diff --git a/bashlib.in b/bashlib.in index bcdae1c..3caff41 100644 --- a/bashlib.in +++ b/bashlib.in @@ -1,17 +1,10 @@ -#!/bin/bash +#!@BASH@ # Author: darren chamberlain # Co-Author: Paul Bournival +# Co-Author: Mikhail Novosyolov # -####### -# Updated Oct 15 2004 by Tony Clayton -# * add safe_param() function with XSS and shell-invocation prevention -# * add extra "| tr -d '$`'" sanity check to name decoding to prevent shell -# invocation of param names. -# * ported function defs to be bash/ash compatible -####### - # bashlib is used by sourcing it at the beginning of scripts that # needs its functionality (by using the . or source commands). @@ -19,8 +12,9 @@ PATH=/bin:/usr/bin # # Set version number +# Must be an integer because bash cannot compare float numbers # -VERSION="0.05" +VERSION="2" # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- # Initialization stuff begins here. These things run immediately, and @@ -42,7 +36,7 @@ fi if [ -n "${QUERY_STRING}" ]; then # name=value params, separated by either '&' or ';' if echo ${QUERY_STRING} | grep '=' >/dev/null ; then - for Q in $(@ECHO@ ${QUERY_STRING} | @TR@ ";&" "\012") ; do + for Q in $(echo ${QUERY_STRING} | @TR@ ";&" "\012") ; do # # Clear our local variables # @@ -54,12 +48,12 @@ if [ -n "${QUERY_STRING}" ]; then # get the name of the key, and decode it # name=${Q%%=*} - name=$(@ECHO@ ${name} | \ + name=$(echo ${name} | \ @SED@ -e 's/%\(\)/\\\x/g' | \ @TR@ "+" " ") - name=$(@ECHO@ ${name} | \ + name=$(echo ${name} | \ @TR@ -d ".-") - name=$(@PRINTF@ ${name} | @TR@ -d '$`') + name=$(printf ${name} | @TR@ -d '$`') # # get the value and decode it. This is tricky... printf chokes on @@ -69,7 +63,7 @@ if [ -n "${QUERY_STRING}" ]; then # printf, and then remove it. # tmpvalue=${Q#*=} - tmpvalue=$(@ECHO@ ${tmpvalue} | \ + tmpvalue=$(echo ${tmpvalue} | \ @SED@ -e 's/%\(..\)/\\\x\1 /g') #echo "Intermediate \$value: ${tmpvalue}" 1>&2 @@ -78,7 +72,7 @@ if [ -n "${QUERY_STRING}" ]; then # value # for i in ${tmpvalue}; do - g=$(@PRINTF@ ${i}) + g=$(printf ${i}) value="${value}${g}" done #value=$(echo ${value}) @@ -116,17 +110,17 @@ if [ -n "${HTTP_COOKIE}" ]; then # get the name of the key, and decode it # name=${Q%%=*} - name=$(@ECHO@ ${name} | \ + name=$(echo ${name} | \ @SED@ -e 's/%\(\)/\\\x/g' | \ @TR@ "+" " ") - name=$(@ECHO@ ${name} | \ + name=$(echo ${name} | \ @TR@ -d ".-") - name=$(@PRINTF@ ${name}) + name=$(printf ${name}) # Decode the cookie value. See the parameter section above for # an explanation of what this is doing. tmpvalue=${Q#*=} - tmpvalue=$(@ECHO@ ${tmpvalue} | \ + tmpvalue=$(echo ${tmpvalue} | \ @SED@ -e 's/%\(..