New webserver


#1

I'm designing a webserver as my first project in Ruby

I need help with this line

fileLine.sub(/\.\.\//, '')

this is to remove any "../" that occur due to users trying to break in,
or by accident ;)

However, this only removes the first instance of the "../"; how do I remove
every instance?

Many thanks

Stuart


#2

gsub


#3

On 6/5/06, Stuart B. removed_email_address@domain.invalid wrote:

However, this only removes the first instance of the "../"; how do I remove
every instance?

I think you’re looking for gsub.

Cheers,
Ed

Find "Tu psicópata favorito" at http://tuxmaniac.blogspot.com

Thou shalt study thy libraries and strive not to reinvent them without cause,
that thy code may be short and readable and thy days pleasant and productive.
– Seventh commandment for C programmers


#4

Hi Stuart,

not sure if it is a good idea to handle security on this level, but
you can try gsub instead of sub to replace all occurrences.

Cheers,
Mariano


#5

Thanks all, this worked fine

def self.path(path)
  fileLine = path[1].strip
  fileLine = fileLine.gsub(/\.\//, '')    # strip "./"
  fileLine = fileLine.gsub(/\/\./, '')    # strip "/."
  fileLine = fileLine.gsub(/\\/, '')      # strip backslashes
  fileLine = fileLine.gsub(/\.{2,}/, '')  # strip runs of two or more dots
  fileLine = fileLine.gsub(/\/{2,}/, '')  # strip runs of two or more slashes
  fileLine = "/srv/www/htdocs/" + fileLine
  return fileLine
end

Is there a way of making it look prettier?

I'm trying to stop people using the address bar to access parts of the
system they should not

Many thanks all

Stuart


#6

On Jun 5, 2006, at 10:45 AM, Stuart B. wrote:

return fileLine
end

Is there a way of making it look prettier?

I'm trying to stop people using the address bar to access parts of the
system they should not

Many thanks all

Stuart

def self.path(path)
  fileLine = path[1].strip
  # same five substitutions as before, applied in a loop
  [/\.\//, /\/\./, /\\/, /\.{2,}/, /\/{2,}/].each do |exp|
    fileLine.gsub!(exp, '')
  end
  "/srv/www/htdocs/" + fileLine
end


#7

On Jun 5, 2006, at 9:45 AM, Stuart B. wrote:

return fileLine
end

Is there a way of making it look prettier?

Perhaps:

def self.path(path)
  path.first.strip.
       gsub(...).
       gsub(...)
end

Again, Ruby naming conventions are file_line, not fileLine. Have to
start adopting typical Ruby style so you can get Rubyists interested
in your web server.

James Edward G. II


#8

Stuart B. wrote:

return fileLine
end

Is there a way of making it look prettier?

I'm trying to stop people using the address bar to access parts of the
system they should not

In addition to what others have said, have a look at File.expand_path.


#9

Stuart B. wrote:

Is there a way of making it look prettier?

I'm trying to stop people using the address bar to access parts of the
system they should not

Stuart,

why do you try to solve this problem on the string level?

Wouldn’t it make more sense to rely on the OS authorization scheme?
On Unix you can set permissions on files and directories. You can also
start a server using chroot so that nobody can break out (i.e. go up) of
the designated directory/sandbox.

If you go for the string way, you might need to check if different
encodings of URIs can bust your regexps.

Cheers,
Mariano


#10

-----Original Message-----
From: removed_email_address@domain.invalid
[mailto:removed_email_address@domain.invalid] On Behalf Of Stuart B.
Subject: New webserver

I'm designing a webserver as my first project in Ruby

I need help with this line

fileLine.sub(/\.\.\//, '')

If you want to write an HTTP server, read the HTTP specification and go
from there. Trying to sanitise a URL with regexes WILL leave you with
security holes. If you're writing anything for which there's a
specification, read the specification carefully and implement
(preferably test-first) from that. The specification writers are much
smarter than you, and will have thought of many things that you will not
think of until it’s too late.

Regexes are GREAT for all sorts of string manipulation tasks, but they're
the wrong tool for parsing even a mildly complex language. Parse the
input using a proper parser.

That said, as long as you never, ever plan on exposing this thing to the
public internet, have fun learning.
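An added example (not code from anyone in this thread) of the approach #8 and #9 point at: percent-decode the request path once, let File.expand_path normalise it against the document root, and refuse anything that resolves outside that root. The docroot is the one from Stuart's code; `safe_path` and `percent_decode` are assumed names.

```ruby
# Added example: resolve a request path against the document root and refuse
# anything that escapes it, instead of stripping "../" with gsub.
# DOCROOT is the directory from Stuart's code; safe_path is an assumed name.
DOCROOT = '/srv/www/htdocs'

# Percent-decode once ("%2e%2e/" becomes "../") so the check sees what the
# filesystem would see. A regexp on the raw string never sees encoded forms.
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Returns the absolute file path for request_path, or nil if the resolved
# path is not inside docroot. Does not touch the filesystem itself.
def safe_path(request_path, docroot = DOCROOT)
  decoded = percent_decode(request_path.to_s.split('?', 2).first.to_s)
  return nil if decoded.include?("\0")   # a NUL byte would truncate the path in C APIs
  # The "./" prefix stops expand_path treating a leading "~" as a home directory.
  full = File.expand_path('./' + decoded.sub(%r{\A/+}, ''), docroot)
  root = File.expand_path(docroot)
  # The trailing "/" in the prefix test stops "/srv/www/htdocs2" passing as a child.
  return nil unless full == root || full.start_with?(root + '/')
  full
end

if __FILE__ == $0
  # constructed sample request paths
  %w[/index.html /a/./b//c.html /../../etc/passwd /%2e%2e/%2e%2e/etc/passwd /~root/x].each do |p|
    puts "#{p} -> #{safe_path(p).inspect}"
  end
end
```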


#11

Hi all, not to worry, I'll start a new thread with this one as it's going
off subject

Many thanks

Stuart


#12

Thanks everyone for your help

I have another question: can I use Ruby threads to have more than 1
server process running on the same port?

something like

require 'socket'
port = (ARGV[0] || 80).to_i
server = TCPServer.new('localhost', port)
threads = []

10.times do |i|
  threads[i] = Thread.new {
    # each thread blocks in accept; whichever wakes first serves the connection
    while (session = server.accept)
      puts "Request: #{session.gets}"
      session.print "HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n"
      session.print "<html><body><h1>#{Time.now}</h1></body></html>\r\n"
      session.close
    end
  }
end

threads.each(&:join)  # keep the main thread alive while the workers run

Would this produce 10 processes that could take independent connections?