Is it possible to pass a space character to a cgi? - http

I have a compiled C binary (setch) which takes the parameters HIGH/LOW/OFF, so I am trying to execute the command (e.g. setch OFF) from JavaScript/jQuery thus:
$.get("cgi-bin/setch.cgi","OFF");
- or -
$.get("cgi-bin/setch OFF");
As it's a GET, the space is encoded as %20, of course. However, the server then tries to execute the command setch%20OFF and returns:
404 Not Found
Without the parameter the program executes and returns my message:
no parameters
i.e. all paths, permissions etc. are OK.
Am I trying to do the impossible here? Or am I missing something in the server (lighttpd) config?
Thanks

You want to pass a parameter to a CGI. The way to do that is not to separate them with a space; instead, put the parameter after a "?" character. The HTTP server will then store everything that follows the question mark in the QUERY_STRING environment variable, which your CGI can then read.
I.e.
$.get("cgi-bin/setch?OFF");
In your C program use getenv("QUERY_STRING") to access the passed parameter.
Check https://en.wikipedia.org/wiki/Common_Gateway_Interface for a list of all environment variables that the HTTP server sets for CGI programs. Be sure to treat the values as untrusted data.
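As an added illustration (not code from the question or the answer), here is a Python stand-in for the C setch binary that reads QUERY_STRING, percent-decodes it and accepts only the three allowed words. It also shows what request target a browser actually sends for each of the two URLs from the question, which is why the space variant produces a 404. The command names HIGH/LOW/OFF and the "no parameters" message come from the question; the request_target and respond helpers are assumptions for this example.

```python
import os
import sys
from urllib.parse import quote, unquote_plus, urlsplit, urlunsplit

# Allowlist from the question: anything else is rejected, decoded or not.
ALLOWED_COMMANDS = ("HIGH", "LOW", "OFF")


def request_target(url):
    """Path and query the browser sends for `url`.

    A space in the path becomes %20 and names a different (missing) script;
    text after '?' is left alone and arrives in QUERY_STRING.
    """
    parts = urlsplit(url)
    return urlunsplit(("", "", quote(parts.path), parts.query, ""))


def parse_command(query_string):
    """Return the validated command, or None for anything not on the allowlist."""
    if query_string is None:
        return None
    decoded = unquote_plus(query_string)  # 'OFF' stays 'OFF'; 'setch%20OFF' -> 'setch OFF'
    # Exact match only: no case folding, no trailing whitespace, no extra words.
    return decoded if decoded in ALLOWED_COMMANDS else None


def respond(query_string):
    """Status line and body for one request.

    The body reuses the program's own 'no parameters' message when the query
    string is empty; a present-but-invalid value gets a distinct message so the
    caller can tell the two failures apart.
    """
    if not query_string:
        return "400 Bad Request", "no parameters"
    cmd = parse_command(query_string)
    if cmd is None:
        return "400 Bad Request", "invalid parameter (expected HIGH, LOW or OFF)"
    return "200 OK", f"setch {cmd}"


def main():
    # lighttpd (or any CGI host) exports the part after '?' as QUERY_STRING.
    status, body = respond(os.environ.get("QUERY_STRING"))
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}\n")


if __name__ == "__main__":
    main()
```

Dropped into cgi-bin as setch.cgi, the script answers `$.get("cgi-bin/setch.cgi?OFF")` with "setch OFF" and rejects everything else, so the untrusted query string never reaches anything that interprets it.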

Related

How to get filtered list of files from SFTP server using SSHJ [duplicate]

I am using the SSHJ SFTP library to get a file list from an SFTP server.
The connection to the server is very slow and there are tens of thousands of files in the directory. Getting the file list often ends in various timeout / socket errors.
Is there a possibility to tell the client to retrieve the file list only for e.g. ".zip" files, so that it would have a positive impact on performance? Pseudo command: sftpClient.ls("*.zip")
I know there is a method List<RemoteResourceInfo> net.schmizz.sshj.sftp.SFTPClient.ls(String path, RemoteResourceFilter filter) which will filter the list, but from what I understand, the filtering would happen only on the client side? i.e. the client would still receive the whole file list and only then would it be filtered.
Is there any way to achieve this so that the server would only return the names requested? Does the SFTP protocol even support this?
Indeed, the SFTP protocol does not have a way to provide a list of files matching any criteria. It does not matter what SFTP library you are using.
You would have to use another interface/API if you need the filtered list. If you have shell access, you might use the shell command ls *.zip.
Or build your own (REST?) API.

Cannot load the GraphML file I just saved

I'm using Gremlin Server.
I save the contents of the database to an XML file (GraphML) with this line:
g.io(path).write().iterate()
To load the file I use this line:
g.io(path).read().iterate();
And then I get this error:
connection.js:282
new ResponseError(util.format('Server error: %s (%d)', response.status.message, response.status.code), response.status));
^
ResponseError: Server error: For input string: "-2555865115" (500)
This error comes from Gremlin Server.
If I search for this value in the XML file (-2555865115) and remove the last character (-255586511), the problem is solved.
Why does this happen? How can I fix this issue? The database always saves a file that I have to fix manually.
If I have to change something in the configuration files of Gremlin Server, can you please tell me which file to modify and how? Because I have never done that before.
I'm using Gremlin Server on my local computer just for testing, without any changes.
EDIT:
I changed conf/tinkergraph-empty.properties to this:
gremlin.tinkergraph.vertexIdManager=ANY
gremlin.tinkergraph.edgeIdManager=ANY
gremlin.tinkergraph.vertexPropertyIdManager=ANY
I restarted, but I get the same error when loading the XML file.
Given that removing the last integer from your numerical value solved the problem, I'd speculate you're hitting a limit; specifically, the lowest value an integer can have.
In Java, that value is -2147483647, and that happens to be the language that the default implementation of Gremlin Server is written in. As such, it's likely that the deserialization process is failing while trying to interpret that value as an integer. Since the value is below the minimum value of an integer, and since the error message talks about it being an input string, Integer.parseInt("-2555865115") is probably the call that's failing behind the scenes.
If Gremlin is both serializing and de-serializing the data, it might be a bug in that implementation, and you might want to file an issue. In the meantime, consider implementing and registering a custom serializer to give yourself more control over how the IO process works.
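Before loading a GraphML file you can find every id that will not survive a Java int parse, rather than discovering it one "For input string" error at a time. The following Python check is an added example (not part of the question, the answer, or TinkerPop). Java's int range is -2147483648 to 2147483647, so the -2555865115 from the question is outside it. The sample GraphML is constructed here in the layout TinkerPop writes; the ID_ATTRIBUTES table (node id, edge id/source/target) is an assumption about which attributes get parsed as ids.

```python
import xml.etree.ElementTree as ET

JAVA_INT_MIN, JAVA_INT_MAX = -2**31, 2**31 - 1

# Constructed sample: the second node id is the value from the question and
# does not fit in a Java int, so the edge pointing at it is affected as well.
SAMPLE_GRAPHML = """<?xml version="1.0"?>
<graphml xmlns="http://graphml.graphdrawing.org/xmlns">
  <key id="labelV" for="node" attr.name="labelV" attr.type="string"/>
  <key id="labelE" for="edge" attr.name="labelE" attr.type="string"/>
  <graph id="G" edgedefault="directed">
    <node id="1"><data key="labelV">person</data></node>
    <node id="-2555865115"><data key="labelV">person</data></node>
    <edge id="7" source="1" target="-2555865115"><data key="labelE">knows</data></edge>
  </graph>
</graphml>
"""

# Attributes that carry element ids (assumption for this example).
ID_ATTRIBUTES = {"node": ("id",), "edge": ("id", "source", "target")}


def fits_java_int(value):
    """True unless `value` is an integer literal outside Java's int range."""
    try:
        return JAVA_INT_MIN <= int(value) <= JAVA_INT_MAX
    except ValueError:
        return True  # non-numeric ids are never handed to Integer.parseInt


def local_name(tag):
    """Strip the GraphML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def find_ids_outside_int32(graphml_text):
    """Return (element, attribute, value) for every id that will not parse as a Java int."""
    root = ET.fromstring(graphml_text)
    problems = []
    for el in root.iter():
        tag = local_name(el.tag)
        for attr in ID_ATTRIBUTES.get(tag, ()):
            value = el.get(attr)
            if value is not None and not fits_java_int(value):
                problems.append((tag, attr, value))
    return problems


if __name__ == "__main__":
    for tag, attr, value in find_ids_outside_int32(SAMPLE_GRAPHML):
        print(f"<{tag} {attr}=\"{value}\"> does not fit in a Java int")
```

Run it over the file the `g.io(path).write()` step produced; an empty result means the read step will not hit this particular parse failure, and a non-empty one lists exactly the ids to raise in the bug report.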

MarkLogic: I don't know how to get all the results

Hello, I am trying to read a module with this code:
(: Entry point - must be a read-only query. :)
xdmp:invoke(
'/path/mydocument.xqy',
(xs:QName('var1'), 'test',
xs:QName('var2'), "response"))
I am new to MarkLogic. I am using Groovy and the API to connect to it, but I also saw I can invoke the module with this, and indeed I did, but it returns me
your query returned an empty sequence
I want to know if I can query xs:QName('var1'), 'test', replacing test with a wildcard, or how I can get all the information from the file called /path/mydocument.xqy?
I tried to use this:
xdmp:document-get("/path/mydocument.xqy")
but it says the file is not found. However, if I use invoke I can query it, but I don't know what values I have to pass. I was wondering if there is something like SQL using %% or similar to give me all the data.
To answer the first question: "I am trying to read a module "
IF the module is in the database, then you must query the Modules database in which the module resides.
If the module is in the filesystem, then you cannot directly access its source as a document, but you can by executing xdmp:filesystem-file().
Simplification:
With the default configuration of the server and REST client, user-placed modules are in the "Modules" database and user-placed documents are in the "Documents" database. This means, if you do a GET (read a "Document") with no additional parameters, it will return documents from the "Documents" database. Assuming you are using the default configuration for client and server, this would result in the behavior you are seeing. E.g. your module code is in the Modules database, so doing a GET for it by name will search the Documents database and correctly not find it.
You don't mention, and I don't know, the Groovy library being used, but the REST API itself and all implementations of general-purpose ML REST client libraries I am familiar with have options for overriding the default database with another. If the Groovy library supports that, then specify the "Modules" database for your query and it should return the module document. Note: the content-type will be application/text, not text/xml.
You can simplify things for testing by bypassing the libraries and simply using a browser to try a URL like this: http://yourserver.com:8000/v1/documents?uri=/your/module.xqy&database=Modules
Ref: https://docs.marklogic.com/REST/GET/v1/documents
Make the appropriate changes to the path and server for your use.
If you are still confused, then you should start with the basic MarkLogic tutorials and work through them one by one. You will most likely succeed faster by doing this than by jumping straight into coding you don't understand yet.
DETAIL:
Note: The default behaviour is to EXECUTE documents when doing a GET call, using the Modules database. Thus doing a GET of http://yourserver:8000/your/module.xqy will EXECUTE it not return its source.
You will notice the REST API has a uri query parameter. This is EXECUTING the REST API code on /v1/documents which in turn will read the document specified by the uri and database parameters and return it.
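The same /v1/documents call from the answer, scripted so the test can be repeated without a browser. This is an added example, not the asker's Groovy code or MarkLogic's own client: module_source_url builds the URL exactly as the answer describes (uri plus database=Modules), and fetch_module_source performs the GET with HTTP digest authentication, which is assumed here to be what the REST server is configured for. The server name, port and module path are the placeholders from the answer.

```python
import urllib.parse
import urllib.request


def module_source_url(server, uri, database="Modules"):
    """URL that reads (rather than executes) a module's source via the REST API.

    Targeting /v1/documents with database=Modules is what makes the server
    return the module text instead of running it.
    """
    query = urllib.parse.urlencode({"uri": uri, "database": database})
    return f"{server}/v1/documents?{query}"


def fetch_module_source(server, uri, user, password, database="Modules"):
    """GET the module and return (content-type, body text).

    Assumption: the REST app server uses digest auth; swap the handler if
    yours is configured differently.
    """
    url = module_source_url(server, uri, database)
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(pw_mgr))
    with opener.open(url) as resp:
        return resp.headers.get("Content-Type"), resp.read().decode("utf-8")


if __name__ == "__main__":
    # Placeholders from the answer; replace with your own server and module path.
    print(module_source_url("http://yourserver.com:8000", "/your/module.xqy"))
```

The answer notes the response content-type will be application/text rather than text/xml; the tuple returned by fetch_module_source lets a caller check that before trying to parse the body.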
I guess I can use:
xdmp:invoke('/pview/get-pview-browse-profiles.xqy',
cts:and-query((
cts:element-value-query(
xs:QName("letter"),"*", "wildcarded"),
cts:element-value-query(
xs:QName("collection"),"*", "wildcarded"))))
although it doesn't return anything

load_file returns NULL in MariaDB without error. Where is the reason for this failure logged?

System information:
Linux Fedora 26
MariaDB version 10.1.25
I have executed all the statements as described in MariaDB Insert BLOB Image.
In addition I have also disabled SELinux.
But load_file still returns NULL without giving an error.
I followed these instructions (https://mariadb.com/kb/en/the-mariadb-library/general-query-log/) to enable general logging, but 'queries.log' only reports that the query was executed, without giving information on why it returns NULL instead of the wanted output.
Does MariaDB log the reason for this failure? If so, where?
Verify the rest of the constraints:
LOAD_FILE(file_name)
Reads the file and returns the file contents as a string. To use this function, the file must be located on the server host, you must specify the full path name to the file, and you must have the FILE privilege. The file must be readable by all and its size less than max_allowed_packet bytes. If the secure_file_priv system variable is set to a nonempty directory name, the file to be loaded must be located in that directory.
If the file does not exist or cannot be read because one of the preceding conditions is not satisfied, the function returns NULL.
The character_set_filesystem system variable controls interpretation of file names that are given as literal strings.
You need ALL directories in the path to have the executable bit SET.
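Since the server only reports NULL, the practical move is to check the documented preconditions yourself on the server host. The Python checker below is an added example (not MariaDB code and not from the answer): it walks every ancestor directory for the search (execute) bit, then checks that the file is a regular, world-readable file inside secure_file_priv and below max_allowed_packet. It approximates "readable by all" with the others bits, which is the case the answer is about; an owner or group grant to the mysqld user would also work and is not modelled. The FILE privilege is a server-side grant and is not checked. The directory tree is constructed inline so the check runs offline; the stat_fn parameter exists only to allow that.

```python
import errno
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace


def check_load_file_preconditions(path, secure_file_priv=None,
                                  max_allowed_packet=16 * 1024 * 1024,
                                  stat_fn=os.stat):
    """Return the LOAD_FILE preconditions that `path` fails (empty list = all OK)."""
    reasons = []
    p = PurePosixPath(path)
    if not p.is_absolute():
        return ["path is not absolute; LOAD_FILE needs the full path name"]
    if secure_file_priv and PurePosixPath(secure_file_priv) not in p.parents:
        reasons.append(f"file is outside secure_file_priv directory {secure_file_priv}")
    # mysqld runs as its own user, so the others execute bit is what lets it traverse.
    for d in reversed(p.parents):
        try:
            st = stat_fn(str(d))
        except OSError as e:
            reasons.append(f"cannot stat directory {d}: {e.strerror}")
            continue
        if not st.st_mode & stat.S_IXOTH:
            reasons.append(f"directory {d} lacks the execute (search) bit for others")
    try:
        st = stat_fn(str(p))
    except OSError as e:
        reasons.append(f"file cannot be opened: {e.strerror}")
        return reasons
    if not stat.S_ISREG(st.st_mode):
        reasons.append("path is not a regular file")
    if not st.st_mode & stat.S_IROTH:
        reasons.append("file is not readable by all (needs the others read bit)")
    if st.st_size >= max_allowed_packet:
        reasons.append(f"file size {st.st_size} is not below max_allowed_packet ({max_allowed_packet})")
    return reasons


# Constructed tree: (st_mode, st_size) per path. /home/alice is 0700 and the
# image 0600, the usual shape of a "LOAD_FILE returns NULL" report.
CONSTRUCTED_TREE = {
    "/": (0o040755, 0),
    "/home": (0o040755, 0),
    "/home/alice": (0o040700, 0),
    "/home/alice/pic.jpg": (0o100600, 2048),
    "/var": (0o040755, 0),
    "/var/lib": (0o040755, 0),
    "/var/lib/mysql-files": (0o040755, 0),
    "/var/lib/mysql-files/pic.jpg": (0o100644, 2048),
}


def fake_stat(path):
    """os.stat stand-in over CONSTRUCTED_TREE."""
    try:
        mode, size = CONSTRUCTED_TREE[path]
    except KeyError:
        raise FileNotFoundError(errno.ENOENT, "No such file or directory", path)
    return SimpleNamespace(st_mode=mode, st_size=size)


if __name__ == "__main__":
    for reason in check_load_file_preconditions("/home/alice/pic.jpg", stat_fn=fake_stat):
        print(reason)
```

On a real host, call it with the default stat_fn and the values of `SHOW VARIABLES LIKE 'secure_file_priv'` and `'max_allowed_packet'`; each returned line is a reason LOAD_FILE would hand back NULL without logging anything.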

Risk if a registrant picks a username that matches a Unix command?

In my app I ask users to register using a unique name. The app creates a directory for them with that name that they then can work with, saving files, etc.
I hadn't really thought about screening for anything other than alphanumeric characters in the name. However, I ran across a thread somewhere that said to make sure not to create directory names that match a Unix command name.
Is this a legitimate risk? If so, how might one programmatically screen for such an occurrence? I'm also curious how such a scenario might play out to illustrate the problem (exploit?). That last part is academic interest only, of course.
Generally, it doesn't matter (there is no obvious security risk). Most software, for example a shell, searches for a Unix command based on some environment variables (like PATH). So even if your created directory matches a Unix command like "cd", it can only be used as a parameter to another Unix command, like cd cd.
However, if another application searches for Unix commands by other approaches, like searching some directories, it may lead to security breaches.
The only way I can think of that being a risk is if you're going to turn around and process those user names through command-line functions. You would want to be careful to escape the user names anywhere that they could be interpreted as a command...though off the top of my head, with strictly alphanumeric user names, you'd have to go to a lot of trouble to run into such a risk.
If you decided anyway that you wanted to ensure that the username didn't match an application on the path of the creating process, you could shell out from whatever your app environment is, and evaluate the result of which $prospectiveUsername. If it returns anything other than an empty string, you know that the username is an application on the process's path.
NOTE: In the above scenario, make sure you sanitize the username before calling out to the shell command. Otherwise, you do run security risks, if e.g. the user decides to enter her username as "janedoe; rm -rf /".
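An added example (not code from either answer) of the two checks discussed: a strict allowlist for the username, and a lookup of whether the name is an executable on PATH done in-process with shutil.which instead of shelling out to `which $prospectiveUsername`, so the "janedoe; rm -rf /" case never reaches a shell at all. The username policy regex and the RESERVED set are assumptions for this example; the demo builds a constructed PATH directory containing one executable so the collision check runs offline.

```python
import os
import re
import shutil
import tempfile

# Hypothetical policy: lowercase letter first, then [a-z0-9_], 3 to 32 characters.
# Nothing here is shell-significant, so the name is safe to embed in a path.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
RESERVED = {"root", "admin", "www"}  # constructed list; extend for your app


def validate_username(name):
    """Return (ok, reason). Rejects anything outside the allowlist, including '..'."""
    if not USERNAME_RE.fullmatch(name):
        return False, "only [a-z][a-z0-9_], 3-32 characters"
    if name in RESERVED:
        return False, "reserved name"
    return True, ""


def collides_with_command(name, search_path=None):
    """True if `name` resolves to an executable on PATH (or on search_path).

    shutil.which does the PATH walk in-process; no shell ever sees the name,
    so there is nothing to escape.
    """
    return shutil.which(name, path=search_path) is not None


def user_directory(base, name):
    """Path for the user's directory, created only after the name passes validation."""
    ok, why = validate_username(name)
    if not ok:
        raise ValueError(why)
    target = os.path.realpath(os.path.join(base, name))
    # Belt and braces: a validated name cannot traverse, but verify anyway.
    if os.path.dirname(target) != os.path.realpath(base):
        raise ValueError("path escaped base directory")
    return target


def demo_collision_check():
    """Constructed PATH with one executable called 'fakecmd'."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "fakecmd")
        with open(exe, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(exe, 0o755)
        return {n: collides_with_command(n, search_path=d) for n in ("fakecmd", "janedoe")}


if __name__ == "__main__":
    for candidate in ("janedoe", "janedoe; rm -rf /", "..", "root"):
        print(repr(candidate), validate_username(candidate))
    print(demo_collision_check())
```

If you do decide to refuse names that match commands, call collides_with_command with the default search_path so it inspects the PATH of the process that will create the directory, which is the only PATH that matters for the scenario in the question.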
