Comments (7)
@szampier thanks for reporting this, and sorry for not being able to come back earlier.
As noted in the commit message above, we disabled the internal, ng_log and cfg parameters a while ago because of the security risk they represented. I've special-cased the internal=ngamsStatus.dtd value now though, and added a test that checks this is working as expected. Please let me know if this works for you now and I'll merge back to master.
This might or might not open another can of worms in terms of invalid XML being returned... hopefully nothing too bad :)
from ngas.
Hi @rtobar, thanks for looking into this. I've verified that it's now possible to retrieve ngamsStatus.dtd but this DTD refers to other internal DTDs located at DUMMYHOST:DUMMYPORT...
So the error is now: "MalformedURLException" (Java) or "Invalid URI" (python lxml).
$ curl http://127.0.0.1:7777/RETRIEVE?internal=ngamsStatus.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % XmlStd SYSTEM "http://DUMMYHOST:DUMMYPORT/RETRIEVE?internal=XmlStd.dtd">
%XmlStd;
<!ENTITY % NgamsInternal SYSTEM
"http://DUMMYHOST:DUMMYPORT/RETRIEVE?internal=ngamsInternal.dtd">
%NgamsInternal;
...
from ngas.
Mmmm... moreover, the contents of the DTD document are non-standard (e.g., see the third line, which reads %XmlStd;, definitely not XML!). There was some code in NGAS that did some custom substitutions, but from what I can dig this code was never invoked, not even in the first version of the code we imported in our git repo, so I have no idea how this would have ever worked.
@szampier could you show me how this looks for the ESO version? If anything, I'd try to match that behaviour. @smclay might want to chip in as well from the ALMA side, in case they're using this feature.
Sorry, I stand corrected, this was me not knowing enough about DTD (never had to deal with it before, I think it had been superseded by XSD by the time I started dealing with XML). The line I pointed out is a https://www.w3.org/TR/xml11/#NT-PEReference. It all looks good then, and it should all work if I change those URLs to point to the server.
from ngas.
Hi @rtobar, below is a diff between VLT-NGAS (right) and ICRAR (left) ngamsStatus.dtd. Note that the VLT one points to a public document on the ESO pages, which is also not optimal IMO.
diff ngamsStatus.dtd ngamsStatus-icrar.dtd
2c2
< <!ENTITY % XmlStd SYSTEM "http://www.eso.org/projects/esoxml/dtd/XmlStd.dtd">
---
> <!ENTITY % XmlStd SYSTEM "http://DUMMYHOST:DUMMYPORT/RETRIEVE?internal=XmlStd.dtd">
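Review bot: on the `>` side of 2c2, DUMMYHOST:DUMMYPORT is not a valid URI authority (the port is not numeric), so any parser that resolves the XmlStd entity fails if the file is ever served without substitution. Replace the placeholder when the file is served, and add a test asserting that the string DUMMYHOST never appears in a RETRIEVE?internal= response.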
5c5
< "http://www.eso.org/projects/esoxml/dtd/ngamsInternal.dtd">
---
> "http://DUMMYHOST:DUMMYPORT/RETRIEVE?internal=ngamsInternal.dtd">
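Review bot: on the `<` side of 5c5, the system identifier is a plain http:// URL on www.eso.org, so every validating client depends on a third-party host and fetches the DTD over an unauthenticated channel. Serving ngamsInternal.dtd from the NGAS server itself, as the `>` side intends, removes that dependency once the placeholder is resolved.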
from ngas.
Thanks @szampier, that looks all more or less fine.
I've ended up going through a bit of a rabbit hole and fixed a couple of things:
- The DOCTYPE declarations in the generated ngamsStatus XML documents in the server did not use the Host HTTP request header to populate the URL for the RETRIEVE command that would provide the ngamsStatus.dtd file, which could be an issue depending on the installation (e.g., if the server is behind a NAT, or depending on DNS configurations). I've fixed that.
- I added the ngamsInternal.dtd and XmlStd.dtd files to the list of allowed files to be retrieved via the RETRIEVE?internal= flag.
- I'm now replacing those DUMMYHOST:DUMMYPORT strings with the correct server URL using the same logic as the one for the first point.
All of that provides now with the infrastructure to retrieve the DTD files... only to expect loads of validation failures, as initially expected. I'm using lxml to validate the output of a vanilla STATUS command. The first error is that the Status field is returning SUCCESS instead of OK/FAILURE/-, but then if I fix that I get that the NgamsStatus element is missing a Header sub-element.
All of this makes me wonder what's the situation for the responses from the ESO servers? Our DTDs have clearly diverged from what we're serving, but it's not clear whether that happened before any of our changes or before we even adopted NGAS into our git repo (~11 years ago, from ALMA).
I've pushed the changes to the issue-103 branch anyway, as they shouldn't be harmful. If anything, they open the door to trying to align the schemas and the documents we produce.
from ngas.
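The allowlist and Host-based placeholder substitution described in the comment above, sketched as an added example; this is not the NGAS code on the issue-103 branch. The function names, the in-memory `DTD_STORE` and the `127.0.0.1:7777` fallback are assumptions, and the Host value is syntax-checked before use because it is supplied by the client.

```python
import re

# Files named in the thread as retrievable via RETRIEVE?internal=; nothing else is served.
ALLOWED_INTERNAL = frozenset({"ngamsStatus.dtd", "ngamsInternal.dtd", "XmlStd.dtd"})
PLACEHOLDER = "DUMMYHOST:DUMMYPORT"

# Plain host[:port] only. No userinfo, path, query, whitespace or CR/LF can match.
# IPv6 literals are deliberately not accepted here and use the fallback.
_AUTHORITY = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::([0-9]{1,5}))?")

# Constructed stand-in for the DTD files on disk (abridged from the curl output above).
DTD_STORE = {
    "ngamsStatus.dtd": (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!ENTITY % XmlStd SYSTEM '
        '"http://DUMMYHOST:DUMMYPORT/RETRIEVE?internal=XmlStd.dtd">\n'
        "%XmlStd;\n"
    ),
    "ngamsInternal.dtd": "<!-- constructed placeholder content -->\n",
    "XmlStd.dtd": "<!-- constructed placeholder content -->\n",
}


class Refused(Exception):
    """The request names something outside the allowlist; map to an HTTP 4xx."""


def server_authority(host_header, fallback):
    """Return the Host header if it is a well-formed host[:port], else the fallback."""
    if not host_header or len(host_header) > 255:
        return fallback
    m = _AUTHORITY.fullmatch(host_header)  # fullmatch: a trailing newline cannot slip through
    if m is None:
        return fallback
    port = m.group(1)
    if port is not None and not 0 < int(port) <= 65535:
        return fallback
    return host_header


def retrieve_internal(name, host_header, fallback="127.0.0.1:7777"):
    """Serve one allowlisted DTD with the placeholder replaced by this server's address."""
    if name not in ALLOWED_INTERNAL:  # exact-name match, so paths and traversal never resolve
        raise Refused(name)
    return DTD_STORE[name].replace(PLACEHOLDER, server_authority(host_header, fallback))
```

Syntax validation does not make the Host value trustworthy; where responses can be cached or the server's public name is fixed, compare it against a configured list of names instead.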
Hi @rtobar , the last changes seem to have fixed the problem on our side. We will run some more tests until the end of the week, if you don't hear from us it means that it's all fine and you can merge the changes. Thanks a lot for the fix!
from ngas.
closing issue after merging PR #104
from ngas.