Talk:Wii Web Server

From WiiBrew
Jump to navigation Jump to search

My quality assurence

Rest assured that I will be merciless when doing quality assurements on this one. Don't expect to get any cheats by me, you better be designing a proper structure. While I am fine with c, I do recommend c++. By the way, I checked the CVS (Personally I suggest that you upgrade to SVN instead of CVS, SF got both and they are equally easy to work with, SVN just is better) repo and while I sure didn't have any high expectations, I wasn't stunned. Better get something neat done. Oh yeah, just for a challenge, see if you can write a PHP SAPI for the service while you are at it, it's easier than you expect.--henke37 10:46, 4 June 2008 (PDT)

Seriously, I checked out the progress and I am not enjoying it. Get a grip! No sleeping during the program! No infinite recursion! No random while loops! Write a real request parser! And stop with the hardcoded reply headers. It is one thing to make a POC, but that stage is past now, time to start working for real. Also, go learn threading, a http service just can't be single threaded.--henke37 01:56, 5 June 2008 (PDT)
Cut me some slack, this is my first proper C project, i know so little C that everytime i do somthing i have to google it. Everything that has been done is meant to be functional, not pretty. There are no wrong ways to code, just finding a way that works. I have been coding it for a week, for about and hour daily, so thats about 7 hours to get this far. Be patient, the request parser is in the works. The sleeping has to be there for the HTTP sending to work without the socket closing before its has finished being sent, if its not there then the browser complains about loss of connection. This was never means to be a massive serious project, just a way to learn C that turned out better than expected. :-P Cboomf 02:02, 5 June 2008 (PDT)
I am deeply sorry that I've been so harsh. I now see that you are honestly trying your best. I think that you are making progress. Please don't think that all I do is to make harsh comments, I am happy to assist if you chat me up on IRC. I promise to cut you some slack.--henke37 12:50, 6 June 2008 (CEST)
Much appreciated henke37 Cboomf 18:44, 6 June 2008 (CEST)

Time for some constructive criticism

I think I see a negative pattern in your code. Do not make a new function for each page. Make a generic function that you call with different parameters. Like a struct or object with a bunch of fields that represent the request. And do not do any infinite recursion. Do infinite loops, not recursion.--henke37 09:56, 8 June 2008 (CEST)


Please abstract things a bit more. No stupid globals, and seriously, get rid of the infinite recursion. Also, I hope that you understand how extremely likely it is for a file to not be found. Send proper 404 responses instead of being open for a single hit DOS attack. Also, start using threading now, a single thread just does not do for a multi user service.--henke37 00:11, 9 June 2008 (CEST) Once i have the file size sorted (i.e allow files larger than 4KB), then 404 and threading are on the cards cos only then will this start being any use Cboomf 20:22, 10 June 2008 (CEST)


I see that you are making progress nicely. Here is a few issues that I noticed:

  • Indention issues, try just writing it like "else if" and don't add any extra indention, it keeps the indention level sane when having a lot of conditions.
  • 500 pages uses 404 lenghts
  • Fixing of folders to index.html is hardcoded and not heuristic and will fail for sub-directories.
  • Directory traversal vulnerabilities allows people to sneak out of the web root. Ops, now people can "borrow" all those "borrowed" games you also happen to have on the sd-card.

And here is a few ideas (hurry slow and all that):

  • Add a way to add directory aliases
  • Add the capability to use the Range header
  • Add support for the cache control headers (please read the RFC before doing these)
  • Add access control features.
  • Eventually, it could be neat to have vhost support
  • It could be neat to have SSL support
  • There is no cool control interface on the tv.

--henke37 21:51, 28 June 2008 (CEST)


Misc bugs today, no show stoppers this time.

  • Directories without an ending / is not redirected to the same url, but with a slash
  • There is no directory listing if there is no index.html
  • Request specific info is stored in globals (not safe for multi threading in the future)
  • Exact server version is not in the http reply headers
  • Connections is not timed out if the client doesn't make any requests
  • Date header is hardcoded to the past.

Misc suggestions (easy too):

  • Custom error pages
  • The ability to turn off the builtin pages so that they can be replaced

--henke37 15:24, 2 July 2008 (CEST)


From suggestions:

  • In the works ;-)
  • Most have now been removed, the only one to stay is the favicon and error pages

Cboomf 19:38, 14 July 2008 (CEST)


Today I just have a few updates to the mime type table.

--henke37 10:58, 3 July 2008 (CEST)

Ok, I did find some minor bugs:

  • HEAD requests may not have any reply body, no matter the reply code.
  • Url encoding decoding is more or less incomplete. Space is not the only thing that can be encoded with the percent sign. Btw, the Plus sign also stands for a space.

