GSGBen commented on Show HN: unsafehttp – tiny web server from scratch in C, running on an orange pi   unsafehttp.benren.au... · Posted by u/GSGBen
Joker_vD · 4 months ago

    // it doesn't seem to love piping or redirecting output without this, even
    // with the newlines above
    fflush(stdout);

Ah, the full buffering mode. I believe it can be fixed by calling

    setvbuf(stdout, NULL, _IOLBF, BUFSIZ);

once at the start.

On the whole, it actually almost implements the minimally required amount of HTTP/1.1: I would suggest adding support for HEAD requests, it's just a single flag that you need to set in the try_parse_request_path(), and check in generate_response(). Also, probably check that the request path is followed by "HTTP/1." before sending the response? And I'd really recommend finishing reading out all of the request from the socket (that is, until you've seen "\r\n\r\n"), or you may run into the problem of your clients not being sent the complete response [0].

But other than that, yeah, it is an HTTP server. The HTTP protocol is decently well thought out so that you can be oblivious of most of the features you don't want to support.

[0] https://blog.netherlabs.nl/articles/2009/01/18/the-ultimate-... — the tl;dr is that if you do close() on a socket that still has the data from the client you haven't recv()d, the client will be sent an RST.

GSGBen · 4 months ago
Ah yep, I read about the TCP RST problem in one of the RFC docs, then promptly forgot about it and never implemented anything to avoid it. Thank you for the detailed notes.
lionkor · 4 months ago
I've got a similar one, but with HTTP 1.0 and partial 1.1 support, multi-threaded, etc., in C

https://GitHub.com/lionkor/http

GSGBen · 4 months ago
Noice!
kjellsbells · 4 months ago
Around line 663, there's a call to strrchr, checking for a period in the filename. Then immediately after that, there's a strlen that uses the results.

Which is fine, unless the first call returns NULL, because there was no period in the name, and then the program will crash.

GSGBen · 4 months ago
Oof, thanks.
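
A NULL-safe version of the extension lookup discussed in the comment above, as an added example that is not part of the thread or of unsafehttp's source; the function names, the MIME table and the fallback type are assumptions made here. It goes slightly beyond the reported case by ignoring periods in directory names and treating a trailing period as no extension.

```c
#include <ctype.h>
#include <string.h>

/* Constructed table for this example; not the project's own list. */
static const struct { const char *ext; const char *mime; } mime_table[] = {
    { "html", "text/html" },
    { "css",  "text/css" },
    { "png",  "image/png" },
};
#define DEFAULT_MIME "application/octet-stream"

/* Case-insensitive comparison of two extensions, so "PNG" matches "png". */
static int ext_equal(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* The crashing pattern, reconstructed from the description (hypothetical):
 *     char *dot = strrchr(path, '.');
 *     size_t len = strlen(dot);    // dot is NULL when path has no period
 * Hardened form: returns the extension inside path (the text after the last
 * period of the final path component), or NULL when there is none. */
static const char *path_extension(const char *path)
{
    if (path == NULL)
        return NULL;
    const char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : path;  /* final component only */
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot[1] == '\0')            /* "README" or "file." */
        return NULL;
    return dot + 1;
}

/* Maps a request path to a Content-Type, falling back to a safe default. */
const char *mime_for_path(const char *path)
{
    const char *ext = path_extension(path);
    if (ext == NULL)
        return DEFAULT_MIME;
    for (size_t i = 0; i < sizeof mime_table / sizeof mime_table[0]; i++)
        if (ext_equal(ext, mime_table[i].ext))
            return mime_table[i].mime;
    return DEFAULT_MIME;
}
```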
GSGBen · 4 months ago
Should be back up now with a very temporary workaround in place.
GSGBen · 4 months ago
Found the issue - a use after free in send_response() if I close the session early due to an error. Was continuing to the next bit. Put a temp fix in place, will push a proper one later.
GSGBen · 4 months ago
Still seems to have an issue, but no output before the crash. Will have to do some more debugging. Thanks for the test HN!

Source is here btw: https://github.com/GSGBen/unsafehttp/blob/main/src/main.c

joncfoo · 4 months ago
Doesn't seem to be up =\
GSGBen · 4 months ago
Whoops, should be back up now. I'll have to check logs later to see why it went down.
