File: cgihandler.py

package info (click to toggle)
libapache2-mod-python 3.5.0.6-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 1,776 kB
  • sloc: python: 7,503; ansic: 7,033; makefile: 296; lex: 246; sh: 212
file content (143 lines) | stat: -rw-r--r-- 4,666 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
 
 #
 # Copyright (C) 2000, 2001, 2013, 2024 Gregory Trubetskoy
 # Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Apache Software Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you
 # may not use this file except in compliance with the License.  You
 # may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 # implied.  See the License for the specific language governing
 # permissions and limitations under the License.
 #
 # Originally developed by Gregory Trubetskoy.
 #

from . import apache
import os
import sys
PY2 = sys.version[0] == '2'

if PY2 or sys.hexversion < 0x030c0000: # 3.12.0
    import imp
else:
    import importlib.util

# if threads are not available
# create a functionless lock object
try:
    import threading
    _lock = threading.Lock()
except (ImportError, AttributeError):
    class DummyLock:
        def acquire(self):
            pass
        def release(self):
            pass
    _lock = DummyLock()

# the next statement  deserves some explaining.
# it seems that the standard os.environ object looses
# memory if the environment is manipulated frequently. Since for
# CGI you have to rebuild it for every request, your httpd will
# grow rather fast. I am not exactly sure why it happens and if there
# is a more sensible remedy, but this seems to work OK.
os.environ = {}

original = list(sys.modules.keys())

# find out the standard library location
stdlib, x = os.path.split(os.__file__)

def handler(req):

    ### if you don't need indirect modules reloaded, comment out
    ### code unitl ### end

    # if there are any new modules since the import of this module,
    # delete them.
    for m in list(sys.modules.keys()):
        if m not in original:
            # unless they are part of standard library
            mod = sys.modules[m]
            if hasattr(mod, "__file__"):
                path, x = os.path.split(mod.__file__)
                if path != stdlib:
                    del sys.modules[m]
    ### end

    # get the filename of the script
    if "script_filename" in req.subprocess_env:
        dir, file = os.path.split(req.subprocess_env["script_filename"])
    else:
        dir, file = os.path.split(req.filename)
    module_name, ext = os.path.splitext(file)

    _lock.acquire()
    try:

        try:

            # The CGI spec requires us to set current working
            # directory to that of the script. This is not
            # thread safe, this is why we must obtain the lock.
            cwd = os.getcwd()
            os.chdir(dir)

            # simulate cgi environment
            env, si, so = apache.setup_cgi(req)

            scriptPath = os.path.join(dir, file)

            if not os.path.exists(scriptPath):
                raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND)

            # avoid loading modules outside dir
            # (e.g. shenanigans like ../../../../etc/passwd)
            scriptPath = os.path.abspath(scriptPath)
            if not scriptPath.startswith(dir):
                raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND)

            if PY2 or sys.hexversion < 0x030c0000: # 3.12.0

                try:
                    # we do not search the pythonpath (security reasons)
                    fd, path, desc = imp.find_module(module_name, [dir])
                except ImportError:
                    raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND)

                # this executes the module
                imp.load_module(module_name, fd, path, desc)

            else:

                try:
                    # we do not search the pythonpath (security reasons)
                    spec = importlib.util.spec_from_file_location(module_name, scriptPath)
                except (ModuleNotFoundError, ValueError):
                    raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND)

                if spec is None:
                    raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND)

                module = importlib.util.module_from_spec(spec)
                sys.modules[module_name] = module
                spec.loader.exec_module(module)

            return apache.OK

        finally:
            # unsimulate the cgi environment
            apache.restore_nocgi(env, si, so)
            if PY2:
                try:
                    fd.close()
                except: pass
            os.chdir(cwd)

    finally:
        _lock.release()