serverfiles/openwrt/common/opt/lib/cgi/post2.cgi

#!/usr/bin/haserl --shell=/bin/bash  --upload-limit=32768 --upload-dir=/www/tmp 
<%# upload limit: 32Mb %>
<%

## SuperGlue project | http://superglue.it | 2014 | GPLv3
## http://git.superglue.it/superglue/serverfiles
## author: Danja Vasiliev <danja@k0a1a.net>
##
## post.sh - all POST requests are redirected to this script.
## 
## examples:
## text:    curl --data-urlencode '<html><title>' http://host/file.html
## image:   curl --form "userimage=@file.png" -H "Expect:" http://host/file.png 
## command: curl --data-urlencode 'ls' http://host/cmd
##
## returns: 200 (+ output of operation) on success
##          406 (+ error message in debug mode) on error
##
## auth:    curl --digest -u admin:changeme ...
##
## no globbing, for safety
set -o noglob

## some path variables
readonly _WWW='/www'
readonly _HTDOCS="${_WWW}/htdocs"
readonly _TMP="${_WWW}/tmp"
readonly _LOG="${_WWW}/log/post.log"

## multihost, example
#if [[ $HTTP_HOST == 'domain.name' ]]; then
#  _HTDOCS="${_WWW}/domain-name"
#fi

## _DEBUG=0 no logging at all
## _DEBUG=1 writes to $_LOG file
## _DEBUG=2 adds a message to HTTP response
_DEBUG=1

#### FUNCTIONS

## logging
logThis() {
  [[ "$_DEBUG" -gt 0 ]] || return 0
  [[ "$_ERR" -gt 0 ]] && _TYPE='E:' || _TYPE='I:'  ## Info or Error indication
  local _TIME=$(printf '%(%d.%m.%Y %H:%M:%S)T' -1)
  printf '%b\n' "$_TIME  $_TYPE ${1} " >> $_LOG
  [[ "$_DEBUG" -gt 1 ]] && printf '%b\n' "[verbose] $_TYPE ${1}"
  return 0
}

## inject function execution trace to global _OUT
wTf() {
  local _WTF="$(printf '%s -> ' '| trace: '${FUNCNAME[*]:1})"
  _OUT="$_OUT $_WTF"
}

## urldecode
urlDecode() {
  local encoded="${1//+/ }"
  printf '%b' "${encoded//%/\x}"
}

## http response
headerPrint() {
  case ${1} in
    200) printf '%b' 'HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *\n\n';;
    405) printf '%b' 'HTTP/1.1 405 Method Not Allowed\n\n';;
    406) printf '%b' 'HTTP/1.1 406 Not Acceptable\n\n';;
  esac
  return 0
}

## takes exit code variable $? and optional "message" string.
## exit code 0 simply falls through. when local message 
## is not provided tries to assign global $_OUT.
##
## eg: errorCheck $? "bad zombie"
##
## produces HTTP 406 header, $_OUT message, triggers logThis()
## and exits the main loop with exit >= 1.
errorCheck() {
  _ERR=${1}  ## exit code
  [[ $_ERR -gt 0 ]] || return 0
  local _MSG=${2}
  ## if $_OUT is present cut it down to one line
  ## otherwise assign message from the invokation arguments
  [[ $_OUT ]] && _OUT="${_OUT%%$'\n'*}" || { _OUT=${_MSG:='unknown error occured'}; wTf; }
  [[ -e $_POST_TMP ]] && rm -f $_POST_TMP
  headerPrint '406'
  logThis "${_OUT}";
  exit $_ERR
}

## urlencoded POST dispatcher
postUrlenc() {
  ## set vars found in POST
  setQueryVars
  case "${_REQUEST_URI}" in
    \/cmd) postCmd  ;;  ## handle /cmd POST
        *) postHtml ;;  ## handle html POST
  esac
}

## handle /cmd POST
postCmd() {
  local _CMD=( ${_POST} )  ## convert POST to array
  [[ ${#_CMD[@]} -lt 5 ]] || errorCheck '1' "'${_CMD[*]}': too many arguments"
  local _EXE="${_CMD[0]}"  ## first member is command 
  local _ARG="${_CMD[@]:1}"  ## the rest is arguments
  ## note unquoted regex
  [[ ! "$_ARG" =~ (\.\.|^/| /) ]] || errorCheck '1' "'$_ARG': illegal path"

  ## 'ls' replacement function
  lss() {
    _D='\t' ## do we want a customizable delimiter? 
    while getopts 'la' _OPT; do
      case $_OPT in
        l) local _LNG="$_D%F$_D%s$_D%y$_D%U$_D%G$_D%a" ;;
        a) shopt -s dotglob
      esac
    done
    shift $((OPTIND-1)) ## removing used args
    [[ -z "${@}" ]] && _PT="./*"  ## list ./* if called with no args
    [[ -d "${@}" ]] && _PT="/*" ## add /* to directories
    ## if error occures return 0
    stat --printf "%n$_LNG\n" -- "${@%%/}"$_PT 2>/dev/null || _ERR=0
    return $_ERR
  }
  case "$_EXE" in
   ls|lss) _EXE="lss"; _ARG="${_ARG}" ;;  ## no error is returned
       cp) _ARG="${_ARG}" ;;
       rm) _ARG="${_ARG}" ;;  ## add recursive option if you need
       mv) _ARG="${_ARG}" ;;
    mkdir) _ARG="${_ARG}" ;;
      log) _EXE="tail"; _ARG="${_ARG} ${_LOG}" ;; 
     wget) _ARG="-q ${_ARG/ */} -O ${_ARG/* /}" ;;  ## quiet
        *) errorCheck '1' "'$_EXE': bad command" ;;
  esac
  ## toggle globbing  
  set +o noglob  
  _OUT=$($_EXE $_ARG 2>&1)
  _ERR=$?
   ## toggle globbing
  set -o noglob
  logThis "$_EXE $_ARG"
  errorCheck $_ERR
}

## handle html POST
postHtml() {
  ## save POST to file
  _OUT=$( (printf '%b' "${_POST}" > "${_HTDOCS}${_REQUEST_URI}") 2>&1)
  _ERR=$?
  errorCheck $_ERR
}

setQueryVars() {
  _VARS=( ${!POST_*} )
  local v
  for v in ${_VARS[@]}; do
    logThis "$v=${!v}"
  done
}

## octet POST dispatcher
postOctet() {
  ## get 'data:' header length 
  local IFS=','; read -d',' -r _DH < $_POST_TMP
  case "${_ENC}" in
    base64) postBase64Enc;;
    binary) postBinary ;;
         *) postGuessEnc ;;  ## handle data POST
  esac
}

## to be converted into a proper data-type detection function
postGuessEnc() {
  shopt -s nocasematch
  local _DTP="^.*\;([[:alnum:]].+)$" ## data-type header pattern
  ## look for encoding in the data header
  [[ "${_DH}" =~ ${_DTP} ]] && _ENC="${BASH_REMATCH[1]}"
  logThis "'$_ENC:' encoding is the best guess";
  shopt -u nocasematch
  case "$_ENC" in
                base64) postBase64Enc ;;
             ## binary) _ERR=1 ;; 
             ##   json) _ERR=1 ;;
   ## quoted-printable) _ERR=1 ;;
                     *) _ERR=1; _OUT="'${_ENC:='unknown'}' encoding, unknown POST failed";;
  esac
  errorCheck $_ERR
}

## handle base64 post
postBase64Enc() {
  logThis "'${_ENC}:' decoding stream"
  _DL=${#_DH}  ## get data-header length
  [[ $_DL -lt 10 ]] && { _DL=23; _SKP=0; } || { let _DL+=1; _SKP=1; }  ## '23' - what?!
  ## the line below seems to be the best solution for the time being
  ## dd 'ibs' and 'iflags' seem not to work on OpenWRT - investigate as it might be very useful
  _OUT=$( dd if=${_POST_TMP} bs=${_DL} skip=${_SKP} | base64 -d > "${_HTDOCS}${_REQUEST_URI}" 2>&1) 
  _ERR=$?
  errorCheck $_ERR
}

postBinary() {
  logThis "'binary': decoding stream"
  ## it is unclear what will be necessary to do here
  _OUT=$( dd if="${_POST_TMP}" of="${_HTDOCS}${_REQUEST_URI}" 2>&1 )
  _ERR=$?
  errorCheck $_ERR
}

postMpart() {
  logThis "'multipart': decoding stream"
  local _BND=$(findPostOpt 'boundary')
  ## bash is binary unsafe and eats away precious lines
  ## thus using gawk
  function cutFile() {
    gawk -v "want=$1" -v "bnd=$_BND" '
      BEGIN { RS="\r\n"; ORS="\r\n" }

