Closed Bug 401649 (js-sjs) Opened 12 years ago Closed 12 years ago

JS CGI support in httpd.js

Categories

(Testing :: General, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Waldo, Assigned: Waldo)

References

Details

Attachments

(1 file, 2 obsolete files)

I have a patch for this, but I haven't written a decent set of tests for it yet.  I'm currently using the subscript loader and just saying, "don't do stuff outside the promised APIs", which is technically perfectly fine given that handlers will have full privileges, but I still find it somewhat unsatisfying from a reduce-attack-surface-as-much-as-possible perspective.

This won't fix bug 396226 or make it possible to not block while generating the entirety of a request, because this can be fixed with relatively little code (~15K if I remember right) where that one can't.  It'll just let you dump the request-handling functions you'd use with registerPathHandler in files, so you don't have to have access to the actual server to have dynamic page generation (i.e. exactly the situation Mochitest is in).
Attached patch Patch (obsolete) — Splinter Review
Sadly I don't think I have a way to fully isolate the CGI script execution from the server itself, but since the scripts are privileged anyway it's more an aesthetic concern than anything else.
Attachment #287981 - Flags: review?(cbiesinger)
Alias: js-cgi
Blocks: 405570
Blocks: 398066
Blocks: 411530
I've been seeing more and more backups in testing over this recently; we need to get this in.
Attachment #287981 - Attachment is obsolete: true
Attachment #300588 - Flags: review?(sayrer)
Attachment #287981 - Flags: review?(cbiesinger)
Target Milestone: mozilla1.9beta2 → mozilla1.9beta4
Comment on attachment 300588 [details] [diff] [review]
A file named "foo" shouldn't trigger the "foo" extension handling

>Index: netwerk/test/httpserver/httpd.js
>===================================================================

>+const ScriptableInputStream = CC("@mozilla.org/scriptableinputstream;1",
>+                                 "nsIScriptableInputStream",
>+                                 "init");

These streams might get removed from 1.9, aiui. Let's find out before we add tests that depend on them. Minus for that reason.

Nit: this is totally not a CGI (RFC 3875), even though I understand you meant something more general. Does Server JavaScript lead to an .sjs extension? Anyway, let's call it something else (anything you want).
Attachment #300588 - Flags: review?(sayrer) → review-
(In reply to comment #3)
> >+const ScriptableInputStream = CC("@mozilla.org/scriptableinputstream;1",
> >+                                 "nsIScriptableInputStream",
> >+                                 "init");
> 
> These streams might get removed from 1.9, aiui.

Are you thinking of bug 414901? I'm pretty sure nsIScriptableInputStream isn't going anywhere.
nsIScriptableInputStream is and has been the only way to access stream data for quite awhile; it absolutely is not going away for 1.9.  Note that that definition got moved into the server and *out* of a long-standing, extant test.  Neil's stuff is entirely different from what I use here.

I didn't know there was a full CGI RFC (thought it was at best a quasi-standard), but I don't really have a problem conflating CGI with server-side dynamic content in general (especially when said content has a better, safer, and more secure interface).  In the interests of not getting into too much bikeshedding and as I don't care that much anyway, I switched to SJS.

I've never liked the MozJSHTTP name; httpd.js is much nicer-sounding.  (Holy initialisms, Batman!  [for either name, actually])
Attachment #300588 - Attachment is obsolete: true
Attachment #300858 - Flags: review?(sayrer)
Comment on attachment 300858 [details] [diff] [review]
cgi -> sjs, some driveby renaming

ah, my mistake.
Attachment #300858 - Flags: review?(sayrer) → review+
Alias: js-cgi → js-sjs
Checked in on trunk.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Duplicate of this bug: 369033
Moving httpd.js bugs to the new Testing :: httpd.js component; filter out this bugmail by searching for "ICanHasHttpd.jsComponent".
Component: Testing → httpd.js
Flags: in-testsuite+
Product: Core → Testing
Target Milestone: mozilla1.9beta4 → ---
Version: Trunk → unspecified
...and changing the QA contact as well.  Filter on the string "BugzillaQAContactHandlingIsStupid".
QA Contact: testing → httpd.js
Flags: in-testsuite+
Component: httpd.js → General
You need to log in before you can comment on or make changes to this bug.