--henke37 11:09, 3 July 2008 (CEST)

  • The mimetypes are taken from this mime table
  • HEAD requests don't send the body anyway
  • %20 is the most common on, others will be added later

Cboomf 19:36, 14 July 2008 (CEST)

Trust me on this one, I used THE authoritative source for mime types, the very organization that defines them, I am correct about it. I even cited it!

And you are violating the RFC about the HEAD requests, you are sending the error pages even for head requests. You are explicitly forbidden from doing that. Here is a better algorithm: Use a buffer(preferably smarter than a fixed size char[]) to store the reply body in all cases. Then at the final stage, send the body specific headers, like the length of it. Finally, send the buffer, if it should be sent. This follows the spirit of the HEAD requests, do everything as normal, except for sending the body.--henke37 01:49, 15 July 2008 (CEST)


I like that you added a password feature, but I have some comments about it.

  • Don't put the password in the url, urls leaks easily.
  • Don't violate the concept of safe requests, use some other request method, like POST to perform the action.
  • There is a slight spoofing issue if you hardcode a path to use fat0:, since it is like the active drive in windows, change it and all old commands changes. Keep it in the mind for the future.
  • It does not help if you backup the pointer to the string, strtok changes the actual string. Luckily there is no harm, this time.

--henke37 11:56, 12 July 2008 (CEST)

  • If i can find a way to do base64 decoding then the password can be taken out the URL and be entered at the prompt
  • POST wont be needed if base64 can be done
  • Don't understand :-(
  • Oooops my bad

Cboomf 19:35, 14 July 2008 (CEST)

You don't get it, a safe request is a request that the user doesn't need to authorize manually. What if a prefetching application used the link? If it did something bad, you just violated the requirement about safe requests.

About the spoofing issue, remmeber how fat0: works, it is an alias to the last used drive. What if someone used the usb drive last time? Now it would look for the password on the usb drive when it's suposed to be on the SD card. (The opposite is possible too.) My point is that you should explitly name the device that you want to use.--henke37 01:40, 15 July 2008 (CEST)


Where do the HTML files go? Just trying to do some of my own home theater testing ideas with this. Also, what does this use? Apache etc. type of thing. Pinball wizard 21:16, 7 June 2008 (CEST)

Until alpha v0.4, you can't use your own html files, (well, you can, sort of, but its not recommended and might not work) and it uses my own code, not apache or anything Cboomf 22:23, 7 June 2008 (CEST)
Thanks, I'm going to use tis later on today. Time to start home theatering remotely.
Alpha v0.4 only lets html be loaded, but in alpha v0.5 any file type is planned Cboomf 17:23, 8 June 2008 (CEST)
Any file type (listed on main page) and of any size can now be sent Cboomf 10:07, 26 June 2008 (CEST)



I like the progress of your web server, I think its coming along nicely. I do not know if it is a hard thing to do but would it be possible to implement PHP?

PHP is designed to be easy to add to servers. You just need to call less than 10 functions. One to init the engine, one to init the request, one to set the callback for the output headers, one to close the request and one to close the engine.--henke37 23:24, 22 June 2008 (CEST)
Yeah, the header part is going to be the killer here. This project just does not do the headers at all. It just has them hardcoded. Btw, for those who want to give this a shot, look at the SAPI folder in the PHP sources, you need to create one folder like those.--henke37 23:33, 22 June 2008 (CEST)
Can you provide a link, i have no idea where they are Cboomf
Here in the php cvs repo.--henke37 19:06, 24 June 2008 (CEST)
PHP itself is useless. To use PHP someone has to port the PHP application including most of the common modules and its dependencies. Bugs in those libraries (and/or your php application or the webserver itself) may allow crackers and scriptkiddies to execute code on your Wii and to actually brick it. Tempory files would have to be stored on a NAND memory (a SD card or the internal NAND) which would drastically reduce the lifetime of this memory. A implementation of php causes a lot of significant problems but has nearly no benefit.
You can use GNU Make + PHP (or XML and XSLT etc.) to easily create a whole bunch of static web pages which use shared data (header, footer, menus etc.) and/or content from a database. -- Tz 20:07, 27 June 2008 (CEST)

Torrent Files?

