[userv-utils] / www-cgi / user-cgi.text

Users can now arrange to have CGI scripts run by chiark's webserver.
This is achieved using userv (see /info/new 183, /usr/doc/userv and
<URL:http://www.chiark.greenend.org.uk/~ian/userv/>).

Before you write such scripts you should be aware of the security
issues involved.  Please read /info/cgi-security.text !

Note that public-cgi programs (and their source code) should be world
readable, and in any case by creating them you give me implicit
permission to read its contents, using my system privilege if
necessary, without notifying you.  See cgi-security.text for full
details of the policy.

Paths in chiark's http space of the form
  /ucgi/~<username>/<path-to-script>/<extra-stuff>...
will be taken to refer to the CGI script
  ~<username>/public-cgi/<path-to-script>
and /<extra-stuff> will be used as the PATH_INFO (as is
conventional).  For example,
  http://www.chiark.greenend.org.uk/ucgi/~ijackson/spong/foo?bar=baz
will run ~ijackson/public-cgi/spong with PATH_INFO set to `/foo' and
QUERY_STRING set to `bar=baz'.

You can debug your scripts by using
 /ucgi-debug/~<username>/<path-to-script>...
which will return a text/plain document consisting of the standard
output and standard error of your script and a line at the bottom with
the high and low bytes of the script's exit status.

Also both of
 http://www.chiark.greenend.org.uk/ucgicgi/check
 http://www.chiark.greenend.org.uk/ucgi/~ijackson/check
are scripts which will dump their arguments and environment as a
text/plain output file.  This can be used to see what input your CGI
program ought to expect.

The default configuration does not enable userv's `set-environment'
feature, so the environment your scripts in will be rather minimal.
You can change this it if you want by saying something like
  if glob service www-cgi
          set-environment
  fi
in your ~/.userv/rc file.  This will cause your scripts to be run by a
shell which has sourced your ~/.environment file, if it exists.  See
the userv documentation for details, and look in /etc/environment.

CGI programs will be run in your account.  They will be able to access
files exactly as if you had run them yourself directly.  Their PATH
and other similar variables will be set correctly (see below) and can
and should be trusted.

However, their arguments, input and webserver-provided environment
variables (the full list is in /usr/local/src/davenant/ucgicommon.c)
will have come from the client WWW browser and are highly
untrustworthy.  This means you must be very careful when writing such
programs.  Beware particularly of
  * buffer overruns in C
  * trusting data not to have metacharacters.
    You should generally not pass client-provided data to
    - eval (Perl or shell)
    - system (Perl or C) and exec (Perl)
    - open (Perl) and popen (C)
    - anything similar.

Safely using untrusted client-provided data in shell scripts is very
difficult.  I would recommend against programming CGI scripts in
shell.  If you must, make sure you use appropriate quoting and
argument unparsing everywhere.

The invocation of user-provided CGI scripts is achieved by using userv
to invoke the `www-cgi' service.  The webserver-provided environment
variables will be passed as userv parameters using
-DE_<variable>=<value>.  The E_PATH_INFO parameter contains the
portion of the path beyond the username.

The default configuration (/etc/userv/system.default) arranges for
www-cgi to run /usr/local/lib/user-cgi/target, which removes the
USERV_E_ from the start of the webserver-provided environment
variables and adjusts some of them for the script's actual location
and the calls the actual script.  `target' takes one parameter, the
location of the user's public CGI directory relative to their home
directory (`public-cgi' in the default configuration).  It must be a
relative path.

You can run your own scripts from the command line by saying
  userv -DE_PATH_INFO=/<script>[/<path-info>]                 \
        -DE_QUERY_STRING=<query> --spoof-user www - www-cgi   \
        [<arg-for-isindex-query>]

CGI programs' path components may not be empty, may not start with a
full stop `.', and may not end with a hash `#' or tilde `~'.

Please report problems to webmaster@chiark or sysadmin@chiark.
Comments on userv should go to userv-maint@chiark.greenend.org.uk.

