|
1 """CGI-savvy HTTP Server. |
|
2 |
|
3 This module builds on SimpleHTTPServer by implementing GET and POST |
|
4 requests to cgi-bin scripts. |
|
5 |
|
6 If the os.fork() function is not present (e.g. on Windows), |
|
7 os.popen2() is used as a fallback, with slightly altered semantics; if |
|
8 that function is not present either (e.g. on Macintosh), only Python |
|
9 scripts are supported, and they are executed by the current process. |
|
10 |
|
11 In all cases, the implementation is intentionally naive -- all |
|
12 requests are executed sychronously. |
|
13 |
|
14 SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL |
|
15 -- it may execute arbitrary Python code or external programs. |
|
16 |
|
17 Note that status code 200 is sent prior to execution of a CGI script, so |
|
18 scripts cannot send other status codes such as 302 (redirect). |
|
19 """ |
|
20 |
|
21 |
|
22 __version__ = "0.4" |
|
23 |
|
24 __all__ = ["CGIHTTPRequestHandler"] |
|
25 |
|
26 import os |
|
27 import sys |
|
28 import urllib |
|
29 import BaseHTTPServer |
|
30 import SimpleHTTPServer |
|
31 import select |
|
32 |
|
33 |
|
34 class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): |
|
35 |
|
36 """Complete HTTP server with GET, HEAD and POST commands. |
|
37 |
|
38 GET and HEAD also support running CGI scripts. |
|
39 |
|
40 The POST command is *only* implemented for CGI scripts. |
|
41 |
|
42 """ |
|
43 |
|
44 # Determine platform specifics |
|
45 have_fork = hasattr(os, 'fork') |
|
46 have_popen2 = hasattr(os, 'popen2') |
|
47 have_popen3 = hasattr(os, 'popen3') |
|
48 |
|
49 # Make rfile unbuffered -- we need to read one line and then pass |
|
50 # the rest to a subprocess, so we can't use buffered input. |
|
51 rbufsize = 0 |
|
52 |
|
53 def do_POST(self): |
|
54 """Serve a POST request. |
|
55 |
|
56 This is only implemented for CGI scripts. |
|
57 |
|
58 """ |
|
59 |
|
60 if self.is_cgi(): |
|
61 self.run_cgi() |
|
62 else: |
|
63 self.send_error(501, "Can only POST to CGI scripts") |
|
64 |
|
65 def send_head(self): |
|
66 """Version of send_head that support CGI scripts""" |
|
67 if self.is_cgi(): |
|
68 return self.run_cgi() |
|
69 else: |
|
70 return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self) |
|
71 |
|
72 def is_cgi(self): |
|
73 """Test whether self.path corresponds to a CGI script, |
|
74 and return a boolean. |
|
75 |
|
76 This function sets self.cgi_info to a tuple (dir, rest) |
|
77 when it returns True, where dir is the directory part before |
|
78 the CGI script name. Note that rest begins with a |
|
79 slash if it is not empty. |
|
80 |
|
81 The default implementation tests whether the path |
|
82 begins with one of the strings in the list |
|
83 self.cgi_directories (and the next character is a '/' |
|
84 or the end of the string). |
|
85 """ |
|
86 |
|
87 path = self.path |
|
88 |
|
89 for x in self.cgi_directories: |
|
90 i = len(x) |
|
91 if path[:i] == x and (not path[i:] or path[i] == '/'): |
|
92 self.cgi_info = path[:i], path[i+1:] |
|
93 return True |
|
94 return False |
|
95 |
|
96 cgi_directories = ['/cgi-bin', '/htbin'] |
|
97 |
|
98 def is_executable(self, path): |
|
99 """Test whether argument path is an executable file.""" |
|
100 return executable(path) |
|
101 |
|
102 def is_python(self, path): |
|
103 """Test whether argument path is a Python script.""" |
|
104 head, tail = os.path.splitext(path) |
|
105 return tail.lower() in (".py", ".pyw") |
|
106 |
|
107 def run_cgi(self): |
|
108 """Execute a CGI script.""" |
|
109 path = self.path |
|
110 dir, rest = self.cgi_info |
|
111 |
|
112 i = path.find('/', len(dir) + 1) |
|
113 while i >= 0: |
|
114 nextdir = path[:i] |
|
115 nextrest = path[i+1:] |
|
116 |
|
117 scriptdir = self.translate_path(nextdir) |
|
118 if os.path.isdir(scriptdir): |
|
119 dir, rest = nextdir, nextrest |
|
120 i = path.find('/', len(dir) + 1) |
|
121 else: |
|
122 break |
|
123 |
|
124 # find an explicit query string, if present. |
|
125 i = rest.rfind('?') |
|
126 if i >= 0: |
|
127 rest, query = rest[:i], rest[i+1:] |
