src/server/safs/cgiutils.c

Fri, 30 Dec 2016 19:43:41 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Fri, 30 Dec 2016 19:43:41 +0100
changeset 143
6bf5d2f37425
parent 141
ff311b63c3af
child 145
1c93281ca4bf
permissions
-rw-r--r--

fixes some acl safs

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 *
 * THE BSD LICENSE
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions are met:
 *
 * Redistributions of source code must retain the above copyright notice, this
 * list of conditions and the following disclaimer. 
 * Redistributions in binary form must reproduce the above copyright notice, 
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution. 
 *
 * Neither the name of the  nor the names of its contributors may be
 * used to endorse or promote products derived from this software without 
 * specific prior written permission. 
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER 
 * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

// code from open webserver
// safs/cgi.cpp

#include "cgiutils.h"

#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>

#include "../util/util.h"
#include "../util/pblock.h"
#include "../daemon/protocol.h"


//-----------------------------------------------------------------------------
// Macros
//-----------------------------------------------------------------------------

#define CGI_VERSION "CGI/1.1"

// CGI env sizing
#define MAX_CGI_COMMON_VARS      23
#define MAX_CGI_SPECIFIC_VARS    10
#define MAX_CGI_CLIENT_AUTH_VARS 64

//-----------------------------------------------------------------------------
// cgi_parse_query
//-----------------------------------------------------------------------------

int cgi_parse_query(char **argv, int n, char *q)
{
    int i = 0;

    for (;;) {
        // Parse an arg from the query string
        char *arg = q;
        while (*q != ' ' && *q != '\0')
            q++;

        // Caller must ensure argv[] is appropriately sized
        WS_ASSERT(i < n);
        if (i >= n)
            return -1;

        // Escape any shell characters (does a MALLOC on our behalf)
        char c = *q;
        *q = '\0';
        argv[i] = util_sh_escape(arg);
        *q = c;

        // Unescape this arg, bailing on error
        if (!argv[i] || !util_uri_unescape_strict(argv[i]))
            return -1;

        // We successfully parsed another arg
        i++;

        // We're done when we hit the end of the query string
        if (*q == '\0')
            break;

        q++;
    }

    return i;
}

//-----------------------------------------------------------------------------
// cgi_create_argv
//-----------------------------------------------------------------------------

char **cgi_create_argv(const char *program, const char *script, const char *query)
{
    int nargs = 1;

    // The script name, if any, will be argv[1]
    if (script)
        nargs++;

    // Turn '+' into ' ' in query string, counting the number of arg as we go
    char *qargs = NULL;
    if (query && !strchr(query, '=')) {
        qargs = STRDUP(query);
        if (!qargs)
            return NULL;
        nargs++;
        for (char *t = qargs; *t; t++) {
            if (*t == '+')
                *t = ' ';
            if (*t == ' ')
                nargs++;
        }
    }

    // Allocate the argv[] array, leaving room for the trailing NULL
    char **argv = (char **) MALLOC((nargs + 1) * sizeof(char *));
    if (!argv)
        return NULL;

    int i = 0;

    // Set argv[0] to the program name
    argv[i] = STRDUP(program);
    i++;

    // Set argv[1] to the script name
    if (script) {
        argv[i] = STRDUP(script);
        i++;
    }

    // Parse the query string into argv[]
    if (qargs) {
        int n = cgi_parse_query(&argv[i], nargs - i, qargs);
        if (n > 0)
            i += n;
    }

    // Mark end of argv[]
    argv[i] = NULL;

    return argv;
}

//----------------------------------------------------------------------------
// cgi_get_request_uri
//----------------------------------------------------------------------------

char* cgi_get_request_uri(Request *req)
{
    // Extract the encoded URI from the request line if possible
    char *clf_request = pblock_findkeyval(pb_key_clf_request, req->reqpb);
    if (clf_request) {
        // Find the beginning of the method
        char *method = clf_request;
        while (*method && isspace(*method))
            method++;

        // Skip over the method
        char *uri = method;
        while (*uri && !isspace(*uri))
            uri++;

        // Find the beginning of the URI
        while (*uri && isspace(*uri))
            uri++;

        // Find the end of the URI
        char *end = uri;
        while (*end && !isspace(*end)) 
            end++;

        // Make a copy of the uri
        int len = end - uri;
        char* request_uri = (char*) MALLOC(len+1);
        memcpy(request_uri, uri, len);
        request_uri[len] = '\0';

        return request_uri;
    }

    // No request line.
    return NULL;
}

//-----------------------------------------------------------------------------
// cgi_specific_vars
//-----------------------------------------------------------------------------

char** cgi_specific_vars(Session *sn, Request *rq, const char *args,
                         char** env, int scriptVars)
{
    int y;
    register pblock *pb;
    char c, *t, *u;

    pb = rq->reqpb;

    int x;
    env = util_env_create(env, MAX_CGI_SPECIFIC_VARS, &x);
    env[x++] = util_env_str("GATEWAY_INTERFACE", CGI_VERSION);

    // Added error check for missing request information.
    t = pblock_findval("protocol", pb);
    if (t == NULL) {
        log_ereport(LOG_FAILURE, "cgi_specific_vars", "missing \"protocol\" in rq->reqpb");
        return NULL;
    }
    env[x++] = util_env_str("SERVER_PROTOCOL", t);

    t = pblock_findval("method", pb);
    if (t == NULL) {
        log_ereport(LOG_FAILURE, "cgi_specific_vars", "missing \"request method\" in rq->reqpb");
        return NULL;
    }
    env[x++] = util_env_str("REQUEST_METHOD", t);

    if (args)
        env[x++] = util_env_str("QUERY_STRING", args);

