--- parser3/src/classes/file.C 2007/02/28 19:08:46 1.153 +++ parser3/src/classes/file.C 2009/09/08 09:12:47 1.201 @@ -1,16 +1,14 @@ /** @file Parser: @b file parser class. - Copyright (c) 2001-2005 ArtLebedev Group (http://www.artlebedev.com) + Copyright (c) 2001-2009 ArtLebedev Group (http://www.artlebedev.com) Author: Alexandr Petrosian (http://paf.design.ru) */ -static const char * const IDENT_FILE_C="$Date: 2007/02/28 19:08:46 $"; +static const char * const IDENT_FILE_C="$Date: 2009/09/08 09:12:47 $"; #include "pa_config_includes.h" -#include "pcre.h" - #include "classes.h" #include "pa_vmethod_frame.h" @@ -26,19 +24,15 @@ static const char * const IDENT_FILE_C=" #include "pa_charsets.h" #include "pa_sql_connection.h" #include "pa_md5.h" +#include "pa_vregex.h" // defines -#define TEXT_MODE_NAME "text" -#define BINARY_MODE_NAME "binary" #define STDIN_EXEC_PARAM_NAME "stdin" #define CHARSET_EXEC_PARAM_NAME "charset" #define NAME_NAME "name" -#define FILE_NAME_MUST_BE_STRING "file name must be string" -#define FILE_NAME_MUST_NOT_BE_CODE "file name must not be code" - // externs extern String sql_limit_name; @@ -49,7 +43,7 @@ extern String sql_offset_name; class MFile: public Methoded { public: // VStateless_class - Value* create_new_value(Pool&, HashStringValue&) { return new VFile(); } + Value* create_new_value(Pool&) { return new VFile(); } public: // Methoded bool used_directly() { return true; } @@ -117,23 +111,40 @@ static const String::Body cdate_name("cd // methods +static bool is_valid_mode (const String& mode) { + return (mode==text_mode_name || mode==binary_mode_name); +} + static bool is_text_mode(const String& mode) { - if(mode==TEXT_MODE_NAME) + if(mode==text_mode_name) return true; - if(mode==BINARY_MODE_NAME) + if(mode==binary_mode_name) return false; - throw Exception("parser.runtime", + throw Exception(PARSER_RUNTIME, &mode, "is invalid mode, must be either '"TEXT_MODE_NAME"' or '"BINARY_MODE_NAME"'"); } static void _save(Request& r, 
MethodParams& params) { - Value& vmode_name=params. as_no_junction(0, "mode must not be code"); + bool is_text=is_text_mode(params.as_no_junction(0, MODE_MUST_NOT_BE_CODE).as_string()); Value& vfile_name=params.as_no_junction(1, FILE_NAME_MUST_NOT_BE_CODE); + Charset* asked_charset=0; + if(params.count()>2) + if(HashStringValue* options=params.as_no_junction(2, OPTIONS_MUST_NOT_BE_CODE).get_hash()){ + size_t valid_options=0; + if(Value* vcharset_name=options->get(PA_CHARSET_NAME)){ + asked_charset=&::charsets.get(vcharset_name->as_string().change_case(r.charsets.source(), String::CC_UPPER)); + valid_options++; + } + if(valid_options != options->count()) + throw Exception(PARSER_RUNTIME, + 0, + INVALID_OPTION_PASSED); + } + // save - GET_SELF(r, VFile).save(r.absolute(vfile_name.as_string()), - is_text_mode(vmode_name.as_string())); + GET_SELF(r, VFile).save(r.charsets, r.absolute(vfile_name.as_string()), is_text, asked_charset); } static void _delete(Request& r, MethodParams& params) { @@ -154,10 +165,10 @@ static void _move(Request& r, MethodPara } static void copy_process_source( - struct stat& , - int from_file, - const String& , const char* /*fname*/, bool, - void *context) { + struct stat& , + int from_file, + const String& , const char* /*fname*/, bool, + void *context) { int& to_file=*static_cast(context); int nCount=0; @@ -166,7 +177,7 @@ static void copy_process_source( nCount = file_block_read(from_file, buffer, sizeof(buffer)); int written=write(to_file, buffer, nCount); if( written < 0 ) - throw Exception(0, + throw Exception("file.access", 0, "write failed: %s (%d)", strerror(errno), errno); @@ -185,8 +196,6 @@ static void _copy(Request& r, MethodPara String from_spec = r.absolute(vfrom_file_name.as_string()); const String& to_spec = r.absolute(vto_file_name.as_string()); - // create_dir_for_file(to_spec); - file_write_action_under_lock( to_spec, "copy", @@ -195,47 +204,55 @@ static void _copy(Request& r, MethodPara } static void _load_pass_param( - 
