
Show HN: Demo of Wiki and Forum coded in C under 80k - ronsor
http://home.ronsor.gq:12321/cgi-bin/wiki
======
danieltillett
I really think we should stop being so mean to the submitter. Sure the code
might have problems and the whole approach might not be advisable, but I am
sure they have learned a lot from doing this. Ronsor congratulations for
actually shipping.

~~~
speps
I think the negativity comes from the fact this site now linked on the front
page of HN can be hacked to send malicious JavaScript to people...

Also, in my opinion, adding "Demo" means that it shows how to do it, but that's
clearly not how to do it _properly_.

~~~
danieltillett
Yes it should not be getting the attention it is getting right now, but we can
approach this in a more generous fashion. Let's help rather than ridicule.

------
ronsor
I'll upload the source code tomorrow...

Edit: It's also running on my 4mb flash openwrt router, and has NO dependencies

~~~
sdegutis
Excited to see the code. C isn't known for being great for writing high level
applications like this, so I'm really curious what the source looks like.
Especially since it has _no dependencies_!

~~~
jheriko
you may be surprised how easy it is to write a http server that replies with
html in C... it's all just text going over sockets after all.

i did it myself a lot a long time ago by teaching myself, but you are right
that using some full featured server and some high level language targeting
web development has much more convenience, especially if you care about rich
features and security.

~~~
teaearlgraycold
They claim it's got no dependencies though - so somehow they've got their own
sockets implementation crammed in there.

~~~
jheriko
i doubt it tbh, i bet he means no /3rd party/ dependencies other than the ones
that came with the development environment.

the C standard library and the usual set of headers and os functions that you
get in most C environments is not what people tend to mean by dependencies....

~~~
fit2rule
POSIX?

It's quite possible to have a C-based sockets-/signals- handler in a single
source file, say .. 48k lines of code or so. I've seen many robust system
daemons with just such an implementation.

3rd party dependencies are definitely an issue that very few languages have
managed to promote, since languages either want to promote (or demote) such
circumstances as mass-package (i.e. mass usage of the language) in a broad
commercial/industrial/social context.

But it's not naive to write such things as a Wiki and a Blog in C. Just ..
dangerous. I imagine there are, however, some good 3rd-party C libraries
available to do less-dangerous implementations, however...

~~~
jheriko
it never seems to actually be posix, but yeah that kind of stuff.

it is interesting stuff.

------
krapp
It looks interesting. Unfortunately, judging from the comments here, it's also
more or less useless. I really look forward to seeing the source code, though,
but the _hard_ part is the part that seems not yet done - which is the
security.

I mean, what even is the point of sending me a file with a txt extension if
you're not sending text headers?

------
dbpokorny
What are your thoughts re: adding memory protection to C? (in other words: add
a distinction between "pointer bytes" and "raw data bytes" and some rules
regarding pointer assignment, arithmetic, and dereferencing that serve to
treat the pointer bytes as protected memory of a "3rd space" that sits between
kernel space and user space; thereby ensuring that a program can only obtain a
pointer to either a stack location (with restrictions) or heap location that
points to a byte in an allocated segment of memory?)

~~~
akkartik
I've actually been building a teaching VM with these properties. You can't
take the address of arbitrary values (so there's no distinction between
lvalues and rvalues), there's no pointer arithmetic (instead you have
type-safe primitives for record access and array indexing), all arrays (including
strings) know their length and bounds-check accesses, and unions behave more
like sum types, always knowing precisely what type they have stored. All these
constraints ensure you can never convert a number to an address, or generate
an address to an illegal value. More info about the goal and rationale:
[http://akkartik.name/post/mu](http://akkartik.name/post/mu);
[http://github.com/akkartik/mu](http://github.com/akkartik/mu).

I also recently found out about
[http://eigenstate.org/myrddin](http://eigenstate.org/myrddin) which seems
more mature with _very_ similar goals/aesthetics. I've been digging into it a
fair bit.

Finally, on the extreme other end of the spectrum, there's Rust.

~~~
mtdewcmu
You should call this system "Java". <g>

------
erikb
Now that more than enough people complained about security etc. I also want to
add that a modern wiki doesn't really work with their own grammar anymore.
Consider changing to markdown, restructuredText, MediaWiki, or Atlassian style
(last not really suggested but better than nothing).

~~~
ronsor
I wanted to keep it small, so I didn't use markdown, MediaWiki, etc, since
those are harder to parse

------
zepolen
[http://home.ronsor.gq:12321/pub/ohshitwhoputthishere.txt](http://home.ronsor.gq:12321/pub/ohshitwhoputthishere.txt)

seems that cgi-bin is also writable, can't make the file executable though

[http://home.ronsor.gq:12321/cgi-bin/ohshit.txt](http://home.ronsor.gq:12321/cgi-bin/ohshit.txt)

------
unboxed_type
It is interesting from a performance and low resource consumption point of view.
Great work! I wonder if someone would like to do the same in assembly language
for an even more crazy experiment -)

~~~
akkartik
Ask and ye shall receive:
[https://new-hn.algolia.com/?query=Web%20server%20assembly&da...](https://new-hn.algolia.com/?query=Web%20server%20assembly&dateRange=all)

------
ronsor
During this testing period, I would like to thank everyone who found the bugs
and other issues with it. I am now working on fixing them all.

------
bschiett
this is still an awesome project, unfortunately there will be lots of python
and ruby hipsters here who will dismiss this project... it doesn't matter,
since most software you use is built in C or C++, and that won't change
anytime soon :-)

------
zepolen
Server stopped working after doing this:

/cgi-bin/wiki?../../../srv/www/cgi-bin/wiki\0txt.e

~~~
hoodoof
That was mean.

------
pavement
[http://home.ronsor.gq:12321/cgi-bin/irc.html](http://home.ronsor.gq:12321/cgi-bin/irc.html)

    
    
      <script type="text/javascript">alert('you guys better watch out for dat XSS and XSRF bidness');</script>
    

Oh god, this shit is sooooo not secure.

~~~
zepolen
well you're missing a </xmp> to get it working

~~~
isKill
Whoops, somehow IRC is kill.
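
The two problems shown in the comments above (a page name containing `../` and markup echoed back unescaped) are both input-handling gaps in a C CGI program. As an added example, not ronsor's code or anything posted in the thread: an allow-list check for page names and an HTML-escaping routine. The names `page_name_ok` and `html_escape`, the 64-byte limit and the sample inputs in `main` are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example (names and the 64-byte limit are assumptions).
 * Allow-list for a page name from QUERY_STRING: only [A-Za-z0-9_-],
 * so "../", '/', '%' and NUL tricks never reach the file-path join. */
int page_name_ok(const char *name)
{
    size_t n = strlen(name);
    return n >= 1 && n <= 64 &&
           strspn(name, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                        "0123456789_-") == n;
}

/* Copy `in` to `out` with the five HTML-significant characters replaced
 * by entities. Returns the escaped length, or -1 if `out` (capacity
 * `cap`, counting the NUL) is too small. */
long html_escape(const char *in, char *out, size_t cap)
{
    size_t used = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;          /* default: copy the byte as-is */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (used + len >= cap)          /* keep one byte for the NUL */
            return -1;
        memcpy(out + used, rep, len);
        used += len;
    }
    if (used >= cap)
        return -1;
    out[used] = '\0';
    return (long)used;
}

int main(void)
{
    char buf[128];   /* constructed inputs modelled on the thread */
    printf("%d\n", page_name_ok("../../../srv/www/cgi-bin/wiki"));
    if (html_escape("<script>alert('x')</script>", buf, sizeof buf) > 0)
        puts(buf);
    return 0;
}
```

Validation runs before the name is turned into a path, and escaping runs at the point where stored text is written into the HTML response.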

------
bschiett
back in the day people coded demos 4k in size with 3d graphics and music

------
latenightcoding
In for the source code

------
hardwaresofton
Not trying to be snarky, but if the goal was to show why you shouldn't do
something like this, you've succeeded.

Would you consider rewriting something like this in rust or go, and doing a
comparison? I think you would have found things to combat XSS in either of
those languages (safe templating), would be interested to see the
differences... And if any of those languages deliver on their promise to be
safer than C

~~~
ronsor
rust & go do not produce small enough executables for my use case. at least I
didn't do it using shell scripts.

~~~
hardwaresofton
Have you taken a look at dynamically linked rust/go? Also, go 1.6 is going to
have dynamic linking also.

[http://stackoverflow.com/questions/29008127/why-are-rust-exe...](http://stackoverflow.com/questions/29008127/why-are-rust-executables-so-huge)

[https://golang.org/doc/go1.5#compiler](https://golang.org/doc/go1.5#compiler)

