X-Git-Url: https://git.plutz.net/?p=cgilite;a=blobdiff_plain;f=cgilite.sh;h=b47a3e2e683219b773af4383059a6701f2d44d46;hp=3212137e68bcb262b338256d29b29d952c3ca9d1;hb=9bb22561275a9ce0d5403a12fe7e8aeeeb2792e9;hpb=2509a90ca35ffada128256670abf1d5c315ef6ce diff --git a/cgilite.sh b/cgilite.sh index 3212137..b47a3e2 100755 --- a/cgilite.sh +++ b/cgilite.sh @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright 2017 - 2018 Paul Hänsch +# Copyright 2017 - 2021 Paul Hänsch # # This is CGIlite. # A collection of posix shell functions for writing CGI scripts. @@ -18,38 +18,114 @@ # You should have received a copy of the GNU Affero General Public License # along with CGIlite. If not, see . +[ -n "$include_cgilite" ] && return 0 +# guard set after webserver part + # ksh and zsh workaround # set -o posix # ksh, not portable setopt -o OCTAL_ZEROES 2>&- +# Integrated webserver request timeout +cgilite_timeout=2 + +# General environment variables +# $_EXEC - directory containing application itself +# $_DATA - direcotry where application data may be stored +# $_BASE - optional prefix for http path, e.g. "/myapp" +# +# Programmers should take care to use those variables throughout the +# application. +# Variables may be set via CLI argument, in environment, or left as default. + +for cgilite_arg in "$@"; do case $cgilite_arg in + --exec=*) _EXEC="${cgilite_arg#*=}";; + --data=*) _DATA="${cgilite_arg#*=}";; + --base=*) _BASE="${cgilite_arg#*=}";; +esac; done +unset cgilite_arg + +_EXEC="${_EXEC:-${0%/*}}" +_DATA="${_DATA:-.}" +_EXEC="${_EXEC%/}" _DATA="${_DATA%/}" _BASE="${_BASE%/}" + +export _EXEC _DATA _BASE + +# Carriage Return and Line Break characters for convenience CR=" " BR=' ' -cgilite_timeout=2 -HEADER(){ - # Read value of header line. Use this instead of - # referencing HTTP_* environment variables. - if [ -n "${cgilite_headers+x}" ]; then - printf %s "$cgilite_headers" \ - | sed -rn 's;^'"${1}"': ([^\r]+)\r?$;\1;i; tX; d; :X;p;q;' - else - eval "printf %s \"\$HTTP_$(printf %s "${1}" |tr a-z A-Z |tr -c A-Z _)\"" - fi -} +PATH(){ + local str seg out + # normalize path + # read from stdin if no arguments are provided -HEX_DECODE=' - s;\\;\\\\;g; :HEXDECODE_X; s;%([^0-9A-F]);\\045\1;g; tHEXDECODE_X; - # Hexadecimal { %00 - %FF } will be transformed to octal { \000 - \377 } for posix printf - s;%[0123].;&\\0;g; s;%[4567].;&\\1;g; s;%[89AB].;&\\2;g; s;%[CDEF].;&\\3;g; - s;%[048C][0-7]\\.;&0;g; s;%[048C][89A-F]\\.;&1;g; s;%[159D][0-7]\\.;&2;g; s;%[159D][89A-F]\\.;&3;g; - s;%[26AE][0-7]\\.;&4;g; s;%[26AE][89A-F]\\.;&5;g; s;%[37BF][0-7]\\.;&6;g; s;%[37BF][89A-F]\\.;&7;g; - s;%.[08](\\..);\10;g; s;%.[19](\\..);\11;g; s;%.[2A](\\..);\12;g; s;%.[3B](\\..);\13;g; - s;%.[4C](\\..);\14;g; s;%.[5D](\\..);\15;g; s;%.[6E](\\..);\16;g; s;%.[7F](\\..);\17;g; -' + [ $# -eq 0 ] && str="$(cat)" || str="$*" + while [ "$str" ]; do + seg=${str%%/*}; str="${str#*/}" + case $seg in + ..) out="${out%/}"; out="${out%/*}/";; + .|'') out="${out%/}/";; + *) out="${out%/}/${seg}";; + esac; + [ "$seg" = "$str" ] && break + done + [ "${str}" -a "${out}" ] && printf %s "$out" || printf %s/ "${out%/}" +} HEX_DECODE(){ - printf -- "$(printf %s "$1" |sed -r "$HEX_DECODE")" + local pfx="$1" in="$2" out + # Print out Data encoded as Hex + # + # Arguments: + # pfx - required, prefix for a hex tupel, e.g. "\x", "%" "\", may be empty + # in - required, string to be decoded + # + # anything that does not constitute a tupel of valid Hex numerals + # will be copied to the output literally + + while [ "$in" ]; do + case $in in + "$pfx"[0-9a-fA-F][0-9a-fA-F]*) in="${in#${pfx}}";; + \\*) in="${in#?