Lon.gs: A URL shortener in C (opens in new tab)

(lon.gs)

107 pointsefnor10y ago95 comments

95 comments

72 comments · 26 top-level

mwcampbell10y ago· 10 in thread

I'm surprised there's still any interest in standalone URL shorteners. Didn't Twitter make them obsolete when it implemented its own?

greglindahl10y ago

Because URL shorteners are ticking timebombs, ArchiveTeam has a project to get as many of the links as possible into the Wayback Machine:

http://www.archiveteam.org/index.php?title=URLTeam

(edit: and you can imagine how useful that's going to be once browsers start checking the Wayback whenever they see a 404... we're getting close to starting a trial of that with Firefox, with other browsers to follow.)

rsync10y ago

We[1] just launched a new shortener and it supports URLs.

That's not the primary use-case for it[2][3], but we're happy to support people shortening URLs if they want to. The reason there's room for this is that our URL shortening function has no ads, no third party tracking, no bloat ... no dark patterns.

That's worth something to some people.

[1] Oh By, Inc.

[2] https://0x.co/examples.html

[3] https://0x.co/hnfaq.html

hk__210y ago

> The reason there's room for this is that our URL shortening function has no ads, no third party tracking, no bloat ... no dark patterns.

But it’s still a closed, proprietary database and there’s no way to decode an “Oh By Code” if the service goes down, which is the disadvantage number one you have with URL shorteners.

> The real utility are the easily recognizable codes, prefixed with "0x".

Why not using a prefix that helps differentiate your codes from hexadecimal numbers? How do you plan to get people to know your service if it’s not recognizable? Let’s say I put one of those codes on my business card, I still have to write somewhere that people should use 0x.co to access the content, which ruins the advantage of having just one code rather than a URL to my website (literally anyone knows how to open a URL in a browser).

2 more replies

ryan-c10y ago

I run my own so I can have control and have shorter URLs than available with public shorteners. I generally use it in presentations I do.

jdboyd10y ago

I like to use single line URLs in a number of circumstances, particularly email and IRC. While some URLs can be trimmed (excessively long Amazon or eBay URLs for instance), others just need a URL shortener, and I'd prefer to use one I control.

I used to run a public one but it was getting abused for spam so I stopped.

jjnoakes10y ago

Reason number 37 why URL shortened are bad. They can disappear and all URLs become invalid.

tropicalmug10y ago

There are other needs for a shortened URL. Perhaps you have to hardcode a link in code and don't want to be tied to a page whose contents may break. If you control your URL shortener, you can hardcode your shortened one, and update the redirect as needed.

hk__210y ago

> Perhaps you have to hardcode a link in code and don't want to be tied to a page whose contents may break. If you control your URL shortener, you can hardcode your shortened one, and update the redirect as needed.

And when your URL shortener goes down, all links are dead. Shortening URLs is the last thing you want to do when you need to preserve pages that might go down. Caching is a better solution.

1 more reply

vidarh10y ago

There are many reasons, but the biggest one is simply tracking/analytics for links that don't lead to your own servers.

pessimizer10y ago

TinyURL was established in 2002, Twitter in 2006.

tptacek10y ago· 6 in thread

The C code in the "framework" this thing uses is pretty scary; grep for MAX_BUFFER_SIZE, malloc, strcpy, &c. The header parsing in particular.

q3k10y ago

Agreed.

    q3k@nihilism ~/Projects/longs $ python2 -c "print 'GET / HTTP/1.1.\r\n' + 'a'*2000 + '\r\n\r\n'" | nc 127.0.0.1 1337

    q3k@nihilism ~/Projects/longs $ PORT=1337 ./longs
    *** Error in `./longs': free(): invalid next size (normal): 0x000000000155a5f0 ***
    ...

Sounds like a fun heap exploitation challenge. Almost CTF-like.

EDIT: It also throws a whole bunch of warning when compiling. [moved this here from the first line after child post mention]

longs10y ago

Thank you for raising this issue. We're currently working on fixing this. Here's the issue on the [tracker](https://github.com/riolet/longs/issues/6).

ryanlm10y ago

That's not a warning. That's a runtime error.

1 more reply

msbarnett10y ago

cool, a capture the aws instance contest! (/s)

toomanybeersies10y ago

May I ask what's wrong with malloc?

