kristopherWindsor

  1. My script seems to work, if someone connects to the script a few seconds after I call socket_accept. But if I wait 20 seconds or so before launching the client, then the client doesn't connect properly, and the script ends about 5 seconds later. That is, whether the client connects 20 seconds after the script calls socket_accept, or 2 minutes after, the script doesn't terminate until shortly after the client tries to connect. And the script isn't supposed to be terminating. I have turned all the error reporting on, but I get no error when it terminates, and I know my script isn't ending properly. If I connect quickly, the script runs and terminates properly. Any ideas why the client needs to connect quickly for this to work, or how it can be fixed? Here's my script FWIW:

        <?php
        // (C) 2009 Kristopher Windsor

        error_reporting(E_ALL);

        $MAX_CLIENTS = 8;
        // sockets, one slot per possible client; null -> not open; client set to null if error
        $clients = array(null, null, null, null, null, null, null, null);
        $connection = array();

        function start () {
          set_time_limit(60 * 10);
          echo '<html><body>';
          echo 'Kristopher Windsor\'s game server v1.0<br><br>';
        }

        function finish ($m) {
          die("$m<br>The server has finished. If it completed successfully, it will restart automatically.</body></html>");
        }

        // Create the listening socket and block until every expected client has connected
        function open () {
          global $clients, $connection;
          echo 'Opening port ' . $connection['port'] . ' on ' . $connection['ip'] . ' (timestamp ' . time() . ')<br>';
          $connection['socket'] = socket_create(AF_INET, SOCK_STREAM, 0);
          if ($connection['socket'] === false ||
              !socket_bind($connection['socket'], $connection['ip'], $connection['port']) ||
              !socket_listen($connection['socket'], 3))
            finish('Error: the port is in use (the server is probably already running)');
          echo 'Waiting for clients<br>';
          for ($i = 0; $i < $connection['clients']; $i ++) {
            $clients[$i] = socket_accept($connection['socket']);
            dispatch('Player ' . ($i + 1) . ' of ' . $connection['clients'] . ' connected');
          }
          echo 'Clients connected<br>';
        }

        // Shut down the listening socket
        function close () {
          global $clients, $connection;
          socket_shutdown($connection['socket'], 2);
          socket_close($connection['socket']);
        }

        // Read from each client and forward every whitespace-separated token to all clients
        function relay () {
          global $clients, $connection;
          foreach ($clients as $c => $oneclient) {
            if ($oneclient == null) continue;
            socket_clear_error();
            $chunk = socket_read($oneclient, 1024);
            checkconnection($c);
            if (trim($chunk) == '') continue;
            $chunk = str_replace("\n", ' ', $chunk);
            $chunk = str_replace("\r", ' ', $chunk);
            $message = explode(' ', $chunk);
            foreach ($message as $i => $m)
              if (trim($m) != '') dispatch(($c + 1) . trim($m));
          }
        }

        // Send one newline-terminated message to every connected client
        function dispatch ($m) {
          global $clients, $connection;
          echo "Sending message: $m<br>";
          foreach ($clients as $c => $oneclient) {
            if ($oneclient == null) continue;
            socket_clear_error();
            socket_write($oneclient, $m . "\n", strlen($m) + 1);
            checkconnection($c);
          }
        }

        // Drop a client whose last socket call failed with error 104 (connection reset by peer)
        function checkconnection ($c) {
          global $clients, $connection;
          if ($clients[$c] == null || socket_last_error() != 104) return;
          socket_close($clients[$c]);
          $clients[$c] = null;
          dispatch('Player ' . ($c + 1) . ' closed the connection');
          dispatch('END');
        }

        function connectedclients () {
          global $clients, $connection;
          $r = 0;
          foreach ($clients as $c => $oneclient)
            if ($oneclient != null) $r ++;
          return $r;
        }

        start();
        if (!isset($_GET['port']) || !isset($_GET['clients']))
          finish('Please specify the port and clients.');
        $connection['ip'] = "...[removed]...";
        // Cast to int so only a number reaches socket_bind() and the redirect script printed at the end
        $connection['port'] = (int) $_GET['port'];
        if ($connection['port'] < 1000 || $connection['port'] > 50000)
          finish('Please select a better port number');
        $connection['clients'] = (int) $_GET['clients'];
        if ($connection['clients'] < 1 || $connection['clients'] > $MAX_CLIENTS)
          finish('Please select a better number of clients');

        open();
        do {
          relay();
          usleep(1000 * 1000 / 50); // 50th of second
        } while (connectedclients() > 0);
        close();
        finish('<script>setTimeout(\'location.href = "server.php?port=' . $connection['port'] . '&clients=' . $connection['clients'] . '"\', 5000)</script>');
        ?>
  2. Oh, well in that case, how is XSS possible on my site? All inputs are restricted to a whitelist of characters. I have two user accounts on this server, and their names follow the same naming scheme I have seen on other servers. Meaning, you could guess the user names without trial and error, so the user names are not secret, so this is not a problem. ;-)
  3. While the spam check is predictable and therefore avoidable, only a bot written for this particular site would get in. The odds that a random spam bot would enter data of the appropriate lengths, and attach a file, and specify a .jpg file extension, and select the correct 1 of 7 options in the spam bot are very low. If someone will spend enough time spamming my site with a custom bot, they could just do it in person, and there is no way to stop that. I suppose if I ever want to offer this page to a large (potentially spamming) audience, I will need to require user registration. I don't understand what the problem with this is, although it is new to me. If you go there, it just says, "You don't have permission to access /~root on this server." If you replace "root" with the name I use for FTP login, it serves the contents from the main http://windsorfamilyfarm.com/ site. So what is the problem? It doesn't look like any confidential info is exposed from this.
  4. The site is: http://pics.windsorfamilyfarm.com/index.php You can upload a picture here (no registration required): http://pics.windsorfamilyfarm.com/upload.php Each picture has some tags. The tags are listed on the index page. If you click on a tag, it will show all the pictures with that tag. The pictures are randomly placed, but should not overlap (unless the aspect ratio causes the JS to miscalculate the height of the picture). I hope it works well.
  5. It looks like your code is dying somewhere, maybe because one of the data files you are trying to read is not formatted properly, or you do not have permission to write to a file that you are trying to write, etc.
  6. I applied this suggestion, and also fixed a logout bug that I found fixing this. I am not sure how to fix this. If each character in the filename is being converted to a 4 digit number, this is automatic in PHP. I just use $filename = $_POST['filename']; and then replace odd characters with underscores. My code did not convert special characters to 4 digit codes. If there is an easy way to fix this then I will do it.
  7. Definitely. I downloaded the file through FTP, and it is just a small Perl file. I uploaded it to another web site, and tried to view it in the browser, and it is delivered as a plain text file, as expected. My free web host must detect a keyword in that file or something that causes it to redirect. Maybe .TXT files are parsed by Perl? I hope not!! Hopefully I'll get a paid host soon, then that won't be a problem.
  8. I'm not exactly sure what you mean; but HTML pages are now processed as plain text files, so you can no longer use iframes to show content from other sites. Qu'est que c'est means 'what is it?' I uploaded just a test.pl file, I think and called it something like 'not quite the index page' and when I viewed the file, it said Sam Sorry, I can only conclude that you uploaded this content yourself? Can you try the upload again, and post here what should be the contents of the file? Thanks.
  9. http://freefile.hyperphp.com/ I made some changes and reset the site. Please test again. Thanks. Periods are no longer allowed in the member names (or passwords). Were you referring to JavaScript? JS files (.js, .html, etc.) are now renamed so they become plain text files, and will not run. Are there still problems with this? I am now using a hash to encrypt the password, but I think the member name should be visible. Your files will be saved into "/uploads/yourmembername" so you cannot hide your member name, anyway. Or was there some other reason for hiding the member name? Yes, but you would still have to know their password. I changed the background picture and color, so it should look much better. The color scheme now only uses two colors (white and blue), so it should not have to be changed since it matches now. I am now using: $whitelist = array('.zip', '.rar', '.7z', '.jpg', '.gif', '.png', '.txt', '.exe', '.doc', '.xls'); The passwords are hashed this way now (in both the cookies and the database). The member names are listed elsewhere, so they cannot be hidden. (Suppose someone wants to see your member name, and they are physically near your computer. They do not have to look at the cookies to see your member name because it is shown at my site's home page. ("Welcome, member name!")) I'm not exactly sure what you mean; but HTML pages are now processed as plain text files, so you can no longer use iframes to show content from other sites.
  10. Thanks for finding that. I didn't know a folder named "index.*" would do that. I will adjust the site so periods are not allowed in member / directory names. Any other problems?
  11. http://freefile.hyperphp.com/ This site allows you to upload files up to 2MB after registering and logging in. All files are allowed, but files that do server-side scripting (i.e. .php) are renamed to *.php.txt so the script will not run. I did not do this for .htm / .html files yet, so the members can create home pages in their subdirectories, but I may eventually rename those to .htm[l].txt, too. For the spamcheck, select the option "FreeBasic is great!" in the drop-down selector. I would like to know if it works well, and if it is secure (probably not). Thanks.
  12. "that beats that by 4,190,000,000 to 4,120,000,000!"
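
The extension allow-list and the no-periods rule for member names described in posts 9 to 11 above, as an added example that is not the site's own code. The function names, the member-name character set and the sample inputs are assumptions; only the extension list and the "/uploads/yourmembername" layout come from the posts.

```php
<?php
// Added example, not the site's code. Function names are hypothetical.
// The extension list is the $whitelist quoted in post 9.
const UPLOAD_WHITELIST = ['.zip', '.rar', '.7z', '.jpg', '.gif', '.png',
                          '.txt', '.exe', '.doc', '.xls'];

// Member names become directory names under /uploads/, so a name such as
// "index.html" must be refused. Assumed policy: letters, digits, underscore.
function valid_member_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $name) === 1;
}

// Returns the path to store the upload at, or null when it is rejected.
function upload_destination(string $member, string $clientName): ?string
{
    if (!valid_member_name($member)) {
        return null;
    }
    // Keep only the last path component of whatever the client sent.
    $base = basename(str_replace('\\', '/', $clientName));
    $dot = strrpos($base, '.');
    if ($dot === false || $dot === 0) {
        return null; // no extension, or a dotfile such as ".htaccess"
    }
    $ext = strtolower(substr($base, $dot));
    if (!in_array($ext, UPLOAD_WHITELIST, true)) {
        return null; // .php, .pl, .html, .js ... are refused, not renamed
    }
    // Replace odd characters, periods included, so exactly one extension is
    // left: "shell.php.jpg" is stored as "shell_php.jpg".
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', substr($base, 0, $dot));
    return "/uploads/$member/$stem$ext";
}

// Constructed sample inputs: [member name, client-supplied file name].
$samples = [
    ['kris', 'holiday.JPG'],
    ['kris', 'shell.php.jpg'],
    ['kris', 'index.php'],
    ['kris', '../../.htaccess'],
    ['index.html', 'photo.png'],
];
foreach ($samples as [$member, $file]) {
    $dest = upload_destination($member, $file);
    printf("%-12s %-18s => %s\n", $member, $file, $dest ?? 'REJECTED');
}
```

Deciding on the final extension only, after stripping the directory part, is what keeps a renamed script or a dotfile from being stored under a name the web server would treat specially.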