X-Git-Url: http://git.plutz.net/?p=cgilite;a=blobdiff_plain;f=cgi.sh;h=f79d41635746e19ce821700ec9fe80a8956913a0;hp=408201ff70b04ae869e9120cb90db19cfa8205db;hb=1a1d111199b770c092e1b16a7e03568d3d911b79;hpb=397e40b92e591ae9066dcabb414d8097555beea8 diff --git a/cgi.sh b/cgi.sh index 408201f..f79d416 100755 --- a/cgi.sh +++ b/cgi.sh @@ -1,6 +1,6 @@ #!/bin/zsh -# Copyright 2014,2015 Paul Hänsch +# Copyright 2014 - 2016 Paul Hänsch # # This file is part of shcgi. # @@ -17,6 +17,7 @@ # You should have received a copy of the GNU Affero General Public License # along with shcgi. If not, see . +unset _GET _POST _REF _COOKIE declare -A _GET declare -A _POST declare -A _REF @@ -33,10 +34,12 @@ printf '%s\n' "$QUERY_STRING" |tr '&' '\n' |while read query; do debug "_GET[$key] => $val" done -if [ "$REQUEST_METHOD" = POST ]; then +if [ "$REQUEST_METHOD" = POST -a "${HTTP_CONTENT_LENGTH:=$CONTENT_LENGTH}" -gt 0 ]; then # parse HTTP POST string debug "== CGI DATA: POST ==" - sed -u 1q |tr '&' '\n' |while read query; do + head -c "$HTTP_CONTENT_LENGTH" \ + | sed -un 's;&;\n;g; p; q' \ + | while read query; do key="$(printf %s "$query" |sed -r 's:^([\.a-zA-Z0-9_-]+)=(.*)$:\1:')" val="$(printf %s "$query" |sed -r 's:^([\.a-zA-Z0-9_-]+)=(.*)$:\2:')" value="$(printf "$(printf %s "$val" |sed 's:+: :g;s:\\:\\\\:g;s:%:\\x:g;')")" @@ -70,29 +73,62 @@ cgi_cookie() { # Parse GET data from referer done } +htmlsafe(){ + # escape HTML code from string + + printf %s "$*" \ + | sed 's;&;\&\;;g; + s;<;\<\;;g; + s;>;\>\;;g; + s;";\"\;;g; + s;/;\/\;;g; + s;'\'';\'\;;g;' +} + urlsafe(){ + # Code every character in URL escape hex format + # except alphanumeric ascii + printf %s "$*" \ - | sed 's;%;%25;g; - s;\?;%3f;g; - s;#;%23;g; - s;<;%3c;g; - s;>;%3e;g; - s;&;%26;g; - s;";%22;g; - s;'\'';%27;g;' + | hexdump -v -e '/1 ",%02X"' \ + | tr , % \ + | sed 's;%30;0;g; s;%31;1;g; s;%32;2;g; s;%33;3;g; s;%34;4;g; s;%35;5;g; + s;%36;6;g; s;%37;7;g; s;%38;8;g; s;%39;9;g; + s;%41;A;g; s;%42;B;g; s;%43;C;g; s;%44;D;g; s;%45;E;g; s;%46;F;g; + s;%47;G;g; s;%48;H;g; s;%49;I;g; s;%4A;J;g; s;%4B;K;g; s;%4C;L;g; + s;%4D;M;g; s;%4E;N;g; s;%4F;O;g; s;%50;P;g; s;%51;Q;g; s;%52;R;g; + s;%53;S;g; s;%54;T;g; s;%55;U;g; s;%56;V;g; s;%57;W;g; s;%58;X;g; + s;%59;Y;g; s;%5A;Z;g; + s;%61;a;g; s;%62;b;g; s;%63;c;g; s;%64;d;g; s;%65;e;g; s;%66;f;g; + s;%67;g;g; s;%68;h;g; s;%69;i;g; s;%6A;j;g; s;%6B;k;g; s;%6C;l;g; + s;%6D;m;g; s;%6E;n;g; s;%6F;o;g; s;%70;p;g; s;%71;q;g; s;%72;r;g; + s;%73;s;g; s;%74;t;g; s;%75;u;g; s;%76;v;g; s;%77;w;g; s;%78;x;g; + s;%79;y;g; s;%7A;z;g; s;%2D;-;g; s;%2E;.;g; s;%2F;/;g; s;%5F;_;g' } -htmlsafe(){ +attribsafe(){ + # Code every character in HTML escape hex format + # except alphanumerig ascii + printf %s "$*" \ - | sed 's;<;\<\;;g; - s;>;\>\;;g; - s;&;\&\;;g; - s;";\"\;;g; - s;'\'';\&apos\;;g;' + | iconv -f utf-8 -t utf32le \ + | hexdump -v -e '/4 "&#x%02X;"' \ + | sed 's;0\;;0;g; s;1\;;1;g; s;2\;;2;g; s;3\;;3;g; s;4\;;4;g; s;5\;;5;g; + s;6\;;6;g; s;7\;;7;g; s;8\;;8;g; s;9\;;9;g; + s;A\;;A;g; s;B\;;B;g; s;C\;;C;g; s;D\;;D;g; s;E\;;E;g; s;F\;;F;g; + s;G\;;G;g; s;H\;;H;g; s;I\;;I;g; s;J\;;J;g; s;K\;;K;g; s;L\;;L;g; + s;M\;;M;g; s;N\;;N;g; s;O\;;O;g; s;P\;;P;g; s;Q\;;Q;g; s;R\;;R;g; + s;S\;;S;g; s;T\;;T;g; s;U\;;U;g; s;V\;;V;g; s;W\;;W;g; s;X\;;X;g; + s;Y\;;Y;g; s;Z\;;Z;g; + s;a\;;a;g; s;b\;;b;g; s;c\;;c;g; s;d\;;d;g; s;e\;;e;g; s;f\;;f;g; + s;g\;;g;g; s;h\;;h;g; s;i\;;i;g; s;j\;;j;g; s;k\;;k;g; s;l\;;l;g; + s;m\;;m;g; s;n\;;n;g; s;o\;;o;g; s;p\;;p;g; s;q\;;q;g; s;r\;;r;g; + s;s\;;s;g; s;t\;;t;g; s;u\;;u;g; s;v\;;v;g; s;w\;;w;g; s;x\;;x;g; + s;y\;;y;g; s;z\;;z;g;' } redirect(){ - printf '%s\n\n' "Location: $*" + printf 'Status: 303 See Other\r\nLocation: %s\r\n\r\n' "$*" exit 0 } @@ -107,5 +143,5 @@ set_cookie(){ printf 'Set-Cookie: %s' "$cookie" [ -n "$expire" ] && printf '; Expires=%s' "$expire" [ $# -ge 3 ] && shift 2 && printf '; %s' "$@" - printf '\n' + printf '\r\n' }