Tuesday, October 16, 2007

Lua Lua, Everywhere!

Lua is now embedded in AOS, it was a lot easier than I thought. The code is ANSI C so I embedded it into a DLL with ability to dynamically load Lua libraries. I added it to the templates which now behave similar to JSP pages with Java embedded in them. For example:


<>Page for %[LUA]{{{
}}}[LUA]%< /sometag >

Since you can combine a set of templates to make a full page, you can have a common header/footer/etc pages that are shared by many other pages. And here aos.emit() extracts from the XML model the cookie named username and
using alibrary.print() function writes it to the output stream.

It's very easy once you get used to Lua (and in spirit of C almost everything is defined via libraries); so getting used to it is actually very easy. Try it out: http://www.lua.org/ and if you are not completely satisfied, I'll refund your ... umm... it's free!

Monday, July 23, 2007

The benefits of PHP and testing

I have never liked PHP as a language due to the extremely high number of exploits floating around on the web, but recently I found it to be quite useful as a QA tool. My application server is constantly getting hit with bots that are looking for one PHP exploit or another. They range from core PHP attacks on admin functionality, help system, proxy functionality and other random PHP scripts that ship with various versions (most trying to run some shell command). On top of that there are a lot of PHP 3rd party programs (forums, blogs, etc) that either open more holes or re-expose existing ones. I worry about any site running PHP, they are exposing themselves to a lot of support and maintenance hassles.

However, this is good for me. I get so many hits from bots (and sometimes script kiddies) looking for various holes in PHP that the requests are often malformed, formed incorrectly, contain invalid data, etc; not to mention the constant port scans from not so nice scanners that don't always follow TCP/IP standards (but that's all good, more fodder). This constant assault provides ways I can fix unexpected and often incorrect behavior on my server that results from inexperienced web hackers or automated bots.

To be fair, I do get a rare MS exchange hole where the Authorize header is extra long (for IIS) and tries to exploit the mail server hole. I have written my HTTP parser to be quite heavy duty so it's just a blob of data and if it is too long it will be discarded looking for next CRLF (instead of trying to read it into a fixed buffer which is how a lot of buffer overflow attacks are done).

Long live PHP in all of its poorly coded glory.

Sunday, March 04, 2007

And then there was 1.0

I have finally met the 1.0 milestone (albeit still beta).

The biggest change are:
- added HTTP 1.1 pipelining (IE7 still doesn't support it, but the browsers that do benefit from much better performance)
- upgraded to the latest sqlite3 (with source), gdlib and mysql includes
- sped up he execution by converting the 3 separate execution queues in 1, which is not as complex as I thought it would be and is way faster (getting single digit millisecond execution times on semi-complex calls on an ancient pre-millenium computer).
- ran lint on the code and cleaned up a bunch of stuff
- added event visitor and improved administration, with this I can track any request through the execution path to determine if there were any problems (I like it a lot, but may add a way to turn it on/off to speed things up more, performance at this point is not an issue, but more is always better)

Things to do:
- finish gzip code (compression only works on mozilla, IE is behaving strangely)
- write more sample applications (need to finish the blog and forum examples)
- externalize DB queries to be database specific in a resource file (it is very easy to switch databases, but the SQL format varies ever so slightly)
- add asymmetric static content cache in case the server is used as HTTP/HTTPS server (which is does very well but caching would make it even faster).
- add ability to view server logs via administration interface (not urgent since you can always just open the file yourself, but a convenient feature)

Overall the server is stable and very fast, which is the goal of this project. Once I have more functionality added I will start thinking about how to release it.