#!/usr/bin/haserl --shell=/bin/bash --upload-limit=32768 --upload-dir=/www/tmp
<%# upload limit: 32Mb %>
<%
## SuperGlue project | http://superglue.it | 2014 | GPLv3
## http://git.superglue.it/superglue/serverfiles
## author: Danja Vasiliev <danja@k0a1a.net>
##
## post.sh - all POST requests are redirected to this script.
##
## examples:
## text: curl --data-urlencode '<html><title>' http://host/file.html
## image: curl --form "userimage=@file.png" -H "Expect:" http://host/file.png
## command: curl --data-urlencode 'ls' http://host/cmd
##
## returns: 200 (+ output of operation) on success
## 406 (+ error message in debug mode) on error
##
## auth: curl --digest -u admin:changeme ...
##
## no globbing, for safety
set -o noglob
## some path variables
readonly _WWW='/www'
readonly _HTDOCS="${_WWW}/htdocs"
readonly _TMP="${_WWW}/tmp"
readonly _LOG="${_WWW}/log/post.log"
## multihost, example
#if [[ $HTTP_HOST == 'domain.name' ]]; then
# _HTDOCS="${_WWW}/domain-name"
#fi
## _DEBUG=0 no logging at all
## _DEBUG=1 writes to $_LOG file
## _DEBUG=2 adds a message to HTTP response
_DEBUG=1
#### FUNCTIONS
## logging
logThis() {
[[ "$_DEBUG" -gt 0 ]] || return 0
[[ "$_ERR" -gt 0 ]] && _TYPE='E:' || _TYPE='I:' ## Info or Error indication
local _TIME=$(printf '%(%d.%m.%Y %H:%M:%S)T' -1)
printf '%b\n' "$_TIME $_TYPE ${1} " >> $_LOG
[[ "$_DEBUG" -gt 1 ]] && printf '%b\n' "[verbose] $_TYPE ${1}"
return 0
}
## inject function execution trace to global _OUT
wTf() {
local _WTF="$(printf '%s -> ' '| trace: '${FUNCNAME[*]:1})"
_OUT="$_OUT $_WTF"
}
## urldecode
urlDecode() {
local encoded="${1//+/ }"
printf '%b' "${encoded//%/\x}"
}
## http response
headerPrint() {
case ${1} in
200) printf '%b' 'HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *\n\n';;
405) printf '%b' 'HTTP/1.1 405 Method Not Allowed\n\n';;
406) printf '%b' 'HTTP/1.1 406 Not Acceptable\n\n';;
esac
return 0
}
## takes exit code variable $? and optional "message" string.
## exit code 0 simply falls through. when local message
## is not provided tries to assign global $_OUT.
##
## eg: errorCheck $? "bad zombie"
##
## produces HTTP 406 header, $_OUT message, triggers logThis()
## and exits the main loop with exit >= 1.
errorCheck() {
_ERR=${1} ## exit code
[[ $_ERR -gt 0 ]] || return 0
local _MSG=${2}
## if $_OUT is present cut it down to one line
## otherwise assign message from the invokation arguments
[[ $_OUT ]] && _OUT="${_OUT%%$'\n'*}" || { _OUT=${_MSG:='unknown error occured'}; wTf; }
[[ -e $_POST_TMP ]] && rm -f $_POST_TMP
headerPrint '406'
logThis "${_OUT}";
exit $_ERR
}
## urlencoded POST dispatcher
postUrlenc() {
## set vars found in POST
setQueryVars
case "${_REQUEST_URI}" in
\/cmd) postCmd ;; ## handle /cmd POST
*) postHtml ;; ## handle html POST
esac
}
## handle /cmd POST
postCmd() {
local _CMD=( ${_POST} ) ## convert POST to array
[[ ${#_CMD[@]} -lt 5 ]] || errorCheck '1' "'${_CMD[*]}': too many arguments"
local _EXE="${_CMD[0]}" ## first member is command
local _ARG="${_CMD[@]:1}" ## the rest is arguments
## note unquoted regex
[[ ! "$_ARG" =~ (\.\.|^/| /) ]] || errorCheck '1' "'$_ARG': illegal path"
## 'ls' replacement function
lss() {
_D='\t' ## do we want a customizable delimiter?