    // set REQUEST_URI
    if (rq->orig_rq) {
        t = cgi_get_request_uri(rq->orig_rq);
    } else {
        t = cgi_get_request_uri(rq);
    }
    if (t) {
        env[x++] = util_env_str("REQUEST_URI", t);
        FREE(t);
    }

    if (scriptVars) {
        t = pblock_findval("uri", pb);

        /* Simulate CGI URIs by truncating path info */
        if ((u = pblock_findval("path-info", rq->vars))) {
            y = strlen(t) - strlen(u);
            if (y >= 0) {
                c = t[y];
                t[y] = '\0';
            }
            env[x++] = util_env_str("SCRIPT_NAME", t);
            if (y >= 0) {
                t[y] = c;
            }

            env[x++] = util_env_str("PATH_INFO", u);
            
            // TODO
            /*
            if((t = INTservact_translate_uri2(u, sn, rq))) {
                env[x++] = util_env_str("PATH_TRANSLATED", t);
                // keep path-translated in rq->vars since we may need it
                // during fastcgi processing
                pblock_nvinsert("path-translated", t, rq->vars);
                FREE(t);
            }
            */
        } else {
            env[x++] = util_env_str("SCRIPT_NAME", t);
        }

        if ((t = pblock_findval("path", rq->vars)))
            env[x++] = util_env_str("SCRIPT_FILENAME", t);
    }

    env[x] = NULL;
    return env;
}

//-----------------------------------------------------------------------------
// cgi_common_vars
//-----------------------------------------------------------------------------

char** cgi_common_vars(Session *sn, Request *rq, char **env) 
{    
    char *t;
    int x;

    env = util_env_create(env, MAX_CGI_COMMON_VARS, &x);

    /*
    if (!_env_initialized) cgi_env_init();
    if (_env_path) env[x++] = util_env_str("PATH", _env_path);
    if (_env_tz) env[x++] = util_env_str("TZ", _env_tz);
    if (_env_lang) env[x++] = util_env_str("LANG", _env_lang);
    if (_env_ldpath) env[x++] = util_env_str(LIBRARY_PATH, _env_ldpath);
    env[x++] = util_env_str("SERVER_SOFTWARE", PRODUCT_HEADER_ID"/"PRODUCT_VERSION_ID);
    */ // TODO: enable

    //NSString srvName, portStr;
    //char buf1[256], buf2[64];
    //srvName.useStatic(buf1, sizeof(buf1), 0); 
    //portStr.useStatic(buf2, sizeof(buf2), 0); 
    //GetServerHostnameAndPort(*rq, *sn, srvName, portStr);
    char *scheme;
    char *host;
    uint16_t port;
    http_get_scheme_host_port(sn, rq, &scheme, &host, &port);
    char portstr[8];
    snprintf(portstr, 8, "%" PRIu16, (int)port);
    env[x++] = util_env_str("SERVER_PORT", portstr);
    env[x++] = util_env_str("SERVER_NAME", host);
    
    //t = http_uri2url_dynamic("","",sn,rq);
    //env[x++] = util_env_str("SERVER_URL", t);
    //FREE(t);

    char *ip;
    ip = pblock_findval("ip", sn->client);
    t = session_dns(sn);
    env[x++] = util_env_str("REMOTE_HOST", (t ? t : ip));
    env[x++] = util_env_str("REMOTE_ADDR", ip);

    if((t = pblock_findval("auth-user", rq->vars))) {
        env[x++] = util_env_str("REMOTE_USER", t);
         if((t = pblock_findval("auth-type", rq->vars))) {
             env[x++] = util_env_str("AUTH_TYPE", t);
        }
        if((t = pblock_findval("auth-userdn", rq->vars))) {
            env[x++] = util_env_str("REMOTE_USERDN", t);
        }
    }
    if((t = pblock_findval("password-policy", rq->vars))) {
        /* chrisk made up this variable name */
        env[x++] = util_env_str("PASSWORD_POLICY", t);
    }

    // Handle Apache ErrorDocument-style variables from the send-error SAF
    if (rq->orig_rq != rq) {
        if ((t = pblock_findval("uri", rq->orig_rq->reqpb))) {
            env[x++] = util_env_str("REDIRECT_URL", t);
        }
        if ((t = pblock_findval("status", rq->orig_rq->srvhdrs))) {
            env[x++] = util_env_str("REDIRECT_STATUS", t);
        }
    }

    if(sn->ssl) {
        env[x++] = util_env_str("HTTPS", "ON");
    }
    
#if 0
    if (GetSecurity(sn)) {
        env[x++] = util_env_str("HTTPS", "ON");

        if (t = pblock_findval("keysize", sn->client))
            env[x++] = util_env_str("HTTPS_KEYSIZE", t);

        if (t = pblock_findval("secret-keysize", sn->client))
            env[x++] = util_env_str("HTTPS_SECRETKEYSIZE", t);

        t = pblock_findval("ssl-id", sn->client);
        env[x++] = util_env_str("HTTPS_SESSIONID", t ? t : (char *)"");

        unsigned char random_bytes[NUM_RANDOM_BYTES + 2];
        char random_string[NUM_RANDOM_BYTES*2 + 2];
        PK11_GenerateRandom(random_bytes, NUM_RANDOM_BYTES);

        int i;
        for(i = 0; i < NUM_RANDOM_BYTES; i++)  {
            sprintf(&random_string[i*2], "%02x", 
                    (unsigned int)(random_bytes[i] & 0xff));
        }
        random_string[NUM_RANDOM_BYTES*2] = '\0';
        env[x++] = util_env_str("HTTPS_RANDOM", random_string);

    } else {
        env[x++] = util_env_str("HTTPS", "OFF");
    }
#endif

    env[x] = NULL;

    //env = cgi_client_auth_vars(sn, rq, env); // TODO: enable

    return env;
    
}

mercurial