-http mode responds to net-eval

Q&A's, tips, howto's
Locked
ralph.ronnquist
Posts: 228
Joined: Mon Jun 02, 2014 1:40 am
Location: Melbourne, Australia

-http mode responds to net-eval

Post by ralph.ronnquist »

Test scenario: running newlisp in -http mode and another newlisp querying it:

Code: Select all

1% newlisp -http -d 19001

Code: Select all

2% newlisp -e '(net-eval localhost 19001 {(exec "ls")})'
More specifically, in the source, I can see that the batchMode logic of executeCommandLine seems buggy; it enters batchMode=2 whenever the input starts with "[cmd]", and this simply bypasses both the command event call, and the HTTP dispatch chain, also including the end case of avoiding evaluation.

I would have liked suggesting a fix, and perhaps it's sufficient to avoid entering batchMode=2 in the case of httpMode&&noPromptMode, but I'm not totally a par with all ramifications of that.

In any case, this really is a show stopper for using it as front-line http request handler.

EDIT: Possibly one can patch this by having an exiting reader-event handler:

Code: Select all

(reader-event (fn (s) (exit)))
This simply closes the connection for any net-eval input, i.e., when the input starts with "[cmd]", and other input (esp. http requests) is processed like before.
Note that this has to be the very last thing on a server definition file.

Lutz
Posts: 5289
Joined: Thu Sep 26, 2002 4:45 pm
Location: Pasadena, California
Contact:

Re: -http mode responds to net-eval

Post by Lutz »

Thanks for catching this bug. In version 10.6.3 http only mode is http only. Older net-eval clients will wait for ever, 10.6.3 net-eval clients will return nil.

http://www.newlisp.org/downloads/develo ... nprogress/

ralph.ronnquist
Posts: 228
Joined: Mon Jun 02, 2014 1:40 am
Location: Melbourne, Australia

Re: -http mode responds to net-eval

Post by ralph.ronnquist »

Hmm. I just downloaded and compiled newlisp10.6.3.tgz from there, and I get

Code: Select all

% ./newlisp -e '(net-eval "localhost" 19001 true)'         
true
I.e., the other process "./newlisp -http -d 19001" responds to net-eval.

This is: newLISP v.10.6.3 32-bit on Linux IPv4/6 UTF-8 libffi, options: newlisp -h
which I just pulled from the inrogress directory. Looking into newlisp.c it looks like "-c" (setting noPromptMode = TRUE) is subsumed by "-http" (which does the same plus httpMode = TRUE).

Lutz
Posts: 5289
Joined: Thu Sep 26, 2002 4:45 pm
Location: Pasadena, California
Contact:

Re: -http mode responds to net-eval

Post by Lutz »

You must run a wrong version. Checked on Windows 7 and OSX and get either nil or a "Socket send failed" error message.

The -c mode answers to both net-eval and HTTPrequests, but the -http mode to HTTP only. Check the relevant code in executeCommandLine() in line 1172:

Code: Select all

if(!batchMode)
    {
    if(logTraffic == LOG_MORE)
        writeLog(command, TRUE);
#ifndef LIBRARY
    if(strncmp(command, "GET /", 5) == 0)
...
...
#endif
    else if(!httpMode) goto EXEC_COMMANDLINE;
    return;
    }
if(httpMode) goto RETURN_BATCHMODE;
There code forces closing the connection and return on httpMode after the goto:

Code: Select all

RETURN_BATCHMODE:
    if(!daemonMode)  exit(1);
    if(IOchannel != NULL) fclose(IOchannel);
#ifndef LIBRARY
    setupServer(1);
#endif
    return;
if httpMode is on it will never execute that other code portion before RETURN_BATCHMODE.

Ps: also try other than true as expression to evaluate, e.g:

Code: Select all

newlisp -e '(net-eval "localhost" 2345 "(+ 3 4)")'
expecting 7 as return.

ralph.ronnquist
Posts: 228
Joined: Mon Jun 02, 2014 1:40 am
Location: Melbourne, Australia

Re: -http mode responds to net-eval

Post by ralph.ronnquist »

yes, I messed up in my downloading.

Doing it right gave me the additional source line of

Code: Select all

if(httpMode) goto RETURN_BATCHMODE;
which makes -http be only HTTP handling, I guess.

Interestingly enough, I realized that HTTP processing is always available, with or without -http or -c. It's even available on the interactive prompt. E.g. you can type

Code: Select all

GET /xxx HTTP/1.1
with two newlines, to trigger the HTTP request handling, and get an error response (unless file xxx is available) and then newlisp exits.

The key for me of course is the restrictive -http mode.

ralph.ronnquist
Posts: 228
Joined: Mon Jun 02, 2014 1:40 am
Location: Melbourne, Australia

Re: -http mode responds to net-eval

Post by ralph.ronnquist »

... it appears this version has lost the HTTP_AUTHORIZATION patch.

Lutz
Posts: 5289
Joined: Thu Sep 26, 2002 4:45 pm
Location: Pasadena, California
Contact:

Re: -http mode responds to net-eval

Post by Lutz »


Lutz
Posts: 5289
Joined: Thu Sep 26, 2002 4:45 pm
Location: Pasadena, California
Contact:

Re: -http mode responds to net-eval

Post by Lutz »

If you are concerned about security, you should also supply a conection timeout when starting a newlisp HTTP only server, e.g:

Code: Select all

newlisp -http -t 500000 -d 80
Without the 1/2 sec timeout, it would be possible to connect without sending any request, effectively capturing the server. This could happen on purpose a because of technical problems in the client after connecting. If no request is coming the server will disconnect after the timeout and wait for a new connection.

ralph.ronnquist
Posts: 228
Joined: Mon Jun 02, 2014 1:40 am
Location: Melbourne, Australia

Re: -http mode responds to net-eval

Post by ralph.ronnquist »

Thanks. Good point. Yes, I'll do that.
Although the particular service is not really public, it's of course publicly available. It's HTTPS by virtue of an 'stunnel' proxying to the firewalled newlisp, so I might need to think about that session timeout as well.

Locked