Path: csiph.com!weretis.net!feeder9.news.weretis.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx09.iad.POSTED!not-for-mail
From: Daniel
Newsgroups: comp.infosystems.gopher
Subject: Re: NEX
References: <8734pd2vb9.fsf@sc1f1dan.com> <87a5je7me3.fsf@sc1f1dan.com> <87ed8no2fp.fsf@sc1f1dan.com> <87a5janyy0.fsf@sc1f1dan.com> <878qyoj3l7.fsf@raspberrypi> <87h6dczbxh.fsf_-_@tilde.institute>
Message-ID: <87y16ix60x.fsf@raspberrypi>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Cancel-Lock: sha1:/uuSKVh9ISiKYWKSbdx9Q0q860I=
MIME-Version: 1.0
Content-Type: text/plain
Lines: 137
X-Complaints-To: abuse(at)newshosting.com
NNTP-Posting-Date: Wed, 03 Jul 2024 07:56:49 UTC
Organization: Newshosting.com - Highest quality at a great price! www.newshosting.com
Date: Wed, 03 Jul 2024 00:56:46 -0700
X-Received-Bytes: 5255
Xref: csiph.com comp.infosystems.gopher:685

yeti writes:

> "Arti F. Idiot" writes:
>
>> If you're wanting to play around with Nex I know of two Nex server
>> daemons, nexd (Go-based; see nightfall.city for details) and sonexd
>> (socat+bash based; see https://rawtext.club/~woog/nex/ for details).
>
> I think checking for sane paths to avoid serving not so public info is
> the only complex part in a NEX server (but there may be libs for that).
> Laziness is one of my well known superpowers and I just needed a server
> to locally test a NEX plugin for Dillo, so I did not care/test much.
>
> Maybe I'll restart my hacks somewhen e.g. with a ZIP as pseudo-FS or
> some other kind of "naturally" being separated from the main FS. That'd
> make it much easier and lots of editors already can "transparently" edit
> stuff in archives.
>
> Reading beyond this line equals signing a NLA (non laughing agreement):

Now THAT's funny. But anyway, reading below leads me to think that the
NEX protocol is dangerous. Not sure what your scripts do. What are the
use cases for NEX anyway?
>
>
> * NCAT + SH
>
> /!\ Barely tested, treat it as unsafe.
>
> Tested on Debian and OpenBSD.
>
> No automatic directory listings.
>
> ------------------------------------------------------------------------
> #!/bin/sh -x
> ##
> ## TIADUNSLFANN Is A Dangerously Unsafe Nex Server Looking For A Nicer Name
> ##
> ##   ncat -l -p 1900 -k -c ./tiadunslfann
> ##
>
> root="$PWD"
> alias mute-err='2>/dev/null '
>
> ## -r keeps backslashes in the request literal
> IFS='' read -r request
>
> ## realrequest is empty when realpath fails, so report the raw request
> if ! realrequest=$(mute-err realpath "$root/$request")
> then printf "E: bad request '%s'\n" "$request"
>      exit
> fi
>
> ## match the doc root itself or paths below it; a bare "$root"* prefix
> ## would also accept a sibling directory such as "${root}-private"
> case "$realrequest" in
>   "$root"|"$root"/*) ;;
>   *) printf "E: bad request '%s' outside doc root\n" "$realrequest" ; exit ;;
> esac
>
> if [ -f "$realrequest" -a -r "$realrequest" ]
> then cat "$realrequest"
> elif [ -d "$realrequest" -a -r "$realrequest/index" ]
> then cat "$realrequest/index"
> else printf "E: bad request, no idea about '%s'\n" "$request"
> fi
> ------------------------------------------------------------------------
>
>
> * MicroPython
>
> /!\ Only minimally tested with MicroPython's ESP8266 and Unix ports,
>     treat it as unsafe.
>
> ------------------------------------------------------------------------
> #!/usr/bin/env micropython
> ##
> ## The Ridiculously Simple MicroPython Nex Server
> ##
> ##   trsmpns.upy.py
> ##           \   \
> ##            \   editors shall read this as Python source
> ##             but MicroPython != Python
> ##                 e.g. sockets are streams by default
> ##
> import os, socket
>
> def main():
>     s = socket.socket()
>     ai = socket.getaddrinfo("0.0.0.0", 1900)
>     addr = ai[0][-1]
>     s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
>     s.bind(addr)
>     s.listen(5)
>
>     while True:
>         client_stream, client_addr = s.accept()
>         req = client_stream.readline()[1:-1].decode() # "/req\n" -> "req"
>
>         while True: ## try and ignore errors.
>             try:
>                 client_stream.write(open(req).read())
>                 break ## req was a file
>             except:
>                 pass
>
>             try:
>                 client_stream.write(open("./"+req+"/index").read())
>                 break ## req was a dir with index file
>             except:
>                 pass
>
>             try: ## silently ignore other types than file and dir
>                 client_stream.write("=> ..\n")
>                 for f in os.listdir("./"+req):
>                     st = os.stat("./"+req+"/"+f)[0] & 0xc000
>                     if st == 0x8000: tc = ""
>                     elif st == 0x4000: tc = "/"
>                     if st: client_stream.write("=> "+f+tc+"\n")
>                 break ## req was a dir without index file
>             except:
>                 pass
>
>             break
>
>         client_stream.close()
>
> main()
> ------------------------------------------------------------------------
>
>
> * The End.
>
> Both were fun for my use case, YMMV.
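
The "checking for sane paths" step that the quoted post calls the only complex part of a Nex server, as an added example that is not part of this thread or of either posted server. It is written for CPython rather than MicroPython; `resolve_request`, `_inside` and the directory names in `demo` are hypothetical, and the sample tree is constructed.

```python
import os
import tempfile

def _inside(root, path):
    """Resolve path (following symlinks) and return it only if it stays under root."""
    real = os.path.realpath(path)
    # commonpath compares whole components, so /srv/nex-private is not "inside" /srv/nex.
    return real if os.path.commonpath([root, real]) == root else None

def resolve_request(root, request):
    """Map one Nex request line to a regular file under root, or None to refuse."""
    root = os.path.realpath(root)
    rel = request.rstrip("\r\n").lstrip("/")   # "/docs/a.txt\n" -> "docs/a.txt"
    if "\x00" in rel:                          # realpath() raises on embedded NUL
        return None
    target = _inside(root, os.path.join(root, rel))
    if target and os.path.isdir(target):       # directory: serve its index file
        target = _inside(root, os.path.join(target, "index"))
    return target if target and os.path.isfile(target) else None

def demo():
    """Constructed tree: docroot 'nex' next to a sibling 'nex-private' (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        root = os.path.join(tmp, "nex")
        private = os.path.join(tmp, "nex-private")
        os.makedirs(os.path.join(root, "docs"))
        os.makedirs(private)
        for path in (os.path.join(root, "index"),
                     os.path.join(root, "docs", "a.txt"),
                     os.path.join(private, "secret")):
            with open(path, "w") as f:
                f.write("constructed sample\n")
        # A symlink inside the docroot that points out of it.
        os.symlink(os.path.join(private, "secret"), os.path.join(root, "leak"))
        results = {}
        for req in ("/", "/docs/a.txt", "/docs", "/../nex-private/secret", "/leak"):
            hit = resolve_request(root, req + "\n")
            results[req] = os.path.relpath(hit, tmp) if hit else None
        return results

if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{req!r:28} -> {served}")
```

The index file is resolved a second time because it can itself be a symlink that leaves the docroot.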