I don't have much experience with C outside of embedded systems, so my security practices in C are probably less than ideal for PC/server based code.

tptacek10y ago

Nothing is wrong with malloc per se, but the way it's used here is extraordinarily unsafe (they're allocating fixed-sized buffers for variable-length fields). Even if they'd attempted to allocate variable-length buffers, they'd still need to handle integers safely, and this code doesn't.

andrew372610y ago· 6 in thread

Website seems down (connection refused). Did you use any network library (aside from native, I mean)?

tux310y ago

Note that if you have an extension like HTTPS Everywhere, you might have to disable it. At least I could only connect to plain HTTP.

andrew372610y ago

Thanks, didn't think of that!

tcdent10y ago

Is the website actually the URL shortener, or some other stack? I think it's highly unlikely HN just C10K'd them.

fideloper10y ago

t2.nano has CPU credits, they may have gotten spent and we're now seeing the results of throttling (limit on % cpu allowed to use)

chadscira10y ago

Well it is entirely possible that a single HN user C10K'd them

andrew372610y ago

seems more like it just wasn't accessible using https (http works just fine).

colemickens10y ago· 5 in thread

Is anyone suffering from lack of URL shorteners? Or does anyone really care what their URL shortener is implemented in? Is there even any way that the application code contributes to the request time more meaningfully than the persistence mechanism used?

Cool hacks are cool I guess but from the sounds of it, the C code is a bit scary. If you had to build this, why not build it in Rust? At least it wouldn't be so terrifying from a security standpoint and you'd still get whatever performance is supposedly needed.

q3k10y ago

This code is more than a bit scary. This code is of very poor quality, is very poorly documented and has numerous (I'm pretty confident that they're exploitable, too) bugs.

It really isn't a project that I'd recommend to anyone, unless I wanted a shell on their machine. I'm quite distraught that it is getting this many (seemingly blind) upvotes.

Retr0spectrum10y ago

On the subject of code quality:

https://www.reddit.com/r/C_Programming/comments/4p5ung/longs...

(After a few minutes of poking)

hoov10y ago

I was thinking the same thing and then some. I ask a version of this as an interview question, and this doesn't pass my muster. That being said, I do think that implementing a URL shortener is a really good exercise, and I commend the author for that.

ryanlm10y ago

Can you define shell? Do you mean you can get a bash shell from an exploit in this code?

1 more reply

aphextron10y ago

but...but.. it's in C!

pslam10y ago· 5 in thread

Looking at the coding patterns used in the C source, I am utterly horrified this is running live on a public facing website.

I can see at least one buffer overrun dependent on database contents, and I wouldn't be surprised if there's public-facing vulnerabilities in this thing, but I don't want to spend another 5 minutes looking.

efnorOP10y ago

Judging by the code, everything that goes into the database is a Base64 encoded. Where do you see a buffer overflow?

willvarfar10y ago

Long URLs make it crash. Really. Just try and put in a very long URL...

https://github.com/riolet/longs/blob/master/longs.c#L238 looks like an example of a buffer overflow.

Etc.

1 more reply

tptacek10y ago

Look down one top-level comment on this thread. There's an extremely straightforward heap overflow exposed in simple request processing.

hueving10y ago

Dependent on what comes out of the DB, not what goes in.

1 more reply

0xdeadbeefbabe10y ago

Does anyone else think pslam is ruining the horror genre?

didip10y ago· 3 in thread

I respect the desire to work on low level language like C. Programmers should not be afraid of it.

But that said, building a proper HTTP stack is not trivial.

If you want to use C language, then why not create Nginx module?

Nginx already solved the hard problems:

* HTTP parser

* Distribute work via event loop on multiple workers

* Useful load balancing strategies (not as great as HAProxy, but i am satisfied with it)

* Serious effort in dealing with CVE

* Widely used and battle tested

Here's a fine guide on how to write Nginx module in C: http://www.evanmiller.org/nginx-modules-guide.html

AdamJacobMuller10y ago

https://kore.io/ is also a (very?) good C framework for this stuff. I don't know enough C to honestly evaluate that though.

didip10y ago

Thanks for sharing, I haven't heard about this framework.

tptacek10y ago

I disagree, and think that programmers should be very wary of C.

logicallee10y ago· 3 in thread

This is broken.