HashStringValue::key_type key, - HashStringValue::value_type value, - HashStringValue *dest) { + HashStringValue::key_type key, + HashStringValue::value_type value, + HashStringValue *dest) { dest->put(key, value); } + static void _load(Request& r, MethodParams& params) { - Value& vmode_name=params. as_no_junction(0, "mode must not be code"); + bool as_text=is_text_mode(params.as_no_junction(0, MODE_MUST_NOT_BE_CODE).as_string()); const String& lfile_name=r.absolute(params.as_no_junction(1, FILE_NAME_MUST_NOT_BE_CODE).as_string()); - Value* third_param=params.count()>2?&params.as_no_junction(2, "filename or options must not be code") - :0; - HashStringValue* third_param_hash=third_param?third_param->get_hash():0; - size_t alt_filename_param_index=2; - if(third_param_hash) - alt_filename_param_index++; - HashStringValue* options=third_param_hash; + size_t param_index=params.count()-1; + Value* param_value=param_index>1?&params.as_no_junction(param_index, "filename or options must not be code"):0; + + HashStringValue* options=0; + const char *user_file_name=0; + + if(param_value){ + options=param_value->get_hash(); + if(options || param_index>2) + param_index--; + if(param_index>1){ + const String& luser_file_name=params.as_string(param_index, FILE_NAME_MUST_BE_STRING); + if(!luser_file_name.is_empty()) + user_file_name=luser_file_name.taint_cstr(String::L_FILE_SPEC); + } + } + if(!user_file_name) + user_file_name=lfile_name.taint_cstr(String::L_FILE_SPEC); + size_t offset=0; size_t limit=0; - if(options) { + + if(options){ options=new HashStringValue(*options); - if(Value *voffset=(Value *)options->get(sql_offset_name)) { + if(Value *voffset=(Value *)options->get(sql_offset_name)){ offset=r.process_to_value(*voffset).as_int(); } - if(Value *vlimit=(Value *)options->get(sql_limit_name)) { + if(Value *vlimit=(Value *)options->get(sql_limit_name)){ limit=r.process_to_value(*vlimit).as_int(); } // no check on options count here, see file_read } - File_read_result
file=file_read(r.charsets, lfile_name, - is_text_mode(vmode_name.as_string()), - options, true, 0, offset, limit + File_read_result file=file_load(r, lfile_name, + as_text, options, true, 0, offset, limit ); - const char *user_file_name=params.count()>alt_filename_param_index? - params.as_string(alt_filename_param_index, FILE_NAME_MUST_BE_STRING).cstr() - :lfile_name.cstr(String::L_FILE_SPEC); - Value* vcontent_type=0; - if(file.headers) - { - if(Value* remote_content_type=file.headers->get("CONTENT-TYPE")) + if(file.headers){ + if(Value* remote_content_type=file.headers->get(HTTP_CONTENT_TYPE_UPPER)) vcontent_type=new VString(*new String(remote_content_type->as_string().cstr())); } if(!vcontent_type) @@ -243,27 +260,43 @@ static void _load(Request& r, MethodPara VFile& self=GET_SELF(r, VFile); self.set(true/*tainted*/, file.str, file.length, user_file_name, vcontent_type); - if(file.headers) + + self.set_mode(as_text); + + if(file.headers){ file.headers->for_each(_load_pass_param, &self.fields()); + } else { + size_t size; + time_t atime, mtime, ctime; + + file_stat(lfile_name, size, atime, mtime, ctime); + + HashStringValue& ff=self.fields(); + ff.put(adate_name, new VDate(atime)); + ff.put(mdate_name, new VDate(mtime)); + ff.put(cdate_name, new VDate(ctime)); + } } static void _create(Request& r, MethodParams& params) { - Value& vmode_name=params. 