}"; out="${out}\\\\"; continue;; + %*) in="${in#?}"; out="${out}%%"; continue;; + *) att="${in%%"${pfx}"*}"; att="${att%%%*}"; att="${att%%\\*}" + out="${out}${att}"; in="${in#"${att}"}"; continue;; + esac; + + # Hex escapes for printf (e.g. \x41) are not portable + # The portable way for Hex output is transforming Hex to Octal + # (e.g. \x41 = \101) + case $in in + [0123]?*) out="${out}\\0";; + [4567]?*) out="${out}\\1";; + [89aAbB]?*) out="${out}\\2";; + [c-fC-F]?*) out="${out}\\3";; + esac + case $in in + [048cC][0-7]*) out="${out}0";; + [048cC][89a-fA-F]*) out="${out}1";; + [159dD][0-7]*) out="${out}2";; + [159dD][89a-fA-F]*) out="${out}3";; + [26aAeE][0-7]*) out="${out}4";; + [26aAeE][89a-fA-F]*) out="${out}5";; + [37bBfF][0-7]*) out="${out}6";; + [37bBfF][89a-fA-F]*) out="${out}7";; + esac + case $in in + ?[08]*) out="${out}0";; + ?[19]*) out="${out}1";; + ?[2aA]*) out="${out}2";; + ?[3bB]*) out="${out}3";; + ?[4cC]*) out="${out}4";; + ?[5dD]*) out="${out}5";; + ?[6eE]*) out="${out}6";; + ?[7fF]*) out="${out}7";; + esac + in="${in#?}" + in="${in#?}" + done + printf -- "$out" } if [ -z "$REQUEST_METHOD" ]; then @@ -68,41 +144,68 @@ if [ -z "$REQUEST_METHOD" ]; then (sleep $cgilite_timeout && kill $$) & cgilite_watchdog=$! while read REQUEST_METHOD REQUEST_URI SERVER_PROTOCOL; do + unset PATH_INFO QUERY_STRING cgilite_headers CONTENT_LENGTH CONTENT_TYPE + + [ "${SERVER_PROTOCOL#HTTP/1.[01]${CR}}" ] && break kill $cgilite_watchdog - PATH_INFO="$(HEX_DECODE "${REQUEST_URI%\?*}")" - QUERY_STRING="${REQUEST_URI#*\?}" - cgilite_headers="$(while read -r hl; do [ "${hl%${CR}}" ] && printf '%s\n' "$hl" || break; done )" - HTTP_CONTENT_LENGTH="$(HEADER Content-Length |grep -xE '[0-9]+')" + SERVER_PROTOCOL="${SERVER_PROTOCOL%${CR}}" + PATH_INFO="$(HEX_DECODE % "${REQUEST_URI%\?*}" |PATH)" + [ "${REQUEST_URI}" = "${REQUEST_URI#*\?}" ] \ + && QUERY_STRING='' \ + || QUERY_STRING="${REQUEST_URI#*\?}" + while read -r hl; do + hl="${hl%${CR}}"; [ "$hl" ] || break + case $hl in + 'Content-Length: '*) CONTENT_LENGTH="${hl#*: }";; + 'Content-Type: '*) CONTENT_TYPE="${hl#*: }";; + esac + cgilite_headers="${cgilite_headers}${hl}${BR}" + done export REMOTE_ADDR SERVER_NAME SERVER_PORT REQUEST_METHOD REQUEST_URI SERVER_PROTOCOL \ - PATH_INFO QUERY_STRING HTTP_CONTENT_LENGTH + PATH_INFO QUERY_STRING CONTENT_TYPE CONTENT_LENGTH cgilite_headers # Try to serve multiple requests, provided that script serves a # Content-Length header. # Without Content-Length header, connection will terminate after # script. - cgilite_status='200 OK'; cgilite_response=''; cgilite_cl="Connection: close${CR}"; + cgilite_status='200 OK'; cgilite_response=''; cgilite_cl="Connection: close${CR}${BR}"; . "$0" | while read -r l; do case $l in - Status:*) cgilite_status="${l#Status: }";; - Content-Length:*) cgilite_cl="${l}";; - $CR) printf '%s %s\r\n%s\n%s\n\r\n' \ + Status:*) + cgilite_status="${l#Status: }";; + Content-Length:*) + cgilite_cl="" + cgilite_response="${cgilite_response:+${cgilite_response}${BR}}${l}";; + Connection:*) + cgilite_cl="${l}${BR}";; + $CR) printf '%s %s\r\n%s%s\r\n' \ 'HTTP/1.1' "${cgilite_status%${CR}}" \ - "$cgilite_response" "${cgilite_cl}" - cat + "${cgilite_response}${cgilite_response:+${BR}}" "${cgilite_cl}" + cat || kill $$ [ "${cgilite_cl#Connection}" = "${cgilite_cl}" ]; exit;; - *) cgilite_response="$cgilite_response${BR}$l";; + *) cgilite_response="${cgilite_response:+${cgilite_response}${BR}}${l}";; esac; done || exit 0; (sleep $cgilite_timeout && kill $$) & cgilite_watchdog=$! done + kill $cgilite_watchdog + exit 0 fi -if [ "$REQUEST_METHOD" = POST -a "${HTTP_CONTENT_LENGTH:=${CONTENT_LENGTH:=0}}" -gt 0 ]; then - cgilite_post="$(head -c "$HTTP_CONTENT_LENGTH")" +include_cgilite="$0" + +if [ "${REQUEST_METHOD}" = POST -a "${CONTENT_LENGTH:-0}" -gt 0 -a \ + "${CONTENT_TYPE}" = "application/x-www-form-urlencoded" ]; then + cgilite_post="$(head -c "$CONTENT_LENGTH")" fi -[ -n "${DEBUG+x}" ] && env +PATH_INFO="$(PATH "/${PATH_INFO#${_BASE}}")" + +debug(){ [ $# -gt 0 ] && printf '%s\n' "$@" >&2 || tee -a /dev/stderr; } +[ "${DEBUG+x}" ] && env >&2 + +# general helper functions, see GET, POST, and REF below cgilite_count(){ printf %s "&$1" \ @@ -113,74 +216,115 @@ cgilite_count(){ cgilite_value(){ local str="&$1" name="$2" cnt="${3:-1}" while [ $cnt -gt 0 ]; do - str=${str#*&${name}=} + [ "${str}" = "${str#*&${name}=}" ] && return 1 + str="${str#*&${name}=}" cnt=$((cnt - 1)) done - printf -- "$(printf %s "${str%%&*}" |sed -r 's;\+; ;g;'"$HEX_DECODE")" + HEX_DECODE % "$(printf %s "${str%%&*}" |tr + \ )" +} + +cgilite_keys(){ + local str="&$1" + while [ "${str#*&}" != "${str}" ]; do + str="${str#*&}" + printf '%s\n' "${str%%=*}" + done \ + | sort -u } -GET(){ cgilite_value "${QUERY_STRING}" $@; } +# Read arguments from GET, POST, or the query string of the referrer (REF). +# Example: +# GET varname n +# +# where n is number for the Nth occurence of a variable and defaults to 1 +# +# *_COUNT varname +# -> returns number of ocurences +# *_KEYS +# -> returns list of available varnames + +GET(){ cgilite_value "${QUERY_STRING}" "$@"; } GET_COUNT(){ cgilite_count "${QUERY_STRING}" $1; } +GET_KEYS(){ cgilite_keys "${QUERY_STRING}"; } -POST(){ cgilite_value "${cgilite_post}" $@; } +POST(){ cgilite_value "${cgilite_post}" "$@"; } POST_COUNT(){ cgilite_count "${cgilite_post}" $1; } +POST_KEYS(){ cgilite_keys "${cgilite_post}"; } -REF(){ cgilite_value "${HTTP_REFERER#*\?}" $@; } +REF(){ cgilite_value "${HTTP_REFERER#*\?}" "$@"; } REF_COUNT(){ cgilite_count "${HTTP_REFERER#*\?}" $1; } +REF_KEYS(){ cgilite_keys "${HTTP_REFERER#*\?}"; } + +HEADER(){ + # Read value of header line. Use this instead of + # referencing HTTP_* environment variables. + if [ -n "${cgilite_headers+x}" ]; then + local str="${BR}${cgilite_headers}" + [ "${str}" = "${str#*${BR}${1}: }" ] && return 1 + str="${str#*${BR}${1}: }" + printf %s "${str%%${BR}*}" + else + local var="HTTP_$(printf %s "$1" |tr a-z- A-Z-)" + eval "[ \"\$$var\" ] && printf %s \"\$$var\" || return 1" + # eval "printf %s \"\$HTTP_$(printf %s "${1}" |tr a-z A-Z |tr -c A-Z _)\"" + fi +} COOKIE(){ - HEX_DECODE "$( + # Read value of cookie + HEX_DECODE % "$( HEADER Cookie \ | grep -oE '(^|; ?)'"