Here's the short url of http://news.ycombinator.com --> lon.gs/amk

Going to lon.gs/amk redirects me to an overstock.com address for a specific product.

The site doesn't appear to have been hacked, at least there's no affiliate link in the URL I was sent to. It just appears the site is broken.

longs10y ago

Thank you for raising this bug. We have fixed it.

cyphar10y ago

It looks like their "INSERT OR IGNORE" logic is broken, in that they don't properly retry if they ignored it.

Retr0spectrum10y ago

I noticed something similar. I think their id decoding/encoding may be buggy.

zoom662810y ago· 2 in thread

Some comments about comments and the code: 1. The URL shortener is just a demonstration of the framework being used. For a POC/MVP i would not expect it to be the most reliable code on the planet. Im ok with that. 2. The WAFer framework is great idea for bringing a very lite server and minimalist framework to certain devices. This has applications in SBC and IOT devices where all resources are at a premium. 3. Yes the C code might not be perfect but remove any github project that isnt perfect, secure and you wont have many left. The principle objective is 'get it out there' and let people like the other commenters have their input/opinion from which to make it better. 4. The concept and this lite implementation of the idea is hugely useful in certain use cases. Just like nginx is great for general purpose servers. This is almost a C implementation of Bottle for python. 5. nodesocket and chadscira seem to have gotten the point of this and given useful feedback to the authors (Im not one of them in case you were thinking that).

So to sum it up - a great post, excellent work with a tool that has a lot of potential for specific scenarios. When deploying if using things like Cloudfare Edge and giving it a bit of Productizing (my day job is as a Product Manager for a global ERP business) then this could be a hit (pun intended :-J ).

tptacek10y ago

The vulnerabilities found so far are in the framework, not in the application code. Those vulnerabilities are grave.

RubyPinch10y ago

I don't know whether "get it out there" is the right idea here

It feels more like a warning to avoid WAFer, as opposed to a good advertisement.

616c10y ago· 2 in thread

Perhaps I am the only one, but is anyone interested in the opposite direction, static site generator like CLI app to do short linking?

YOURLS was popular for a while, and I tried it, but I was concerned with running a not very popular PHP app even on shared hosting. At least Wordpress gets decent attention. I was worried of people compromising my own YOURLS instance against me.

http://www.cvedetails.com/vulnerability-list.php?vendor_id=1...

JonathonW10y ago

There's this, which is a script that manipulates Apache .htaccess to do short linking: http://lucasgonze.github.io/shurl/

No idea about equivalents for nginx, or something that could run on Github Pages (these would probably be the same, given that nginx doesn't have an equivalent to .htaccess out of the box).

616c10y ago

I am going to check out shurl, very interesting. It does sound familiar but I cannot remember why. Sometimes I see these things and forget to bookmark them later.

ryanlm10y ago· 2 in thread

I consider the fact that it is written in C a feature.

josteink10y ago

And now, reload this entire thread and check all the horrible bugs and security vulnerabilities this so called "feature" got you.

This is why you should never use C in networked code or when working with third-party data unless you absolutely bloody well have to: It's just too many ways to fuck up, and most programmers will.

ryanlm10y ago

You're forgetting something about networked code. At some layer of the stack it has to be written in C or assembly.

1 more reply

chadscira10y ago· 1 in thread

CloudFlare is a perfect companion for something like this because you can hard cache the redirects on their edges. I have a few services that run off tiny boxes, and just leverage CloudFlare free edge caching.

ianlevesque10y ago

And handle an HN influx better than many Wordpress sites.

nxzero10y ago· 1 in thread

Oddly, was hoping this was a way to turn URLs into long URLs; 2,083 characters if you want to support all the web clients.

nomel10y ago

There are many, like http://longurlmaker.com. I find http://shadyurl.com to be more useful in getting people to not click a link though.

alternize10y ago

hum. I tried to short "http://lon.gs" and then short the result again, now it redirects indefinitely... http://lon.gs/ack

1 more reply

kornish10y ago

Seems a bit buggy. I shortened "http://hello.com", it returned "lon.gs/akm", and I visited the shortened URL only to be redirected to https://codeandoando.com/integracion-continua-con-drone/.