as_no_junction(0, "mode must not be code"); - if(!is_text_mode(vmode_name.as_string())) - throw Exception("parser.runtime", + const String& mode_name=params.as_no_junction(0, MODE_MUST_NOT_BE_CODE).as_string(); + if(!is_text_mode(mode_name)) + throw Exception(PARSER_RUNTIME, 0, "only text mode is currently supported"); const char* user_file_name_cstr=r.absolute( - params.as_no_junction(1, FILE_NAME_MUST_NOT_BE_CODE).as_string()).cstr(String::L_FILE_SPEC); + params.as_no_junction(1, FILE_NAME_MUST_NOT_BE_CODE).as_string()).taint_cstr(String::L_FILE_SPEC); const String& content=params.as_string(2, "content must be string"); - const char* content_cstr=content.cstr(String::L_UNSPECIFIED); // explode content, honor tainting changes + const String::Body content_body=content.cstr_to_string_body_untaint(String::L_AS_IS); // explode content, honor tainting changes VString* vcontent_type=new VString(r.mime_type_of(user_file_name_cstr)); VFile& self=GET_SELF(r, VFile); - self.set(true/*tainted*/, content_cstr, strlen(content_cstr), user_file_name_cstr, vcontent_type); + self.set(true/*tainted*/, content_body.cstr(), content_body.length(), user_file_name_cstr, vcontent_type); + + self.set_mode(true/*as_text*/); } static void _stat(Request& r, MethodParams& params) { @@ -277,13 +310,15 @@ static void _stat(Request& r, MethodPara size, atime, mtime, ctime); + const char* user_file_name=lfile_name.taint_cstr(String::L_FILE_SPEC); + VFile& self=GET_SELF(r, VFile); - self.set(true/*tainted*/, 0/*no bytes*/, size); + + self.set(true/*tainted*/, 0/*no bytes*/, size, user_file_name, new VString(r.mime_type_of(user_file_name))); HashStringValue& ff=self.fields(); ff.put(adate_name, new VDate(atime)); ff.put(mdate_name, new VDate(mtime)); ff.put(cdate_name, new VDate(ctime)); - ff.put(content_type_name, new VString(r.mime_type_of(lfile_name.cstr(String::L_FILE_SPEC)))); } static bool is_safe_env_key(const char* key) { @@ -310,19 +345,19 @@ struct Append_env_pair_info { }; #endif static 
void append_env_pair( - HashStringValue::key_type akey, - HashStringValue::value_type avalue, - Append_env_pair_info *info) { + HashStringValue::key_type akey, + HashStringValue::value_type avalue, + Append_env_pair_info *info) { if(akey==STDIN_EXEC_PARAM_NAME) { info->vstdin=avalue; } else if(akey==CHARSET_EXEC_PARAM_NAME) { // ignore, already processed } else { if(!is_safe_env_key(akey.cstr())) - throw Exception("parser.runtime", + throw Exception(PARSER_RUNTIME, new String(akey, String::L_TAINTED), "not safe environment variable"); - info->env->put(akey, avalue->as_string().cstr_to_string_body(String::L_UNSPECIFIED, 0, info->charsets)); + info->env->put(akey, avalue->as_string().cstr_to_string_body_untaint(String::L_AS_IS, 0, info->charsets)); } } #ifndef DOXYGEN @@ -333,23 +368,41 @@ struct Pass_cgi_header_attribute_info { }; #endif static void pass_cgi_header_attribute( - ArrayString::element_type astring, - Pass_cgi_header_attribute_info* info) { + ArrayString::element_type astring, + Pass_cgi_header_attribute_info* info) { size_t colon_pos=astring->pos(':'); if(colon_pos!=STRING_NOT_FOUND) { const String& key=astring->mid(0, colon_pos).change_case( *info->charset, String::CC_UPPER); Value* value=new VString(astring->mid(colon_pos+1, astring->length()).trim()); info->fields->put(key, value); - if(key=="CONTENT-TYPE") + if(key==HTTP_CONTENT_TYPE_UPPER) info->content_type=value; } } + +static void append_to_argv(Request& r, ArrayString& argv, const String* str){ + if(!str->is_empty()) + argv+=new String(str->cstr_to_string_body_untaint(String::L_AS_IS, 0, &r.charsets), String::L_AS_IS); +} + /// @todo fix `` in perl - they produced flipping consoles and no output to perl -static void _exec_cgi(Request& r, MethodParams& params, - bool cgi) { +static void _exec_cgi(Request& r, MethodParams& params, bool cgi) { + bool as_text=true; + size_t param_index=0; + const String& mode_name=params.as_no_junction(0, FIRST_ARG_MUST_NOT_BE_CODE).as_string(); + 
