From: Ricardo Wurmus
To: Zelphir Kaltstahl
Cc: guile-user@gnu.org
Newsgroups: gmane.lisp.guile.user
Subject: Re: Web development
Date: Fri, 04 Sep 2020 22:25:43 +0200
Message-ID: <87y2lpe1bs.fsf@elephly.net>

Zelphir Kaltstahl writes:

>>> (2) What do you use to serve static files (securely)? If you use Guile's
>>> web server, how exactly do you do it? Do you have the code somewhere?
>> I configure an assets directory and define a procedure that sanitizes
>> the requested file name to serve it from that directory. I don’t do
>> much with files so I don’t usually do anything other than
>>
>>     (call-with-input-file file-name get-bytevector-all)
>>
>> for the body of the response. But if I had to send large files I’d use
>> “sendfile” directly.
>
> Don't you need to also check what kind of file type it is and select the
> appropriate MIME type for answering the request?

Yes, you need to send along the correct MIME type. In my projects I
know the MIME type of all files I’ll send ahead of time, so I can get
away with looking up the file extension in an alist of extensions to
MIME types.

Something like that:

--8<---------------cut here---------------start------------->8---
;; Modules for any/cons* (srfi-1), cut (srfi-26), get-bytevector-all
;; and build-uri.  file-mime-types, file-extension, directory?,
;; not-found and %config are helpers not shown in this message.
(use-modules (srfi srfi-1)
             (srfi srfi-26)
             (ice-9 binary-ports)
             (web uri))

(define (render-static-file root path)
  ;; PATH is a list of path components
  (let ((file-name (string-join (cons* root path) "/")))
    ;; Serve only when no component contains "..", and the target
    ;; exists and is not a directory; otherwise answer "not found".
    (if (and (not (any (cut string-contains <> "..") path))
             (file-exists? file-name)
             (not (directory? file-name)))
        (list `((content-type . ,(assoc-ref file-mime-types
                                            (file-extension file-name))))
              (call-with-input-file file-name get-bytevector-all))
        (not-found (build-uri 'http
                              #:host (assoc-ref %config 'host)
                              #:port (assoc-ref %config 'port)
                              #:path (string-join path "/" 'prefix))))))
--8<---------------cut here---------------end--------------->8---

There’s probably a better way and a fail-safe way to do this, but this
has worked fine for me.

> And how do you use sendfile directly? (Code example for this would also
> be great to see.)

I’ve got no example for that in my projects, but “guix publish” provides
an implementation of “http-write” that uses sendfile. See
guix/scripts/publish.scm in the Guix source tree.

> Is it still necessary to sanitize the requested file names, when an HTTP
> server handles requests for assets before the Guile application is hit?

I’d still do that because I’d want the application to never do the wrong
thing, even when the deployment details change.

-- 
Ricardo
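
A stricter variant of the file-name check discussed in the message above, as an added example that is not part of the original message or of any project it mentions: each path component is validated, the resolved file must stay below the canonical asset root, and unknown extensions fall back to a generic MIME type. The names `%mime-types`, `safe-component?`, `resolve-asset`, `mime-type-for` and `static-file-response` are hypothetical, the MIME table is constructed, and the asset root is assumed to exist.

```scheme
(use-modules (srfi srfi-1)          ; every
             (ice-9 binary-ports))  ; get-bytevector-all

;; Constructed table; list only the types the application really serves.
(define %mime-types
  '(("css"  . (text/css))
    ("js"   . (application/javascript))
    ("png"  . (image/png))
    ("html" . (text/html (charset . "utf-8")))))

(define (safe-component? component)
  ;; A percent-decoded component can contain "/" (from %2F) or NUL, so
  ;; reject those as well as the empty, "." and ".." components.
  (not (or (string-null? component)
           (member component '("." ".."))
           (string-index component #\/)
           (string-index component #\nul))))

(define (resolve-asset root components)
  "Return the canonical file name for COMPONENTS below ROOT, or #f."
  (and (pair? components)
       (every safe-component? components)
       (let* ((root* (canonicalize-path root))
              (candidate (string-join (cons root* components) "/")))
         (and (file-exists? candidate)
              ;; canonicalize-path resolves symlinks, so a link that
              ;; points outside ROOT fails the prefix test below.
              (let ((real (canonicalize-path candidate)))
                (and (string-prefix? (string-append root* "/") real)
                     (eq? 'regular (stat:type (stat real)))
                     real))))))

(define (mime-type-for file-name)
  ;; Unknown or missing extensions fall back to a generic binary type.
  (let* ((base (basename file-name))
         (dot (string-rindex base #\.))
         (ext (and dot (substring base (+ dot 1)))))
    (or (and ext (assoc-ref %mime-types (string-downcase ext)))
        '(application/octet-stream))))

(define (static-file-response root components)
  "Return (HEADERS BODY) for the asset, or #f when it must not be served."
  (let ((file (resolve-asset root components)))
    (and file
         (list `((content-type . ,(mime-type-for file)))
               (call-with-input-file file get-bytevector-all
                 #:binary #t)))))
```

A caller treats `#f` as "not found" and answers with a 404, so a rejected name and a missing file are indistinguishable to the client.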