1 more reply

BrainInAJar10y ago

Looks like the perfect way to turn URL's in to root shells on the hosting server

ryan-c10y ago

From https://www.reddit.com/r/C_Programming/comments/4p5ung/longs...

    $ curl -i http://lon.gs/abf
    HTTP/1.1 301 Moved Permanently
    Location: foo
    X-Evil-Header: evilvalue

there were also examples of XSS and data URIs.

(they claim to have fixed this elsewhere in the thread, but I guess some of the "evil" URLs still work)

nxzero10y ago

Shortened a URL, but service doesn't appear to redirect: http://lon.gs/akt

EDIT: Very strange, the redirect now goes to a URL I didn't enter... (http://www.sadfasdfasfdasdfsadfasd.com)

nodesocket10y ago

Seems great and performant, but not productized. Seems like things are hard-coded in the c code. For example...

What are the api endpoints? docs? Can you view a list of all shortened urls? Can you delete shortened urls?

Can you change the base domain of lon.gs?

vmarsy10y ago

the URL creation and the browsing of a short URL definitely works fast, I guess this being on the front page is a cheap way to verify if the C10k claims are true!

nine_k10y ago

Let's look at this project as a cautionary tale.

theseoafs10y ago

If there are any aspiring crackers looking to bring down their first site, this one should be easier than the average

ryanf32310y ago

This does not handle Microsoft office URL pre-fetching...and is written in C...

knicholes10y ago

Wasn't there something posted recently about urls that are too short are too easily guessed and that it's good to make sure that these short urls are longer?

cmdrfred10y ago

It seems pretty responsive.

efficax10y ago

Why would you write something like this in C anymore? If you really need it to have a tiny memory footprint, write it in rust. If you need it to be fast, but can handle a runtime taking care of memory management, write it in go. C is just asking for trouble anymore.

ratsimihah10y ago

this made my URL longer :/ lon.gs/ae9

j / k navigate · click thread line to collapse

95 comments

72 comments · 26 top-level

mwcampbell10y ago· 10 in thread

I'm surprised there's still any interest in standalone URL shorteners. Didn't Twitter make them obsolete when it implemented its own?

greglindahl10y ago

Because URL shorteners are ticking timebombs, ArchiveTeam has a project to get as many of the links as possible into the Wayback Machine:

http://www.archiveteam.org/index.php?title=URLTeam

rsync10y ago

We[1] just launched a new shortener and it supports URLs.

That's worth something to some people.

[1] Oh By, Inc.

[2] https://0x.co/examples.html

[3] https://0x.co/hnfaq.html

hk__210y ago

> The reason there's room for this is that our URL shortening function has no ads, no third party tracking, no bloat ... no dark patterns.

But it’s still a closed, proprietary database and there’s no way to decode an “Oh By Code” if the service goes down, which is the disadvantage number one you have with URL shorteners.

> The real utility are the easily recognizable codes, prefixed with "0x".

2 more replies

ryan-c10y ago

I run my own so I can have control and have shorter URLs than available with public shorteners. I generally use it in presentations I do.

jdboyd10y ago

I used to run a public one but it was getting abused for spam so I stopped.

jjnoakes10y ago

Reason number 37 why URL shortened are bad. They can disappear and all URLs become invalid.

tropicalmug10y ago

hk__210y ago

And when your URL shortener goes down, all links are dead. Shortening URLs is the last thing you want to do when you need to preserve pages that might go down. Caching is a better solution.

1 more reply

vidarh10y ago

There are many reasons, but the biggest one is simply tracking/analytics for links that don't lead to your own servers.

pessimizer10y ago

TinyURL was established in 2002, Twitter in 2006.

tptacek10y ago· 6 in thread

The C code in the "framework" this thing uses is pretty scary; grep for MAX_BUFFER_SIZE, malloc, strcpy, &c. The header parsing in particular.

q3k10y ago

Agreed.

    q3k@nihilism ~/Projects/longs $ python2 -c "print 'GET / HTTP/1.1.\r\n' + 'a'*2000 + '\r\n\r\n'" | nc 127.0.0.1 1337

    q3k@nihilism ~/Projects/longs $ PORT=1337 ./longs
    *** Error in `./longs': free(): invalid next size (normal): 0x000000000155a5f0 ***
    ...