if(is_valid_mode(mode_name)){ + as_text=is_text_mode(mode_name); + param_index++; + } - Value& vfile_name=params.as_no_junction(0, FILE_NAME_MUST_NOT_BE_CODE); + if(param_index>=params.count()) + throw Exception(PARSER_RUNTIME, + 0, + "file name must be specified"); + + + Value& vfile_name=params.as_no_junction(param_index++, FILE_NAME_MUST_NOT_BE_CODE); const String& script_name=r.absolute(vfile_name.as_string()); @@ -358,7 +411,7 @@ static void _exec_cgi(Request& r, Method if(value_cstr) \ env.put( \ String::Body(#name), \ - String::Body(value_cstr, 0)); \ + String::Body(*value_cstr?value_cstr:0)); \ // passing SAPI::environment if(const char *const *pairs=SAPI::environment(r.sapi_info)) { while(const char* pair=*pairs++) @@ -378,10 +431,7 @@ static void _exec_cgi(Request& r, Method ECSTR(QUERY_STRING, r.request_info.query_string); ECSTR(REQUEST_URI, r.request_info.uri); ECSTR(CONTENT_TYPE, r.request_info.content_type); - char content_length_cstr[MAX_NUMBER]; - snprintf(content_length_cstr, MAX_NUMBER, "%u", r.request_info.content_length); - //String content_length(content_length_cstr); - ECSTR(CONTENT_LENGTH, content_length_cstr); + ECSTR(CONTENT_LENGTH, format(r.request_info.content_length, "%u")); // SCRIPT_* env.put(String::Body("SCRIPT_NAME"), script_name); //env.put(String::Body("SCRIPT_FILENAME"), ??&script_name); @@ -390,8 +440,8 @@ static void _exec_cgi(Request& r, Method // environment & stdin from param String *in=new String(); Charset *charset=0; // default script works raw_in 'source' charset = no transcoding needed - if(params.count()>1) { - Value& venv=params.as_no_junction(1, "env must not be code"); + if(param_index < params.count()) { + Value& venv=params.as_no_junction(param_index++, "env must not be code"); if(HashStringValue* user_env=venv.get_hash()) { // $.charset [previewing to handle URI pieces] if(Value* vcharset=user_env->get(CHARSET_EXEC_PARAM_NAME)) @@ -412,10 +462,10 @@ static void _exec_cgi(Request& r, Method if(const String* 
sstdin=info.vstdin->get_string()) { in->append(*sstdin, String::L_CLEAN, true); } else - if(VFile* vfile=static_cast(info.vstdin->as("file", false))) + if(VFile* vfile=static_cast(info.vstdin->as("file"))) in->append_know_length((const char* )vfile->value_ptr(), vfile->value_size(), String::L_TAINTED); else - throw Exception("parser.runtime", + throw Exception(PARSER_RUNTIME, 0, STDIN_EXEC_PARAM_NAME " parameter must be string or file"); } @@ -424,14 +474,27 @@ static void _exec_cgi(Request& r, Method // argv from params ArrayString argv; - if(params.count()>2) { - // influence tainting - // main target -- URLencoding of tainted pieces to String::L_URI lang - Temp_client_charset temp(r.charsets, charset? *charset: r.charsets.source()); - for(size_t i=2; i 0) { - argv+=new String(param.cstr_to_string_body(String::L_UNSPECIFIED, 0, &r.charsets), String::L_AS_IS); + if(param_index < params.count()) { + // influence tainting + Temp_client_charset temp(r.charsets, charset? *charset: r.charsets.source()); + + for(size_t i=param_index; icount(); i++) { + append_to_argv(r, argv, table->get(i)->get(0)); + } + } else { + throw Exception(PARSER_RUNTIME, + 0, + "param must be string or table"); + } + } } } } @@ -447,83 +510,106 @@ static void _exec_cgi(Request& r, Method // match silent conversion in OS // exec! 
- PA_exec_result execution= - pa_exec(false/*forced_allow*/, script_name, &env, argv, *in); + PA_exec_result execution=pa_exec(false/*forced_allow*/, script_name, &env, argv, *in); - String *real_out=&execution.out; + File_read_result *file_out=&execution.out; String *real_err=&execution.err; - // transcode if necessary - if(charset) { - real_out=&Charset::transcode(*real_out, *charset, r.charsets.source()); + + // transcode err if necessary (@todo: need fix line breaks in err as well ) + if(charset) real_err=&Charset::transcode(*real_err, *charset, r.charsets.source()); + + if(file_out->length && as_text){ + fix_line_breaks(file_out->str, file_out->length); + // treat output as string + String *real_out = new String(file_out->str); + + // transcode out if necessary + if(charset) + real_out=&Charset::transcode(*real_out, *charset, r.charsets.source()); + + // FIXME: unsafe cast + file_out->str=const_cast(real_out->cstr()); // hacking a little + file_out->length = real_out->length(); } VFile& self=GET_SELF(r, VFile); - const String* body=real_out; // ^file:exec - const char* eol_marker=0; size_t eol_marker_size; - const String* header=0; - if(cgi) { // ^file:cgi + if(cgi) { // ^file::cgi + const char* eol_marker=0; + size_t eol_marker_size; + // construct with 'out' body and header - size_t dos_pos=real_out->pos("\r\n\r\n", 4); - size_t unix_pos=real_out->pos("\n\n", 2); + size_t dos_pos=(file_out->length)?strpos(file_out->str, "\r\n\r\n"):STRING_NOT_FOUND; + size_t unix_pos=(file_out->length)?strpos(file_out->str, "\n\n"):STRING_NOT_FOUND; bool unix_header_break; switch((dos_pos!