%(title)s

X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/chopwood/blobdiff_plain/f21f5e88b5eb4b85899eabdb42eb0ee3ac08feb4..c81f8191afcbdce59ee937b544145139b4713e71:/cgi.py diff --git a/cgi.py b/cgi.py index 02797ce..8009eaf 100644 --- a/cgi.py +++ b/cgi.py @@ -59,7 +59,7 @@ CONF.DEFAULTS.update( ## Some handy regular expressions. R_URLESC = RX.compile('%([0-9a-fA-F]{2})') R_URLBAD = RX.compile('[^-\\w,.!]') -R_HTMLBAD = RX.compile('[&<>]') +R_HTMLBAD = RX.compile('[&<>\'"]') def urldecode(s): """Decode a single form-url-encoded string S.""" @@ -77,17 +77,18 @@ def htmlescape(s): ## Some standard character sequences, and HTML entity names for prettier ## versions. -_quotify = U.StringSubst({ +html_quotify = U.StringSubst({ + "<": '<', + ">": '>', + "&": '&', "`": '‘', "'": '’', + '"': '"', "``": '“', "''": '”', "--": '–', "---": '—' }) -def html_quotify(s): - """Return a pretty HTML version of S.""" - return _quotify(htmlescape(s)) ###-------------------------------------------------------------------------- ### Output machinery. @@ -104,6 +105,7 @@ class HTTPOutput (O.FileOutput): """Constructor: initialize `headerp' flag.""" super(HTTPOutput, me).__init__(*args, **kw) me.headerp = False + me.warnings = [] def write(me, msg): """Output protocol: print a header if we've not written one already.""" @@ -114,7 +116,7 @@ class HTTPOutput (O.FileOutput): """ Print a header, if none has yet been printed. - Keyword arguments can be passed to emit HTTP headers: see `http_header' + Keyword arguments can be passed to emit HTTP headers: see `http_headers' for the formatting rules. """ if me.headerp: return @@ -122,6 +124,17 @@ class HTTPOutput (O.FileOutput): for h in O.http_headers(content_type = content_type, **kw): me.writeln(h) me.writeln('') + if METHOD == 'HEAD': + HEADER_DONE() + + def warn(me, msg): + """ + Report a warning message. + + The warning is stashed in a list where it can be retrieved using + `warnings'. + """ + me.warnings.append(msg) def cookie(name, value, **kw): """ @@ -145,7 +158,7 @@ def cookie(name, value, **kw): T.gmtime(U.NOW + maxage)) return '; '.join(['%s=%s' % (urlencode(name), urlencode(value))] + [v is not True and '%s=%s' % (k, v) or k - for k, v in attr.iteritems()]) + for k, v in attr.iteritems() if v]) def action(*v, **kw): """ @@ -166,47 +179,6 @@ def static(name): """Build a URL for the static file NAME.""" return htmlescape(CFG.STATIC + '/' + name) -@CTX.contextmanager -def html(title, **kw): - """ - Context manager for HTML output. - - Keyword arguments are output as HTTP headers (if no header has been written - yet). A `' element is written, and a `' opened, before the - context body is executed; the elements are closed off properly at the end. - """ - - kw = dict(kw, content_type = 'text/html') - OUT.header(**kw) - - ## Write the HTML header. - PRINT("""\ - - - - %(title)s - - - -""" % dict(title = html_quotify(title), - style = static('chpwd.css'), - script = static('chpwd.js'))) - - ## Write the body. - PRINT('') - yield None - PRINT('''\ - -

- - -''' % dict(about = static('about.html'), - version = VERSION)) - def redirect(where, **kw): """ Write a complete redirection to some other URL. @@ -237,7 +209,8 @@ def set_template_keywords(): package = PACKAGE, version = VERSION, script = CFG.SCRIPT_NAME, - static = CFG.STATIC) + static = CFG.STATIC, + allowop = CFG.ALLOWOP) class TemplateFinder (object): """ @@ -252,7 +225,7 @@ class TemplateFinder (object): with open(OS.path.join(me._dir, key)) as f: tmpl = f.read() me._cache[key] = tmpl return tmpl -TMPL = TemplateFinder(TMPLDIR) +STATE.kw['TMPL'] = TMPL = TemplateFinder(TMPLDIR) @CTX.contextmanager def tmplkw(**kw): @@ -270,13 +243,36 @@ class FormatHTML (F.SimpleFormatOperation): """ ~H: escape output suitable for inclusion in HTML. - With `:', instead apply form-urlencoding. + With `:', additionally apply quotification. """ def _convert(me, arg): if me.colonp: return html_quotify(arg) else: return htmlescape(arg) FORMATOPS['H'] = FormatHTML +class FormatWrap (F.BaseFormatOperation): + """ + ~<...~@>: wrap enclosed material in another formatting control string. + + The argument is a formatting control. The enclosed material is split into + pieces separated by `~;' markers. The formatting control is performed, and + passed the list of pieces (as compiled formatting operations) in the + keyword argument `wrapped'. + """ + def __init__(me, *args): + super(FormatWrap, me).