目录
0 实现一个返回json格式应答的CGI
1 实现一个form来发送http请求
2 实现一个返回html页面,标题和内容都为Hello World
3 温故知新
(1) Introduction to CGI
(2) Basic Bash CGI Example
(3) Processing Bash CGI Input
(4) CGI Security
0 实现一个返回json格式应答的CGI
#!/bin/bash
echo "Content-type: text/html"
echo ""
# ok, we've sent the header, now send some content
echo "{\"ret\":0,\"msg\":\"ok\"}"
测试方法:
将上述的Bash脚本放在Websvr下,可以通过curl命令发送http请求,例如:curl "http://172.25.81.16/cgi-bin/ret_json_ok.sh",然后会返回:{"ret":0,"msg":"ok"}。
效果如下图所示:
实现方法分两步: (1) 写一个简单的html页面,例如,form.html
Enter Host:
(2) 写一个接收请求的CGI,上面的ACTION已指定,即,form_test.sh
#!/bin/bash
echo 'Content-type: test/html'
echo ''
echo $QUERY_STRING返回的页面效果如下图:
#!/bin/bash
echo 'Content-type: test/html'
echo ''
echo ''
echo ''
echo ''
echo 'Hello World'
echo ''
echo ''
echo 'Hello World'
echo ''
echo ''
exit 0通过上面几个非常简单的例子,下面总结一些基本概念:
(1) Introduction to CGIWeb CGI programs can be written in any language which can process standard input (stdin),environment variables and write to standard output (stdout).The web server will interact with all CGI programs using the "Common Gateway Interface" (CGI) standard as set by RFC 3875. This capability is possessed by most modern computer programming and scripting languages, including the bash shell.
(2) Basic Bash CGI Example
CGI programs typically perform the following:
- All CGI scripts must write out a header used by the browser to identify the content.
- They typically process some input. (URL, form data or ISINDEX)
- CGI can access environment variables set by the web server.
- CGI scripts will write out HTML content to be viewed. This typically has the structure of the "head" which contains non-viewable content and "body" which provides the viewable content.
Script Location:
Various distributions of Linux locate the CGI directory in different directory paths. The path is set by the web server configuration file. For the Apache web server, the "ScriptAlias" directive defines the CGI path:
Linux DistributionPathRed Hat Enterprise, 7.x-9, Fedora core, CentOS/var/www/cgi-bin/Red Hat 6.x and older/home/httpd/cgi-bin/SuSe/srv/www/cgi-bin/Ubuntu/Debian/usr/lib/cgi-bin/
Script Permissions:
The script will require system executable permissions: chmod +x /var/www/cgi-bin/hello.sh
If using SELinux, the security context must also permit execution: chcon -t httpd_sys_content_t /var/www/cgi-bin/hello.sh
Executing Shell Commands:
Typically one will want to process shell or system commands:
Add the paths required to find the commands:
(3) Processing Bash CGI Input
Accessing Environment Variables:
The web server will pass environment variables to the CGI which it can access and use. This is very simple for bash.
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo ''
echo ''
echo ''
echo 'Environment Variables'
echo ''
echo ''
echo 'Environment Variables:'
echo ''
/usr/bin/env
echo '
'
echo ''
echo ''
exit 0
Typically one will want to process input from the URL "QUERY_STRING" such as "namex=valuex&namey=valuey&namez=valuez" extracted from the following URL:http://localhost/cgi-bin/env.sh?namex=valuex&namey=valuey&namez=valuez
Script Description:
- Script will loop through all of the arguments in environment variable "QUERY_STRING" as separated by the delimiter "&". Thus the script loops three times with the following "Args":
- namex=valuex
- namey=valuey
- namez=valuez
- For each "Args" line, look for each token separated by the delimeter "=". Component 1 ($1) and component 2 ($2).
- Use "sed" to parse and substitute characters. A blank space is substituted for all %20's.
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo ''
echo ''
echo ''
echo 'Environment Variables'
echo ''
echo ''
echo 'Parse Variables:'
# Save the old internal field separator.
OIFS="$IFS"
# Set the field separator to & and parse the QUERY_STRING at the ampersand.
IFS="${IFS}&"
set $QUERY_STRING
Args="$*"
IFS="$OIFS"
# Next parse the individual "name=value" tokens.
ARGX=""
ARGY=""
ARGZ=""
for i in $Args ;do
# Set the field separator to =
IFS="${OIFS}="
set $i
IFS="${OIFS}"
case $1 in
# Don't allow "/" changed to " ". Prevent hacker problems.
namex) ARGX="`echo $2 | sed 's|[\]||g' | sed 's|%20| |g'`"
;;
# Filter for "/" not applied here
namey) ARGY="`echo $2 | sed 's|%20| |g'`"
;;
namez) ARGZ="${2/\// /}"
;;
*) echo "Warning:"\
"Unrecognized variable \'$1\' passed by FORM in QUERY_STRING."
;;
esac
done
echo 'Parsed Values:'
echo ''
echo $ARGX
echo ''
echo $ARGY
echo ''
echo $ARGZ
echo ''
echo ''
exit 0Output:
Parsed Values:
valuex
valuey
valuez
You will get the same results for: http://node1.megawww.com/cgi-bin/env.sh?namex=valuex&namez=valuez&namey=valuey
Typically one will also want to produce and process input from an HTML form:
URL: http://localhost/cgi-bin/exampleForm.sh
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo ''
echo ''
echo ''
echo 'Form Example'
echo ''
echo ''
echo ""\
''\
'Input'\
'Section'\
''
echo ' Option 1'\
' Option 2'\
' Option 3'
echo ''\
''
# Make sure we have been invoked properly.
if [ "$REQUEST_METHOD" != "GET" ]; then
echo "Script Error:"\
"Usage error, cannot complete request, REQUEST_METHOD!=GET."\
"Check your FORM declaration and be sure to use METHOD=\"GET\"."
exit 1
fi
# If no search arguments, exit gracefully now.
if [ -z "$QUERY_STRING" ]; then
exit 0
else
# No looping this time, just extract the data you are looking for with sed:
XX=`echo "$QUERY_STRING" | sed -n 's/^.*val_x=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
YY=`echo "$QUERY_STRING" | sed -n 's/^.*val_y=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
ZZ=`echo "$QUERY_STRING" | sed -n 's/^.*val_z=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
echo "val_x: " $XX
echo ''
echo "val_y: " $YY
echo ''
echo "val_z: " $ZZ
fi
echo ''
echo ''
exit 0Note that the environment variables $REQUEST_METHOD and $QUERY_STRING can be processed by the shell directly.
You can string together more "sed" translators as needed (depending on your content):| sed "s/%20/ /g" | sed "s/%3A/:/g" | sed "s/%2F/\//g"
(4) CGI SecurityOne must filter the input to avoid cross site scripting. Filter out "&*?./" to avoid trouble from hackers.