$1"'=[^;]*' \ - | sed -rn "${2:-1}"'{s;^[^=]+=;;; s;\+; ;g; p;}' + | sed -En "${2:-1}"'{s;^[^=]+=;;; s;\+; ;g; p;}' )" } HTML(){ - # HTML Entity Coding - # Prints UTF-8 string as decimal Unicode Code Points - # Useful for escaping user input for use in HTML text and attributes - { [ $# -eq 0 ] && cat || printf %s "$*"; } \ - | hexdump -ve '/1 "%03o\n"' \ - | while read n; do - case $n in - # bitbanging octal UTF-8 chains into singular 7 digit octal numbers - [01]??) printf '0000%s' $n;; # 7 bit ASCII character, nothing to do - 2??) printf '%s' ${n#2};; # tail fragment, append 6 bit - 3[0123]?) printf '000%s' ${n#3};; # 2 octet (11 bit) chain start - 34?) printf '00%s' ${n#34};; # 3 octet (16 bit) chain start - 35?) printf '01%s' ${n#35};; # 3 octet chain start, high - 36?) printf '%s' ${n#36};; # 4 octet (21 bit) chain start - esac - done \ - | sed -r 's;.{7};&\n;g;' \ - | while read n; do - printf '&#%d;' $((0$n)) - done + # Escape HTML cahracters + # Also escape [, ], and \n for use in html-sh + local str out + [ $# -eq 0 ] && str="$(cat)" || str="$*" + while [ "$str" ]; do case $str in + \&*) out="${out}&"; str="${str#?}";; + \<*) out="${out}<"; str="${str#?}";; + \>*) out="${out}>"; str="${str#?}";; + \"*) out="${out}""; str="${str#?}";; + \'*) out="${out}'"; str="${str#?}";; + \[*) out="${out}["; str="${str#?}";; + \]*) out="${out}]"; str="${str#?}";; + "${CR}"*) out="${out} "; str="${str#?}";; + "${BR}"*) out="${out} "; str="${str#?}";; + *) out="${out}${str%%[]&<>\"\'[]*}"; str="${str#"${str%%[]&<>\"\'[]*}"}";; + esac; done + printf %s "$out" } URL(){ - # Code every character in URL escape hex format - # except alphanumeric ascii - - { [ $# -eq 0 ] && cat || printf %s "$*"; } \ - | hexdump -v -e '/1 ",%02X"' \ - | sed 's;,;%;g; s;%2F;/;g;' + # Escape pathes, so they can be used in link tags and HTTP Headers + local str out + [ $# -eq 0 ] && str="$(cat)" || str="$*" + while [ "$str" ]; do case $str in + \&*) out="${out}%26"; str="${str#?}";; + \"*) out="${out}%22"; str="${str#?}";; + \'*) out="${out}%27"; str="${str#?}";; + \?*) out="${out}%3F"; str="${str#?}";; + \#*) out="${out}%23"; str="${str#?}";; + \[*) out="${out}%5B"; str="${str#?}";; + \]*) out="${out}%5D"; str="${str#?}";; + \ *) out="${out}%20"; str="${str#?}";; + " "*) out="${out}%09"; str="${str#?}";; + "${CR}"*) out="${out}%0D"; str="${str#?}";; + "${BR}"*) out="${out}%0A"; str="${str#?}";; + %*) out="${out}%25"; str="${str#?}";; + *) out="${out}${str%%[]&\"\'\?# ${CR}${BR}%[]*}"; str="${str#"${str%%[]&\"\'\?# ${CR}${BR}%[]*}"}";; + esac; done + printf %s "$out" } -PATH(){ - { [ $# -eq 0 ] && cat || printf %s "$*"; } \ - | sed -r 's;^.*$;/&/;; s;/+;/;g; - :X; - s;^/\.\./;/;; s;/\./;/;g; - tX; - s;/[^/]+/\.\./;/;; - tX; - s;^(/.*)/$;\1;' -} - - SET_COOKIE(){ + # Param: session | +seconds | [date] + # Param: name=value + # Param: Path= | Domain= | Secure local expire cookie case "$1" in ''|0|session) expire='';; @@ -189,13 +333,14 @@ SET_COOKIE(){ esac cookie="$2" - printf 'Set-Cookie: %s' "$cookie" + printf 'Set-Cookie: %s; HttpOnly; SameSite=Lax' "$cookie" [ -n "$expire" ] && printf '; Expires=%s' "${expire%+????}${expire:+GMT}" [ $# -ge 3 ] && shift 2 && printf '; %s' "$@" printf '\r\n' } REDIRECT(){ + # Trigger redirct and terminate script printf '%s: %s\r\n' \ Status "303 See Other" \ Content-Length 0 \