\)/\\\x\1 /g') #echo "Intermediate \$value: ${tmpvalue}" 1>&2 @@ -135,7 +129,7 @@ if [ -n "${HTTP_COOKIE}" ]; then # value # for i in ${tmpvalue}; do - g=$(@PRINTF@ ${i}) + g=$(printf ${i}) value="${value}${g}" done #value=$(echo ${value}) @@ -153,11 +147,11 @@ fi # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- # # Shameless plug, advertises verion. -version { +version() { echo "bashlib, version ${VERSION}" } -version_html { +version_html() { echo -n "bashlib," echo "version ${VERSION}" } @@ -178,7 +172,7 @@ param() { if [ $# -eq 1 ]; then name=$1 name=$(echo ${name} | @SED@ -e 's/FORM_//') - value=$(@ENV@ | @GREP@ "^FORM_${name}" | @SED@ -e 's/FORM_//' | @CUT@ -d= -f2-) + value=$(@ENV@ | @GREP@ "^FORM_${name}=" | @SED@ -e 's/FORM_//' | @CUT@ -d= -f2-) elif [ $# -gt 1 ]; then name=$1 shift @@ -186,7 +180,9 @@ param() { else value=$(@ENV@ | @GREP@ '^FORM_' | @SED@ -e 's/FORM_//' | @CUT@ -d= -f1) fi - echo ${value} + # "+" is URL-encoded as "%2B", web server replaces spaces with "+", replace back, + # otherwise safe_param() just removes the "+" sign and looses the space. + echo "${value}" | @SED@ -e 's/+/ /' unset name unset value } diff --git a/configure.in b/configure.in index a0ce2f1..4d2bb24 100644 --- a/configure.in +++ b/configure.in @@ -4,6 +4,7 @@ dnl $Id$ dnl ---------------------------------------------------------------------- dnl bashlib dnl Copyright (C) 2002-2005 darren chamberlain +dnl Copyright (C) 2018-2024 Mikhail Novosyolov dnl dnl This program is free software; you can redistribute it and/or modify dnl it under the terms of the GNU General Public License as published by @@ -28,17 +29,16 @@ bashlib_version=0.5 AC_INIT(bashlib.in) +AC_PATH_PROG(BASH, bash, "") AC_PATH_PROG(AWK, awk, "") AC_PATH_PROG(CAT, cat, "") AC_PATH_PROG(CUT, cut, "") AC_PATH_PROG(CP, cp, "") -AC_PATH_PROG(ECHO, echo, "") AC_PATH_PROG(ENV, env, "") AC_PATH_PROG(GREP, grep, "") AC_PATH_PROG(GZIP, gzip, "") AC_PATH_PROG(INSTALL, install, "") AC_PATH_PROG(MKDIR, mkdir, "") -AC_PATH_PROG(PRINTF, printf, "") AC_PATH_PROG(RM, rm, "") AC_PATH_PROG(SED, sed, "") AC_PATH_PROG(TAR, tar, "") diff --git a/examples/bashlib.sourceforge.net_backup.html b/examples/bashlib.sourceforge.net_backup.html new file mode 100644 index 0000000..8642fd7 --- /dev/null +++ b/examples/bashlib.sourceforge.net_backup.html @@ -0,0 +1,111 @@ + + + bashlib - CGI programming with the bash shell + + +
+

