I am making a post request to a python script and then I want to save an image file to the server, in the html folder here is what I am doing
fh = open("/var/www/html/images/logo.png", "wb")
fh.write(image_data.decode('base64'))
fh.close()
but then I get this error, IOError: [Errno 13] Permission denied: I have found out that it means this file doest have permission to save the image, and I could get around it by doing chmod to 777 but that is dangerous and bad, so how else can I save the file but not let the file be edited by anyone?
Thanks
You could either change the permissions or run the script as a user with the correct permissions. I don't see many other options. You could have your script edit the permissions, write, and then change the permissions back although it would still be editable for a moment, and it just seems like a bad idea. The script could fail for some reason and leave the permissions allowing anyone to edit. Edit: If you can change the permission you should be able to write, making my last idea pointless.
It may appear a bit convoluted but I suggest that you might want to investigate the /etc/sudoers file.
For your purposes, you would create the file somewhere that you do have permissions like /tmp and then move it to /var/www/html/images/ using a script that is named as a sudoers Cmnd_Alias.
You still need to envoke the Cmnd_Alias script with sudo but if you have declared it with NOPASSWD then it should just function without asking for the sudo password.
Always access the /etc/sudoesrs file using visudo
an example of the entries in that file:
# Cmnd alias specification
Cmnd_Alias WEB = /home/test.s
and then later in the file:
# User privilege specification
root ALL=(ALL:ALL) ALL
rolf ALL=(ALL:ALL) NOPASSWD:WEB
with this, the /home/test.sh will perform whatever task the user rolf sets it, such as moving a file from /tmp to /var/www/html/images/ when the command line, sudo /home/test.sh is issued, without asking for the password.
Related
I'm making a discord bot with discord.js, but my reset command isn't working.
//!reload
if(command === `${botsettings.prefix}reload`) {
console.clear();
bot.destroy()
bot.login(botsettings.token);
message.channel.send("Reloaded");
return;
}
It doesn't give any error; it restarts and goes back on but the commands don't update!
I tried so many different things I found, but it doesn't work.
I only have one file for all commands.
If you use a nodemon system and a local batch file it will automatically reload the file for every change saved in it, and will output the new file changes.
If you need more help on this, watch a few videos from TheSourceCode on YouTube and you'll see in around 3-4 episodes on him using nodemon.
If you end up hosting it on Heroku, which is frowned upon, but I do, it will automatically reload for every change in your GitHub repository, just make sure to replace your token with process.env.token and make sure you have it set on your Heroku.
So i am guessing you have your various files set out (config etc) and one central bot.js file, and you load the bot by using something like
node bot.js
on your host machine, and obviously part of your .js file sets up the bot something like this:
const bot = new Discord.Client();
From what I can tell, your
bot.destroy()
and
bot.login(botsettings.token);
is just refreshing the const 'bot', but what it is not doing is reloading your bot.js file (with the updated commands and code).
What you would need to do, is have it set up to run a batch file or something on your host machine that terminates the entire process bot.js, and then restarts it. As this would then use the new and updated bot.js file.
The only problem is I am still figuring out how to run a batch file from my JS file, as understandably for security that feature isn't built in (other wise most websites that use JS would be vunerable to getting it to run things like format C:\)
I imagine it will involve using WSH in my JS, and I will update here if I do get it going.
I hope this was clear? let me know if you still have a question :)
In the code you provided, it seems like your only refreshing the const 'bot' instead of reloading the bot.js file.
I recommend that you use a batch file.
client.destroy();
client.login();
That's not possible since there's a dead socket.
Instead, you're able to make a Shell script and have a background Daemon service the needs that you want.
I am trying to make a compiler in which users make code at abc.com/newProject and their output is in an iframe, that iframe need to be served files that are made at the abc.com/newProject. So I will be doing a POST of JSON obj at abc.com/compile-project that will create files and those will be used by the iframe, after being used those should get deleted. Files are basically JS files that iframe will fetch using script in header.
So a pseudo-code will look something like this:-
app.post('/compile-project', function(req, res){
//Directory created using node tmp
//files created in the directory
//These files are accessible using <script src="/js/file1.js"></script>
//when the current connection requests the files they get deleted
});
Any help will be appreciated thanks.....
I am trying to make a compiler [...] Any help will be appreciated thanks.....
I would strongly discourage you from doing that if you don't know what you're doing (and considering the fact that you're asking how to save a file then apparently you don't).
The requirements that you described are extremely simple but you need to have much deeper understanding of everything that's going on to avoid serious security problems that you will encounter with no doubt along the way.
What you describes can be done without even using a file system, since all your files are served only once so it doesn't make much sense to store them in actual files. But even if you insist on the file system then all you need is to use fs.mkdtemp to create a temporary directory, use something like the uuid module for unique IDs to use in the filenames, then use fs.writeFile to write a file. This is all you need for the file upload endpoint. Now in the download endpoint all you need is to use fs.readFile to read the file and fs.unlink to remove it. That's it.
Now, it will surely get you into trouble of failures on browser reloads, back button not working, and finally security issues of people being able to serve any random code from your servers leading to vulnerabilities too numerous to even list here.
Take a look at the source code of repl.it and JS Bin on GitHub:
https://github.com/replit/repl.it
https://github.com/jsbin/jsbin
to appreciate the scope of the project that you are willing to undertake.