|
128 else: |
|
129 query = '' |
|
130 |
|
131 # dissect the part after the directory name into a script name & |
|
132 # a possible additional path, to be stored in PATH_INFO. |
|
133 i = rest.find('/') |
|
134 if i >= 0: |
|
135 script, rest = rest[:i], rest[i:] |
|
136 else: |
|
137 script, rest = rest, '' |
|
138 |
|
139 scriptname = dir + '/' + script |
|
140 scriptfile = self.translate_path(scriptname) |
|
141 if not os.path.exists(scriptfile): |
|
142 self.send_error(404, "No such CGI script (%r)" % scriptname) |
|
143 return |
|
144 if not os.path.isfile(scriptfile): |
|
145 self.send_error(403, "CGI script is not a plain file (%r)" % |
|
146 scriptname) |
|
147 return |
|
148 ispy = self.is_python(scriptname) |
|
149 if not ispy: |
|
150 if not (self.have_fork or self.have_popen2 or self.have_popen3): |
|
151 self.send_error(403, "CGI script is not a Python script (%r)" % |
|
152 scriptname) |
|
153 return |
|
154 if not self.is_executable(scriptfile): |
|
155 self.send_error(403, "CGI script is not executable (%r)" % |
|
156 scriptname) |
|
157 return |
|
158 |
|
159 # Reference: http://hoohoo.ncsa.uiuc.edu/cgi/env.html |
|
160 # XXX Much of the following could be prepared ahead of time! |
|
161 env = {} |
|
162 env['SERVER_SOFTWARE'] = self.version_string() |
|
163 env['SERVER_NAME'] = self.server.server_name |
|
164 env['GATEWAY_INTERFACE'] = 'CGI/1.1' |
|
165 env['SERVER_PROTOCOL'] = self.protocol_version |
|
166 env['SERVER_PORT'] = str(self.server.server_port) |
|
167 env['REQUEST_METHOD'] = self.command |
|
168 uqrest = urllib.unquote(rest) |
|
169 env['PATH_INFO'] = uqrest |
|
170 env['PATH_TRANSLATED'] = self.translate_path(uqrest) |
|
171 env['SCRIPT_NAME'] = scriptname |
|
172 if query: |
|
173 env['QUERY_STRING'] = query |
|
174 host = self.address_string() |
|
175 if host != self.client_address[0]: |
|
176 env['REMOTE_HOST'] = host |
|
177 env['REMOTE_ADDR'] = self.client_address[0] |
|
178 authorization = self.headers.getheader("authorization") |
|
179 if authorization: |
|
180 authorization = authorization.split() |
|
181 if len(authorization) == 2: |
|
182 import base64, binascii |
|
183 env['AUTH_TYPE'] = authorization[0] |
|
184 if authorization[0].lower() == "basic": |
|
185 try: |
|
186 authorization = base64.decodestring(authorization[1]) |
|
187 except binascii.Error: |
|
188 pass |
|
189 else: |
|
190 authorization = authorization.split(':') |
|
191 if len(authorization) == 2: |
|
192 env['REMOTE_USER'] = authorization[0] |
|
193 # XXX REMOTE_IDENT |
|
194 if self.headers.typeheader is None: |
|
195 env['CONTENT_TYPE'] = self.headers.type |
|
196 else: |
|
197 env['CONTENT_TYPE'] = self.headers.typeheader |
|
198 length = self.headers.getheader('content-length') |
|
199 if length: |
|
200 env['CONTENT_LENGTH'] = length |
|
201 referer = self.headers.getheader('referer') |
|
202 if referer: |
|
203 env['HTTP_REFERER'] = referer |
|
204 accept = [] |
|
205 for line in self.headers.getallmatchingheaders('accept'): |
|
206 if line[:1] in "\t\n\r ": |
|
207 accept.append(line.strip()) |
|
208 else: |
|
209 accept = accept + line[7:].split(',') |
|
210 env['HTTP_ACCEPT'] = ','.join(accept) |
|
211 ua = self.headers.getheader('user-agent') |
|
212 if ua: |
|
213 env['HTTP_USER_AGENT'] = ua |
|
214 co = filter(None, self.headers.getheaders('cookie')) |
|
215 if co: |
|
216 env['HTTP_COOKIE'] = ', '.join(co) |
|
217 # XXX Other HTTP_* headers |
|
218 # Since we're setting the env in the parent, provide empty |
|
219 # values to override previously set values |
|
220 for k in ('QUERY_STRING', 'REMOTE_HOST', 'CONTENT_LENGTH', |
|
221 'HTTP_USER_AGENT', 'HTTP_COOKIE', 'HTTP_REFERER'): |
|
222 env.setdefault(k, "") |
|
223 os.environ.update(env) |
|
224 |
|
225 self.send_response(200, "Script output follows") |
|
226 |
|
227 decoded_query = query.replace('+', ' ') |
|
228 |
|
229 if self.have_fork: |
|
230 # Unix -- fork as we should |
|
231 args = [script] |
|
232 if '=' not in decoded_query: |
|
233 args.append(decoded_query) |