while getopts 'la' _OPT; do
case $_OPT in
l) local _LNG="$_D%F$_D%s$_D%y$_D%U$_D%G$_D%a" ;;
a) shopt -s dotglob
esac
done
shift $((OPTIND-1)) ## removing used args
[[ -z "${@}" ]] && _PT="./*" ## list ./* if called with no args
[[ -d "${@}" ]] && _PT="/*" ## add /* to directories
## if error occures return 0
stat --printf "%n$_LNG\n" -- "${@%%/}"$_PT 2>/dev/null || _ERR=0
return $_ERR
}
case "$_EXE" in
ls|lss) _EXE="lss"; _ARG="${_ARG}" ;; ## no error is returned
cp) _ARG="${_ARG}" ;;
rm) _ARG="${_ARG}" ;; ## add recursive option if you need
mv) _ARG="${_ARG}" ;;
mkdir) _ARG="${_ARG}" ;;
log) _EXE="tail"; _ARG="${_ARG} ${_LOG}" ;;
wget) _ARG="-q ${_ARG/ */} -O ${_ARG/* /}" ;; ## quiet
*) errorCheck '1' "'$_EXE': bad command" ;;
esac
## toggle globbing
set +o noglob
_OUT=$($_EXE $_ARG 2>&1)
_ERR=$?
## toggle globbing
set -o noglob
logThis "$_EXE $_ARG"
errorCheck $_ERR
}
## handle html POST
postHtml() {
## save POST to file
_OUT=$( (printf '%b' "${_POST}" > "${_HTDOCS}${_REQUEST_URI}") 2>&1)
_ERR=$?
errorCheck $_ERR
}
setQueryVars() {
_VARS=( ${!POST_*} )
local v
for v in ${_VARS[@]}; do
logThis "$v=${!v}"
done
}
## octet POST dispatcher
postOctet() {
## get 'data:' header length
local IFS=','; read -d',' -r _DH < $_POST_TMP
case "${_ENC}" in
base64) postBase64Enc;;
binary) postBinary ;;
*) postGuessEnc ;; ## handle data POST
esac
}
## to be converted into a proper data-type detection function
postGuessEnc() {
shopt -s nocasematch
local _DTP="^.*\;([[:alnum:]].+)$" ## data-type header pattern
## look for encoding in the data header
[[ "${_DH}" =~ ${_DTP} ]] && _ENC="${BASH_REMATCH[1]}"
logThis "'$_ENC:' encoding is the best guess";
shopt -u nocasematch
case "$_ENC" in
base64) postBase64Enc ;;
## binary) _ERR=1 ;;
## json) _ERR=1 ;;
## quoted-printable) _ERR=1 ;;
*) _ERR=1; _OUT="'${_ENC:='unknown'}' encoding, unknown POST failed";;
esac
errorCheck $_ERR
}
## handle base64 post
postBase64Enc() {
logThis "'${_ENC}:' decoding stream"
_DL=${#_DH} ## get data-header length
[[ $_DL -lt 10 ]] && { _DL=23; _SKP=0; } || { let _DL+=1; _SKP=1; } ## '23' - what?!
## the line below seems to be the best solution for the time being
## dd 'ibs' and 'iflags' seem not to work on OpenWRT - investigate as it might be very useful
_OUT=$( dd if=${_POST_TMP} bs=${_DL} skip=${_SKP} | base64 -d > "${_HTDOCS}${_REQUEST_URI}" 2>&1)
_ERR=$?
errorCheck $_ERR
}
postBinary() {
logThis "'binary': decoding stream"
## it is unclear what will be necessary to do here
_OUT=$( dd if="${_POST_TMP}" of="${_HTDOCS}${_REQUEST_URI}" 2>&1 )
_ERR=$?