I hope the question didn't confuse you firstly. I'm very picky on security and do not want to have ANY PHP files anywhere in the public_html folder, but on the private area usually before this directory "../public_html". Here's a quick example of my needs, and do believe .htaccess will rescue me (or one of you guys!) with a solution. Inside JS I get data I want to send to PHP. I'm not going to write all the JS code but you'll understand surely. The JS file is located here: c://wamp64/public_html/assets/js/send_ajax.js and index /public_html/index.php
var username = helloWorlder;
/* and all the onreadystate change content here */
xmlhttp.open("POST", "this_is_the_problem_file_name.php", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.send("u=" + username);
You see the file I'm POSTing to, I want to have a rewrite condition so it can point to this example C://wamp64/private_area/php/this_file.php. I don't want to do this in the JS script ../../../private_area/this_file.php because that will be TOO much revealing a sensitive directory. To clarify the index page, and of course JS file is public. The PHP file isn't. Surely there's a way. Thanks in advance.
.htaccess and javascript will only be able to communicate with what is publicly accessible by the browser. What you will probably want is an intermediary controller. You can set up a snippet in MODX that loads your hidden PHP files, set up a blank page that calls that snippet, then post your requests to that page and read the responses.
You can't make a request that gets processed by a PHP program unless you give that PHP program a URL.
The easiest way to do that is to put the PHP program under the server root.
You could use alias or mod_rewrite to keep the file elsewhere, but that is largely pointless.
The only benefit that gives you is that in the unlikely event of something going wrong with your server configuration which might leak the source code of the PHP program, then it will likely go sufficiently wrong to break access to it entirely.
You can get the same benefits, without the complexity, by putting the sensitive parts of the program outside the server root and then include()ing them.
I have stucture code like this:
I try to load javascript into php file like this:
But i have an error like this:
This is my html :
And this is another javascript:
And i try to copy paste the link, and i got an error 404 not found. How can i fix it? Thanks.
Permissions
When the host is correct, and the file is in the right place, and you have no other networking problems, you may sometimes still get a 404 because of bad file permissions. If a server does not have permission to access a file, it may send out a 404 error in response. The reason why some "Not Authorized" error is not given instead, is that this would reveal more information about the files than you, the owner of the server, may intend. The way to respond to requests for privileged files without revealing whether or not they exist is to give a 404.
On Windows, you can view and change the permissions from the File Explorer by right-clicking on the file or folder, then going to Properties -> Security -> Edit. For more information, see the notes on permissions on Microsoft's site.
File Types
Besides permissions, a server must also be configured to serve the type of file you are accessing. If files with different extensions are served, but .js files are not, check the configuration of your server to make sure that .js files aren't blacklisted (or not whitelisted, as the case may be).
Directory Location
You should also verify that the files are actually stored in the top-most directory of the web server if that's how you are accessing them. If they aren't, you may need to prefix the path with the path from the webserver root to your application directory. E.g., instead of fusioncharts/..., you may need /path/to/fusioncharts/... or ../../path/to/fusioncharts.
Other Considerations
In your particular case, you should also verify that the files inside the fusioncharts folder are actually structured the way you think. (E.g., is there really a js/[insert name here].js file inside the fusioncharts folder?
If none of that solves your problem, try to take something that is working and gradually make it more and more similar to the files that aren't working. By figuring out at which point you go from a working setup to a not working setup, you may discover the problem.
If you are referring to a file with path: /ui/new-file.js
then,
1.In html file include
<script type="text/javascript" src="/ui/new-file.js"></script>
2.In server.js or app.js whichever you have, include
app.get('/ui/new-file.js', function (req, res) {
res.sendFile(path.join(__dirname, 'ui', 'login-file.js'));
});
Assuming you are using codeigniter, you can use base_url() function to include JS files in your codeignitor view template file.
<script src="<?php echo base_url(); ?>fusioncharts/js/fusioncharts.js" type="text/javascript"></script>
codeigniter default view template is called welcome_message.php and this file is located in application/view folder.
This is how I include js files in my codeigniter projects. Hope this will help.
In the html you can write *script** in the head or in the body, but not in your file js, delete this in fusionCharts.js
<script type=text/javascript>
In fusionCharts.js write only the function without the script
If you are developing locally, try clearing your cache.
Google Chrome likes to use the cached JavaScript files instead of the real ones.
Clearing your cache should resolve the issue.
I wonder if someone can give me an example about how "node-remote" works if I want to run some of the logic/functions of my application from the server.
Like, I don't know what to do after adding "node-remote" : "hostip" into package.json, what should my server provide? .js file that has the functions I want to run? So is it like: "node-remote" : "myappserver.com/funcs.js" ? I am so confused about this...
I can't find enough information on web about this, so some help or at least a better explanation of "baconface"'s reply from this link would be so helpful: https://github.com/nwjs/nw.js/issues/3278
node-remote is used for to expose node.js + nw.gui APIs for html script tags and javascript files coming from your website. That's it! You can use require, objects like global, process in these files.
node-remote parameter itself expects a domain name or ip address of hosts you want nw.js to allow to use node.js APIs for these hosts while other hosts can't access them.
Little example:
configure simple package.json and set node-remote parameter to github.com on it.
save package.json.
open nw application.
open page https://github.com/ on it.
open Developer Tools.
in console type require('fs').writeFileSync('test.txt', 'Hello, World!'); and hit enter.
Now you should see test.txt file in nw's root directory.
delete test.txt.
edit your package.json and remove node-remote field.
repeat [2..6] actions.
Now you should see error like "require" is undefined in DevTools console
Hope this helps.
Sicne this has been posted "node-remote" has change slightly. Here is an example:
"node-remote": "*://*",
Direct Links:
Notes about changes from v0.12 to v0.13 - http://docs.nwjs.io/en/latest/For%20Users/Migration/From%200.12%20to%200.13/
Formatting of "node-remote": http://docs.nwjs.io/en/latest/References/Manifest%20Format/#node-remote