|
234 nobody = nobody_uid() |
|
235 self.wfile.flush() # Always flush before forking |
|
236 pid = os.fork() |
|
237 if pid != 0: |
|
238 # Parent |
|
239 pid, sts = os.waitpid(pid, 0) |
|
240 # throw away additional data [see bug #427345] |
|
241 while select.select([self.rfile], [], [], 0)[0]: |
|
242 if not self.rfile.read(1): |
|
243 break |
|
244 if sts: |
|
245 self.log_error("CGI script exit status %#x", sts) |
|
246 return |
|
247 # Child |
|
248 try: |
|
249 try: |
|
250 os.setuid(nobody) |
|
251 except os.error: |
|
252 pass |
|
253 os.dup2(self.rfile.fileno(), 0) |
|
254 os.dup2(self.wfile.fileno(), 1) |
|
255 os.execve(scriptfile, args, os.environ) |
|
256 except: |
|
257 self.server.handle_error(self.request, self.client_address) |
|
258 os._exit(127) |
|
259 |
|
260 elif self.have_popen2 or self.have_popen3: |
|
261 # Windows -- use popen2 or popen3 to create a subprocess |
|
262 import shutil |
|
263 if self.have_popen3: |
|
264 popenx = os.popen3 |
|
265 else: |
|
266 popenx = os.popen2 |
|
267 cmdline = scriptfile |
|
268 if self.is_python(scriptfile): |
|
269 interp = sys.executable |
|
270 if interp.lower().endswith("w.exe"): |
|
271 # On Windows, use python.exe, not pythonw.exe |
|
272 interp = interp[:-5] + interp[-4:] |
|
273 cmdline = "%s -u %s" % (interp, cmdline) |
|
274 if '=' not in query and '"' not in query: |
|
275 cmdline = '%s "%s"' % (cmdline, query) |
|
276 self.log_message("command: %s", cmdline) |
|
277 try: |
|
278 nbytes = int(length) |
|
279 except (TypeError, ValueError): |
|
280 nbytes = 0 |
|
281 files = popenx(cmdline, 'b') |
|
282 fi = files[0] |
|
283 fo = files[1] |
|
284 if self.have_popen3: |
|
285 fe = files[2] |
|
286 if self.command.lower() == "post" and nbytes > 0: |
|
287 data = self.rfile.read(nbytes) |
|
288 fi.write(data) |
|
289 # throw away additional data [see bug #427345] |
|
290 while select.select([self.rfile._sock], [], [], 0)[0]: |
|
291 if not self.rfile._sock.recv(1): |
|
292 break |
|
293 fi.close() |
|
294 shutil.copyfileobj(fo, self.wfile) |
|
295 if self.have_popen3: |
|
296 errors = fe.read() |
|
297 fe.close() |
|
298 if errors: |
|
299 self.log_error('%s', errors) |
|
300 sts = fo.close() |
|
301 if sts: |
|
302 self.log_error("CGI script exit status %#x", sts) |
|
303 else: |
|
304 self.log_message("CGI script exited OK") |
|
305 |
|
306 else: |
|
307 # Other O.S. -- execute script in this process |
|
308 save_argv = sys.argv |
|
309 save_stdin = sys.stdin |
|
310 save_stdout = sys.stdout |
|
311 save_stderr = sys.stderr |
|
312 try: |
|
313 save_cwd = os.getcwd() |
|
314 try: |
|
315 sys.argv = [scriptfile] |
|
316 if '=' not in decoded_query: |
|
317 sys.argv.append(decoded_query) |
|
318 sys.stdout = self.wfile |
|
319 sys.stdin = self.rfile |
|
320 execfile(scriptfile, {"__name__": "__main__"}) |
|
321 finally: |
|
322 sys.argv = save_argv |
|
323 sys.stdin = save_stdin |
|
324 sys.stdout = save_stdout |
|
325 sys.stderr = save_stderr |
|
326 os.chdir(save_cwd) |
|
327 except SystemExit, sts: |
|
328 self.log_error("CGI script exit status %s", str(sts)) |
|
329 else: |
|
330 self.log_message("CGI script exited OK") |
|
331 |
|
332 |
|
333 nobody = None |
|
334 |
|
335 def nobody_uid(): |
|
336 """Internal routine to get nobody's uid""" |
|
337 global nobody |
|
338 if nobody: |
|
339 return nobody |
|
340 try: |
|
341 import pwd |
|
342 except ImportError: |
|
343 return -1 |
|
344 try: |
|
345 nobody = pwd.getpwnam('nobody')[2] |
|
346 except KeyError: |
|
347 nobody = 1 + max(map(lambda x: x[2], pwd.getpwall())) |
|
348 return nobody |
|
349 |
|
350 |
|
351 def executable(path): |
|
352 """Test for executable file.""" |
|
353 try: |
|
354 st = os.stat(path) |
|
355 except os.error: |
|
356 return False |
|
357 return st.st_mode & 0111 != 0 |
|
358 |
|
359 |
|
360 def test(HandlerClass = CGIHTTPRequestHandler, |
|
361 ServerClass = BaseHTTPServer.HTTPServer): |
|
362 SimpleHTTPServer.test(HandlerClass, ServerClass) |
|
363 |
|
364 |
|
365 if __name__ == '__main__': |
|
366 test() |