05.18.07

20,000th download of POW

Posted in POW at 3:15 pm by David Kellogg

Sometime on Sunday, May 13, the 20,000th download of the Plain Old Webserver occurred. POW has come a long way since user zero. Now there is a vibrant user community that is helping to expand the reach of POW beyond the browser to stand-alone applications.

I knew I would use the extension at first, but I did not know POW would make it on dongles to serve quizzes to college students, or there would be a DB manager for it. It looks like my baby is growing up.

Dave

04.30.07

POW 0.1.2 Preview Available

Posted in POW at 4:11 pm by David Kellogg

POW 0.1.2 is available. It allows modules from developers to be loaded. Here’s how to create the “hello world” module.

hello.sjs:

<html>
<head>
<title>Hello World!</title>
</head>
<body>
<?sjs
 var a = Math.floor(Math.random()*2);
 if(a < 1) {
  document.writeln("¡Hola, mundo!");
 } else {
  document.writeln("Hello World!");
 }
?>
</body>
</html>

hello.install.sjs:

<html>
<head>
<title>Hello POW Module</title>
</head>
<body>
<script>
var pow_installer = {
 version: "1.0.0",
 name: "hello",
 location: "http://localhost/~davidkellogg/xul/pow/modules/hello.zip"
};
</script>
<center>Downloading Pow Module will begin now.</center>
<br/>
If this does not happen, please go directly to <a href="hello.zip">hello.zip</a>.
Once completed please see <a href="http://localhost:6670/modules/hello/hello.sjs">Hello Mundo!</a>.
</body>
</html>

zip hello.zip hello.sjs

Place the hello.install.html file in the same directory as hello.zip.

That’s it!

A few extra notes:

1. Files ending in .install.sjs and .install.html both work as installers.
2. The installer JavaScript is never executed by the chrome for security reasons, so formatting counts. Use the pow_installer formatting as shown.
3. File extensions are whitelisted (.js, .html, .sjs, .gif, .jpg, .png). All others must be copied manually. This is a security restriction.
4. Please document your module. We need to keep minimum standards.
5. Further restrictions on eval and file writes may occur. Both may result in security alerts or files that must be copied by hand.
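
Notes 2 and 3 describe an installer that is read as data and an extension whitelist. The sketch below is an added example, not POW's installer code: it shows one way to pull `pow_installer` out of the page without evaluating it, and to split archive entries by the whitelist. The function names and the strict `key: "literal"` grammar are assumptions.

```javascript
// Added example, not POW's installer code; function names are hypothetical.
const ALLOWED_EXTENSIONS = [".js", ".html", ".sjs", ".gif", ".jpg", ".png"]; // from note 3

// One or more `key: "literal"` pairs and nothing else. Expressions, calls,
// concatenation or unknown keys make the whole block fail to match.
const SHAPE = /^\s*(?:(?:version|name|location)\s*:\s*"[^"\\]*"\s*(?:,\s*|$))+$/;
const PAIR = /(version|name|location)\s*:\s*"([^"\\]*)"/g;

// Read pow_installer from installer page text as data. Nothing is evaluated.
function parseInstaller(pageText) {
  const block = /var\s+pow_installer\s*=\s*\{([^{}]*)\}\s*;/.exec(pageText);
  if (!block || !SHAPE.test(block[1])) return null;
  const fields = {};
  for (const m of block[1].matchAll(PAIR)) fields[m[1]] = m[2];
  // All three fields from the post's example must be present.
  return fields.version && fields.name && fields.location ? fields : null;
}

// Split archive entry names into those installed automatically and those
// left for manual copying. Exact, case-sensitive match on the final extension.
function splitByWhitelist(entryNames) {
  const install = [], manual = [];
  for (const name of entryNames) {
    const dot = name.lastIndexOf(".");
    const ext = dot === -1 ? "" : name.slice(dot);
    (ALLOWED_EXTENSIONS.includes(ext) ? install : manual).push(name);
  }
  return { install, manual };
}

// The installer block from the post, then a constructed variant that computes values.
const FROM_POST = `<script>
var pow_installer = {
 version: "1.0.0",
 name: "hello",
 location: "http://localhost/~davidkellogg/xul/pow/modules/hello.zip"
};
</script>`;
const CONSTRUCTED_COMPUTED = `<script>
var pow_installer = { version: "1.0.0", name: "hel" + "lo", location: getUrl() };
</script>`;

console.log(parseInstaller(FROM_POST));
console.log(parseInstaller(CONSTRUCTED_COMPUTED));
console.log(splitByWhitelist(["hello.sjs", "logo.png", "helper.exe", "README"]));
```

Because only the final extension is compared, a name such as `hello.sjs.exe` lands in the manual list.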

Tell me if there are any problems with your modules.

Dave

04.23.07

POW 0.1.1 preview available

Posted in POW at 4:37 pm by David Kellogg

POW (Plain Old Webserver) 0.1.1 preview is ready for review. Here are the fixes and features.

* Data/DB directory retrieval
* Fixed Windows DB bug
* Supports HTTP 1.1 “Transfer-Encoding: chunked”
* Changed scoping rules to persist only the pow_server object

The last part means that the following will no longer be possible.

Page 1:

var a = 5;

Page 2:

document.writeln(a); // ERROR: a is not defined

The following variable, though, will persist for as long as the server is running:

pow_server.a = 5; // Persists indefinitely

Dave

04.20.07

I’ve got developers?

Posted in POW at 8:57 am by David Kellogg

Wow. This is something I did not expect.

I somehow imagined people would download POW, use it for interesting, unanticipated projects and submit some patches.

What actually happened was much better. There is a great deal of interest from Russia. POW wiki pages were translated into Russian. Users ported their JS applications to POW. I will spend a while filtering through their apps to see how they work. Thanks to everyone for creating a community out of nothing. I think now I have to get back to work on scoping bugs/features.

02.28.07

My first Thunderbird SJS app

Posted in POW at 3:21 pm by David Kellogg

I created my first Thunderbird SJS app. This means I ran a server inside Thunderbird and ran a remote command. It’s a little tough going due to a lack of TB documentation, but exciting. Here it is.

test.sjs:

<?sjs
   document.writeln("Hello world!");
   var mess = Components.classes["@mozilla.org/messenger;1"].
      getService(Components.interfaces.nsIMessenger);
   mess.launchExternalURL ( "http://www.yahoo.com/" );
?>

Haven’t seen that page lately, huh? Load the page, http://localhost:6671/test.sjs to run this remotely on Thunderbird. Mind spinning yet? The reason to do these crazy things is to open up your email to yourself, remotely from anywhere, without a special client.

Dave

02.19.07

POW 0.1.0 preview available

Posted in POW at 10:55 am by David Kellogg

POW 0.1.0 (preview) is ready for download. It has some nice features.

  • Sunbird Support
  • Thunderbird Support
  • Flock Support
  • HEAD requests
  • more MIMEs
  • free watermelon

That’s right, you get a free watermelon with this version. New users will see this favicon.ico as a nice gift, or if not, a replaceable item. Sunbird and Thunderbird get to share in the port listening glory. These two lonely fellows need a little connectivity. I have no idea how my users will take up the opportunity to add a webserver where none existed before. I’m hoping for some creativity.

Another addition is better MIME support from the Mozilla engine itself. The old MIME list becomes a list of overrides. The upshot is you have to add almost no new MIME types. The one exception (see above) is favicon.ico, which uses the MIME, “image/x-icon”. Please add it yourself if you upgrade.

One caveat. Thunderbird and Sunbird POW addons should be considered development releases. The default ports conflict. The webserver still starts, I assure you, but the port conflicts may drive you nuts.

Have fun.

02.12.07

Eric Schmidt says “LAMP is Web 2.0”

Posted in Search at 10:11 pm by David Kellogg

The other day, I was listening to Eric Schmidt, CEO of Google, speak at the State of the Valley on February 2. He said something really strange about the LAMP stack.

“The other thing that has happened is a new architecture has emerged which is technically known as LAMP. Linux Apache Mysql PHP, Perl, Python. In the vernacular it’s known as Web 2.0.”
– Eric Schmidt

Really? You can listen to him say these strange pronouncements and more. No, LAMP is not known as Web 2.0. That is confusing a set of software, and what can be built on top of it. I do think this CEO has lost touch of the technology that powers the web.

A firestorm only blows inward

Posted in POW at 8:52 pm by David Kellogg

It was a strange weekend as this one-man team worked feverishly to douse the flames of security problems. First, from Italy, the disclosure of a directory traversal bug in POW 0.0.7. Strange, since I tested my own code (using Firefox), and many another new server using this fun trick. Better tools are needed to expose this bug.

Just try ‘GET /../../ HTTP/1.0’ and see what happens. Only bad happens. Almost as embarrassing, George from Tenable Security informed me that the wrong page is sometimes delivered to the user. The first bug is fixed in 0.0.9. The second bug fix will come later this week.
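
A containment check for the request quoted above, as an added example and not the fix that shipped in POW 0.0.9: it resolves the raw request target against a document root and refuses anything that climbs above it. `DOC_ROOT` and both function names are assumptions; `browserNormalizedPath` shows why a test driven from a browser does not exercise the bug.

```javascript
// Added example, not POW source. DOC_ROOT and both function names are hypothetical.
const DOC_ROOT = "/srv/pow/htdocs"; // constructed document root

// Map the request target exactly as it arrived on the wire to a file path
// under root, or return null if it must not be served.
function resolveRequestPath(rawTarget, root = DOC_ROOT) {
  const rawPath = rawTarget.split(/[?#]/, 1)[0];   // the path alone selects a file
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);         // decode first so %2e%2e is seen as ".."
  } catch (e) {
    return null;                                   // malformed percent-encoding
  }
  if (!decoded.startsWith("/") || /[\0\\]/.test(decoded)) return null;
  const kept = [];
  for (const segment of decoded.split("/")) {
    if (segment === "" || segment === ".") continue;
    if (segment === "..") {
      if (kept.length === 0) return null;          // climbs above the root: refuse
      kept.pop();
    } else {
      kept.push(segment);
    }
  }
  return root + "/" + kept.join("/");
}

// The path a browser puts on the wire for the same link: dot segments are
// collapsed client-side, so a browser test never sends "/../../" to the server.
function browserNormalizedPath(href) {
  return new URL(href, "http://localhost:6670/").pathname;
}

console.log(resolveRequestPath("/index.html"));
console.log(resolveRequestPath("/../../"));
console.log(browserNormalizedPath("/../../"));
```

A string check like this cannot see symbolic links inside the root; if the root may contain them, resolve the real path before opening the file.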

This proves the adage of Steve Gibson that only time can prove security, not pronouncements, speculation or even good coding practices.

The good thing is that I built POW with security in mind. SJS files only execute in certain locations. The security holes never worked on password protected sites. I do not eval client data. I accept highly limited input to MySQL.

Others might shy away from disclosure, but really, it’s your software. I’d rather sacrifice numbers of users in exchange for assurance to the users that holes will be fixed quickly. And for speed, I fixed the vulnerability less than 24 hours after it was posted.

Dave

01.28.07

Avoiding the n-squared catastrophe

Posted in Coding at 7:44 pm by David Kellogg

The n-squared catastrophe (Metcalfe’s Law) occurs while messaging many other nodes in a cluster. I knew this math since 5th grade at West Elementary.


Nodes  Connections
1      0
2      1
3      3
4      6
50     1225

This is also a game of connect the dots. How many lines are required to connect all dots to all others? n*(n-1)/2.

If there are 4 students in a class they need to pass 6 pairs of notes to each other to communicate. With 50 students, 1225 pairs of notes must trade hands. This is getting out of hand. Soon, instead of performing important tasks, the entire school day is taken up by note-passing. Surely there is a better way.

Computer programmers are slow to learn this lesson. This is mainly a lesson of a multi-node setup. Most coders like to think of complex problems in terms of a single application. A multi-node setup is never like a single application due to the above scaling law. Consider the code.

int count = 0; // a global

That’s all. It’s a global. In a single application, you would not dream of attempting to sync multiple variables, count1, count2, etc. Why would you do this with multiple nodes? The obvious choice in an application is to create a global or static variable. The obvious choice in a multi-node setup is to use a single centralized database. The n-squared catastrophe will kill you otherwise.

Dave

POW 0.0.9 preview available

Posted in POW at 7:38 pm by David Kellogg

POW 0.0.9 preview is available. It is there if you want to see any next-gen features. Rewrite rules were added. Rewrite rules allow you to rewrite urls on the fly. Most server admins know this through ‘.htaccess’. Here is the new functionality in action.

// htdocs/system/startup.sjs
<?sjs
 pow_server.REWRITE_RULES =
  [
   [ "dog/?(.*)$", "/cat.sjs?q=$1" ],
   [ /^\/Jason\/?(.*)$/i, "/cat.sjs?q=$1" ]
  ];
?>

This results in dog.html pointing to /cat.sjs?q=.html. This cleans up the problem of linking many fake directories to a single script.
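
How the two rules above evaluate, as an added example that is not POW's rewrite engine. It assumes string patterns are compiled as regular expressions and searched anywhere in the URL, that the first matching rule wins, and that the target with `$1` filled in replaces the whole URL; `applyRewrite` and `unanchoredRules` are hypothetical names.

```javascript
// Added example, not POW source. The matching semantics here are assumptions.
const REWRITE_RULES = [                      // the two rules from the post
  ["dog/?(.*)$", "/cat.sjs?q=$1"],
  [/^\/Jason\/?(.*)$/i, "/cat.sjs?q=$1"],
];

// String patterns become regular expressions; RegExp patterns are used as given.
function toRegExp(pattern) {
  return pattern instanceof RegExp ? pattern : new RegExp(pattern);
}

// First matching rule wins; the target, with $1..$9 filled in, becomes the new URL.
function applyRewrite(url, rules = REWRITE_RULES) {
  for (const [pattern, target] of rules) {
    const m = toRegExp(pattern).exec(url);
    if (m) {
      return target.replace(/\$(\d)/g, (_, i) => (m[i] === undefined ? "" : m[i]));
    }
  }
  return url;                                // no rule matched: URL is served as-is
}

// Indexes of rules whose pattern does not start with "^". Such a rule matches
// its text anywhere in the URL, not only at the start of the path.
function unanchoredRules(rules = REWRITE_RULES) {
  const found = [];
  rules.forEach(([pattern], index) => {
    if (!toRegExp(pattern).source.startsWith("^")) found.push(index);
  });
  return found;
}

console.log(applyRewrite("/dog.html"));      // the case described in the post
console.log(applyRewrite("/Jason/photos"));  // anchored, case-insensitive rule
console.log(applyRewrite("/hotdog/menu"));   // unanchored rule also matches here
console.log(applyRewrite("/index.html"));    // untouched
console.log(unanchoredRules());
```

Under these assumptions the string rule also rewrites any URL that merely contains `dog`, while the anchored regular expression only matches paths that begin with `/Jason`.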