bashlib - CGI programming with the bash shell

+ + [ Project Page + | Why? + | bashlib news + | How it came about + | Using bashlib ]
+ + [ CVs eXtender + | Something you don't like? + | Getting bashlib + | Other Resources + | Comments? ] + +
+

Why?

+

bashlib is a shell script that makes CGI programming in the bash shell easier, or at least more tolerable. It contains a few functions that get called automatically and place form elements (from POSTs and GETs) and cookies in your environment. It also contains complete documentation on how to use these variables and how to set cookies manually.

+

Recent bashlib News

+

The most recent version of bashlib will always be available from http://bashlib.sourceforge.net/src/bashlib-current.tar.gz and will + be browsable at http://bashlib.sourceforge.net/src/bashlib-current/.

+

Version 0.4 (download or browse) of bashlib, released March 12, 2002, is fully autoconfiscated. To install it, run ./configure as usual. If you check out the CVS version, you'll need autoconf installed to create the configure script from configure.in.

+

I released version 0.3 (download or browse)of bashlib on February 21, 2001. The only difference between 0.3 and 0.2 is that the tarball works. I've been testing it for a while, and it definitely seems stable enough for real use. The interface has changed a little; the sample below reflects these changes.

+

How this came about, and what it is useful for

+

Things such as this are born of necessity. My ISP, while being incredibly useful in most ways, doesn't have a recent version of Perl available for their casual users (e.g., dial-up accounts, with web pages in http://www.isp.net/~mylogin/) -- Perl is a "value-added" service. This was a great source of frustration for me, since I am a Perl programmer by day. So, I began rooting (not literally) around for other methods of writing CGI scripts, and realized that the shell, which I spent most of my time using, was not only a great generaly purpose scripting environment, but also a good one for CGI scripts. This naturally led me to forms and cookies, and here we are today.

+

No, I really don't have this much free time. The current release is the result of about a days worth of work (on and off throughout the day), with some help. Well, that's not quite true -- 9 years of using Unix went into it as well.

+

Using bashlib

+

Using bashlib is pretty straight-forward. More important, however, is knowing what to do with the variables once they come into your script and knowing how to write CGI scripts. (This script is not running here, for obvious reasons.)

+ 
+#!/bin/bash
+
+# this sources bashlib into your current environment
+. /usr/local/lib/bashlib
+
+echo "Content-type: text/html"
+echo ""
+
+# OK, so we've sent the header... now send some content
+echo "<html><title>Crack This Server</title><body>"
+
+# print a "hello" if the username is filled out
+username=`param username`
+if [ -n "x$username" != "x" ] ; then
+    echo "<h1>Hello, $username</h1>
+fi
+
+echo "<h2>Users on `/bin/hostname`</h2>"
+echo "<ul>"
+
+# for each user in the passwd file, print their login and full name
+# bold them if they are the current user
+for user in $(cat /etc/passwd | awk -F: '{print $1 "\t" $5}') ; do
+    echo "<li>"
+    if [ "$username" = "$user" ] ; then
+        echo "<strong>$user</strong>"
+    else
+        echo "$user"
+    fi
+    echo "</li>"
+done
+echo "</ul>"
+echo "</body></html>"
+
+ + + +

Other Resoruces

+
    +
  • I recommend checking out bashish if you use bash often; it is dedicated to the configuration of bash. Although it isn't helpful for CGI programming in bash, it makes day to day usage of bash quite nice. To quote:
    • +
    +Bashish is a theme engine for the console.
    +It lets you customize title, prompt, background, foreground, colors, font and a lot of other things.
    +Bashish is also very configurable, you can turn on and off nearly all features.
    +
    +
  • ^txt2regex$ is a Regular Expression "wizard", all written with bash2 builtins, that converts human sentences to RegExs. with a simple interface, you just answer to questions and build your own RegEx for a large variety of programs, like awk, ed, emacs, grep, perl, php, procmail, python, sed and vim. there are more than 20 supported programs. it's bash so download and run, no compilation needed.
    • +
  • For folks who do a lot of command-line-based web work, surfaw might be useful:
    • +
    + Surfraw (Shell Users' Revolutionary Front Rage Against the Web) provides a Unix command line interface to a variety of popular Web search engines and sites, including Google, Altavista, Babelfish, Raging, DejaNews, Research Index, Yahoo!, WeatherNews, Slashdot, freshmeat, and many others. +
    +
  • The BASH Programming - Introduction HOW-TO and Advanced Bash-Scripting HOWTO: A guide to shell scripting, using Bash are very, very useful.
    • +
  • I just came across Prentice Hall's 1996 book Portable Shell Programming, and it is wonderful. All the examples are pure Bourne shell, so they are (naturally) portable, and also very informative.
    • +
  • And, finally, while it's not free, David Tansley's Linux & Unix Shell Programming is a wonderful resource (get it from fatbrain).
    • +
+ + + +

Something you don't like?