I was looking at the supported files and I saw .torrent? What? When you put it on your Wii, will it DOWNLOAD .torrent files or what? If not, then what is the point of implementing it? TheDuck 07:54, 23 June 2008 (CEST)

It enables people to download torrents via torrent links... Pertmywert 08:32, 23 June 2008 (CEST)
It just allows .torrent files to be downloaded, is is not a torrent client or tracker Cboomf

quit function

i am just sharring my thoughts.

quote: To quit, type "//quit" at the end of the web-address, so - "192.168.0.X//quit", will now return to HBC

i think now your webserver is getting somewhat mature you should think about security for a moment. anyone being able to shut down a webserver from anywhere is a little bit of a security risk i think. there should at least be a username ans password, prefrebly a list of allowed ip (ranges) and maby sometime in the future an ssl implementation. usernames and passwords should not be hardcoded ofcourse, the xmllib is a good point to start a config file. "192.168.0.X//admin" could be a page to manage the webserver's functions (including the quit function). good luck on your project! Bitflusher 09:39, 23 June 2008 (CEST)

I am sure they know of the impact of the link. If you are so worried, take it out. Personally I think that there currently is bigger issues with the software. It still uses infinite recursion. This is no good. Even after a few thousand requests, it's going to run out of stack space.--henke37 12:29, 23 June 2008 (CEST)
I am working on a way to stop the infinite recursion, maybe using threading, maybe not sunce i have never used it. The //admin page is not a bad idea but would require a fair amount of work, maybe about in beta v0.1 (ish), so not soon anyway Cboomf
I like that you are working on it. But next time, don't forget to remove the loops too. Sure, they are not a problem. They just look stupid.--henke37 19:04, 24 June 2008 (CEST)
The loops are now removed and so is the infinite recursion Cboomf 22:36, 24 June 2008 (CEST)

Just a suggestion - I'd really like the ability to shut off the webserver (and/or the wii, both are very simple) from a remote computer, but of course I wouldn't want other people to be able to do it. Therefore: allow users to create a file somewhere on the SD card, probably the root directory, which contains a password which could be appended to the //quit - so to shut off the wii, for example, I might type There can't be a default password, of course, but this functionality would be really useful and easy to implement.

Thats a gd idea, expect to see it in v0.8 Cboomf 08:23, 12 July 2008 (CEST)
This has no been added in v0.76 Cboomf 11:05, 12 July 2008 (CEST)


I cant get mp3s working it gives me a cant find image, am I doing something wrong?Pebls123 22:29, 24 June 2008 (CEST)

Could you please provide more details :-) Cboomf 22:35, 24 June 2008 (CEST)
never mind,I got it working. Pebls123 05:54, 25 June 2008 (CEST)

I may be stupid. but how does this work?

when i load the application in HBC it starts and it says ready and then thats all. :S can someone explain me this?

You then open your web browser then dial in the wii's ip in the address bar and hey presto, there is no user interaction needed, to shut down you use http://192.168.0.X//quit as explained above, OK. It sets itself up on your network, then loads files from the front sd on request, all you have to do is browse it :D Cboomf 18:58, 25 June 2008 (CEST)

I waited for like 15 mins and it still says ready.

It should say ready all the time no pc has asked for a request Cboomf 20:09, 18 February 2009 (UTC)

Can someone tell how to look for music or video files?

I think not all of us know how this work, if there is someone with the time to do a simple list of instructions on how to write down or whatever it has to be done to look for a file, this program could become easier, so please anyone? Thanks.--Bushe777 03:37, 29 June 2008 (CEST)

I'm willing to assist you, if you make what you want clear. You want to know how to search for files... Files on your SD card? Pertmywert 13:17, 3 July 2008 (CEST)

A few feature suggestions

Autorestart every half hour to attempt to prevent memory leaks or the like (until it is stable enough)
Integrate FTPii (a lot later)
SD cards are somewhat small (especially with some ROMS, Quake, and files for Mplayer), how about adding USB flash drive/hard drive support?
I would but without patches the current support for usb flash or hdd's requires one to be pluggen in at boot, it not then the black screen of death appears Cboomf 10:10, 31 July 2008 (CEST)

ready for 30mins

I load wii web server and then it say ready for like 30mins. Is it bug? or something? someone please help me

its a web SERVER and so once an index page has been put in, you just navigate to your wii's ip from IE or firefox Cboomf 20:08, 18 February 2009 (UTC)

Can you connect out side your network?

Can you connect to your server on the Wii outside your local network with this?

Yep, you just need to know the IP your ISP has given you or set up a domain name redirect Cboomf 15:29, 19 September 2008 (UTC)

i have no idea what to do

ok i got the app and i put an index on it but it doesn't work. do i need to have a pc also for the app or will it work with the wii only as long as you have wifi

same answer as above Cboomf 20:08, 18 February 2009 (UTC)

directory listing

i am planning to build a website for our community. Any idea if there will be a directory listing?

Domstang68 19:59, 12 August 2009 (UTC)Domstang68

does NOT work with latest version of HBC or DVDX

I just connected up my wii and uppon starting HBC it said an update is available (my wii was online so it could tell). I updated it and it also asked if I wanted to install DVDX, and I allowed it, thinking it would let me backup may game disks to a computer via the FTP server I'd just installed as disk images, as well as play copies of my backups I'd burned. But it didn't and I can't figure out how to make it work. On Top of that a couple of my HBC bootable softwares will NOT work now. Among these is Wii Web Server. Please help me.