
Reminder (Emlékeztető)

Reminder. On December 1 we make up the missed lecture (from Nov. 24) in room A/1 228, 16-18. On December 8 we hold the make-up test (pótZH) for those who failed the test; the lecture therefore starts half an hour later. Common Gateway Interface. Need for CGI.

shubha


Presentation Transcript


  1. Reminder • On December 1 we make up the missed lecture (from Nov. 24) in room A/1 228, 16-18 • On December 8 we hold the make-up test (pótZH) for those who failed the test; the lecture therefore starts half an hour later.

  2. Common Gateway Interface

  3. Need for CGI • HTML/XHTML is static, it is not parameterized; • using only HTML/XHTML, CSS and JS one cannot write dynamic web pages: pages that look different depending on the user who visits them (client, administrator etc.), pages that display different products depending on what is in a database, pages that should be displayed depending on the value of some parameters. • using only HTML/XHTML, CSS and JS one cannot develop distributed web applications (e-commerce sites, hotel booking, web search applications etc.)

  4. What is CGI? • a standard protocol for interfacing external application software with the web server • developed in 1993 at NCSA (National Center for Supercomputing Applications) • CGI 1.1 specified in RFC 3875, 2004 • allows an external executable file to respond to an HTTP Request from the browser • CGI defines how information is passed from the web server to the executable program and how information is passed from that program back to the server

  5. What is CGI? • CGI is an acronym that stands for Common Gateway Interface; it is a standard for interfacing external applications with information servers, such as HTTP or Web servers • This interface provides a means for browsers and the server where the document resides to communicate and pass information back and forth • Primarily, this is done through the <FORM> tag, but there can be other ways to use CGI effectively, like through Server Side Includes (SSI)

  6. Common Gateway Interface • CGI is a standard mechanism for: • Associating URLs with programs that can be run by a web server. • A protocol (of sorts) for how the request is passed to the external program. • How the external program sends the response to the client.

  7. What is CGI? • CGI permits interactivity between a client and a host operating system through the World Wide Web via the Hyper Text Transfer Protocol (HTTP) • CGI programs can be written in C or C++, Perl, ASP, PHP, Python, TCL, shells, and many other languages and scripts

  8. Drawbacks of CGI • because no special web-oriented language is used for writing CGI scripts (e.g. shell, perl, c/c++, python etc.), programming errors are highly probable, and these errors lead to security vulnerabilities • usually a new process is created for each run of a CGI script; this increases the load on the server • CGI scripts are executable files; they can write to / delete from the local disk, so this is a security vulnerability

  9. CGI URLs • There is some mapping between URLs and CGI programs provided by a web server. The exact mapping is not standardized (the web server admin can set it up). • Typically: • requests that start with /CGI-BIN/ , /cgi-bin/ or /cgi/, etc. refer to CGI programs (not to static documents).

  10. Examples of uses for CGI • Forms • forms on web sites allow the user to enter information which is processed by CGI and mailed to an administrator or logged • On-the-Fly Pages • web pages can be created dynamically (as needed) with up-to-date information. • Database Interaction • an application of on-the-fly page creation. Web pages can be created using information read from a database, or a web site form can allow a user to update database entries

  11. Examples of uses for CGI • Logging / Counters • a log file can record traffic data updated with information on each visitor. A counter can be included on the web page to advertise traffic. • Animation • "server-push" programs can be used to feed the client successive images in an animated sequence. • Catalogs, Search engines

  12. Requirements • Web server (NCSA, Apache, IIS, Microsoft Personal Web server etc.) • Compiler (C/C++) or Interpreter (Perl), PHP, ASP • Web browser (NN, IE etc.)

  13. Writing CGI programs involves • Obtaining input from a user or from a data file. • Storing that input in program variables. • Manipulating those variables to achieve some desired purpose, and • Sending the results to a file or video display.

  14. CGI Programming (diagram: the CLIENT sends an http request to the HTTP SERVER, which uses setenv(), dup(), fork(), exec(), ... to run the CGI Program, and the http response goes back to the CLIENT)

  15. First CGI example (in shell)
      #!/bin/bash
      echo Status: 200 OK
      echo Content-Type: text/html
      echo
      echo
      echo "<html><head></head>"
      echo "<body>"
      echo "Hello world."
      echo "</body></html>"

  16. Getting parameters from the client/browser • parameters can be passed from the user to the CGI script through an html <form>
      <form action="script.cgi" method="GET | POST">
        <input type="…" name="input1" />
        <input type="…" name="input2" />
        …
        <input type="…" name="inputN" />
      </form>
  • the script.cgi will get the parameters as: input1=val1&input2=val2& … &inputN=valN

  17. Getting parameters from the client/browser (2) • parameters can be sent through the GET method (in the HTTP Request header) => the CGI script will receive the parameters from the web server in an environment variable $QUERY_STRING • or they can be passed through the POST method (in the body of the HTTP Request) => the CGI script will receive the parameters from the web server in the standard input

  18. Request CGI program • The web server sets some environment variables with information about the request. • The web server fork()s and the child process exec()s the CGI program. • The CGI program gets information about the request from environment variables.

  19. (diagram: the HTTP SERVER passes Environment Variables and stdin to the CGI Program, and reads its stdout)

  20. STDIN, STDOUT • Before calling exec(), the child process sets up pipes so that stdin comes from the web server and stdout goes to the web server. • In some cases part of the request is read from stdin. • Anything written to stdout is forwarded by the web server to the client.

  21. Environment Variables (What are they used for?) • In order to pass data from the server to the script, the server uses command line arguments along with environment variables. • The Environment Variables are set when the server executes a CGI Script. • Environment Variables allow the CGI Script to reference variables that might be wanted for the Script output. • There are two types of environment variables: • Non-Request specific variables - those set for every request • Request specific variables - those that are dependent on the request being fulfilled by the CGI Script

  22. Data are obtained in ENVIRONMENT variables. • The ENVIRONMENT variables are shown below in the table

  23. ENVIRONMENT VARIABLE - DESCRIPTION
      SERVER_NAME - The server's host name or IP address.
      SERVER_SOFTWARE - The name and version of the server software that is answering the client requests.
      SERVER_PROTOCOL - The name and revision of the information protocol the request came in with.
      REQUEST_METHOD - The method with which the information request was issued.
      QUERY_STRING - The query information passed to the program. It is appended to the URL with a "?".
      DOCUMENT_ROOT - The server document root directory.

  24. ENVIRONMENT VARIABLE - DESCRIPTION (continued)
      CONTENT_TYPE - The MIME type of the query data, such as "text/html".
      CONTENT_LENGTH - The length of the data in bytes, passed to the CGI program through standard input.
      GATEWAY_INTERFACE - The revision of the CGI that the server uses.
      HTTP_USER_AGENT - The browser the client is using to issue the request.
      HTTP_REFERER - The URL of the document that the client points to before accessing the CGI program.

  25. Where does the data for the CGI Script come from? • The most common way for data to be sent to CGI Scripts is through HTML forms. HTML forms use a multitude of input methods to get data to a CGI Script. Some of these input types are radio buttons, check boxes, text input and pull-down menus. • After the input necessary for the Script is determined and which input types are going to be used, there are two main ways to receive information using the form. The methods are Get and Post. The information will be encoded differently depending on which method is used.

  26. GET Method • The form data is encoded and then appended to the URL after the ? mark • The information contained in the part of the URL after the ? mark is called the QUERY_STRING, which consists of a string of name=value pairs separated by ampersands (&) • GET http://www.ncsi.iisc.ernet.in/cgi-bin/example/simple.pl?first=Jason&last=Nugent • Example 3

  27. GET Method • All the form data is appended to the URL • QUERY_STRING contains the query information passed to the program • When the user clicks the submit button of an HTML form, the browser generates an HTTP request GET /Scrits/Workshop/simple2.pl?uname=Rani&service=CAS&entrydate=26%2F11%2F1999 HTTP/1.0 and sends it to the web server.

  28. GET Method Cont… • The continuous string of text that follows the question mark represents the query string. • In response to this request from the browser, the server executes the script simple2.pl and places the string uname=Rani&service=CAS&entrydate=26%2F11%2F1999 in the QUERY_STRING environment variable and HTTP/1.0 in SERVER_PROTOCOL • The CGI program reads these environment variables, processes them, and passes some results to the Web Server

  29. Request Method: Get • GET requests can include a query string as part of the URL: GET /cgi-bin/finger?hollingd HTTP/1.0 (diagram labels: Request Method = GET, Resource Name = /cgi-bin/finger, Delimiter = ?, Query String = hollingd)

  30. /cgi-bin/finger?hollingd • The web server treats everything before the ‘?’ delimiter as the resource name • In this case the resource name is the name of a program. • Everything after the ‘?’ is a string that is passed to the CGI program.

  31. Simple GET queries - ISINDEX • You can put an <ISINDEX> tag inside an HTML document. • The browser will create a text box that allows the user to enter a single string. • If an ACTION is specified in the ISINDEX tag, when the user presses Enter, a request will be sent to the server specified as the ACTION.

  32. ISINDEX Example Enter a string: <ISINDEX ACTION=http://foo.com/search.cgi> Press Enter to submit your query. If you enter the string “blahblah”, the browser will send a request to the http server at foo.com that looks like this: GET /search.cgi?blahblah HTTP/1.1

  33. What the CGI sees • The CGI Program gets REQUEST_METHOD using getenv:
      char *method;
      method = getenv("REQUEST_METHOD");
      if (method==NULL) … /* error! */

  34. Getting the GET • If the request method is GET:
      if (strcasecmp(method,"get")==0)
  • The next step is to get the query string from the environment variable QUERY_STRING
      char *query;
      query = getenv("QUERY_STRING");

  35. Send back http Response and Headers: • The CGI program can send back a http status line :
      printf("HTTP/1.1 200 OK\r\n");
  • and headers:
      printf("Content-type: text/html\r\n");
      printf("\r\n");

  36. Important! • A CGI program doesn't have to send a status line (the http server will do this for you if you don't). • A CGI program must always send back at least one header line indicating the data type of the content (usually text/html). • The web server will typically throw in a few header lines of its own (Date, Server, Connection).

  37. Simple GET handler
      #include <stdio.h>
      #include <stdlib.h>

      int main(void) {
          char *method, *query;
          method = getenv("REQUEST_METHOD");
          if (method == NULL) {            /* error! not started by a web server */
              printf("Content-type: text/plain\r\n\r\nno REQUEST_METHOD\n");
              return 1;
          }
          query = getenv("QUERY_STRING");
          if (query == NULL) query = "";   /* no '?' in the URL: empty query */
          printf("Content-type: text/html\r\n\r\n");
          /* the query is still URL-encoded and is echoed back as-is */
          printf("<H1>Your query was %s</H1>\n", query);
          return 0;
      }

  38. URL-encoding • Browsers use an encoding when sending query strings that include special characters. • Most nonalphanumeric characters are encoded as a ‘%’ followed by 2 ASCII encoded hex digits. • ‘=‘ (which is hex 3D) becomes “%3D” • ‘&’ becomes “%26”

  39. More URL encoding • The space character ' ' is replaced by '+'. • Why? (think about project 2 parsing…) • The '+' character is replaced by "%2B" Example: "foo=6 + 7" becomes "foo%3D6+%2B+7"

  40. Security!!! • It is a very bad idea to build a command line containing user input! • What if the user submits: "; rm -r *;" - the command line becomes: grep ; rm -r *; /usr/dict/words
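An added example (not from the lecture) of the safe alternative for the grep case on slide 40: the user's string is vetted for size and printable characters and then handed to grep as one argv element through execvp, so no shell ever parses it. /usr/dict/words is the slide's path; an ISINDEX-style single-string query is assumed, and URL-decoding is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define WORDS "/usr/dict/words"

/* Vet the search string: non-empty, bounded, printable ASCII only. The exec
 * below never involves a shell, so this is about size and garbage, not about
 * hunting for ';' or '*'. */
static int valid_pattern(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (; *s; s++)
        if (!isprint((unsigned char)*s)) return 0;
    return 1;
}

/* Build grep's argv: the user's string is one argument after "-e", so it is
 * always a pattern, never an option and never a command. Returns the number
 * of arguments, or -1 when the input is rejected. */
static int build_grep_argv(const char *pattern, char *argv[], int max) {
    if (max < 5 || !valid_pattern(pattern)) return -1;
    argv[0] = "grep";
    argv[1] = "-e";
    argv[2] = (char *)pattern;
    argv[3] = WORDS;
    argv[4] = NULL;
    return 4;
}

int main(void) {
    const char *q = getenv("QUERY_STRING");   /* assumed: ISINDEX-style single string */
    char *argv[5];
    if (!q || build_grep_argv(q, argv, 5) < 0) {
        printf("Content-type: text/plain\r\n\r\nrejected\n");
        return 1;
    }
    printf("Content-type: text/plain\r\n\r\n");
    fflush(stdout);                 /* flush headers before grep takes over stdout */
    execvp(argv[0], argv);          /* direct exec: "; rm -r *;" is just a pattern */
    perror("execvp");
    return 1;
}
```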

  41. Beyond ISINDEX - Forms • Many Web services require more than a simple ISINDEX. • HTML includes support for forms: • lots of field types • user answers all kinds of annoying questions • entire contents of form must be stuck together and put in QUERY_STRING by the Web server.

  42. Form Fields • Each field within a form has a name and a value. • The browser creates a query that includes a sequence of “name=value”substrings and sticks them together separated by the ‘&’ character.

  43. Form fields and encoding • 2 fields - name and occupation. • If user types in “Dave H.” as the name and “none” for occupation, the query would look like this: “name=Dave+H%2E&occupation=none”

  44. HTML Forms • Each form includes a METHOD that determines what http method is used to submit the request. • Each form includes an ACTION that determines where the request is made.

  45. What a CGI will get • The query (from the environment variable QUERY_STRING) will be a URL-encoded string containing the name,value pairs of all form fields. • The CGI must decode the query and separate the individual fields.

  46. Form example
      <html>
      <head></head>
      <body>
      <form action="cgi-bin/post_ex.cgi" method="POST">
        User: <input type="text" size="20" name="user" /><br />
        Password: <input type="text" size="20" name="pass" /><br />
        <input type="submit" value="Submit" name="submit" />
      </form>
      </body>
      </html>

  47. Getting parameters through GET
      #!/bin/bash
      echo "Content-Type: text/html"
      echo
      echo
      echo "<html><head></head>"
      echo "<body>"
      echo "Parameters are:<br />"
      # first and second field of QUERY_STRING: split on '&', then take what follows '='
      # (the values are neither URL-decoded nor HTML-escaped; they are echoed verbatim)
      user=`echo "$QUERY_STRING" | cut -d"&" -f 1 | cut -d"=" -f 2`
      pass=`echo "$QUERY_STRING" | cut -d"&" -f 2 | cut -d"=" -f 2`
      echo "$user $pass"
      echo "</body></html>"

  48. POST Method • The difference between the GET and POST methods is primarily defined in terms of form data encoding • The information is sent after all request headers have been sent to the server • With the POST method, the server passes the information contained in the submitted form as standard input (STDIN) to the CGI program

  49. POST Method ... • The length of the information (in bytes) is also sent to the server, to let the CGI script know how much information it has to read • The environment variable CONTENT_LENGTH contains the number of bytes of data transferred from the HTML form. • Example 4

  50. POST Method • Data from the form is encoded as a string of data divided into NAME/VALUE pairs separated by &. • In the case of the POST method, the same HTML form will generate the request
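Putting slides 17, 38-39, 45 and 48-50 together, here is an added C example (not the lecture's code) of reading and decoding CGI parameters: the POST body is read for exactly CONTENT_LENGTH bytes, the query is split on '&' before decoding, and any malformed escape rejects the whole query. The buffer sizes are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one URL-encoded token ('+' -> ' ', %XX -> byte). Returns 1 on success,
 * 0 on a truncated/non-hex escape or when out is too small: reject, don't guess. */
static int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in && o + 1 < outlen; in++) {
        if (*in == '+') { out[o++] = ' '; continue; }
        if (*in != '%') { out[o++] = *in; continue; }
        if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2])) return 0;
        char hex[3] = { in[1], in[2], '\0' };
        out[o++] = (char)strtol(hex, NULL, 16);
        in += 2;                      /* skip the two hex digits */
    }
    out[o] = '\0';
    return *in == '\0';
}

typedef struct { char name[64]; char value[256]; } field_t;
/* Split "a=1&b=2" into decoded name/value pairs (split first, decode after, so an
 * encoded %26 never acts as a separator). Returns the count, or -1 on bad input. */
static int parse_query(const char *query, field_t *fields, int max) {
    char buf[1024];
    int n = 0;
    if (strlen(query) >= sizeof buf) return -1;          /* refuse oversized queries */
    strcpy(buf, query);
    for (char *tok = strtok(buf, "&"); tok && n < max; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (!eq) continue;                               /* no '=': skip the field */
        *eq = '\0';
        if (!url_decode(tok, fields[n].name, sizeof fields[n].name) ||
            !url_decode(eq + 1, fields[n].value, sizeof fields[n].value)) return -1;
        n++;
    }
    return n;
}

/* POST: read exactly CONTENT_LENGTH bytes of stdin, never more than buf holds.
 * (For GET nothing is read; the query is already in QUERY_STRING.) */
static int read_post_body(const char *clen, FILE *in, char *buf, size_t buflen) {
    long len = clen ? strtol(clen, NULL, 10) : -1;
    if (len < 0 || (size_t)len >= buflen) return -1;     /* bound the read */
    if (fread(buf, 1, (size_t)len, in) != (size_t)len) return -1;
    buf[len] = '\0';
    return 0;
}
```

In a real script the caller passes getenv("CONTENT_LENGTH") and stdin to read_post_body, or getenv("QUERY_STRING") straight to parse_query for GET.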
