X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/chopwood/blobdiff_plain/a2916c0635fec5b45ad742904db9f5769b48f53d..b53a8abe0e74514e8d9d7225766190ca978e2a95:/cgi.py diff --git a/cgi.py b/cgi.py index f69646c..3b3d441 100644 --- a/cgi.py +++ b/cgi.py @@ -59,7 +59,7 @@ CONF.DEFAULTS.update( ## Some handy regular expressions. R_URLESC = RX.compile('%([0-9a-fA-F]{2})') R_URLBAD = RX.compile('[^-\\w,.!]') -R_HTMLBAD = RX.compile('[&<>]') +R_HTMLBAD = RX.compile('[&<>\'"]') def urldecode(s): """Decode a single form-url-encoded string S.""" @@ -77,17 +77,18 @@ def htmlescape(s): ## Some standard character sequences, and HTML entity names for prettier ## versions. -_quotify = U.StringSubst({ +html_quotify = U.StringSubst({ + "<": '<', + ">": '>', + "&": '&', "`": '‘', "'": '’', + '"': '"', "``": '“', "''": '”', "--": '–', "---": '—' }) -def html_quotify(s): - """Return a pretty HTML version of S.""" - return _quotify(htmlescape(s)) ###-------------------------------------------------------------------------- ### Output machinery. @@ -145,7 +146,7 @@ def cookie(name, value, **kw): T.gmtime(U.NOW + maxage)) return '; '.join(['%s=%s' % (urlencode(name), urlencode(value))] + [v is not True and '%s=%s' % (k, v) or k - for k, v in attr.iteritems()]) + for k, v in attr.iteritems() if v]) def action(*v, **kw): """ @@ -166,47 +167,6 @@ def static(name): """Build a URL for the static file NAME.""" return htmlescape(CFG.STATIC + '/' + name) -@CTX.contextmanager -def html(title, **kw): - """ - Context manager for HTML output. - - Keyword arguments are output as HTTP headers (if no header has been written - yet). A `' element is written, and a `' opened, before the - context body is executed; the elements are closed off properly at the end. - """ - - kw = dict(kw, content_type = 'text/html') - OUT.header(**kw) - - ## Write the HTML header. - PRINT("""\ - - - - %(title)s - - - -""" % dict(title = html_quotify(title), - style = static('chpwd.css'), - script = static('chpwd.js'))) - - ## Write the body. - PRINT('') - yield None - PRINT('''\ - -
- Chopwood, version %(version)s: - copyright © 2012 Mark Wooding -
- - -''' % dict(about = static('about.html'), - version = VERSION)) - def redirect(where, **kw): """ Write a complete redirection to some other URL. @@ -270,7 +230,7 @@ class FormatHTML (F.SimpleFormatOperation): """ ~H: escape output suitable for inclusion in HTML. - With `:', instead apply form-urlencoding. + With `:', additionally apply quotification. """ def _convert(me, arg): if me.colonp: return html_quotify(arg) @@ -291,74 +251,6 @@ def page(template, header = {}, title = 'Chopwood', **kw): ###-------------------------------------------------------------------------- ### Error reporting. -def cgi_error_guts(): - """ - Report an exception while we're acting as a CGI, together with lots of - information about our state. - - Our caller has, probably at great expense, arranged that we can format lots - of text. - """ - - ## Grab the exception information. - exty, exval, extb = SYS.exc_info() - - ## Print the exception itself. - PRINT("""\ -

Exception

-
%s
""" % html_quotify( - '\n'.join(TB.format_exception_only(exty, exval)))) - - ## Format a traceback so we can find out what has gone wrong. - PRINT("""\ -

Traceback

-
    """) - for file, line, func, text in TB.extract_tb(extb, 20): - PRINT("
  1. %s:%d (%s)" % ( - htmlescape(file), line, htmlescape(func))) - if text is not None: - PRINT("
    %s" % htmlescape(text)) - PRINT("
") - - ## Format various useful tables. - def fmt_dict(d): - fmt_kvlist(d.iteritems()) - def fmt_kvlist(l): - for k, v in sorted(l): - PRINT("%s%s" % ( - htmlescape(k), htmlescape(v))) - def fmt_list(l): - for i in l: - PRINT("%s" % htmlescape(i)) - - PRINT("""\ -

Parameters

""") - for what, thing, how in [('Query', PARAM, fmt_kvlist), - ('Cookies', COOKIE, fmt_dict), - ('Path', PATH, fmt_list), - ('Environment', ENV, fmt_dict)]: - PRINT("

%s

\n" % what) - how(thing) - PRINT("
") - -def cgi_error(): - """ - Report an exception while in CGI mode. - - If we've not produced a header yet, then we can do that, and produce a - status code and everything; otherwise we'll have to make do with a small - piece of the page. - """ - if OUT.headerp: - PRINT("
") - cgi_error_guts() - PRINT("
\n") - else: - with html("chpwd internal error", status = 500): - PRINT("

chpwd internal error

") - cgi_error_guts() - SYS.exit(1) - @CTX.contextmanager def cgi_errors(hook = None): """ @@ -373,7 +265,7 @@ def cgi_errors(hook = None): if hook: hook() if isinstance(e, U.ExpectedError) and not OUT.headerp: page('error.fhtml', - headers = dict(status = e.code), + header = dict(status = e.code), title = 'Chopwood: error', error = e) else: exty, exval, extb = SYS.exc_info() @@ -387,7 +279,7 @@ def cgi_errors(hook = None): format_tmpl(TMPL['exception.fhtml'], toplevel = False) else: page('exception.fhtml', - headers = dict(status = 500), + header = dict(status = 500), title = 'Chopwood: internal error', toplevel = True) @@ -400,6 +292,7 @@ SPECIAL = {} PARAM = [] PARAMDICT = {} PATH = [] +SSLP = False ## Regular expressions for splitting apart query and cookie strings. R_QSPLIT = RX.compile('[;&]') @@ -455,8 +348,13 @@ def cgiparse(): `PATH' The trailing `PATH_INFO' path, split at `/' markers, with any trailing empty component removed. + + `SSLP' + True if the client connection is carried over SSL or TLS. """ + global SSLP + def getenv(var): try: return ENV[var] except KeyError: raise U.ExpectedError, (500, "No `%s' supplied" % var) @@ -511,6 +409,10 @@ def cgiparse(): if pp and not pp[-1]: pp.pop() PATH[:] = pp + ## Check the crypto for the connection. + if ENV.get('SSL_PROTOCOL'): + SSLP = True + ###-------------------------------------------------------------------------- ### CGI subcommands.