File: o-saft.php

o-saft 22.11.22-1
  • area: main
  • in suites: bookworm, sid
  • size: 8,720 kB
  • sloc: perl: 22,252; makefile: 3,703; tcl: 3,499; sh: 3,048; awk: 319; ruby: 75; xml: 38; php: 32; csh: 13
<?php
#?
#? NAME
#?      $0 - simple wrapper for o-saft.cgi
#?
#? WARNING ####################################################################
#?      This is not tamper-proof code.                                       ##
#?      It passes all received parameters unmodified "as is" to the shell.   ##
#?      Hence this script may be subject to code injections.                 ##
#?                                                                           ##
#?                          You have been warned!                            ##
#?                                                                           ##
#? ############################################################################
#?
#? DESCRIPTION
#?      PHP wrapper to call  o-saft.cgi.  All arguments are passed thru.
#?      The purpose is to support  o-saft.cgi  on web servers which have not
#?      enabled perl as  CGI, or where it is not possible to configure a proper
#?      handler for perl but PHP is allowed.
#?      o-saft.cgi or o-saft.pl  will be searched for in various paths relative
#?      to the directory of $_SERVER['SCRIPT_FILENAME'].
#?
#? VERSION
#?      @(#) o-saft.php 1.9 19/11/12 11:26:46
#?
#? AUTHOR
#?      17-feb-17 Achim Hoffmann
# -----------------------------------------------------------------------------

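function get_exe($base, $file, $dirs) {
    # Locate $file below $base by probing each entry of $dirs in order.
    #
    #   $base   directory the candidates are resolved against
    #   $file   file name to look for
    #   $dirs   list of directories relative to $base; first hit wins
    #
    # Returns the canonical path reported by realpath() for the first existing
    # candidate, or the bare $file as fallback when no candidate exists.
    foreach ($dirs as $dir) {
        $found = realpath(join(DIRECTORY_SEPARATOR, [$base, $dir, $file]));
        # realpath() yields false for a missing path. That value must not
        # replace the fallback: a caller would otherwise receive false and
        # build its command line from an empty directory and file name.
        if ($found !== false && $found !== '') { return $found; }   # got it
    }
    return $file;   # fallback: nothing found in any of $dirs
}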

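# list of directories where to search for o-saft.[cgi|pl] ; first one wins
# NOTE: */O-Saft and ../ used for easy testing in development environment,
#       can/should be removed in production; every extra entry is one more
#       location from which an executable may be picked up and started
$dirs = ['.', 'cgi-bin', '../cgi-bin', 'O-Saft', 'cgi-bin/O-Saft', '../cgi-bin/O-Saft', '..'];
$path = pathinfo($_SERVER['SCRIPT_FILENAME']);  # analyze myself

if (empty($_SERVER['QUERY_STRING'])) {
    header("HTTP/1.1 406 Not Acceptable");
    exit(2);
}

# The client-supplied query string reaches o-saft.cgi through the environment
# variable QUERY_STRING only; it is never placed on the shell command line
# built below. Checking the individual parameters is therefore left to
# o-saft.cgi itself (not visible here -- verify before exposing this wrapper).
$_SERVER['QUERY_STRING'] .= "&--cgi-no-header";     # HTTP headers are most likely done by PHP module itself, hence disable in CGI
putenv("QUERY_STRING=".$_SERVER['QUERY_STRING']);   # ensure setting, in case of missing

$cgi  = get_exe($path['dirname'], 'o-saft.cgi', $dirs);
if (empty($cgi)) {
    # nothing to execute; do not hand an empty path to the shell
    header("HTTP/1.1 500 Internal Server Error");
    exit(3);
}
$path = pathinfo($cgi);     # need to start in directory so that .o-saft.pl is used
$cgi  = join(DIRECTORY_SEPARATOR, ['.', $path['basename']]);    # redefine to ./o-saft.cgi

# Both values are file system paths, but they are still interpolated into a
# shell command: quote them so that blanks or shell metacharacters in a
# directory name cannot change the command. '&&' instead of ';' ensures that
# ./o-saft.cgi is not started from some other directory when cd fails.
$call = join(' ', ['cd', escapeshellarg($path['dirname']), '&&', escapeshellarg($cgi)]);
passthru($call, $err);
exit(0);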

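#_________________________________________ alternate methods, NOT RECOMMENDED _
# This part is only reached if the exit(0) above is removed.
# Here the query string is passed on the command line, hence every parameter
# is handed to the shell. Removing a few characters is not sufficient to make
# that safe; each parameter is therefore quoted with escapeshellarg() as well.
# NOTE: quoting only stops the shell from interpreting the value. Any option
#       sent by the client is still passed to o-saft.pl, which must validate
#       its arguments itself.

header('Content-Type: text/plain');
$args = [];
if (isset($_SERVER['QUERY_STRING'])) {
    foreach (preg_split('/&/', $_SERVER['QUERY_STRING']) as $arg) {
        $arg = (string) preg_replace('/[;&`>!|$<]/', '', $arg, -1); # remove just a few dangerous characters
        if ($arg !== '') { $args[] = escapeshellarg($arg); }        # one shell word per parameter
    }
}
$qs   = join(' ', $args);
$exe  = get_exe($path['dirname'], 'o-saft.pl', $dirs);
if (empty($exe)) {
    # nothing to execute; do not hand an empty path to the shell
    header("HTTP/1.1 500 Internal Server Error");
    exit(3);
}
$path = pathinfo($exe);     # use the located o-saft.pl, not the path left over from the o-saft.cgi lookup
$exe  = join(DIRECTORY_SEPARATOR, ['.', $path['basename']]);    # redefine to ./o-saft.pl
$call = join(' ', ['cd', escapeshellarg($path['dirname']), '&&', escapeshellarg($exe), '--cgi', $qs]);
#dbx# echo("call=$call\n");
passthru($call, $err);  # pass QUERY_STRING on command line
#dbx# echo "# ERROR=$err\n";
exit(0);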

?>