Sounds like a fun heap exploitation challenge. Almost CTF-like.

EDIT: It also throws a whole bunch of warning when compiling. [moved this here from the first line after child post mention]

longs10y ago

Thank you for raising this issue. We're currently working on fixing this. Here's the issue on the [tracker](https://github.com/riolet/longs/issues/6).

ryanlm10y ago

That's not a warning. That's a runtime error.

1 more reply

msbarnett10y ago

cool, a capture the aws instance contest! (/s)

toomanybeersies10y ago

May I ask what's wrong with malloc?

I don't have much experience with C outside of embedded systems, so my security practices in C are probably less than ideal for PC/server based code.

tptacek10y ago

andrew372610y ago· 6 in thread

Website seems down (connection refused). Did you use any network library (aside from native, I mean)?

tux310y ago

Note that if you have an extension like HTTPS Everywhere, you might have to disable it. At least I could only connect to plain HTTP.

andrew372610y ago

Thanks, didn't think of that!

tcdent10y ago

Is the website actually the URL shortener, or some other stack? I think it's highly unlikely HN just C10K'd them.

fideloper10y ago

t2.nano has CPU credits, they may have gotten spent and we're now seeing the results of throttling (limit on % cpu allowed to use)

chadscira10y ago

Well it is entirely possible that a single HN user C10K'd them

andrew372610y ago

seems more like it just wasn't accessible using https (http works just fine).

colemickens10y ago· 5 in thread

q3k10y ago

This code is more than a bit scary. This code is of very poor quality, is very poorly documented and has numerous (I'm pretty confident that they're exploitable, too) bugs.

It really isn't a project that I'd recommend to anyone, unless I wanted a shell on their machine. I'm quite distraught that it is getting this many (seemingly blind) upvotes.

Retr0spectrum10y ago

On the subject of code quality:

https://www.reddit.com/r/C_Programming/comments/4p5ung/longs...

(After a few minutes of poking)

hoov10y ago

ryanlm10y ago

Can you define shell? Do you mean you can get a bash shell from an exploit in this code?

1 more reply

aphextron10y ago

but...but.. it's in C!

pslam10y ago· 5 in thread

Looking at the coding patterns used in the C source, I am utterly horrified this is running live on a public facing website.

efnorOP10y ago

Judging by the code, everything that goes into the database is a Base64 encoded. Where do you see a buffer overflow?

willvarfar10y ago

Long URLs make it crash. Really. Just try and put in a very long URL...

https://github.com/riolet/longs/blob/master/longs.c#L238 looks like an example of a buffer overflow.

Etc.

1 more reply

tptacek10y ago

Look down one top-level comment on this thread. There's an extremely straightforward heap overflow exposed in simple request processing.

hueving10y ago

Dependent on what comes out of the DB, not what goes in.

1 more reply

0xdeadbeefbabe10y ago

Does anyone else think pslam is ruining the horror genre?

didip10y ago· 3 in thread

I respect the desire to work on low level language like C. Programmers should not be afraid of it.

But that said, building a proper HTTP stack is not trivial.

If you want to use C language, then why not create Nginx module?

Nginx already solved the hard problems:

* HTTP parser

* Distribute work via event loop on multiple workers

* Useful load balancing strategies (not as great as HAProxy, but i am satisfied with it)

* Serious effort in dealing with CVE

* Widely used and battle tested

Here's a fine guide on how to write Nginx module in C: http://www.evanmiller.org/nginx-modules-guide.html

AdamJacobMuller10y ago

https://kore.io/ is also a (very?) good C framework for this stuff. I don't know enough C to honestly evaluate that though.

didip10y ago

Thanks for sharing, I haven't heard about this framework.

tptacek10y ago

I disagree, and think that programmers should be very wary of C.

logicallee10y ago· 3 in thread

This is broken.

Here's the short url of http://news.ycombinator.com --> lon.gs/amk

Going to lon.gs/amk redirects me to an overstock.com address for a specific product.

The site doesn't appear to have been hacked, at least there's no affiliate link in the URL I was sent to. It just appears the site is broken.

longs10y ago

Thank you for raising this bug. We have fixed it.

cyphar10y ago

It looks like their "INSERT OR IGNORE" logic is broken, in that they don't properly retry if they ignored it.

Retr0spectrum10y ago

I noticed something similar. I think their id decoding/encoding may be buggy.

zoom662810y ago· 2 in thread

tptacek10y ago

The vulnerabilities found so far are in the framework, not in the application code. Those vulnerabilities are grave.

RubyPinch10y ago

I don't know whether "get it out there" is the right idea here

It feels more like a warning to avoid WAFer, as opposed to a good advertisement.

616c10y ago· 2 in thread

Perhaps I am the only one, but is anyone interested in the opposite direction, static site generator like CLI app to do short linking?

http://www.cvedetails.com/vulnerability-list.php?vendor_id=1...

JonathonW10y ago

There's this, which is a script that manipulates Apache .htaccess to do short linking: http://lucasgonze.github.io/shurl/

No idea about equivalents for nginx, or something that could run on Github Pages (these would probably be the same, given that nginx doesn't have an equivalent to .htaccess out of the box).

616c10y ago

I am going to check out shurl, very interesting. It does sound familiar but I cannot remember why. Sometimes I see these things and forget to bookmark them later.

ryanlm10y ago· 2 in thread

I consider the fact that it is written in C a feature.

josteink10y ago

And now, reload this entire thread and check all the horrible bugs and security vulnerabilities this so called "feature" got you.

This is why you should never use C in networked code or when working with third-party data unless you absolutely bloody well have to: It's just too many ways to fuck up, and most programmers will.

ryanlm10y ago

You're forgetting something about networked code. At some layer of the stack it has to be written in C or assembly.

1 more reply

chadscira10y ago· 1 in thread

ianlevesque10y ago

And handle an HN influx better than many Wordpress sites.

nxzero10y ago· 1 in thread

Oddly, was hoping this was a way to turn URLs into long URLs; 2,083 characters if you want to support all the web clients.

nomel10y ago

There are many, like http://longurlmaker.com. I find http://shadyurl.com to be more useful in getting people to not click a link though.

alternize10y ago

hum. I tried to short "http://lon.gs" and then short the result again, now it redirects indefinitely... http://lon.gs/ack

1 more reply

kornish10y ago

Seems a bit buggy. I shortened "http://hello.com", it returned "lon.gs/akm", and I visited the shortened URL only to be redirected to https://codeandoando.com/integracion-continua-con-drone/.

1 more reply

BrainInAJar10y ago

Looks like the perfect way to turn URL's in to root shells on the hosting server

ryan-c10y ago

From https://www.reddit.com/r/C_Programming/comments/4p5ung/longs...

    $ curl -i http://lon.gs/abf
    HTTP/1.1 301 Moved Permanently
    Location: foo
    X-Evil-Header: evilvalue

there were also examples of XSS and data URIs.

(they claim to have fixed this elsewhere in the thread, but I guess some of the "evil" URLs still work)

nxzero10y ago

Shortened a URL, but service doesn't appear to redirect: http://lon.gs/akt

EDIT: Very strange, the redirect now goes to a URL I didn't enter... (http://www.sadfasdfasfdasdfsadfasd.com)

nodesocket10y ago

Seems great and performant, but not productized. Seems like things are hard-coded in the c code. For example...

What are the api endpoints? docs? Can you view a list of all shortened urls? Can you delete shortened urls?

Can you change the base domain of lon.gs?

vmarsy10y ago

the URL creation and the browsing of a short URL definitely works fast, I guess this being on the front page is a cheap way to verify if the C10k claims are true!

nine_k10y ago

Let's look at this project as a cautionary tale.

theseoafs10y ago

If there are any aspiring crackers looking to bring down their first site, this one should be easier than the average

ryanf32310y ago

This does not handle Microsoft office URL pre-fetching...and is written in C...

knicholes10y ago

Wasn't there something posted recently about urls that are too short are too easily guessed and that it's good to make sure that these short urls are longer?

cmdrfred10y ago

It seems pretty responsive.

efficax10y ago

ratsimihah10y ago

this made my URL longer :/ lon.gs/ae9

j / k navigate · click thread line to collapse