=STRING_NOT_FOUND?10:00) + (unix_pos!=STRING_NOT_FOUND?01:00)) { - case 10: // dos - unix_header_break=false; - break; - case 01: // unix - unix_header_break=true; - break; - case 11: // dos & unix - unix_header_break=unix_poslength(), real_out->cstr(), - (uint)real_err->length(), real_err->cstr()); - break; //never reached + case 10: // dos + unix_header_break=false; + break; + case 01: // 
unix + unix_header_break=true; + break; + case 11: // dos & unix + unix_header_break=unix_poslength, (file_out->length) ? (file_out->str) : "", + real_err->length(), real_err->cstr()); + break; //never reached } - int header_break_pos; + size_t header_break_pos; if(unix_header_break) { header_break_pos=unix_pos; - eol_marker="\n"; eol_marker_size=1; + eol_marker="\n"; + eol_marker_size=1; } else { header_break_pos=dos_pos; - eol_marker="\r\n"; eol_marker_size=2; + eol_marker="\r\n"; + eol_marker_size=2; } - header=&real_out->mid(0, header_break_pos); - body=&real_out->mid(header_break_pos+eol_marker_size*2, real_out->length()); + file_out->str[header_break_pos] = 0; + String *header=new String(file_out->str); + unsigned long headersize = header_break_pos+eol_marker_size*2; + file_out->str += headersize; + file_out->length -= headersize; + + // $body + self.set(false/*not tainted*/, file_out->str, file_out->length); + + // $fields << header + if(header) { + ArrayString rows; + size_t pos_after=0; + header->split(rows, pos_after, eol_marker); + Pass_cgi_header_attribute_info info={0, 0, 0}; + info.charset=&r.charsets.source(); + info.fields=&self.fields(); + rows.for_each(pass_cgi_header_attribute, &info); + if(info.content_type) + self.fields().put(content_type_name, info.content_type); + } + } else { // ^file::exec + // $body + self.set(false/*not tainted*/, file_out->str, file_out->length); } - // body - self.set(false/*not tainted*/, body->cstr(), body->length()); - // $fields << header - if(header && eol_marker) { - ArrayString rows; - size_t pos_after=0; - header->split(rows, pos_after, eol_marker); - Pass_cgi_header_attribute_info info={0, 0, 0}; - info.charset=&r.charsets.source(); - info.fields=&self.fields(); - rows.for_each(pass_cgi_header_attribute, &info); - if(info.content_type) - self.fields().put(content_type_name, info.content_type); - } + self.set_mode(as_text); // $status self.fields().put(file_status_name, new VInt(execution.status)); // $stderr - 
if(real_err->length()) + if(!real_err->is_empty()) self.fields().put( String::Body("stderr"), new VString(*real_err)); @@ -538,66 +624,41 @@ static void _cgi(Request& r, MethodParam static void _list(Request& r, MethodParams& params) { Value& relative_path=params.as_no_junction(0, "path must not be code"); - const String* regexp; - pcre *regexp_code; - const int ovecsize=(1/*match*/)*3; - int ovector[ovecsize]; - if(params.count()>1) { - regexp=&params.as_no_junction(1, "regexp must not be code").as_string(); - - const char* pattern=regexp->cstr(); - const char* errptr; - int erroffset; - regexp_code=pcre_compile(pattern, PCRE_EXTRA | PCRE_DOTALL, - &errptr, &erroffset, - r.charsets.source().pcre_tables); - - if(!regexp_code) - throw Exception(0, - &regexp->mid(erroffset, regexp->length()), - "regular expression syntax error - %s", errptr); - } else { - regexp=0; // not used, just to calm down compiler - regexp_code=0; + VRegex* vregex=0; + VRegexCleaner vrcleaner; + if(params.count()>1){ + Value& regexp=params.as_no_junction(1, "regexp must not be code"); + if(regexp.is_defined()){ + if(Value* value=regexp.as(VREGEX_TYPE)){ + vregex=static_cast<VRegex*>(value); + } else { + vregex=new