__init__(*args) + pieces = [] + while True: + piece, delim = F.collect_subformat('>;') + pieces.append(piece) + if delim.char == '>': break + me.pieces = pieces + def _format(me, atp, colonp): + op = F.compile(me.getarg.get()) + with F.FORMAT.bind(argmap = dict(F.FORMAT.argmap, wrapped = me.pieces)): + op.format() +FORMATOPS['<'] = FormatWrap + def format_tmpl(control, **kw): with F.COMPILE.bind(opmaps = [FORMATOPS, F.BASEOPS]): with tmplkw(**kw): @@ -286,7 +282,8 @@ def page(template, header = {}, title = 'Chopwood', **kw): header = dict(header, content_type = 'text/html') OUT.header(**header) format_tmpl(TMPL['wrapper.fhtml'], - title = title, payload = TMPL[template], **kw) + title = title, warnings = OUT.warnings, + payload = TMPL[template], **kw) ###-------------------------------------------------------------------------- ### Error reporting. @@ -305,7 +302,7 @@ def cgi_errors(hook = None): if hook: hook() if isinstance(e, U.ExpectedError) and not OUT.headerp: page('error.fhtml', - headers = dict(status = e.code), + header = dict(status = e.code), title = 'Chopwood: error', error = e) else: exty, exval, extb = SYS.exc_info() @@ -319,7 +316,7 @@ def cgi_errors(hook = None): format_tmpl(TMPL['exception.fhtml'], toplevel = False) else: page('exception.fhtml', - headers = dict(status = 500), + header = dict(status = 500), title = 'Chopwood: internal error', toplevel = True) @@ -327,11 +324,14 @@ def cgi_errors(hook = None): ### CGI input. ## Lots of global variables to be filled in by `cgiparse'. +METHOD = None COOKIE = {} SPECIAL = {} PARAM = [] PARAMDICT = {} PATH = [] +SSLP = False +HEADER_DONE = lambda: None ## Regular expressions for splitting apart query and cookie strings. R_QSPLIT = RX.compile('[;&]') @@ -387,34 +387,40 @@ def cgiparse(): `PATH' The trailing `PATH_INFO' path, split at `/' markers, with any trailing empty component removed. + + `SSLP' + True if the client connection is carried over SSL or TLS. """ + global METHOD, SSLP + def getenv(var): try: return ENV[var] except KeyError: raise U.ExpectedError, (500, "No `%s' supplied" % var) ## Yes, we want the request method. - method = getenv('REQUEST_METHOD') + METHOD = getenv('REQUEST_METHOD') ## Acquire the query string. - if method == 'GET': - q = getenv('QUERY_STRING') + if METHOD in ['GET', 'HEAD']: + q = ENV.get('QUERY_STRING', '') - elif method == 'POST': + elif METHOD == 'POST': ## We must read the query string from stdin. n = getenv('CONTENT_LENGTH') if not n.isdigit(): raise U.ExpectedError, (500, "Invalid CONTENT_LENGTH") n = int(n, 10) - if getenv('CONTENT_TYPE') != 'application/x-www-form-urlencoded': + ct = getenv('CONTENT_TYPE') + if ct != 'application/x-www-form-urlencoded': raise U.ExpectedError, (500, "Unexpected content type `%s'" % ct) q = SYS.stdin.read(n) if len(q) != n: raise U.ExpectedError, (500, "Failed to read correct length") else: - raise U.ExpectedError, (500, "Unexpected request method `%s'" % method) + raise U.ExpectedError, (500, "Unexpected request method `%s'" % METHOD) ## Populate the `SPECIAL', `PARAM' and `PARAMDICT' tables. seen = set() @@ -424,7 +430,8 @@ def cgiparse(): else: PARAM.append((k, v)) if k in seen: - del PARAMDICT[k] + try: del PARAMDICT[k] + except KeyError: pass else: PARAMDICT[k] = v seen.add(k) @@ -443,6 +450,10 @@ def cgiparse(): if pp and not pp[-1]: pp.pop() PATH[:] = pp + ## Check the crypto for the connection. + if ENV.get('SSL_PROTOCOL'): + SSLP = True + ###-------------------------------------------------------------------------- ### CGI subcommands. @@ -454,6 +465,11 @@ class Subcommand (SC.Subcommand): CGI parameters. """ + def __init__(me, name, contexts, desc, func, + methods = ['GET', 'POST'], *args, **kw): + super(Subcommand, me).__init__(name, contexts, desc, func, *args, **kw) + me.methods = set(methods) + def cgi(me, param, path): """ Invoke the subcommand given a collection of CGI parameters. @@ -470,6 +486,8 @@ class Subcommand (SC.Subcommand): the list of path elements is non-empty. """ + global HEADER_DONE + ## We're going to make a pass over the supplied parameters, and we'll ## check them off against the formal parameters as we go; so we'll need ## to be able to look them up. We'll also keep track of the ones we've @@ -483,6 +501,12 @@ class Subcommand (SC.Subcommand): want = {} kw = {} + ## Check the request method against the permitted list. + meth = METHOD + if meth == 'HEAD': meth = 'GET' + if meth not in me.methods: + raise U.ExpectedError, (500, "Unexpected request method `%s'" % METHOD) + def set_value(k, v): """Set a simple value: we shouldn't see multiple values.""" if k in kw: