2 * This file is part of DisOrder.
3 * Copyright (C) 2004, 2005, 2007, 2008 Richard Kettlewell
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20 /** @file server/cgimain.c
30 #include <sys/types.h>
31 #include <sys/socket.h>
38 #include "server-cgi.h"
41 #include "configuration.h"
43 #include "api-client.h"
50 #include "macros-disorder.h"
/** @brief Return true if cookie @p a should be preferred over cookie @p b
 *
 * Only the path length is compared; nothing checks that either path actually
 * matches this script.  That is not a security hole: a browser that wants to
 * hand us a bad cookie can just as easily send one carrying exactly the right
 * path.  Preferring the longest path merely stops a cookie set by some other
 * CGI script that shares a path prefix with us from being picked up, which
 * would otherwise let that script log users out at will.
 *
 * Such a script could still "maliciously" log someone in if it had obtained a
 * suitable cookie, but with that cookie in hand it could log in directly
 * anyway, so nothing is gained there either.
 *
 * @param a Candidate cookie
 * @param b Cookie to compare @p a against
 * @return Nonzero if @p a is better than @p b, zero otherwise
 */
static int better_cookie(const struct cookie *a, const struct cookie *b) {
  const int a_has_path = a->path != NULL;
  const int b_has_path = b->path != NULL;

  /* Both carry a path: the strictly longer one wins, so equal lengths do not
   * count as "better". */
  if(a_has_path && b_has_path)
    return strlen(a->path) > strlen(b->path);
  /* Only @p a carries a path: it wins.  In the remaining cases (neither has a
   * path, or only @p b does) @p b is at least as good, so @p a is not better. */
  return a_has_path && !b_has_path;
}
78 int main(int argc
, char **argv
) {
79 const char *cookie_env
, *conf
;
88 /* RFC 3875 s8.2 recommends rejecting PATH_INFO if we don't make use of
90 if(getenv("PATH_INFO")) {
91 /* TODO it might be nice to link back to the right place... */
92 printf("Content-Type: text/html\n");
93 printf("Status: 404\n");
95 printf("<p>Sorry, PATH_INFO not supported.</p>\n");
99 /* We allow various things to be overridden from the environment. This is
100 * intended for debugging and is not a documented feature. */
101 if((conf
= getenv("DISORDER_CONFIG")))
102 configfile
= xstrdup(conf
);
103 if(getenv("DISORDER_DEBUG"))
107 /* Figure out our URL. This can still be overridden from the config file if
108 * necessary but it shouldn't be necessary in ordinary installations. */
110 config
->url
= infer_url();
111 memset(&g
, 0, sizeof g
);
112 memset(&s
, 0, sizeof s
);
114 g
.client
= disorder_get_client();
116 output
.sink
= sink_stdio("stdout", stdout
);
117 /* See if there's a cookie */
118 cookie_env
= getenv("HTTP_COOKIE");
120 /* This will be an HTTP header */
121 if(!parse_cookie(cookie_env
, &cd
)) {
122 /* Pick the best available cookie from all those offered */
124 for(n
= 0; n
< cd
.ncookies
; ++n
) {
125 /* Is this the right cookie? */
126 if(strcmp(cd
.cookies
[n
].name
, "disorder"))
128 /* Is it better than anything we've seen so far? */
130 || better_cookie(&cd
.cookies
[n
], &cd
.cookies
[best_cookie
]))
133 if(best_cookie
!= -1)
134 login_cookie
= cd
.cookies
[best_cookie
].value
;
136 error(0, "could not parse cookie field '%s'", cookie_env
);
138 /* Register expansions */
139 mx_register_builtin();
140 register_disorder_expansions();
141 /* Update search path. We look in the config directory first and the data
142 * directory second, so that the latter overrides the former. */
143 mx_search_path(pkgconfdir
);
144 mx_search_path(pkgdatadir
);
145 /* Create the initial connection, trying the cookie if we found a suitable
147 disorder_cgi_login(&s
, &output
);
148 /* The main program... */
149 disorder_cgi(&output
, &s
);
150 /* In practice if a write fails that probably means the web server went away,
151 * but we log it anyway. */
152 if(fclose(stdout
) < 0)
153 fatal(errno
, "error closing stdout");