Forum

Hiawatha version: 6.15
Operating System: Puppy Linux 4.3pre-beta

Hi, I'm one of the developers of Puppy Linux. I'm working on the upcoming version 4.3, and I am reintroducing QUISP into Puppy. Previously we used Nullhttpd for QUISP, also Abyss has been used successfully. But now Hiawatha is our default web server.

I am testing the QUISP database system in Puppy Linux. QUISP runs as a CGI and I am using Hiawatha version 6.15.

One of the QUISP examples fails, Hiawatha gives "403 permission error" message. The example includes a multi-line text-entry box and I found that is what upsets Hiawatha. If I only have one line in the text-entry box, it works, and looking at Hiawatha's 'access.log' file:

127.0.0.1|Sat 01 Aug 2009 23:49:34 +0800|200|1289||GET /cgi-bin/quisp.bin?rtn=art_saver&formmode=update&id=301&artist=Person+Mr&title=Aussie+Outback&format=woodcut&year_created=2009&frame=big+frame&size=200+x+500&img1=myimage.jpg&img2=&img3=&textdesc=dinki+di+outback+scene+painting&current_value=234 HTTP/1.1|Host: 127.0.0.1|User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090728 SeaMonkey/1.1.17|Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5|Accept-Language: en-us,en;q=0.5|Accept-Encoding: gzip,deflate|Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7|Keep-Alive: 300|Connection: keep-alive|Referer: http://127.0.0.1/cgi-bin/quisp.bin?rtn=art_form&id=301&formmode=update

...the text in the text-entry-box is "dinki di outback scene painting".

Now submitting with multiple lines in the text-entry-box:

127.0.0.1|Sat 01 Aug 2009 23:50:11 +0800|403|0||GET /cgi-bin/quisp.bin?rtn=art_saver&formmode=update&id=301&artist=Person+Mr&title=Aussie+Outback&format=woodcut&year_created=2009&frame=big+frame&size=200+x+500&img1=myimage.jpg&img2=&img3=&textdesc=dinki+di+outback+scene+painting%0D%0Asecond+line+of+description&current_value=234 HTTP/1.1|Host: 127.0.0.1|User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090728 SeaMonkey/1.1.17|Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5|Accept-Language: en-us,en;q=0.5|Accept-Encoding: gzip,deflate|Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7|Keep-Alive: 300|Connection: keep-alive|Referer: http://127.0.0.1/cgi-bin/quisp.bin?rtn=art_form&id=301&formmode=update

...the text-entry box has
"dinki di outback scene painting
second line of description"
and you can see that %0D%0A is used for the line break, and this is what upsets Hiawatha.

This example does work with some other web servers, such as Abyss, so is this then a bug in Hiawatha?

I would greatly appreciate if you could give this some attention, as I am keen to have a fully working QUISP in the 4.3beta1 release that I hope to upload soon.

Regards,
Barry Kauler
puppylinux.com/blog

With those extremly long URLs, it looks like you've got one ugly program there. The Quisp programmer should know POST was invented for that.

Nevertheless, by default Hiawatha doesn't allow characters with ASCII value below 32 in the URL. This is for security reasons. Properly designed webapplications don't need such characters in the URL and only hackers will use such characters in the URL.

Hiawatha has a hidden setting to allow such 'dangerous' characters in the URL:

SecureURL = no

Hugo,
Thanks for your reply -- whenever I find some area of difficulty on Hiawatha, I find that you have already thought of it and have it covered!

I'll pass on this information to the QUISP developer. Actually, he hasn't worked on it since 2006, but if he knows that someone is going to put it into a distro as the default database system, he might be motivated to work on it some more.

I probably should start another thread, but there is still one issue with Hiawatha that is a bit of a problem. I'm using Hiawatha in Puppy to drive PPLOG which is a Perl script. The problem is that I could not get Hiawatha to handle to different CGI systems on a per-directory basis. That is, I can specify the CGI handler as /usr/bin/perl but not on a per-directory basis. QUISP is a binary executable, so I don't want that cgi-handler variable.
What I'm doing is using two different httpd.conf files, but that means PPLOG and QUISP cannot run concurrently.

...probably you have already thought of this too, and I have overlooked something! In that case, thanks for your patience!

Regards,
Barry Kauler

I don't understand your CGI problem. If PPLOG is a Perl script and QUISP a binary, there shouldn't be a conflict. If both have a different extension, just configure Hiawatha that way.

CGIextension = cgi,bin
CGIhandler = /usr/bin/perl:pl

That should do it.

I read your blog and saw you sometimes have a little problem with Hiawatha. I'd like to respond to your 'grumble grumble'. Hiawatha was build to be a secure webserver. Not only have I put lots of work in building a secure program but also gave a lot of thoughts to how a webserver should work.

Although computers are complex devices, a lot of work has been put in making those devices usable by almost everybody. That's nice, but it also resulted in that a lot of people claim they are good at programming the computer, while in fact they are really bad programmers. While Apache is a webserver which focusses on serving all kinds of applications, even the crappy ones, Hiawatha focusses on security. If you have a well written application, you find almost no trouble in having it served via Hiawatha. If you have badly written applications (like QUISP with the large URLs), you find Hiawatha complaining and even refusing things. Many decisions I made according to Hiawatha, I've based them on more than two years of security auditing work, most of it was auditing web applications. So, things that Hiawatha can't do are there for a reason. So, if someone is having trouble getting a badly written application online via Hiawatha, I have no intention in 'fixing' Hiawatha. They should just use another webserver.

I hope you don't think that I sounds arrogant. I'm not arrogant, I just try to build a secure webserver from a scientific and academic point of view. You could say that I have the unrealistic and impractible intension of recreating the Web, from a technical point of view. But this time, it must be a secure Web.

Hugo,
Yes, your dedication to making Hiawatha very secure is one of the reasons I am using it. I could have used Nullhttpd, which we previously used for QUISP, but it does apparently have some security issues.
My "grumble grumble" was because I was messing around for a very long time fiddling with file and directory permissions, because I thought that was the problem.

I think Hiawatha is a beautiful web server, and it is my choice as "the" web server for Puppy.

Hugo,

To add to what Barry said, after we switched to Hiawatha for Puppylinux.ca, we have started to see a great control over bandwidth. Thanks to the ban options available with Hiawatha. This is indeed a great webserver.

Thanks!