Tag Archives: Web

Building a Quick and Dirty Url Shortener

At work last week we were discussing the security implications of URL shortening services such as TinyURL, bit.ly and goo.gl. Beyond the fact that they can be used to hide malicious URLs for use in phishing attacks, the problems we're having are:

  • Users in more restrictive access groups not being able to click links from these services
  • But worse, some users are using this service to shorten intranet links

Now that second point is an issue for me; if a shortening service were hacked our server names could be leaked to the world.

The two obvious solutions were to ban all users from using such services or to run our own internal service.

My instinct told me that one shouldn't be too hard to build.

So here it is, in less than 50 lines:

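import base64, binascii, html, io, sqlite3
from http.server import HTTPServer, SimpleHTTPRequestHandler
# Open the database, creating the table on the first run
con = sqlite3.connect("urls.db")
c = con.cursor()
c.execute("create table if not exists shorts (id integer primary key, url varchar unique)")
server_address = ("", 8000)

def lookup(code):
    # Return the URL stored under a base64-encoded row id, or None
    try:
        c.execute("SELECT url FROM shorts WHERE id=?", (int(base64.b64decode(code)),))
    except (binascii.Error, ValueError, OverflowError):
        return None
    s = c.fetchone()
    return s[0] if s else None

class MyHandler(SimpleHTTPRequestHandler):
    def send_head(self):
        body, response, url = " ", 200, None
        if self.path == "/": pass
        elif self.path.endswith("+"):  # /<code>+ previews the target URL
            url = lookup(self.path[1:-1])
            body = html.escape(url) if url else "not found"
        elif "/add?" not in self.path:  # /<code> redirects to the target URL
            url = lookup(self.path[1:])
            response = 301 if url else 404
        else:  # /add?<url> stores the URL and returns its short code
            x = self.path.split("/add?", 1)[1]
            try:
                c.execute("insert into shorts(url) values (?)", (x,))
                con.commit()
            except sqlite3.IntegrityError: pass  # already stored
            c.execute("SELECT id FROM shorts WHERE url=?", (x,))
            body = "ok. " + base64.b64encode(str(c.fetchone()[0]).encode()).decode()
        body = body.encode("utf-8")
        self.send_response(response)
        self.send_header("Content-type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        if response == 301:
            self.send_header("Location", url)
        self.end_headers()
        return io.BytesIO(body)
httpd = HTTPServer(server_address, MyHandler)
print("Starting server...")
try:
    httpd.serve_forever()
except KeyboardInterrupt:
    httpd.socket.close()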

Category: Python, Software

Automajikly updating a log page with JQuery

I was developing a web application at work for use on the intranet, and if you're anything like the security nut I am, you love logging just as much as I do. I love logging so much I have a page for just about every I use. Generally my log pages look something like:

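import html, os
print("Content-Type: text/html\n")
# Escape the log text so anything logged from user input is not rendered as markup
lines = os.popen("tail -100 somelog.log").read().split("\n")
print("<br/>".join(html.escape(line) for line in lines))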

Now this is ok but wouldn’t it be cool if it updated without the page refreshing?
Now I'm not very good at jQuery so I had no idea where to start, but eventually I came across Jeff Starr's blog post (http://perishablepress.com/ajax-error-log/), which was pretty much exactly what I was after, without all the fancy 404 logging since my web framework does all that.
So quite simply I took this code:

<html>
	<head>
		<title>Ajax Error Log</title>
		<!-- Ajax Error Log @ http://perishablepress.com/ajax-error-log/ -->
		<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<style>
			pre {
				font: 10px/1.5 Courier, "Courier New", mono;
				background-color: #efefef; border: 1px solid #ccc;
				width: 700px; margin: 7px; padding: 10px;
				white-space: pre-wrap;
			}
		</style>
		<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js"></script>
		<script>
			$(document).ready(function() {
				var refreshId = setInterval(function() {
					// fetch the latest log output into the results container
					$("#results").load("AjaxErrorLog.php");
				}, 2000); // refresh time (default = 2000 ms = 2 seconds)
			});
		</script>
	</head>
	<body>
		<noscript><div id="response"><h1>JavaScript is required for this demo.</h1></div></noscript>
		<div id="results"></div>
	</body>
</html>

And changed AjaxErrorLog.php to the CGI script tailing my log, and presto, a live log feed.

Choosing A Type Disposition

Type dispositions allow you to choose the action the browser will take when you give it a file. They are defined in RFC 2183. If you want to display the file in the browser, you can output

print "Content-Disposition: inline; filename=\"$filename.$ext\"\n";

as part of the response, before the MIME type header, and if you wish to force a download of the file, use

print "Content-Disposition: attachment; filename=\"$filename.$ext\"\n";
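
In practice the choice between the two headers is made from the file's type, and the file name often comes from user input. The following is an added example, not code from the original post, that builds the header in Python; the allowlist `INLINE_SAFE` and the helpers `safe_filename` and `content_disposition` are hypothetical names, and the `filename*` form for non-ASCII names comes from RFC 6266 rather than from the post.

```python
import re
from urllib.parse import quote

# Assumption for this example: types the site is willing to render in the browser
INLINE_SAFE = {"text/plain", "image/png", "image/jpeg", "image/gif", "application/pdf"}

def safe_filename(name):
    """Reduce an untrusted name to a bare file name that is safe inside a header."""
    name = re.split(r"[\\/]", name)[-1]           # drop any directory components
    name = re.sub(r'[\x00-\x1f\x7f"]', "", name)  # drop CR/LF, other controls, quotes
    name = name.strip().lstrip(".")               # no padding or leading dots
    return name or "download"

def content_disposition(filename, mime_type):
    """Return the Content-Disposition header line for a file of this MIME type."""
    name = safe_filename(filename)
    base_type = mime_type.split(";")[0].strip().lower()
    # Anything not explicitly allowed to render (HTML, SVG, unknown) is downloaded
    disposition = "inline" if base_type in INLINE_SAFE else "attachment"
    ascii_name = re.sub(r"[^\x20-\x7e]", "_", name)  # fallback for old clients
    header = 'Content-Disposition: %s; filename="%s"' % (disposition, ascii_name)
    if ascii_name != name:
        # RFC 6266 extended form carries the real name as percent-encoded UTF-8
        header += "; filename*=UTF-8''" + quote(name, safe="")
    return header

if __name__ == "__main__":
    # Constructed sample inputs: normal, active content, header injection,
    # path traversal, and a non-ASCII name
    samples = [("report.pdf", "application/pdf"),
               ("page.html", "text/html"),
               ('x"\r\nSet-Cookie: a=b.txt', "text/plain"),
               ("../../etc/passwd", "application/octet-stream"),
               ("r\u00e9sum\u00e9.pdf", "application/pdf")]
    for fn, mt in samples:
        print(content_disposition(fn, mt))
```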

Category: Software