VRegex(r.charsets.source(), &regexp.as_string(), 0/*options*/); + vregex->study(); + vrcleaner.vregex=vregex; + } + } } - - const char* absolute_path_cstr=r.absolute(relative_path.as_string()).cstr(String::L_FILE_SPEC); + const char* absolute_path_cstr=r.absolute(relative_path.as_string()).taint_cstr(String::L_FILE_SPEC); Table::columns_type columns(new ArrayString); *columns+=new String("name"); Table& table=*new Table(columns); + const int ovector_size=(1/*match*/)*3; + int ovector[ovector_size]; + LOAD_DIR(absolute_path_cstr, const char* file_name_cstr=ffblk.ff_name; size_t file_name_size=strlen(file_name_cstr); - bool suits=true; - if(regexp_code) { - int exec_result=pcre_exec(regexp_code, 0, - ffblk.ff_name, file_name_size, 0, - 0, ovector, ovecsize); - - if(exec_result==PCRE_ERROR_NOMATCH) -
suits=false; - else if(exec_result<0) { - (*pcre_free)(regexp_code); - throw Exception(0, - regexp, - "regular expression execute (%d)", - exec_result); - } - } - if(suits) { + if(!vregex || vregex->exec(ffblk.ff_name, file_name_size, ovector, ovector_size)>=0) { Table::element_type row(new ArrayString); - *row+=new String(pa_strdup(file_name_cstr, file_name_size), file_name_size, true); + *row+=new String(pa_strdup(file_name_cstr, file_name_size), String::L_TAINTED); table+=row; } ); - if(regexp_code) - pcre_free(regexp_code); - // write out result r.write_no_lang(*new VTable(&table)); } @@ -620,7 +681,11 @@ static void _lock(Request& r, MethodPara &params.as_junction(1, "body must be code") }; - file_write_action_under_lock(file_spec, "lock", lock_execute_body, &info); + file_write_action_under_lock( + file_spec, + "lock", + lock_execute_body, + &info); } static int lastposafter(const String& s, size_t after, const char* substr, size_t substr_size, bool beforelast=false) { @@ -628,7 +693,7 @@ static int lastposafter(const String& s, if(beforelast) size=s.length(); size_t at; - while((at=s.pos(String::Body(substr, substr_size), after))!=STRING_NOT_FOUND) { + while((at=s.pos(String::Body(substr), after))!=STRING_NOT_FOUND) { size_t newafter=at+substr_size/*skip substr*/; if(beforelast && newafter==size) break; @@ -677,32 +742,32 @@ static void _find(Request& r, MethodPara static void _dirname(Request& r, MethodParams& params) { const String& file_spec=params.as_string(0, FILE_NAME_MUST_BE_STRING); - // /a/some.tar.gz > /a + // /a/some.tar.gz > /a // /a/b/ > /a int afterslash=lastposafter(file_spec, 0, "/", 1, true); if(afterslash>0) r.write_assign_lang(file_spec.mid(0, afterslash==1?1:afterslash-1)); else - r.write_assign_lang(String(".", 1)); + r.write_assign_lang(String(".")); } static void _basename(Request& r, MethodParams& params) { const String& file_spec=params.as_string(0, FILE_NAME_MUST_BE_STRING); - // /a/some.tar.gz >
some.tar.gz int afterslash=lastposafter(file_spec, 0, "/", 1); r.write_assign_lang(file_spec.mid(afterslash, file_spec.length())); } static void _justname(Request& r, MethodParams& params) { const String& file_spec=params.as_string(0, FILE_NAME_MUST_BE_STRING); - // /a/some.tar.gz > some.tar + // /a/some.tar.gz > some.tar int afterslash=lastposafter(file_spec, 0, "/", 1); int afterdot=lastposafter(file_spec, afterslash, ".", 1); r.write_assign_lang(file_spec.mid(afterslash, afterdot!=afterslash?afterdot-1:file_spec.length())); } static void _justext(Request& r, MethodParams& params) { const String& file_spec=params.as_string(0, FILE_NAME_MUST_BE_STRING); - // /a/some.tar.gz > gz + // /a/some.tar.gz > gz int afterdot=lastposafter(file_spec, 0, ".", 1); if(afterdot>0) r.write_assign_lang(file_spec.mid(afterdot, file_spec.length())); @@ -755,7 +820,7 @@ public: bool add_column(SQL_Error& error, const char* /*str*/, size_t /*length*/) { if(got_columns++==3) { - error=SQL_Error("parser.runtime", "result must contain not more then 3 columns"); + error=SQL_Error(PARSER_RUNTIME, "result must contain not more then 3 columns"); return true; } return false; @@ -770,14 +835,14 @@ public: break; case 1: if(!user_file_name) // user not specified? - user_file_name=new String(str, length, true); + user_file_name=new String(str, String::L_TAINTED); break; case 2: if(!user_content_type) // user not specified? 
