testing/eval-test-site

config/eval.conf

@@ -0,0 +1,47 @@
+server {
+    listen 8080;
+
+    root www/eval;
+    index index.html;
+
+    error_page 404 /errors/404.html;
+    error_page 405 /errors/405.html;
+    error_page 500 /errors/500.html;
+
+    location / {
+        allow_methods GET;
+
+    }
+
+    location /upload {
+        allow_methods POST DELETE;
+        allow_uploads on;
+        autoindex on; 
+    }
+
+    location /post_body {
+        return 302 /upload;
+        allow_methods POST DELETE;
+        allow_uploads on;
+        autoindex on; 
+    }
+
+    location /assets/ {
+        allow_methods GET;
+    }
+
+    location /delete_me/ {
+        allow_methods GET DELETE;
+    }
+
+    location /cgi-py/ {
+        allow_methods GET POST;
+        cgi_handler .py /usr/bin/python3;
+    }
+
+    location /cgi-bin/ {
+        allow_methods GET POST;
+        cgi_handler .bla /bin/sh;
+        allow_uploads on;
+    }
+}

config/youpi_banane.conf

@@ -1,19 +1,23 @@
 server {
     listen 8080;
-    root ./tests;
 
-    allow_methods GET;
+    root ./www/YoupiBanane;
 
-    cgi_handler .bla /cgi_tester;
+    cgi_handler .bla /cgi-bin/cgi_tester;
     cgi_allow_methods POST;
 
+    location / {
+        allow_methods GET;
+    }
+
     location /post_body {
         allow_methods POST;
         client_max_body_size 100;
+        allow_uploads on;
+        upload_store ./www/YoupiBanane/uploads;
     }
 
     location /directory/ {
-        /YoupiBanane;
         allow_methods GET;
         index youpi.bad_extension;
     }

src/main.cpp

@@ -10,9 +10,10 @@ int main(void)
     setup_signal_handlers();
 
     try {
+        // HttpConfig cfg = load_http_config("config/youpi_banane.conf");
         // HttpConfig cfg = load_http_config("config/vitepress.conf");
-        HttpConfig cfg = load_http_config("config/site1.conf");
-
+        // HttpConfig cfg = load_http_config("config/python.conf");
+        HttpConfig cfg = load_http_config("config/eval.conf");
         Server server(cfg.servers[0]);
         server.init();
         server.run();

src/router/router.cpp

@@ -68,13 +68,15 @@ const RouteConfig& Router::find_best_route(const std::string& request_path) cons
 // This seems to be valid in some cases but we ignore it right now.
 static bool is_cgi_request(const HttpRequest& request, const RouteConfig& route)
 {
+    LOG(DEBUG) << "shared.ext" << route.shared.cgi.extension;
     if (route.shared.cgi.extension.empty())
         return false;
 
     size_t dot = request.path.find_last_of(".");
     if (dot == std::string::npos)
         return false;
-
+    std::string ext = request.path.substr(dot); 
+    LOG(DEBUG) << "ext = " << ext;
     return request.path.substr(dot) == route.shared.cgi.extension;
 }
 

www/YoupiBanane/index.html

@@ -0,0 +1 @@
+Some content

www/YoupiBanane/youpi.bad_extension

@@ -0,0 +1 @@
+youpi.bad_extension

www/eval/assets/cold_fusion.txt

@@ -0,0 +1 @@
+TOP SECRET cold fusion 

www/eval/cgi-bin/echo.bla

@@ -0,0 +1,4 @@
+#!/bin/sh
+echo "Content-Type: text/plain"
+echo
+echo "OK"

www/eval/cgi-bin/env.bla

@@ -0,0 +1,9 @@
+#!/bin/sh
+echo "Content-Type: text/plain"
+echo
+echo "CGI env (sample):"
+echo "REQUEST_METHOD=$REQUEST_METHOD"
+echo "PATH_INFO=$PATH_INFO"
+echo "QUERY_STRING=$QUERY_STRING"
+echo "CONTENT_LENGTH=$CONTENT_LENGTH"
+echo "CONTENT_TYPE=$CONTENT_TYPE"

www/eval/cgi-bin/upload_save.bla

@@ -0,0 +1,11 @@
+#!/bin/sh
+# Saves request body to a timestamped file in /www/upload/
+# Requires that your server exposes /www as root (so /www/upload exists on disk).
+
+OUT="/www/upload/$(date +%s).txt"
+
+echo "Content-Type: text/plain"
+echo
+echo "Saving body to: $OUT"
+cat > "$OUT"
+echo "Done."

www/eval/cgi-py/cgi_upper.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+
+def main():
+    # Read input
+    method = os.environ.get("REQUEST_METHOD", "")
+    data = ""
+
+    if method == "GET":
+        data = os.environ.get("QUERY_STRING", "")
+    elif method == "POST":
+        length = int(os.environ.get("CONTENT_LENGTH", "0"))
+        data = sys.stdin.read(length)
+
+    # Transform input
+    result = data.upper()
+    content_length = len(result)
+
+    # Output CGI response
+    print("Status: 200 OK")
+    print("Content-Type: text/plain")
+    print("Content-Length: " + str(content_length))
+    print()
+    print(result, end="")
+    sys.stdout.flush()
+
+if __name__ == "__main__":
+    main()

www/eval/delete_me/victim.txt

@@ -0,0 +1 @@
+If DELETE works, this file should disappear.

www/eval/errors/404.html

@@ -0,0 +1,4 @@
+<!doctype html>
+<meta charset="utf-8">
+<h1>404 Not Found</h1>
+<p>Custom error page from /www/errors/404.html</p>

www/eval/errors/405.html

@@ -0,0 +1,4 @@
+<!doctype html>
+<meta charset="utf-8">
+<h1>405 Method Not Allowed</h1>
+<p>Custom error page from /www/errors/405.html</p>

www/eval/errors/500.html

@@ -0,0 +1,4 @@
+<!doctype html>
+<meta charset="utf-8">
+<h1>500 Internal Server Error</h1>
+<p>Custom error page from /www/errors/500.html</p>