I have an environment where I only have sh (actually ash) available for writing cgi scripts in. I've tried googling around to find the best way to read and split down a POST into its constituent parts but can't find any examples. Can anyone give me any code or links to code to split a POST down in a sensible way?
I have a limited number of possible inputs, currently 5 values, if that makes any difference.
Offline
Try this shell hackery I smashed together -- it parses www-urlencoded strings
#!/bin/bash
##
## A function to decode a urlencoded string of any number of key=value pairs.
## needs only 1 parameter, the string to decode
## (uses bash arrays and process substitution, so it needs bash, not plain sh)
declare -a DECODED
function urldecode {
    DECODED=() #clear array
    local i=0 s charno char #array index, start at 0
    while IFS= read -r s #reads one key=value pair per line, without word splitting or globbing
    do
        s=$(printf '%s\n' "${s}" | tr '+' ' ') #replace pluses with spaces
        #this lets us iterate through all the urlencoded values in the string s...
        #(sort -u removes every duplicate; %25 is held back so a decoded % cannot start a new escape)
        for charno in $(printf '%s\n' "${s}" | grep -o '%[0-9A-Fa-f]\{2\}' | tr -d '%' | sort -u | grep -v '^25$')
        do
            #... and then replace them
            char=$(printf "\x${charno}") #this is the actual character (%00 and %0A come out empty)
            case "${char}" in
                '\'|'/'|'&') char="\\${char}" ;; #only these need escaping in a sed replacement
            esac
            s=$(printf '%s\n' "${s}" | sed "s/%${charno}/${char}/g") #g: replace every occurrence
        done
        s=$(printf '%s\n' "${s}" | sed 's/%25/%/g') #decode the percent sign last
        DECODED[${i}]=${s} #store the result in the array, at index i
        i=$((i + 1)) #increment array index
    done < <(printf '%s\n' "${1}" | tr '&' '\n') #splits the string into lines at each &
}
####
## Usage is shown here
STR="name=Gnud&distro=Arch+Linux&math=2%2B2%3D4" #string with urlencoded data
urldecode "${STR}" #call the function, the result is stored in DECODED
for pair in "${DECODED[@]}" #loop through the array of results
do
    printf '%s\n' "${pair}" #print the key=value pair
done
Try putting that code in a shell file and execute it.
It needs sed and tr, and might use some bash specific functions.
Offline
That looks good, thanks.
As most of the params being passed in are going to be passed to command line apps (iwpriv and others) I've got to work out how to make sure they are properly sanitised. Any tips on that?
Offline
I assume you are working with a discrete and known set of parameters? If so, just don't pass the parameters themselves to the user, send a key or something that identifies it. When you look up the parameter for a specific key, you know it's already sane, because you typed it in yourself. If you let the user type in parameters directly, tell them to use ssh instead of a cgi script.
Offline
Of course, if you're talking about IP addresses or port numbers, then check with a regex. I think I would use grep, and check if there is output. If there's no output, the input is invalid.
Offline
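The two checks suggested in the posts above (a key lookup for a known set of values, a regex for addresses and ports), as an added example that is not part of the original thread. The field names, keys and mapped values are hypothetical, and it sticks to POSIX sh so it runs under ash.

```shell
#!/bin/sh
# Added example, not from the thread. Field names, keys and mapped values
# are hypothetical.

# Discrete options: the form sends a short key and the real argument is a
# literal written here, so request data never reaches the command line.
lookup_mode() {
    case "$1" in
        m1) echo "managed" ;;
        m2) echo "adhoc" ;;
        *)  return 1 ;;                     # unknown key: reject
    esac
}

# IPv4: reject any character outside digits and dots first. That also stops
# an embedded newline, which grep would otherwise treat as a second line and
# accept the input because the first line matched.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    o='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eqx "($o\\.){3}$o"
}

# Port: digits only, at most 5 of them, then a numeric range check.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Take one decoded key=value pair; print the vetted value or return non-zero.
check_pair() {
    key=${1%%=*}; val=${1#*=}
    case "$key" in
        mode) lookup_mode "$val" ;;
        ip)   valid_ipv4 "$val" && printf '%s\n' "$val" ;;
        port) valid_port "$val" && printf '%s\n' "$val" ;;
        *)    return 1 ;;                   # field not on the list: reject
    esac
}

# Constructed sample pairs, as a decoder would hand them over.
for pair in 'mode=m2' 'ip=192.168.1.10' 'port=8080' 'ip=10.0.0.1;x' 'port=70000'
do
    if out=$(check_pair "$pair"); then
        printf 'ok       %s -> %s\n' "$pair" "$out"
    else
        printf 'rejected %s\n' "$pair"
    fi
done
```

Only the value printed by check_pair should be placed on a command line, and always inside double quotes.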
Currently, all except one of the fields can be checked with either a regex or by passing params. The one field that is left I was planning to cheat a bit on and limit it to a reasonable alpha-numeric-symbol list.
I'm thinking of future proofing at the initial development stage and having the code built in ready to use if I need it rather than really needing it now.
Offline