- user_content_type=new String(str, length, true); + user_content_type=new String(str, String::L_TAINTED); break; default: - error=SQL_Error("parser.runtime", "result must not contain more then one row, three rows"); + error=SQL_Error(PARSER_RUNTIME, "result must not contain more then one row, three rows"); return true; } return false; @@ -793,13 +858,15 @@ static void _sql(Request& r, MethodParam Temp_lang temp_lang(r, String::L_SQL); const String& statement_string=r.process_to_string(statement); - const char* statement_cstr= - statement_string.cstr(String::L_UNSPECIFIED, r.connection()); + const char* statement_cstr=statement_string.untaint_cstr(r.flang, r.connection()); + File_sql_event_handlers handlers(statement_string, statement_cstr); + ulong limit=SQL_NO_LIMIT; + ulong offset=0; + if(params.count()>1) - if(HashStringValue* options= - params.as_no_junction(1, "param must not be code").get_hash()) { + if(HashStringValue* options=params.as_no_junction(1, PARAM_MUST_NOT_BE_CODE).get_hash()){ int valid_options=0; if(Value* vfilename=options->get(NAME_NAME)) { valid_options++; @@ -809,8 +876,16 @@ static void _sql(Request& r, MethodParam valid_options++; handlers.user_content_type=&vcontent_type->as_string(); } + if(Value* vlimit=options->get(sql_limit_name)) { + valid_options++; + limit=(ulong)r.process_to_value(*vlimit).as_double(); + } + if(Value* voffset=options->get(sql_offset_name)) { + valid_options++; + offset=(ulong)r.process_to_value(*voffset).as_double(); + } if(valid_options!=options->count()) - throw Exception("parser.runtime", + throw Exception(PARSER_RUNTIME, 0, "called with invalid option"); } @@ -819,12 +894,12 @@ static void _sql(Request& r, MethodParam r.connection()->query( statement_cstr, 0, 0, - 0, 0, + offset, limit, handlers, statement_string); if(!handlers.value) - throw Exception("parser.runtime", + throw Exception(PARSER_RUNTIME, 0, "produced no result"); @@ -837,30 +912,31 @@ static void _sql(Request& r, MethodParam : 0; VFile& 
self=GET_SELF(r, VFile); self.set(true/*tainted*/, handlers.value.str, handlers.value.length, user_file_name_cstr, vcontent_type); + self.set_mode(false/*binary*/); } static void _base64(Request& r, MethodParams& params) { bool dynamic = !(&r.get_self() == file_class); - if ( dynamic ){ - VFile& self=GET_SELF(r, VFile); - if(params.count()) { - // decode - const char* cstr=params.as_string(0, "parameter must be string").cstr(); - char* decoded_cstr=0; - size_t decoded_size=0; - pa_base64_decode(cstr, strlen(cstr), decoded_cstr, decoded_size); - if(decoded_cstr && decoded_size) - self.set(true/*tainted*/, decoded_cstr, decoded_size); - } else { - // encode - const char* encoded=pa_base64_encode(self.value_ptr(), self.value_size()); - r.write_assign_lang(*new String(encoded, 0, true/*once ?param=base64(something) was needed*/)); - } + if(dynamic){ + VFile& self=GET_SELF(r, VFile); + if(params.count()) { + // decode: ^file::base64[encoded] + const char* cstr=params.as_string(0, PARAMETER_MUST_BE_STRING).cstr(); + char* decoded=0; + size_t length=0; + pa_base64_decode(cstr, strlen(cstr), decoded, length); + if(decoded && length) + self.set(true/*tainted*/, decoded, length); + } else { + // encode: ^f.base64[] + const char* encoded=pa_base64_encode(self.value_ptr(), self.value_size()); + r.write_assign_lang(*new String(encoded, String::L_TAINTED/*once ?param=base64(something) was needed**/)); + } } else { - // encode + // encode: ^file:base64[filespec] const String& file_spec=params.as_string(0, FILE_NAME_MUST_BE_STRING); const char* encoded=pa_base64_encode(r.absolute(file_spec)); - r.write_assign_lang(*new String(encoded, 0, true/*once ?param=base64(something) was needed*/)); + r.write_assign_lang(*new String(encoded, String::L_TAINTED/*once ?param=base64(something) was needed*/)); } } @@ -872,7 +948,7 @@ static void _crc32(Request& r, MethodPar const String& file_spec=params.as_string(0, FILE_NAME_MUST_BE_STRING); crc32=pa_crc32(r.absolute(file_spec)); } else { - 