errorCheck $_ERR
}
postMpart() {
logThis "'multipart': decoding stream"
local _BND=$(findPostOpt 'boundary')
## bash is binary unsafe and eats away precious lines
## thus using gawk
function cutFile() {
gawk -v "want=$1" -v "bnd=$_BND" '
BEGIN { RS="\r\n"; ORS="\r\n" }
# reset based on boundaries
$0 == "--"bnd"" { st=1; next; }
$0 == "--"bnd"--" { st=0; next; }
$0 == "--"bnd"--\r" { st=0; next; }
# search for wanted file
st == 1 && $0 ~ "^Content-Disposition:.* name=\""want"\"" { st=2; next; }
st == 1 && $0 == "" { st=9; next; }
# wait for newline, then start printing
st == 2 && $0 == "" { st=3; next; }
st == 3 { print $0 }
' 2>&1
}
cutFile 'userimage' < "${_POST_TMP}" > "${_HTDOCS}${_REQUEST_URI}"
_ERR=$?
errorCheck $_ERR
}
## find arbitrary option supplied in Content-Type header
## eg: "Content-Type:application/octet-stream; verbose=1"
findPostOpt() {
for i in "${CONTENT_TYPE[@]:1}"; do
case "${i/=*}" in
"$1") printf '%b' "${i/*=}" ;;
esac
done
return 0
}
## sanitize by backslashing all expandable symbols
escapeStr() {
printf "%q" "${*}"
}
## brutally replace unwanted characters
cleanFname() {
shopt -s extglob
local _STR="${*}"
echo -n "${_STR//[^[:alnum:]._\-\/\\]/_}"
shopt -u extglob
}
#### MAIN LOOP
logThis 'yes'
## timing
## TODO: remove it
## run once here and once at the end
#read t z < /proc/uptime
## check if we are in $_HTDOCS directory
cd $_HTDOCS || errorCheck $? 'htdocs unavailable'
[[ "${PWD}" == "${_HTDOCS}" ]] || errorCheck $? 'htdocs misconfigured'
if [[ "${REQUEST_METHOD^^}" == "POST" ]]; then
[[ $CONTENT_LENGTH -gt 0 ]] || err 'content length is zero, 301 back to referer' '301'
case "${CONTENT_TYPE^^}" in
APPLICATION/X-WWW-FORM-URLENCODED*) setQueryVars;;
MULTIPART/FORM-DATA*) getQueryFile;;
*) _ERR=1; _OUT='this is not a post';;
esac
case $REQUEST_URI in
*cmd) pwdChange;;
*) logThis 'bad action'; headerPrint 405;
echo 'no such thing'; exit 1;;
esac
fi
## URI is considered as a file dest to work with
## add 'index.html' to default and empty request uri
_REQUEST_URI="${REQUEST_URI/%\///index.html}"
_REQUEST_URI="$(urlDecode $_REQUEST_URI)"
_PATH="${_REQUEST_URI%/*}"
CONTENT_TYPE=( ${CONTENT_TYPE} )
_CONTENT_TYPE="${CONTENT_TYPE[0]/;}"
_ENC="${HTTP_CONTENT_ENCODING}"
#logThis "Len: $CONTENT_LENGTH Ctype: $CONTENT_TYPE Enc: $_CONTENT_ENCODING"
## check for 'verbose' option in POST
#findPostOpt 'verbose' || { _DEBUG=2; logThis 'verbose mode is requested'; }
logThis 'yes 2'
#_POST_TMP=$(mktemp -p $_TMP) ## make tmp POST file
#cat > $_POST_TMP ## cautiously storing entire POST in a file
## dispatching POST
case "${_CONTENT_TYPE}" in
application\/x-www-form-urlencoded) postUrlenc ;;
application\/octet-stream) postOctet ;;
multipart/form-data) postMpart ;;
*) _ERR=1; _OUT='this is not a post' ;;
esac
#[[ -e $_POST_TMP ]] && rm -f $_POST_TMP
## make sure we are good
errorCheck $_ERR
[[ -z $_OUT ]] || _OUT="${_OUT}\n"
headerPrint '200' ## on success
printf '%b' "${_OUT}"
logThis 'OK 200'
#read d z < /proc/uptime
#logThis $((${d/./}-${t/./}))"/100s"
exit 0
%>