Programming Homework 3 -- Mini-web server

The assignment is to write a mini-web server.  Much of the emphasis
-- and grade -- should be on the test cases you use to check its
security.

The server should listen on some port number -- you pick it; it can't
be port 80 because you're not running as root -- and read HTTP request.
My browser generated something that looked like this:

	GET / HTTP/1.1
	Host: gg1.cs.columbia.edu:8000
	User-Agent: Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.8.0.7) Gecko/20060915 Firefox/1.5.0.7
	Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
	Accept-Language: en-us,en;q=0.5
	Accept-Encoding: gzip,deflate
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
	Keep-Alive: 300
	Connection: keep-alive

terminated by a blank line when I pointed it at
http://gg1.cs.columbia.edu:8000 (I'll keep that server running, if you want
to run your own tests -- it's primary purpose is to demonstrate cookies).

The interesting thing for purposes of this assignment is the '/' on the
first line.  That's the path name to be retrieved, relative to the
"document root".  Read but ignore all other lines.

Your server should accept, on the command line, two parameters, a
document root -- the root of a file system subtree that you're serving --
and the port number you're listening on.  These have to be on the
command line, to facilitate testing by the TAs.

The output returned should be

	HTTP/1.0 200 OK
	Content-Type: text/html

a blank line, and then the contents of the file.  You're only required
to serve html files; don't worry about anything else.

The central requirement is to ensure that you serve *exactly* what
is supposed to be served: that subtree, and nothing more.  *Never*
return a file whose name starts with '.'.  If the requested file is
a directory and doesn't end in a /, return

	HTTP/1.0 301 Moved Permanently
	Location: directoryname_ending_with_/

For a directory whose name does end with /, look for a file named
index.html in that directory and return it.  If there is no such file,
return

	HTTP/1.0 404 Not Found
	Content-Type: text/html

	error html

You must check for strange URLs that are trying to trick the server,
including ones with strange characters, .., %xx where 'xx' are two
hex digits, etc.  You should return '403 Forbidden' for URLs you
want to reject.

VERY IMPORTANT: to protect files here, the *first thing* your program
*must do* when a connection is completed is to check the client's IP
address.  *IMMEDIATELY DROP* all connections from non-Columbia addresses.
The two address blocks to accept are 128.59.0.0/16 and 160.39.0.0.
If you need to use other client addresses for testing, you're welcome
to add them, but *only* as /32s, i.e., explicit IP addresses.  As I said,
this is *very important* -- any program that does not implement this check
as described will receive a grade of 0.

You should test with a web browser; you should also use more scripted
test data.  You may find the 'nc' command (also known as netcat) useful;
it's installed on the CLIC machines.

Document your test cases and the rationale for them.