Sputnik: traceback errors, config pages, searching

traceback errors, config pages, searching (000001)
XSSFilter could not parse (X)HTML:


<p>From dm.lua at math2.org  Sat Aug 23 14:38:33 2008
From: dm.lua at math2.org (David Manura)
Date: Sat Aug 23 14:50:39 2008
Subject: [Sputnik-list] traceback errors, config pages, searching
Message-ID: <a href="mailto:bc4ed2190808230938x1652c455yc757bf60059c6349@mail.gmail.com">bc4ed2190808230938x1652c455yc757bf60059c6349@mail.gmail.com</a></p>

<p>A few comments...</p>

<p>(1)</p>

<p>When Sputnik raises an unexpected exception, a stack traceback is
displayed on the web page:</p>

<p><snip>
There was an error in the specified application. The full error message follows:</p>

<p>...epler-1.1/rocks//wsapi/1.0rc1-1/lua/wsapi/common.lua:183: cannot
obtain information from file `redirect:/cgi/sputnik.cgi'
stack traceback:</p>
<pre><code>   [C]: in function 'assert'
   ...epler-1.1/rocks//wsapi/1.0rc1-1/lua/wsapi/common.lua:183: in
</code></pre>
<p>function <...epler-1.1/rocks//wsapi/1.0rc1-1/lua/wsapi/common.lua:182></p>
<pre><code>   (tail call): ?
   ...utnik/kepler-1.1/rocks//wsapi/1.0rc1-1/bin/wsapi.cgi:16: in
</code></pre>
<p>function <...utnik/kepler-1.1/rocks//wsapi/1.0rc1-1/bin/wsapi.cgi:14></p>
<pre><code>   (tail call): ?
   [C]: in function 'xpcall'
   ...epler-1.1/rocks//wsapi/1.0rc1-1/lua/wsapi/common.lua:135: in
</code></pre>
<p>function 'run_app'</p>
<pre><code>   ...epler-1.1/rocks//wsapi/1.0rc1-1/lua/wsapi/common.lua:159: in
</code></pre>
<p>function 'run'</p>
<pre><code>   ...k/kepler-1.1/rocks//wsapi/1.0rc1-1/lua/wsapi/cgi.lua:16: in
</code></pre>
<p>function 'run'</p>
<pre><code>   ...utnik/kepler-1.1/rocks//wsapi/1.0rc1-1/bin/wsapi.cgi:26: in main chunk
   [C]: ?
</code></pre>
<p></snip></p>

<p>It could be argued that the end user of the web site shouldn't see a
stack traceback.  First, there may be security implications in
allowing the end user to know how the web site is implemented and
installed.  Second, the stack traceback is more useful rather to the
administrator of a web site, so perhaps it should be recorded instead
to a log file on the server, and end user should only see a ticket
number that the administrator can cross reference against the log
file.   I did some searching on this concern just now:</p>

<p>[1] http://www.jankoatwarpspeed.com/post/2008/06/02/Exception-handling-best-practices-in-ASPNET-web-applications.aspx
[2] http://www.securitypark.co.uk/article.asp?articleid=26905
[3] http://www.infosecwriters.com/text<em>resources/pdf/Top</em>10<em>Configuration</em>Security<em>Vulnerabilities</em>Part<em>One</em>BSullivan.pdf</p>

<p>The stack traceback in Sputnik is triggered by error_html in
rocks/wsapi/1.0-2/lua/wsapi/common.lua, so this might instead be a
WSAPI/Kepler concern.</p>

<p>(2)</p>

<p>After installing Sputnik, I had difficulty finding a complete list of
all the configuration pages.  Only some were on the start page.  I
later discovered they were listed on the "sputnik" page--e.g.
http://sputnik.freewisdom.org/en/sputnik .  (BTW, the "_navigation"
link on this page is broken.)  I think the "sputnik" configuration
page should be linked from the start page on the initial installation.</p>

<p>(3)</p>

<p>More generally, is there a way to obtain a complete list of all pages
that exist (without indexing them on Google)?  Perhaps I'm setting up
a new wiki and want to remove unnecessary pages.  On lua-users wiki, I
just enter an empty search in http://lua-users.org/wiki/FindPage .</p>

<p>(4)</p>

<p>I'm quite in favor of adding a built-in full-text search engine that
works out-of-the box, at least as a fallback, even if that may be
inferior in some ways to Google.  A discussion about this was here:</p>

<p>  http://lua-users.org/lists/lua-l/2008-02/msg00950.html</p>

<p>A potentially common use case is to use Sputnik internally on a small
wiki by an individual or small group.  In that case, simple linear
search through the pages (much like grep) would be sufficient and
trivial to implement.  More generally, you'd want to maintain an
inverted index, possibly using an existing production-grade search
engine (e.g. http://swish-e.org and others) or Google, but if you want
something trivial to implement now, here's the code used by the usemod
wiki ( http://www.usemod.com/cgi-bin/wiki.pl ), which is the wiki upon
which lua-users.org is based:</p>

<p>sub SearchTitleAndBody {
  my ($string) = @_;
  my ($name, $freeName, @found);</p>

<p>  foreach $name (&AllPagesList()) {</p>
<pre><code>&OpenPage($name);
&OpenDefaultText();
if (($Text{'text'} =~ /$string/i) || ($name =~ /$string/i)) {
  push(@found, $name);
} elsif ($FreeLinks) {
  if ($name =~ m/_/) {
    $freeName = $name;
    $freeName =~ s/_/ /g;
    if ($freeName =~ /$string/i) {
      push(@found, $name);
    }
  } elsif ($string =~ m/ /) {
    $freeName = $string;
    $freeName =~ s/ /_/g;
    if ($Text{'text'} =~ /$freeName/i) {
      push(@found, $name);
    }
  }
}
</code></pre>
<p>  }
  return @found;
}</p>

<p>Boolean AND/NOT logic and phrase searching would be a simple extension
to that (e.g. ' "hello world" -goodbye ').  You do not need word
tokenization (since there is no inverted index of words) nor stemming,
synonyms, etc., which would complicate the otherwise simple logic.</p>

<p>(5)</p>

<p>When previewing edits to template/config pages, it would be useful for
Sputnik to apply the templates being edited in the preview.  This is
especially true since edits to these pages can break the wiki, so it
would be desirable to preview them first.</p>