1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
|
# Copyright (c) 2000 Gregory Trubetskoy. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# 3. The end-user documentation included with the redistribution, if
# any, must include the following acknowledgment: "This product
# includes software developed by Gregory Trubetskoy."
# Alternately, this acknowledgment may appear in the software itself,
# if and wherever such third-party acknowledgments normally appear.
#
# 4. The names "mod_python", "modpython" or "Gregory Trubetskoy" must not
# be used to endorse or promote products derived from this software
# without prior written permission. For written permission, please
# contact grisha@modpython.org.
#
# 5. Products derived from this software may not be called "mod_python"
# or "modpython", nor may "mod_python" or "modpython" appear in their
# names without prior written permission of Gregory Trubetskoy.
#
# THIS SOFTWARE IS PROVIDED BY GREGORY TRUBETSKOY ``AS IS'' AND ANY
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GREGORY TRUBETSKOY OR
# HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.
# ====================================================================
#
# $Id: publisher.py,v 1.12.2.1 2002/04/10 21:18:22 gtrubetskoy Exp $
"""
This handler is conceputally similar to Zope's ZPublisher, except
that it:
1. Is written specifically for mod_python and is therefore much faster
2. Does not require objects to have a documentation string
3. Passes all arguments as simply string
4. Does not try to match Python errors to HTTP errors
5. Does not give special meaning to '.' and '..'.
"""
import apache
import util
import os
import string
import imp
import re
import base64
import new
from types import ClassType, ModuleType
# list of suffixes - .py, .pyc, etc.
suffixes = map(lambda x: x[0], imp.get_suffixes())
# now compile a regular expression out of it:
exp = "\\" + string.join(suffixes, "$|\\")
suff_matcher = re.compile(exp)
def handler(req):
# use direct access to _req for speed
_req = req._req
args = {}
# get the path PATH_INFO (everthing after script)
if not _req.subprocess_env.has_key("PATH_INFO"):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
func_path = _req.subprocess_env["PATH_INFO"][1:] # skip fist /
func_path = string.replace(func_path, "/", ".")
if func_path[-1] == ".":
func_path = func_path[:-1]
# if any part of the path begins with "_", abort
if func_path[0] == '_' or string.count(func_path, "._"):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
# process input, if any
fs = util.FieldStorage(req, keep_blank_values=1)
req.form = fs
# step through fields
for field in fs.list:
# if it is a file, make File()
if field.filename:
val = File(field)
else:
val = field.value
if args.has_key(field.name):
args[field.name].append(val)
else:
args[field.name] = [val]
# at the end, we replace lists with single values
for arg in args.keys():
if len(args[arg]) == 1:
args[arg] = args[arg][0]
# add req
args["req"] = req
# import the script
path, module_name = os.path.split(_req.filename)
# get rid of the suffix
module_name = suff_matcher.sub("", module_name)
# import module (or reload if needed)
module = apache.import_module(module_name, _req, [path])
# does it have an __auth__?
realm, user, passwd = process_auth(req, module)
# resolve the object ('traverse')
try:
object = resolve_object(req, module, func_path, realm, user, passwd)
except AttributeError:
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
# not callable, a class or an aunbound method
if not callable(object) or \
str(type(object)) == "<type 'class'>" \
or (hasattr(object, 'im_self') and not object.im_self):
result = str(object)
else:
# callable, (but not a class or unbound method)
# we need to weed out unexpected keyword arguments
# and for that we need to get a list of them. There
# are a few options for callable objects here:
if str(type(object)) == "<type 'instance'>":
# instances are callable when they have __call__()
object = object.__call__
if hasattr(object, "func_code"):
# function
fc = object.func_code
expected = fc.co_varnames[0:fc.co_argcount]
elif hasattr(object, 'im_func'):
# method
fc = object.im_func.func_code
expected = fc.co_varnames[1:fc.co_argcount]
# remove unexpected args
for name in args.keys():
if name not in expected:
del args[name]
result = apply(object, (), args)
if result:
result = str(result)
# unless content_type was manually set, we will attempt
# to guess it
if not req._content_type_set:
# make an attempt to guess content-type
if string.lower(string.strip(result[:100])[:6]) == '<html>' \
or string.find(result,'</') > 0:
req.content_type = 'text/html'
else:
req.content_type = 'text/plain'
req.send_http_header()
req.write(result)
return apache.OK
else:
return apache.HTTP_INTERNAL_SERVER_ERROR
def process_auth(req, object, realm="unknown", user=None, passwd=None):
found_auth, found_access = 0, 0
# because ap_get_basic insists on making sure that AuthName and
# AuthType directives are specified and refuses to do anything
# otherwise (which is technically speaking a good thing), we
# have to do base64 decoding ourselves.
#
# to avoid needless header parsing, user and password are parsed
# once and the are received as arguments
if not user and req.headers_in.has_key("Authorization"):
try:
s = req.headers_in["Authorization"][6:]
s = base64.decodestring(s)
user, passwd = string.split(s, ":", 1)
except:
raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST
if hasattr(object, "__auth_realm__"):
realm = object.__auth_realm__
if type(object) == type(process_auth):
# functions are a bit tricky
if hasattr(object, "func_code"):
func_code = object.func_code
if "__auth__" in func_code.co_names:
i = list(func_code.co_names).index("__auth__")
__auth__ = func_code.co_consts[i+1]
if hasattr(__auth__, "co_name"):
__auth__ = new.function(__auth__, globals())
found_auth = 1
if "__access__" in func_code.co_names:
# first check the constant names
i = list(func_code.co_names).index("__access__")
__access__ = func_code.co_consts[i+1]
if hasattr(__access__, "co_name"):
__access__ = new.function(__access__, globals())
found_access = 1
if "__auth_realm__" in func_code.co_names:
i = list(func_code.co_names).index("__auth_realm__")
realm = func_code.co_consts[i+1]
else:
if hasattr(object, "__auth__"):
__auth__ = object.__auth__
found_auth = 1
if hasattr(object, "__access__"):
__access__ = object.__access__
found_access = 1
if found_auth:
if not user:
s = 'Basic realm = "%s"' % realm
req.err_headers_out["WWW-Authenticate"] = s
raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED
if callable(__auth__):
rc = __auth__(req, user, passwd)
else:
if type(__auth__) == type({}): # dictionary
rc = __auth__.has_key(user) and __auth__[user] == passwd
else:
rc = __auth__
if not rc:
s = 'Basic realm = "%s"' % realm
req.err_headers_out["WWW-Authenticate"] = s
raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED
if found_access:
if callable(__access__):
rc = __access__(req, user)
else:
if type(__access__) in (type([]), type(())):
rc = user in __access__
else:
rc = __access__
if not rc:
raise apache.SERVER_RETURN, apache.HTTP_FORBIDDEN
return realm, user, passwd
def resolve_object(req, obj, object_str, realm=None, user=None, passwd=None):
"""
This function traverses the objects separated by .
(period) to find the last one we're looking for.
"""
parts = string.split(object_str, '.')
for n in range(len(parts)):
obj = getattr(obj, parts[n])
obj_type = type(obj)
# object cannot be a module
# neither a class
if obj_type in [ClassType, ModuleType]:
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
# all but the last object...
if n < (len(parts)-1):
# ...must be instance
if obj_type != InstanceType:
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
realm, user, passwd = process_auth(req, obj, realm,
user, passwd)
return obj
class File:
""" Like a file, but also has headers and filename
"""
def __init__(self, field):
# steal all the file-like methods
for m in field.file.__methods__:
self.__dict__[m] = getattr(field.file, m)
self.headers = field.headers
self.filename = field.filename
|
