Wapp

A few questions regarding wapp

(1.1) By IRON (iron.udjin) on 2023-04-20 12:30:21 edited from 1.0

Hello,

1. Some of the static files on my server are in upper case. When I request http://127.0.0.1:8080/test.JPG I get this error:

invalid request uri: "/test.JPG"
invalid request uri: "/test.JPG"
    while executing
"error "invalid request uri: \"$uri0\"""
    (procedure "wappInt-parse-header" line 15)
    invoked from within
"wappInt-parse-header $chan"
    (procedure "wappInt-http-readable-unsafe" line 27)
    invoked from within
"wappInt-http-readable-unsafe sock8012fbf50"
    invoked from within
"catch [list wappInt-http-readable-unsafe $chan] msg"

Here is the patch:
--- wapp.tcl.orig	2023-04-20 15:00:09.000000000 +0300
+++ wapp.tcl	2023-04-20 01:47:35.000000000 +0300
@@ -533,7 +533,7 @@
   dict set W REQUEST_URI $uri
   set split_uri [split $uri ?]
   set uri0 [lindex $split_uri 0]
-  if {![regexp {^/[-.a-z0-9_/]*$} $uri0]} {
+  if {![regexp {^/[-.a-zA-Z0-9_/]*$} $uri0]} {
     error "invalid request uri: \"$uri0\""
   }
   dict set W PATH_INFO $uri0
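
Review bot: The widened character class on the regexp line admits uppercase letters anywhere in uri0, not only in a file extension, and uri0 is stored unchanged as PATH_INFO two lines later, so every consumer of PATH_INFO now receives mixed-case paths it never saw before. The change adds only A-Z: "%", spaces, backslashes and other characters outside the class are still rejected, and "." and "/" were already allowed before the patch. Before merging, check that anything comparing or dispatching on PATH_INFO treats "/Test" and "/test" the way you intend, particularly where the path ends up on a case-insensitive filesystem, and add a comment above the regexp saying why uppercase is permitted.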

...but I don't know whether it is a correct solution from the security point of view.

2. I wrote a script for converting images on the fly and use it in a high-load project. Sometimes I have a very large number of open sockets. Is there a way to have wapp listen on a Unix Domain Socket instead of TCP? It would save open TCP sockets and the resources spent on the network stack. It would be great to proxy between nginx and wapp via a Unix socket.

3. What is the fastest way to run wapp? CGI, SCGI, HTTP?

4. Sometimes I'm getting errors like:

invalid header line: "sec-ch-us-arch:"
    while executing
"error "invalid header line: \"$x\"""
    (procedure "wappInt-parse-header" line 24)
    invoked from within
"wappInt-parse-header $chan"
    (procedure "wappInt-http-readable-unsafe" line 27)
    invoked from within
"wappInt-http-readable-unsafe sock82931e910"
    invoked from within
"catch [list wappInt-http-readable-unsafe $chan] msg"

Is there a way to switch off parsing of unknown headers altogether (for security and stability)?

Thank you for this beautiful application.

(2) By geoff (geoffrey) on 2023-08-19 03:19:21 in reply to 1.1

A couple of thoughts from an amateur:

  1. Wapp does need the URL to be lowercase as specified by the regular expression you are altering. You could change the regular expression as you suggested, or you could run a script on your directory to rename *.JPG to *.jpg and so forth.

  2. Wapp uses TCP/IP sockets. The Tcl socket command does not work with Unix domain sockets. It may be possible to alter Wapp to use Unix domain sockets by using (on Linux) socat via the Tcl open command (e.g. something like open |socat ... r+ to open socat as a process you can read from and write to). But not sure if it would work, or how much effort it would be. If thinking about fundamental changes to a simple piece of software you might need to consider whether to choose an alternate technology.

  3. The answer would depend on what you are trying to achieve and may have to be tested. Variables would include what OS you are using, how many processors in the CPU, whether page generation is complicated/CPU intensive, and so on. In SCGI with Wapp, as I understand it, the page generation step is single threaded, but you virtually avoid the interpreter startup cost. CGI can run using multiple independent processes, at a cost of starting wapptclsh or tclsh for each CGI request.

  4. The header regular expression {^(.+): +(.*)$} means that the header must be of the form "header: ", whereas "header:" will not be accepted because it lacks one or more spaces after the ":". You could change wapp.tcl:545-547 to:

    if {![regexp {^(.+): +(.*)$} $x all name value]} { continue }

This would ignore illegal headers of the form "header:".

No warranty implied by these opinions.
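
The regular expressions discussed in this thread, exercised over constructed inputs so the effect of each change can be seen side by side. This is an added example, not part of either post and not code from wapp.tcl; the proc names check_uri and parse_headers and all sample inputs are assumptions.

```tcl
# Added example; not code from wapp.tcl. Only the three regular expressions
# come from the thread. Proc names and sample inputs are constructed.
set URI_ORIG    {^/[-.a-z0-9_/]*$}
set URI_PATCHED {^/[-.a-zA-Z0-9_/]*$}
set HEADER_RE   {^(.+): +(.*)$}

# As in the patch context, only the part of the URI before "?" is checked.
proc check_uri {pattern uri} {
  set uri0 [lindex [split $uri ?] 0]
  return [regexp $pattern $uri0]
}

# mode "error": raise on a non-matching line, as in the stack trace.
# mode "skip":  ignore a non-matching line, as suggested in the reply.
# Returns a two-element list: dict of parsed headers, list of skipped lines.
proc parse_headers {lines mode} {
  global HEADER_RE
  set hdr [dict create]
  set skipped {}
  foreach x $lines {
    if {![regexp $HEADER_RE $x all name value]} {
      if {$mode eq "error"} { error "invalid header line: \"$x\"" }
      lappend skipped $x
      continue
    }
    dict set hdr $name $value
  }
  return [list $hdr $skipped]
}

foreach uri {/test.jpg /test.JPG /Img/a_b.PNG?w=100 "/a b.jpg" /a%20b.jpg} {
  puts [format "%-20s orig=%d patched=%d" $uri \
      [check_uri $URI_ORIG $uri] [check_uri $URI_PATCHED $uri]]
}

# Constructed header lines; the third repeats the one from the error report.
set sample [list "Host: 127.0.0.1:8080" "Accept: image/*" \
    "sec-ch-us-arch:" "X-Empty: " "X-NoSpace:value"]

lassign [parse_headers $sample skip] hdr skipped
puts "kept:    [dict keys $hdr]"
puts "skipped: $skipped"
if {[catch {parse_headers $sample error} msg]} {
  puts "error mode stops at the first bad line: $msg"
}
```

In skip mode a line such as "X-NoSpace:value" is dropped together with the empty one, so any header a handler depends on must arrive with a space after the colon or it will be silently missing.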