 - Ian Jackson 14.07.1998
Commit	Line	Data
9a7d9296	1	Users can now arrange to have CGI scripts run by chiark's webserver.
	2	This is achieved using userv (see /info/new 183, /usr/doc/userv and
	3	<URL:http://www.chiark.greenend.org.uk/~ian/userv/>).
	4
	5	Before you write such scripts you should be aware of the security
	6	issues involved. Please read /info/cgi-security.text !
	7
	8	Note that public-cgi programs (and their source code) should be world
	9	readable, and in any case by creating them you give me implicit
	10	permission to read its contents, using my system privilege if
	11	necessary, without notifying you. See cgi-security.text for full
	12	details of the policy.
	13
	14	Paths in chiark's http space of the form
	15	/ucgi/~<username>/<path-to-script>/<extra-stuff>...
	16	will be taken to refer to the CGI script
	17	~<username>/public-cgi/<path-to-script>
	18	and /<extra-stuff> will be used as the PATH_INFO (as is
	19	conventional). For example,
	20	http://www.chiark.greenend.org.uk/ucgi/~ijackson/spong/foo?bar=baz
	21	will run ~ijackson/public-cgi/spong with PATH_INFO set to `/foo' and
	22	QUERY_STRING set to `bar=baz'.
	23
	24	You can debug your scripts by using
	25	/ucgi-debug/~<username>/<path-to-script>...
	26	which will return a text/plain document consisting of the standard
	27	output and standard error of your script and a line at the bottom with
	28	the high and low bytes of the script's exit status.
	29
	30	Also both of
	31	http://www.chiark.greenend.org.uk/ucgicgi/check
	32	http://www.chiark.greenend.org.uk/ucgi/~ijackson/check
	33	are scripts which will dump their arguments and environment as a
	34	text/plain output file. This can be used to see what input your CGI
	35	program ought to expect.
	36
	37	The default configuration does not enable userv's `set-environment'
	38	feature, so the environment your scripts in will be rather minimal.
	39	You can change this it if you want by saying something like
	40	if glob service www-cgi
	41	set-environment
	42	fi
	43	in your ~/.userv/rc file. This will cause your scripts to be run by a
	44	shell which has sourced your ~/.environment file, if it exists. See
	45	the userv documentation for details, and look in /etc/environment.
	46
	47	CGI programs will be run in your account. They will be able to access
	48	files exactly as if you had run them yourself directly. Their PATH
	49	and other similar variables will be set correctly (see below) and can
	50	and should be trusted.
	51
	52	However, their arguments, input and webserver-provided environment
	53	variables (the full list is in /usr/local/src/davenant/ucgicommon.c)
	54	will have come from the client WWW browser and are highly
	55	untrustworthy. This means you must be very careful when writing such
	56	programs. Beware particularly of
	57	* buffer overruns in C
	58	* trusting data not to have metacharacters.
	59	You should generally not pass client-provided data to
	60	- eval (Perl or shell)
	61	- system (Perl or C) and exec (Perl)
	62	- open (Perl) and popen (C)
	63	- anything similar.
	64
65	Safely using untrusted client-provided data in shell scripts is very
66	difficult. I would recommend against programming CGI scripts in
67	shell. If you must, make sure you use appropriate quoting and
68	argument unparsing everywhere.
69
70	The invocation of user-provided CGI scripts is achieved by using userv
71	to invoke the `www-cgi' service. The webserver-provided environment
72	variables will be passed as userv parameters using
73	-DE_<variable>=<value>. The E_PATH_INFO parameter contains the
74	portion of the path beyond the username.
75
76	The default configuration (/etc/userv/system.default) arranges for
77	www-cgi to run /usr/local/lib/user-cgi/target, which removes the
78	USERV_E_ from the start of the webserver-provided environment
79	variables and adjusts some of them for the script's actual location
80	and the calls the actual script. `target' takes one parameter, the
81	location of the user's public CGI directory relative to their home
82	directory (`public-cgi' in the default configuration). It must be a
83	relative path.
84
85	You can run your own scripts from the command line by saying
86	userv -DE_PATH_INFO=/<script>[/<path-info>] \
87	-DE_QUERY_STRING=<query> --spoof-user www - www-cgi \
88	[<arg-for-isindex-query>]
89
90	CGI programs' path components may not be empty, may not start with a
91	full stop `.', and may not end with a hash `#' or tilde `~'.
92
93	Please report problems to webmaster@chiark or sysadmin@chiark.
94	Comments on userv should go to userv-maint@chiark.greenend.org.uk.
95
96	- Ian Jackson 14.07.1998