Hello, Adam recently contacted me as a random DD, as he was interested in getting Bashbro into Debian. As a courtesy to the others that have visited with him about it, here is an excerpt of my response.
Hi Adam,

That's a pretty neat concept! I'm impressed - HTTP serving in bash. It wouldn't have occurred to me. A neat idea! And, I'm glad that you're interested in Debian!

When considering adding a package to Debian, we remember that adding a package is expensive. That is, it requires infrastructure resources, human time (reviewing uploads, etc), bandwidth, disk space, etc. It also implies commitments for future humans: security team, etc. So there are some broad criteria we look at when considering adding a package:

1) Does it duplicate existing functionality? If so, is it sufficiently different/better to justify inclusion anyhow?
2) Is it likely to be actively maintained for the extended lifetime of a release (several years)?
3) Is it of high quality?

Debian already contains this kind of functionality in the default install (run python -m http.server 9000, for instance; see https://docs.python.org/3/library/http.server.html#http-server-security ). There are also numerous other minimal HTTP servers in Debian already. So the question is: is this sufficiently better to justify the effort?

The main thing I'm concerned about here is security. Writing HTTP code is notoriously difficult and I'm sure there have been thousands of CVEs over the years related to it. So off the bat, writing one's own HTTP-parsing code implies a base-level risk.

I note you have made a solid effort to use good shell quoting practices -- excellent. Remember that on most Linux filesystems, every 8-bit character except 0x00 and '/' is valid in a filename. So, consider what would happen if you had to deal with a filename or a request that:

- Begins with '-'
- Begins with "of="
- Contains '+', '?', ' ', or '&'
- Contains %0D, %0A, %00, %20, %FF, or their unencoded versions
- Is 1GB long (what does "read" do with that?)
- Has headers that are 1GB long
- Contains ANSI terminal-manipulation sequences
- Contains a byte sequence that isn't valid UTF-8 while run in a UTF-8 locale

Just to pass on examples here... '+' should expand to a space, but urldecode() doesn't. Calling dd with of=blah would overwrite blah. The behavior of file could be significantly altered by a request beginning with '-'. I'm not really sure what an embedded NULL character would do. In short, it is extremely difficult to write a shell script that is robust against untrusted input, and I can immediately spot some potential issues here. Log/verbose output may additionally scramble the user's terminal or otherwise conceal malicious attempts.

Besides that, it has some important missing functionality. Most importantly, because it doesn't support HTTP/1.1, it doesn't support ranged requests (resumption) or a way for the client to know affirmatively if it got the entire file. Of course, it is also quite inefficient but that may not matter too much for the intended use case.

So, as an example program, this is fantastic. As something that Debian as a project would like to support users actually using, it has some notable drawbacks against the minimal option already included in Debian. I would heartily recommend this to someone as an exercise to learn about bash programming -- especially if they are able to spot the things I highlighted above (or others). But I'm afraid that, as a Debian sysadmin, I wouldn't want to support this for users or have it installed on my system for real use. I suspect that the ftpmasters wouldn't accept it into the distribution, and that may be why there hasn't been a sponsor.

If you would like to package up something else for Debian, I'd be happy to look at it for you though!

Regards,
- John
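To make the input-handling points above concrete, here is an added example in POSIX shell. It is not Bashbro's code and not part of the reply; the function names urldecode and safe_path, the document root /srv/www and the 4096-byte cap are my own choices. It decodes a request path the way browsers encode it ('+' becomes a space, %XX becomes a byte), refuses the bytes a file-serving script cannot safely pass on (NUL, CR, LF, truncated escapes), rejects '..' traversal after decoding, and always emits an absolute path under the document root so that tools invoked later (file, dd, cat) never see a leading '-' or an of= word as an option or operand.

```shell
#!/bin/sh
# Added example, not Bashbro's code: defensive request-path handling for a
# shell HTTP server. Runs under dash and bash.

# urldecode STRING
#   Prints STRING with '+' turned into a space and %XX escapes decoded.
#   Returns 1 on a malformed escape, or on a decoded byte that must never
#   reach a filename or a log line: NUL (0x00), LF (0x0A), CR (0x0D).
urldecode() {
    local in out c hex byte
    in=$1; out=''
    while [ -n "$in" ]; do
        c=${in%"${in#?}"}            # first character of the remaining input
        in=${in#?}
        case $c in
            +) out="$out " ;;        # form encoding: '+' is a space
            %)
                hex=${in%"${in#??}"} # the two characters after '%'
                in=${in#??}
                case $hex in
                    [0-9A-Fa-f][0-9A-Fa-f]) ;;
                    *) return 1 ;;   # '%4' or '%zz': malformed, reject
                esac
                byte=$((0x$hex))
                case $byte in
                    0|10|13) return 1 ;;   # NUL, LF, CR: never allowed
                esac
                # printf's octal escape turns the byte value into the byte
                out="$out$(printf "\\$(printf '%03o' "$byte")")"
                ;;
            *) out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# safe_path DOCROOT REQUEST_TARGET
#   Prints the filesystem path to serve for REQUEST_TARGET, or returns 1 if
#   the target is too long, is not an absolute URL path, fails to decode, or
#   contains a '..' component after decoding.
safe_path() {
    local root raw dec rest comp
    root=$1
    raw=${2%%\?*}                    # drop the query string at the first '?'
    [ "${#raw}" -le 4096 ] || return 1   # cap length before doing any work
    case $raw in
        /*) ;;
        *) return 1 ;;               # a request path must begin with '/'
    esac
    dec=$(urldecode "$raw") || return 1
    # Walk the decoded components; '%2e%2e' has become '..' by now, which is
    # exactly why the check happens after decoding rather than before.
    rest=$dec
    while [ -n "$rest" ]; do
        rest=${rest#/}
        comp=${rest%%/*}
        case $comp in
            ..) return 1 ;;
        esac
        case $rest in
            */*) rest=${rest#*/} ;;
            *) rest='' ;;
        esac
    done
    # The result always starts with "$root/", so a name like '-rf' or 'of=x'
    # can no longer be mistaken for an option by file(1) or dd(1).
    printf '%s' "$root/${dec#/}"
}

# Usage: path=$(safe_path /srv/www "$request_target") || send_400
# then e.g. file --brief --mime-type -- "$path"
```

Two design points: the traversal check runs on the decoded string, because an encoded '..' only becomes dangerous after decoding, and the shell's own variables are what make NUL unrepresentable, so the decoder rejects %00 rather than silently truncating. Invalid UTF-8 in a UTF-8 locale is a separate problem this example does not solve: the character-at-a-time loop follows the shell's idea of a character, so a server should normally run under LC_ALL=C to make it byte-oriented.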