implementation of GET isn't much more complicated
than the character generator protocol.)
snip

A trivial implementation of GET *is* a serious security hole though.
I suggest that even a first implementation of GET should be checking
for filename components like "..". On Windows there is a long list of
device names to check against too, since their names can be used in
any directory and even with extensions (an MS-DOS 2 compatibility
kluge that MS still hasn't got round to dropping).

well, something like this must be used:

namespace {

// function names are same to honor developers of apache server

void ap_getparents(char *name)
{
    int l, w;

    /* Four passes, as per RFC 1808 */
    /* a) remove ./ path segments */

    for(l = 0, w = 0; name[l] != '\0';) {
        if(name[l] == '.' && name[l + 1] == '/' && (l == 0 || name[l - 1] == '/'))
            l += 2;
        else
            name[w++] = name[l++];
    }

    /* b) remove trailing . path, segment */
    if(w == 1 && name[0] == '.')
        w--;
    else if(w > 1 && name[w - 1] == '.' && name[w - 2] == '/')
        w--;
    name[w] = '\0';

    /* c) remove all xx/../ segments. (including leading ../ and /../) */
    /* (loop body completed from the author's follow-up post of Dec 08) */
    l = 0;

    while(name[l] != '\0') {
        if(name[l] == '.' && name[l + 1] == '.' && name[l + 2] == '/'
           && (l == 0 || name[l - 1] == '/')) {
            int m = l + 3, n;

            /* step back over the previous segment, if there is one */
            l = l - 2;
            if(l >= 0) {
                while(l >= 0 && name[l] != '/')
                    l--;
                l++;
            } else
                l = 0;
            /* shift the rest of the string down over "xx/../" */
            n = l;
            while((name[n] = name[m]))
                (++n, ++m);
        } else
            ++l;
    }

    /* d) remove trailing xx/.. segment. */
    if(l == 2 && name[0] == '.' && name[1] == '.')
        name[0] = '\0';
    else if(l > 2 && name[l - 1] == '.' && name[l - 2] == '.'
            && name[l - 3] == '/') {
        l = l - 4;
        if(l >= 0) {
            while(l >= 0 && name[l] != '/')
                l--;
            l++;
        } else
            l = 0;
        name[l] = '\0';
    }
}

/* collapse runs of '/' into a single '/' */
void ap_no2slash(char *name)
{
    char *d, *s;

    s = d = name;

#ifdef HAVE_UNC_PATHS
    /* Check for UNC names. Leave leading two slashes. */
    if(s[0] == '/' && s[1] == '/')
        *d++ = *s++;
#endif

    while(*s) {
        if((*d++ = *s) == '/') {
            do {
                ++s;
            } while(*s == '/');
        } else {
            ++s;
        }
    }
    *d = '\0';
}

} //namespace


Greetings, Bane.

kanze@gabi-soft.fr
Guest





Posted: Mon Dec 06, 2004 9:36 am    Post subject: Urgent : help needed on web server implementation

bmaxa (AT) volomp (DOT) com (Branimir Maksimovic) wrote in message
news:<88cdcbb3.0412041612.35238288 (AT) posting (DOT) google.com>...
Quote:
Ben Hutchings <ben-public-nospam (AT) decadentplace (DOT) org.uk> wrote in
message
news:<slrncque15.5st.ben-public-nospam (AT) decadentplace (DOT) org.uk>...

kanze (AT) gabi-soft (DOT) fr wrote:
allan_w (AT) my-dejanews (DOT) com (Allan W) wrote in message
news:<7f2735a5.0411301158.47515199 (AT) posting (DOT) google.com>...
Santhosh Adiga wrote:
I am trying to implement a web server in C++.
This is my first attempt at network programming
so I am having a lot of trouble identifying the
right classes, their jobs and their interactions.
The aim is to make the web-server extensible, so
that it serves static pages now, but can be extended
to service dynamic pages later on.
snip
If the goal is just a simple protocol, then RFC 862, RFC 863 and
RFC 864 (echo, discard, and character generator protocols) would
seem to be indicated; the RFC's for the first two are only about
ten lines long.

Seriously, it might be worth implementing these three rapidly in
order to familiarize yourself with your system's interface
(sockets, threads) without having to worry about any other
complexities. Beyond that, I'd just start out incrementally
implementing HTTP itself -- just the GET command, ignoring any
header options, for example, and go on from there. (A trivial
implementation of GET isn't much more complicated than the
character generator protocol.)
snip

A trivial implementation of GET *is* a serious security hole though.
I suggest that even a first implementation of GET should be checking
for filename components like "..". On Windows there is a long list
of device names to check against too, since their names can be used
in any directory and even with extensions (an MS-DOS 2 compatibility
kluge that MS still hasn't got round to dropping).

well, something like this must be used:

Well, the code you posted seems like a good example of how not to write
modern C++. I certainly wouldn't write anything like that in new code
(char*, rather than std::string, for example).

And I'm not sure it addresses the problem. It converts URL's to a
canonical form, and if I've understood it correctly, it suppresses
descents in the directory structure; on the other hand, if the comment
concerning 1808 is correct, it maintains all of the mechanisms necessary
for CGI and such.

A much simpler solution for starters would be to simply not allow dots
in the filename; for Windows, you'd probably have to have an additional
list of filenames which you simply block; alternatively you could
simply maintain a list of acceptable filenames, and reject anything not
in the list. (This list could be read from a configuration file, and
could be automatically generated by means of something like ls -lR piped
to a small program in awk.)

--
James Kanze GABI Software http://www.gabi-soft.fr
Conseils en informatique orientée objet/
Beratung in objektorientierter Datenverarbeitung
9 place Sémard, 78210 St.-Cyr-l'École, France, +33 (0)1 30 23 00 34

Branimir Maksimovic
Guest





Posted: Wed Dec 08, 2004 10:08 pm    Post subject: Re: Urgent : help needed on web server implementation

kanze (AT) gabi-soft (DOT) fr wrote:
Quote:
bmaxa (AT) volomp (DOT) com (Branimir Maksimovic) wrote in message
well, something like this must be used:

Well, the code you posted seems like a good example of how not to write
modern C++. I certainly wouldn't write anything like that in new code
(char*, rather than std::string, for example).

You are absolutely right, but sometimes string is not necessary.
I use string wherever memory management is required.
In this case contents of vector can be used too.
Also, I cut some lines from the following segment, so now this is ok:

    /* c) remove all xx/../ segments. (including leading ../ and /../) */
    l = 0;

    while(name[l] != '\0') {
        if(name[l] == '.' && name[l + 1] == '.' && name[l + 2] == '/'
           && (l == 0 || name[l - 1] == '/')) {
            int m = l + 3, n;

            /* step back over the previous segment, if there is one */
            l = l - 2;
            if(l >= 0) {
                while(l >= 0 && name[l] != '/')
                    l--;
                l++;
            } else
                l = 0;
            /* shift the rest of the string down over "xx/../" */
            n = l;
            while((name[n] = name[m]))
                (++n, ++m);
        } else
            ++l;
    }

Quote:

And I'm not sure it addresses the problem. It converts URL's to a
canonical form, and if I've understood it correctly, it suppresses
descents in the directory structure; on the other hand, if the comment
concerning 1808 is correct, it maintains all of the mechanisms necessary
for CGI and such.

It simply converts relative to absolute path by stripping
all occurrences of ".." and "." from path. In that way it disables
nasty tricks of going out of document root hierarchy.

Quote:

A much simpler solution for starters would be to simply not allow dots
in the filename;

But lots of file names have extensions. Example given follows simple
algorithm represented in RFC 1808. Filename is not a problem,
rather path to file name, and directory name can contain dots too.
That would be too restrictive.

Quote:
for Windows, you'd probably have to have an additional
list of filenames which you simply block;

yes. I've seen GET /NULL.printer statements issued to server. Guess
that's some program randomly searching for vulnerability in IIS.

Quote:
alternatively you could
simply maintain a list of acceptable filenames, and reject anything not
in the list. (This list could be read from a configuration file, and
could be automatically generated by means of something like ls -lR piped
to a small program in awk.)

That wouldn't be convenient as list can be pretty long.
--
Greetings, Bane.


kanze@gabi-soft.fr
Guest





Posted: Fri Dec 10, 2004 1:51 am    Post subject: Re: Urgent : help needed on web server implementation

Branimir Maksimovic wrote:

[...]
Quote:
alternatively you could simply maintain a list of acceptable
filenames, and reject anything not in the list. (This list could be
read from a configuration file, and could be automatically generated
by means of something like ls -lR piped to a small program in awk.)

That wouldn't be convenient as list can be pretty long.

Convenience and safety are often contradictory. In this case, I don't
think that the convenience issue is too serious, since it would be
relatively simple to generate the list automatically.

Of course, it's a fairly simplistic solution -- I wouldn't recommend it
if you are implementing the next Apache. (Extending it to support CGI
and JSP is an exercise left to the reader:-).) On the other, it's simple
enough that there's even a chance of implementing it without any bugs.
And bugs, of course, are a security risk.

Without knowing the why's of the project (and to start with, why they
aren't using Apache, instead of writing something themselves), it's hard
to say more.

--
James Kanze GABI Software http://www.gabi-soft.fr
Conseils en informatique orientée objet/
Beratung in objektorientierter Datenverarbeitung
9 place Sémard, 78210 St.-Cyr-l'École, France, +33 (0)1 30 23 00 34
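
The list-of-acceptable-filenames approach discussed in the Dec 06 and Dec 10 posts above, as an added example that is not part of the thread. The class name, the one-path-per-line list format and the /srv/www document root are assumptions made for this example; the request string is only ever used as a lookup key and never concatenated into a filesystem path.

```cpp
// Added example, not code from the thread. Names and file format are
// hypothetical.
#include <cstddef>
#include <istream>
#include <map>
#include <sstream>
#include <string>
#include <utility>

class StaticAllowlist {
public:
    explicit StaticAllowlist(const std::string& doc_root) : doc_root_(doc_root) {}

    // Reads one servable file per line, relative to the document root
    // (for instance the output of a directory listing run at deploy time).
    // Blank lines, '#' comments and lines starting with '/' are skipped.
    // Returns the number of entries added.
    std::size_t load(std::istream& in)
    {
        std::string line;
        std::size_t added = 0;
        while (std::getline(in, line)) {
            if (!line.empty() && line.back() == '\r')   // tolerate CRLF files
                line.pop_back();
            if (line.empty() || line[0] == '#' || line[0] == '/')
                continue;
            // Key: the exact request path. Value: the file to open.
            if (files_.insert(std::make_pair("/" + line, doc_root_ + "/" + line)).second)
                ++added;
        }
        return added;
    }

    // Returns the file to open, or nullptr when the request is not listed.
    // The match is exact and case-sensitive; nothing is normalised, so a
    // path with "..", a device name or different case simply misses.
    const std::string* resolve(const std::string& request_path) const
    {
        std::map<std::string, std::string>::const_iterator it = files_.find(request_path);
        return it == files_.end() ? nullptr : &it->second;
    }

    std::size_t size() const { return files_.size(); }

private:
    std::string doc_root_;
    std::map<std::string, std::string> files_;
};

// Constructed sample list, including a CRLF line and a dotted file name.
static const char kSampleList[] =
    "# constructed sample list\n"
    "index.html\n"
    "img/logo.png\r\n"
    "\n"
    "docs/manual.v2.html\n";

StaticAllowlist make_sample_allowlist()
{
    StaticAllowlist list("/srv/www");
    std::istringstream in(kSampleList);
    list.load(in);
    return list;
}
```

File names with dots are served without any special handling, and a request that is not in the list gets a not-found answer without the server ever touching the filesystem.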

