--- parser3/src/classes/file.C 2002/01/25 12:09:03 1.69 +++ parser3/src/classes/file.C 2002/06/18 11:09:02 1.85 @@ -1,10 +1,10 @@ /** @file Parser: @b file parser class. - Copyright (c) 2001 ArtLebedev Group (http://www.artlebedev.com) - Author: Alexander Petrosyan (http://paf.design.ru) + Copyright (c) 2001, 2002 ArtLebedev Group (http://www.artlebedev.com) + Author: Alexandr Petrosian (http://paf.design.ru) - $Id: file.C,v 1.69 2002/01/25 12:09:03 paf Exp $ + $Id: file.C,v 1.85 2002/06/18 11:09:02 paf Exp $ */ #include "pa_config_includes.h" @@ -22,14 +22,56 @@ #include "pa_vtable.h" #include "pa_charset.h" -// consts - // defines -#define FILE_CLASS_NAME "file" - #define TEXT_MODE_NAME "text" +// consts + +/// from apache-1.3|src|support|suexec.c +static const char *suexec_safe_env_lst[]={ + "AUTH_TYPE", + "CONTENT_LENGTH", + "CONTENT_TYPE", + "DATE_GMT", + "DATE_LOCAL", + "DOCUMENT_NAME", + "DOCUMENT_PATH_INFO", + "DOCUMENT_ROOT", + "DOCUMENT_URI", + "FILEPATH_INFO", + "GATEWAY_INTERFACE", + "LAST_MODIFIED", + "PATH_INFO", + "PATH_TRANSLATED", + "QUERY_STRING", + "QUERY_STRING_UNESCAPED", + "REMOTE_ADDR", + "REMOTE_HOST", + "REMOTE_IDENT", + "REMOTE_PORT", + "REMOTE_USER", + "REDIRECT_QUERY_STRING", + "REDIRECT_STATUS", + "REDIRECT_URL", + "REQUEST_METHOD", + "REQUEST_URI", + "SCRIPT_FILENAME", + "SCRIPT_NAME", + "SCRIPT_URI", + "SCRIPT_URL", + "SERVER_ADMIN", + "SERVER_NAME", + "SERVER_ADDR", + "SERVER_PORT", + "SERVER_PROTOCOL", + "SERVER_SOFTWARE", + "UNIQUE_ID", + "USER_NAME", + "TZ", + NULL +}; + // class class MFile : public Methoded { 
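Review bot: The entries in `suexec_safe_env_lst` are bare names with no terminator, so whether the list is a strict allowlist depends on how `is_safe_env_key` compares them, and its definition is not visible in this hunk. A prefix-style comparison would accept any key that merely begins with a listed name such as `TZ`. State the contract on the array, for example `/// exact variable names only; is_safe_env_key must compare the whole key, not a prefix`. The comment should also record which suexec.c revision the list was taken from, so it can be re-synced later. If I recall the upstream file correctly, suexec handles the `HTTP_` prefix separately from this list, so it is worth saying whether leaving it out here is deliberate.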
@@ -85,18 +127,18 @@ static void _find(Request& r, const Stri // passed file name simply exists in current dir if(file_readable(r.absolute(lfile_name))) { - r.write_no_lang(*new(pool) VString(lfile_name)); + r.write_no_lang(lfile_name); return; } // scan .. dirs for result for(int i=0; i(info); + if(!is_safe_env_key(key.cstr())) + throw Exception("parser.runtime", + &key, + "not safe environment variable"); hash.put(key, &static_cast(value)->as_string()); } - static void pass_cgi_header_attribute(Array::Item *value, void *info) { String& string=*static_cast(value); Hash& hash=*static_cast(info); @@ -161,7 +217,6 @@ static void pass_cgi_header_attribute(Ar new(string.pool()) VString(string.mid(colon_pos+1, string.size()))); } /** @todo fix `` in perl - they produced flipping consoles and no output to perl - @test EPASS, ECSTR [touched them when optimized hash] */ static void _exec_cgi(Request& r, const String& method_name, MethodParams *params, bool cgi) { @@ -179,13 +234,15 @@ static void _exec_cgi(Request& r, const name##value.APPEND_CONST(value_cstr); \ env.put(name##key, &name##value); \ } - #define EPASS(name) \ - String name##key(pool, #name); \ - String name##value(pool); \ - if(const char *value_cstr=SAPI::get_env(pool, #name)) { \ - name##value.APPEND_CONST(value_cstr); \ - env.put(name##key, &name##value); \ - } + // passing SAPI::environment + if(const char *const *pairs=SAPI::environment(pool)) { + while(const char *pair=*pairs++) + if(const char *eq_at=strchr(pair, '=')) { + String& key=*new(pool) String(pool, pair, eq_at-pair); + String& value=*new(pool) String(pool, eq_at+1); + env.put(key, &value); + } + } // const ECSTR(GATEWAY_INTERFACE, "CGI/1.1"); 
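Review bot: The loop added in `_exec_cgi` copies every `NAME=value` pair returned by `SAPI::environment(pool)` into `env` without any filter. The `is_safe_env_key` check introduced elsewhere in this commit appears to cover only the caller-supplied keys handled by `pass_cgi_env`. Depending on what the SAPI returns (not visible here), anything in the server process environment, including values exported for unrelated services, would reach every program started through this method. If that is intended, a comment above the loop such as `// inherited SAPI environment is passed unfiltered; only caller-supplied keys go through is_safe_env_key` would make the trust boundary explicit. Otherwise the `env.put(key, &value)` call should be gated by the same check. `_exec_cgi` begins and ends outside this hunk.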
@@ -200,22 +257,9 @@ static void _exec_cgi(Request& r, const snprintf(content_length_cstr, MAX_NUMBER, "%u", r.info.content_length); String content_length(pool, content_length_cstr); ECSTR(CONTENT_LENGTH, content_length_cstr); - ECSTR(HTTP_COOKIE, r.info.cookie); - ECSTR(HTTP_USER_AGENT, r.info.user_agent); - // passing some SAPI:get_env-s - EPASS(SERVER_PROTOCOL); - EPASS(SERVER_NAME); - EPASS(SERVER_PORT); - EPASS(HTTP_REFERER); - EPASS(REMOTE_ADDR); - EPASS(REMOTE_HOST); - EPASS(REMOTE_USER); - // SCRIPT_NAME + // SCRIPT_* env.put(*new(pool) String(pool, "SCRIPT_NAME"), &script_name); -#ifdef WIN32 - // WIN32 shell - EPASS(COMSPEC); -#endif + //env.put(*new(pool) String(pool, "SCRIPT_FILENAME"), ??&script_name); if(params->size()>1) { Value& venv=params->as_no_junction(1, "env must not be code"); @@ -236,7 +280,7 @@ static void _exec_cgi(Request& r, const //out.APPEND_CONST("content-type:text/plain\nheader:test-header\n\ntest-body"); //out<(r.self); @@ -252,9 +296,9 @@ static void _exec_cgi(Request& r, const } if(pos<0) { delim_size=0; // calm down, compiler - throw Exception(0, 0, + throw Exception(0, &method_name, - "output does not contain CGI header; exit code=%d; outsize=%u; out: \"%s\"; errsize=%u; err: \"%s\"", + "output does not contain CGI header; exit status=%d; stdoutsize=%u; stdout: \"%s\"; stderrsize=%u; stderr: \"%s\"", status, (uint)out.size(), out.cstr(), (uint)err.size(), err.cstr()); @@ -301,8 +345,8 @@ static void _list(Request& r, const Stri const String *regexp; pcre *regexp_code; - int ovecsize; - int *ovector; + const int ovecsize=(1/*match*/)*3; + int ovector[ovecsize]; if(params->size()>1) { regexp=¶ms->as_no_junction(1, "regexp must not be code").as_string(); 
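Review bot: In the `pos<0` branch of `_exec_cgi`, the reworded exception text still embeds the child's complete stdout and stderr through `out.cstr()` and `err.cstr()`. If this exception can be rendered to the requesting client (not visible from here), a misbehaving program's diagnostics, including paths or configuration details, go straight into the response, and the message length is bounded only by whatever the formatter does. Consider capping the two `%s` fields, for example `stdout: \"%.200s\"` and `stderr: \"%.200s\"` (the width is a constructed example and assumes printf-style precision is supported), and writing the full output to the server log instead. The function body continues outside this hunk.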
@@ -314,11 +358,9 @@ static void _list(Request& r, const Stri pool.get_client_charset().pcre_tables); if(!regexp_code) - throw Exception(0, 0, + throw Exception(0, ®exp->mid(erroffset, regexp->size()), "regular expression syntax error - %s", errptr); - - ovector=(int *)pool.malloc(sizeof(int)*(ovecsize=(1/*match*/)*3)); } else regexp_code=0; @@ -342,7 +384,7 @@ static void _list(Request& r, const Stri suits=false; else if(exec_result<0) { (*pcre_free)(regexp_code); - throw Exception(0, 0, + throw Exception(0, regexp, "regular expression execute (%d)", exec_result); @@ -367,7 +409,6 @@ static void _list(Request& r, const Stri // write out result VTable& result=*new(pool) VTable(pool, &table); - result.set_name(method_name); r.write_no_lang(result); } @@ -388,15 +429,12 @@ static void _lock(Request& r, const Stri Value& body_code=params->as_junction(1, "body must be code"); Lock_execute_body_info info={&r, &body_code}; - file_action_under_lock(file_spec, "lock", lock_execute_body, &info); + file_write_action_under_lock(file_spec, "lock", lock_execute_body, &info); } // constructor -MFile::MFile(Pool& apool) : Methoded(apool) { - set_name(*NEW String(pool(), FILE_CLASS_NAME)); - - +MFile::MFile(Pool& apool) : Methoded(apool, "file") { // ^save[mode;file-name] add_native_method("save", Method::CT_DYNAMIC, _save, 2, 2);