throw Exception("parser.runtime", + throw Exception(PARSER_RUNTIME, 0, "file name must be defined"); } @@ -886,10 +962,10 @@ static void _crc32(Request& r, MethodPar static void file_md5_file_action( - struct stat& finfo, - int f, - const String& , const char* /*fname*/, bool, - void *context) + struct stat& finfo, + int f, + const String& , const char* /*fname*/, bool, + void *context) { PA_MD5_CTX& md5context=*static_cast(context); if(finfo.st_size) { @@ -934,7 +1010,7 @@ static void _md5(Request& r, MethodParam const String& file_spec=params.as_string(0, FILE_NAME_MUST_BE_STRING); md5=pa_md5(r.absolute(file_spec)); } else { - throw Exception("parser.runtime", + throw Exception(PARSER_RUNTIME, 0, "file name must be defined"); } @@ -955,7 +1031,8 @@ MFile::MFile(): Methoded("file") { add_native_method("create", Method::CT_DYNAMIC, _create, 3, 3); // ^file.save[mode;file-name] - add_native_method("save", Method::CT_DYNAMIC, _save, 2, 2); + // ^file.save[mode;file-name;$.charset[...]] + add_native_method("save", Method::CT_DYNAMIC, _save, 2, 3); // ^file:delete[file-name] add_native_method("delete", Method::CT_STATIC, _delete, 1, 1); @@ -965,20 +1042,22 @@ MFile::MFile(): Methoded("file") { // ^file::load[mode;disk-name] // ^file::load[mode;disk-name;user-name] - add_native_method("load", Method::CT_DYNAMIC, _load, 2, 3); + // ^file::load[mode;disk-name;user-name;options hash] + // ^file::load[mode;disk-name;options hash] + add_native_method("load", Method::CT_DYNAMIC, _load, 2, 4); // ^file::stat[disk-name] add_native_method("stat", Method::CT_DYNAMIC, _stat, 1, 1); - // ^file::cgi[file-name] - // ^file::cgi[file-name;env hash] - // ^file::cgi[file-name;env hash;1cmd;2line;3ar;4g;5s] - add_native_method("cgi", Method::CT_DYNAMIC, _cgi, 1, 2+50); - - // ^file::exec[file-name] - // ^file::exec[file-name;env hash] - // ^file::exec[file-name;env hash;1cmd;2line;3ar;4g;5s] - add_native_method("exec", Method::CT_DYNAMIC, _exec, 1, 2+50); + // ^file::cgi[mode;file-name] + 
// ^file::cgi[mode;file-name;env hash] + // ^file::cgi[mode;file-name;env hash;1cmd;2line;3ar;4g;5s] + add_native_method("cgi", Method::CT_DYNAMIC, _cgi, 1, 3+50); + + // ^file::exec[mode;file-name] + // ^file::exec[mode;file-name;env hash] + // ^file::exec[mode;file-name;env hash;1cmd;2line;3ar;4g;5s] + add_native_method("exec", Method::CT_DYNAMIC, _exec, 1, 3+50); // ^file:list[path] // ^file:list[path][regexp] @@ -991,22 +1070,22 @@ MFile::MFile(): Methoded("file") { // ^file:find[file-name]{when-not-found} add_native_method("find", Method::CT_STATIC, _find, 1, 2); - // ^file:dirname[/a/some.tar.gz]=/a + // ^file:dirname[/a/some.tar.gz]=/a // ^file:dirname[/a/b/]=/a add_native_method("dirname", Method::CT_STATIC, _dirname, 1, 1); - // ^file:basename[/a/some.tar.gz]=some.tar.gz - add_native_method("basename", Method::CT_STATIC, _basename, 1, 1); - // ^file:justname[/a/some.tar.gz]=some.tar + // ^file:basename[/a/some.tar.gz]=some.tar.gz + add_native_method("basename", Method::CT_STATIC, _basename, 1, 1); + // ^file:justname[/a/some.tar.gz]=some.tar add_native_method("justname", Method::CT_STATIC, _justname, 1, 1); - // ^file:justext[/a/some.tar.gz]=gz + // ^file:justext[/a/some.tar.gz]=gz add_native_method("justext", Method::CT_STATIC, _justext, 1, 1); - // /some/page.html: ^file:fullpath[a.gif] => /some/a.gif + // /some/page.html: ^file:fullpath[a.gif] => /some/a.gif add_native_method("fullpath", Method::CT_STATIC, _fullpath, 1, 1); - // ^file.sql-string[] + // ^file.sql-string[] add_native_method("sql-string", Method::CT_DYNAMIC, _sql_string, 0, 0); - // ^file::sql[[alt_name]]{} + // ^file::sql{}[options hash] add_native_method("sql", Method::CT_DYNAMIC, _sql, 1, 2); // ^file::base64[string] << decode