Implementing a web server in a single printf() call (2014)

https://tinyhack.com/2014/03/12/implementing-a-web-server-in-a-single-printf-call/

80•nateb2022•4w ago

Comments

gnabgib•4w ago

Discussion at the time (181 points, 39 comments) https://news.ycombinator.com/item?id=7389623

ori_b•3w ago

OpenBSD has removed the format specifier that makes this possible, for hopefully obvious reasons.

josefx•3w ago

Was the thought process: "Anything involving C string handling is fundamentally security hostile, lets fix it by breaking %n!"

trashb•3w ago

Can you elaborate on the statement "Anything involving C string handling is fundamentally security hostile"?

lou1306•3w ago

As soon as you forget (or your adversary manages to delete) an \0 at the end of any string, you may induce buffer overflows, get the application to leak secrets, and so on. Several standard library functions related to strings are prone to timing attacks, or have weird semantics that may expose you to attack. If you roll your own security-related functions (typical example: a scrubber for strings that hold secrets), you need to make sure these do not get optimised away by the compiler.

There's an awful lot of pitfalls and footguns in there.

trashb•3w ago

I thought you meant a hello world or similar program only handling strings would be fundamentally insecure but rather you mean that it is hard to write secure code with C strings.

There are indeed a lot of pitfalls and footguns in C in general but I would argue that has more to do with c's memory focused design. I always feel like C strings are a bit of an afterthought but it does confirm well with the C design. Perhaps it is more so a syntax issue where the memory handling of strings is quite abstracted and not very clear to the programmer.

lou1306•3w ago

> I thought you meant a hello world or similar program only handling strings would be fundamentally insecure but rather you mean that it is hard to write secure code with C strings.

Disclaimer: I am not the author of the comment, and honestly I am more than happy if OpenBSD broke %n in printf because it looks awful from a security standpoint.

> you mean that it is hard to write secure code with C strings.

Indeed I do :) It is possible to write a "secure" hello world program in C; the point is that both the language and the standard library make it exceedingly easy to slip in attack vectors when you deal with strings in any serious capacity.

tom_•3w ago

It is the only one that actually writes to memory. It's occasionally convenient, but it's also largely unnecessary: the caller can typically make multiple calls to printf, for example, noting the return value for each one. Or use strlen and fputs. And so on.

The C11 printf_s functions don't support it at all, so it's clearly already on the naughty list even from the standard's perspective.

X said it would give $1M to a user who had previously shared racist posts

155M US land parcel boundaries

Private Inference

Font Rendering from First Principles

Show HN: Seedance 2.0 AI video generator for creators and ecommerce

Wally: A fun, reliable voice assistant in the shape of a penguin

Rewriting Pycparser with the Help of an LLM

Lobsters Vibecoding Challenge

E-Commerce vs. Social Commerce

Avoiding Modern C++ – Anton Mikhailov [video]

Show HN: AegisMind–AI system with 12 brain regions modeled on human neuroscience

Zig – Package Management Workflow Enhancements

AI-powered text correction for macOS

AppSecMaster – Learn Application Security with hands on challenges

Fibonacci Number Certificates

AI Overviews are killing the web search, and there's nothing we can do about it

City skylines need an upgrade in the face of climate stress

1979: The Model World of Robert Symes [video]

Satellites Have a Lot of Room

1980s Farm Crisis

Show HN: FSID - Identifier for files and directories (like ISBN for Books)

Show HN: Holy Grail: Open-Source Autonomous Development Agent

Show HN: Minecraft Creeper meets 90s Tamagotchi

Show HN: Termiteam – Control center for multiple AI agent terminals

The only U.S. particle collider shuts down

Ask HN: Why do purchased B2B email lists still have such poor deliverability?

Show HN: Remotion directory (videos and prompts)

Portable C Compiler

Show HN: Kokki – A "Dual-Core" System Prompt to Reduce LLM Hallucinations

Software Engineering Transformation 2026