+

OK, so there's probably something in here you think should be different, could be better, etc. Well, drop me a line (email me at dlc@users.sourceforge.net) and let me know. You can write it out in words ("bashlib should uuencode GIFs on the fly"), provide a patch (via diff -u), or rewrite the whole thing (try to keep it in shell, though). All reasonable emails will be read, and probably answered as well.

+ + + +

Getting bashlib

+

bashlib is a pretty short script (as libraries go), and all versions can be browsed here. It is available for download from Sourceforge at http.

+

bashlib is also available from anonymous CVS. The CVS repository can be checked out through anonymous (pserver) CVS. When prompted for a password for anonymous, simply press the Enter key.

+
+cvs -d:pserver:anonymous@cvs.bashlib.sourceforge.net:/cvsroot/bashlib login 
+cvs -z3 -d:pserver:anonymous@cvs.bashlib.sourceforge.net:/cvsroot/bashlib co bashlib
+
+
+ SourceForge Logo +
+ diff --git a/examples/promo-codes.sh b/examples/promo-codes.sh new file mode 100644 index 0000000..781c5bd --- /dev/null +++ b/examples/promo-codes.sh @@ -0,0 +1,52 @@ +#!/usr/bin/env bash +# CGI script +# Does not work with FastCGI (fcgi) because it requires additional communication, see https://unix.stackexchange.com/a/241694 +set -e +set -f +#set -u # BAH01215: ./bashlib: line 82: value: unbound variable + +# https://stackoverflow.com/questions/3919755/how-to-parse-query-string-from-a-bash-cgi-script + +# source bashlib https://github.com/mikhailnov/bashlib +. ./bashlib 2>/dev/null || . bashlib || ( echo "Failed to source bashlib!" ; exit 1 ) + +# get file with promo codes +for file in './promo_codes_1.txt' '/var/www/domain.tld/promo_codes_1.txt' +do + [ -f "$file" ] && file_codes="$file" && break +done + +do_redirect_back(){ +code_error_type="${code_error_type:-неверный}" +echo -n " + +
+Ошибка: вы ввели ${code_error_type} промо-код! +
+
+
" +} + +do_redirect_forward(){ +redir_URL='https://domain.tld/page2' +echo -n " + + + + + +Вы будете перенаправлены на страницу записи. Если она не открылась, перейдите по ссылке. +" +} + +write_used_code(){ + # used codes will be converted to empty lines + # TODO: check if this file is writable and redirect back in case of error + sed -e "s/${code}//g" -i "$file_codes" +} + +code="$(param code)" +if grep -q "$code" "$file_codes" + then write_used_code && do_redirect_forward # don't redirect if failed to write_used_code + else do_redirect_back +fi diff --git a/examples/write-to-file.sh b/examples/write-to-file.sh new file mode 100755 index 0000000..d76ebf0 --- /dev/null +++ b/examples/write-to-file.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +# Example request: +# http://localhost/cgi-bin/r8168.cgi?rev=0x00&probe=b0cdd5070e + +# https://github.com/mikhailnov/bashlib, https://abf.io/import/bashlib +. bashlib ||{ echo "Failed to source bashlib!" ; exit 1 ;} + +readonly file="/var/www/r8168.list" +readonly lock="/var/www/r8168.lock" +readonly rev="$(safe_param rev)" +readonly probe="$(safe_param probe)" + +# possible values: 0x15, 0x09 +if ! [[ "$rev" =~ ^0x..$ ]]; then + echo "Status: 400 Bad request" + echo "Content-Type: text/plain; charset=utf-8" + echo "" + echo "Incorrect value of rev" + exit 1 +fi + +if [ ${#probe} -gt 20 ] || ! [[ "$probe" =~ ^[a-zA-Z0-9]+$ ]]; then + echo "Status: 400 Bad request" + echo "Content-Type: text/plain; charset=utf-8" + echo "" + echo "Incorrect value of probe" + exit 1 +fi + +set -e +echo "$rev;$probe" | flock "$lock" tee -a "$file" >/dev/null +echo "Status: 200 OK" +echo "Content-Type: text/plain; charset=utf-8" +echo "" +echo "OK"