--- /dev/null
+ucgi
+ucgitarget
--- /dev/null
+To install the www-cgi service:
+
+1. Run make to build ucgi and ucgitarget.
+
+2. Create the directory /usr/local/lib/user-cgi/cgi
+
+3. Install the programs:
+(a) ucgitarget as /usr/local/lib/user-cgi/target
+(b) ucgi as /usr/local/lib/user-cgi/ucgi
+(c) a symlink /usr/local/lib/user-cgi/ucgi-debug -> ucgi
+(d) the script `check' as /usr/local/lib/user-cgi/check
+
+4. Put the extra ScriptAlias directives in srm.conf.fragment in the
+appropriate part of your webserver configuration.
+
+5. Install the userv service:
+(a) Put the file www-cgi in /etc/userv/services.d (you may need to
+ adjust it for your local configuration)
+(b) If you don't already have it, add this line to /etc/userv/system.default:
+ include-lookup service /etc/userv/services.d
+
+6. As a test user, create a `public-cgi' directory, and a symlink in
+it called `check' which points to /usr/local/lib/user-cgi/check.
+
+7. Test that all is working by visiting
+ http://www.example.com/ucgi-debug/~fred/check
+ http://www.example.com/ucgi/~fred/check
+
+
+Copyright (C) 1999 Ian Jackson
+
+This is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with userv-utils; if not, write to the Free Software
+Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+$Id: INSTALL,v 1.1 1999/11/09 23:04:32 ian Exp $
CFLAGS= -Wall -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes \
- -Wpointer-arith -O2 -g -DREALLY_CHECK_FILE='"/etc/inittab"'
+ -Wpointer-arith -O2 -g
LDFLAGS=
-TARGETS=really ucgi ucgitarget
+TARGETS= ucgi ucgitarget
all: $(TARGETS)
-ucgi: ucgi.o ucgicommon.o
+OBJS= ucgi.o ucgitarget.o ucgicommon.o
+ucgi: ucgi.o ucgicommon.o
ucgitarget: ucgitarget.o ucgicommon.o
-really: really.o myopt.o
-
-really-test: really Makefile
- rm -f really-test
- cp really really-test
- really chown root.staff really-test
- really chmod 4770 really-test
-
-really-check: really-test really.testcases
- ./really.testcases
+$(OBJS): ucgi.h
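Review bot: The new CFLAGS continuation (`-Wpointer-arith -O2 -g`) builds ucgi and ucgitarget with warnings only and no compiler hardening, although user-cgi.text in this same change says the webserver-provided environment variables come from the client browser and are highly untrustworthy. The C sources are not in the visible hunks, so this is defence in depth rather than a known overrun. With a GCC recent enough to support them, I would add `CFLAGS += -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector-strong` after the existing assignment. Separately, `all` is a command rather than a file and should be declared with `.PHONY: all`, so that a stray file named `all` cannot suppress the build.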
ScriptAlias /ucgi/ /usr/local/lib/user-cgi/cgi/ucgi/
ScriptAlias /ucgi-debug/ /usr/local/lib/user-cgi/cgi/ucgi-debug/
-ScriptAlias /ucgicgi/ /usr/local/lib/user-cgi/cgi/
/*
* Usage: as CGI script
*/
+/*
+ * Copyright (C) 1998-1999 Ian Jackson
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with userv-utils; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * $Id: ucgi.c,v 1.2 1999/11/09 23:04:32 ian Exp $
+ */
#include <stdio.h>
#include <string.h>
-/**/
+/*
+ * Copyright (C) 1998-1999 Ian Jackson
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with userv-utils; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * $Id: ucgi.h,v 1.2 1999/11/09 23:04:32 ian Exp $
+ */
#ifndef UCGI_H
#define UCGI_H
-/**/
+/*
+ * Copyright (C) 1998-1999 Ian Jackson
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with userv-utils; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * $Id: ucgicommon.c,v 1.3 1999/11/09 23:04:32 ian Exp $
+ */
#include <stdio.h>
#include <string.h>
* Usage: as CGI script, but called by userv
* environment variables are USERV_U_E_...
*/
+/*
+ * Copyright (C) 1998-1999 Ian Jackson
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with userv-utils; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * $Id: ucgitarget.c,v 1.2 1999/11/09 23:04:32 ian Exp $
+ */
#include <stdio.h>
#include <string.h>
-Users can now arrange to have CGI scripts run by chiark's webserver.
-This is achieved using userv (see /info/new 183, /usr/doc/userv and
+Users can arrange to have CGI scripts run by the webserver.
+This is achieved using userv (see
<URL:http://www.chiark.greenend.org.uk/~ian/userv/>).
Before you write such scripts you should be aware of the security
-issues involved. Please read /info/cgi-security.text !
+issues involved.
-Note that public-cgi programs (and their source code) should be world
-readable, and in any case by creating them you give me implicit
-permission to read its contents, using my system privilege if
-necessary, without notifying you. See cgi-security.text for full
-details of the policy.
-
-Paths in chiark's http space of the form
+Paths in the http space of the form
/ucgi/~<username>/<path-to-script>/<extra-stuff>...
will be taken to refer to the CGI script
~<username>/public-cgi/<path-to-script>
and /<extra-stuff> will be used as the PATH_INFO (as is
conventional). For example,
- http://www.chiark.greenend.org.uk/ucgi/~ijackson/spong/foo?bar=baz
+ http://www.example.com/ucgi/~ijackson/spong/foo?bar=baz
will run ~ijackson/public-cgi/spong with PATH_INFO set to `/foo' and
QUERY_STRING set to `bar=baz'.
output and standard error of your script and a line at the bottom with
the high and low bytes of the script's exit status.
-Also both of
- http://www.chiark.greenend.org.uk/ucgicgi/check
- http://www.chiark.greenend.org.uk/ucgi/~ijackson/check
-are scripts which will dump their arguments and environment as a
-text/plain output file. This can be used to see what input your CGI
-program ought to expect.
+Also, /usr/local/lib/user-cgi/cgi/check is a script which will dump
+its arguments and environment as a text/plain output file. This can
+be used to see what input your CGI program ought to expect.
The default configuration does not enable userv's `set-environment'
feature, so the environment your scripts in will be rather minimal.
and should be trusted.
However, their arguments, input and webserver-provided environment
-variables (the full list is in /usr/local/src/davenant/ucgicommon.c)
-will have come from the client WWW browser and are highly
-untrustworthy. This means you must be very careful when writing such
-programs. Beware particularly of
+variables (the full list is in ucgicommon.c) will have come from the
+client WWW browser and are highly untrustworthy. This means you must
+be very careful when writing such programs. Beware particularly of
* buffer overruns in C
* trusting data not to have metacharacters.
You should generally not pass client-provided data to
Safely using untrusted client-provided data in shell scripts is very
difficult. I would recommend against programming CGI scripts in
shell. If you must, make sure you use appropriate quoting and
-argument unparsing everywhere.
+argument unparsing everywhere (and don't do it if you don't know what
+I mean by argument unparsing).
The invocation of user-provided CGI scripts is achieved by using userv
to invoke the `www-cgi' service. The webserver-provided environment
CGI programs' path components may not be empty, may not start with a
full stop `.', and may not end with a hash `#' or tilde `~'.
-Please report problems to webmaster@chiark or sysadmin@chiark.
-Comments on userv should go to userv-maint@chiark.greenend.org.uk.
+It is important that the webserver removes /../ components from the
+PATH_INFO - if it doesn't there is a security hole.
+
+
+Copyright (C) 1998-1999 Ian Jackson
+
+This is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with userv-utils; if not, write to the Free Software
+Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- - Ian Jackson 14.07.1998
+$Id: user-cgi.text,v 1.2 1999/11/09 23:04:32 ian Exp $
+++ /dev/null
-129078 1 drwxrwsr-x 3 root staff 1024 Sep 22 1997 /usr/local/lib/user-cgi
-129079 1 lrwxrwxrwx 1 root root 34 Jan 25 1998 /usr/local/lib/user-cgi/target -> /usr/local/src/davenant/ucgitarget
-239707 1 drwxrwsr-x 2 ian staff 1024 Sep 22 1997 /usr/local/lib/user-cgi/cgi
-239708 1 lrwxrwxrwx 1 root root 28 Jan 25 1998 /usr/local/lib/user-cgi/cgi/ucgi -> /usr/local/src/davenant/ucgi
-239709 1 lrwxrwxrwx 1 root root 4 Jan 25 1998 /usr/local/lib/user-cgi/cgi/ucgi-debug -> ucgi
-239710 1 -rwxrwxr-x 1 ian staff 95 Sep 22 1997 /usr/local/lib/user-cgi/cgi/check