      # reset based on boundaries
      $0 == "--"bnd""     { st=1; next; }
      $0 == "--"bnd"--"   { st=0; next; }
      $0 == "--"bnd"--\r" { st=0; next; }

      # search for wanted file
      st == 1 && $0 ~  "^Content-Disposition:.* name=\""want"\"" { st=2; next; }
      st == 1 && $0 == "" { st=9; next; }

      # wait for newline, then start printing
      st == 2 && $0 == "" { st=3; next; }
      st == 3 { print $0 }
      ' 2>&1
  }
  cutFile 'userimage' < "${_POST_TMP}" > "${_HTDOCS}${_REQUEST_URI}"
  _ERR=$?
  errorCheck $_ERR
}

## find arbitrary option supplied in Content-Type header
## eg: "Content-Type:application/octet-stream; verbose=1"
findPostOpt() {
  for i in "${CONTENT_TYPE[@]:1}"; do
    case "${i/=*}" in 
      "$1") printf '%b' "${i/*=}" ;;
    esac
  done
  return 0
}

## sanitize by backslashing all expandable symbols
escapeStr() {
  printf "%q" "${*}"
}

## brutally replace unwanted characters
cleanFname() {
  shopt -s extglob
  local _STR="${*}"
  echo -n "${_STR//[^[:alnum:]._\-\/\\]/_}"
  shopt -u extglob
}

#### MAIN LOOP

logThis 'yes'

## timing
## TODO: remove it
## run once here and once at the end
#read t z < /proc/uptime

## check if we are in $_HTDOCS directory
cd $_HTDOCS || errorCheck $? 'htdocs unavailable'
[[ "${PWD}" == "${_HTDOCS}" ]] || errorCheck $? 'htdocs misconfigured'
if [[ "${REQUEST_METHOD^^}" == "POST" ]]; then
  [[ $CONTENT_LENGTH -gt 0 ]] || err 'content length is zero, 301 back to referer' '301'
  case "${CONTENT_TYPE^^}" in 
    APPLICATION/X-WWW-FORM-URLENCODED*) setQueryVars;;
                  MULTIPART/FORM-DATA*) getQueryFile;;
                                     *) _ERR=1; _OUT='this is not a post';;
  esac

  case $REQUEST_URI in
                *cmd) pwdChange;;
                   *) logThis 'bad action'; headerPrint 405; 
                      echo 'no such thing'; exit 1;;
  esac
fi

## URI is considered as a file dest to work with
## add 'index.html' to default and empty request uri
_REQUEST_URI="${REQUEST_URI/%\///index.html}"
_REQUEST_URI="$(urlDecode $_REQUEST_URI)"
_PATH="${_REQUEST_URI%/*}"

CONTENT_TYPE=( ${CONTENT_TYPE} )
_CONTENT_TYPE="${CONTENT_TYPE[0]/;}"
_ENC="${HTTP_CONTENT_ENCODING}"

#logThis "Len: $CONTENT_LENGTH Ctype: $CONTENT_TYPE Enc: $_CONTENT_ENCODING"

## check for 'verbose' option in POST
#findPostOpt 'verbose' || { _DEBUG=2; logThis 'verbose mode is requested'; }

logThis 'yes 2'


#_POST_TMP=$(mktemp -p $_TMP)  ## make tmp POST file
#cat > $_POST_TMP  ## cautiously storing entire POST in a file

## dispatching POST
case "${_CONTENT_TYPE}" in
  application\/x-www-form-urlencoded) postUrlenc ;;
           application\/octet-stream) postOctet ;;
                 multipart/form-data) postMpart ;;
                                   *) _ERR=1; _OUT='this is not a post' ;;
esac
#[[ -e $_POST_TMP ]] && rm -f $_POST_TMP

## make sure we are good
errorCheck $_ERR 

[[ -z $_OUT ]] || _OUT="${_OUT}\n"

headerPrint '200' ## on success
printf '%b' "${_OUT}" 
logThis 'OK 200' 

#read d z < /proc/uptime
#logThis $((${d/./}-${t/./}))"/100s"

exit 0

%>