1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // This file implements the host side of CGI (being the webserver
8 // Package cgi implements CGI (Common Gateway Interface) as specified
11 // Note that using CGI means starting a new process to handle each
12 // request, which is typically less efficient than using a
13 // long-running server. This package is intended primarily for
14 // compatibility with existing systems.
33 "golang.org/x/net/http/httpguts"
36 var trailingPort = regexp.MustCompile(`:([0-9]+)$`)
38 var osDefaultInheritEnv = func() []string {
41 return []string{"DYLD_LIBRARY_PATH"}
42 case "android", "linux", "freebsd", "netbsd", "openbsd":
43 return []string{"LD_LIBRARY_PATH"}
45 return []string{"LD_LIBRARY_PATH", "SHLIB_PATH"}
47 return []string{"LD_LIBRARY_PATH", "LD_LIBRARYN32_PATH", "LD_LIBRARY64_PATH"}
48 case "illumos", "solaris":
49 return []string{"LD_LIBRARY_PATH", "LD_LIBRARY_PATH_32", "LD_LIBRARY_PATH_64"}
51 return []string{"SystemRoot", "COMSPEC", "PATHEXT", "WINDIR"}
56 // Handler runs an executable in a subprocess with a CGI environment.
58 Path string // path to the CGI executable
59 Root string // root URI prefix of handler or empty for "/"
61 // Dir specifies the CGI executable's working directory.
62 // If Dir is empty, the base directory of Path is used.
63 // If Path has no base directory, the current working
67 Env []string // extra environment variables to set, if any, as "key=value"
68 InheritEnv []string // environment variables to inherit from host, as "key"
69 Logger *log.Logger // optional log for errors or nil to use log.Print
70 Args []string // optional arguments to pass to child process
71 Stderr io.Writer // optional stderr for the child process; nil means os.Stderr
73 // PathLocationHandler specifies the root http Handler that
74 // should handle internal redirects when the CGI process
75 // returns a Location header value starting with a "/", as
76 // specified in RFC 3875 ยง 6.3.2. This will likely be
77 // http.DefaultServeMux.
79 // If nil, a CGI response with a local URI path is instead sent
80 // back to the client and not redirected internally.
81 PathLocationHandler http.Handler
84 func (h *Handler) stderr() io.Writer {
91 // removeLeadingDuplicates remove leading duplicate in environments.
92 // It's possible to override environment like following.
96 // Env: []string{"SCRIPT_FILENAME=foo.php"},
98 func removeLeadingDuplicates(env []string) (ret []string) {
99 for i, e := range env {
101 if eq := strings.IndexByte(e, '='); eq != -1 {
102 keq := e[:eq+1] // "key="
103 for _, e2 := range env[i+1:] {
104 if strings.HasPrefix(e2, keq) {
117 func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
123 if len(req.TransferEncoding) > 0 && req.TransferEncoding[0] == "chunked" {
124 rw.WriteHeader(http.StatusBadRequest)
125 rw.Write([]byte("Chunked request bodies are not supported by CGI."))
129 pathInfo := req.URL.Path
130 if root != "/" && strings.HasPrefix(pathInfo, root) {
131 pathInfo = pathInfo[len(root):]
135 if matches := trailingPort.FindStringSubmatch(req.Host); len(matches) != 0 {
140 "SERVER_SOFTWARE=go",
141 "SERVER_PROTOCOL=HTTP/1.1",
142 "HTTP_HOST=" + req.Host,
143 "GATEWAY_INTERFACE=CGI/1.1",
144 "REQUEST_METHOD=" + req.Method,
145 "QUERY_STRING=" + req.URL.RawQuery,
146 "REQUEST_URI=" + req.URL.RequestURI(),
147 "PATH_INFO=" + pathInfo,
148 "SCRIPT_NAME=" + root,
149 "SCRIPT_FILENAME=" + h.Path,
150 "SERVER_PORT=" + port,
153 if remoteIP, remotePort, err := net.SplitHostPort(req.RemoteAddr); err == nil {
154 env = append(env, "REMOTE_ADDR="+remoteIP, "REMOTE_HOST="+remoteIP, "REMOTE_PORT="+remotePort)
156 // could not parse ip:port, let's use whole RemoteAddr and leave REMOTE_PORT undefined
157 env = append(env, "REMOTE_ADDR="+req.RemoteAddr, "REMOTE_HOST="+req.RemoteAddr)
160 if hostDomain, _, err := net.SplitHostPort(req.Host); err == nil {
161 env = append(env, "SERVER_NAME="+hostDomain)
163 env = append(env, "SERVER_NAME="+req.Host)
167 env = append(env, "HTTPS=on")
170 for k, v := range req.Header {
171 k = strings.Map(upperCaseAndUnderscore, k)
180 env = append(env, "HTTP_"+k+"="+strings.Join(v, joinStr))
183 if req.ContentLength > 0 {
184 env = append(env, fmt.Sprintf("CONTENT_LENGTH=%d", req.ContentLength))
186 if ctype := req.Header.Get("Content-Type"); ctype != "" {
187 env = append(env, "CONTENT_TYPE="+ctype)
190 envPath := os.Getenv("PATH")
192 envPath = "/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/local/bin"
194 env = append(env, "PATH="+envPath)
196 for _, e := range h.InheritEnv {
197 if v := os.Getenv(e); v != "" {
198 env = append(env, e+"="+v)
202 for _, e := range osDefaultInheritEnv {
203 if v := os.Getenv(e); v != "" {
204 env = append(env, e+"="+v)
209 env = append(env, h.Env...)
212 env = removeLeadingDuplicates(env)
219 cwd, path = filepath.Split(h.Path)
225 internalError := func(err error) {
226 rw.WriteHeader(http.StatusInternalServerError)
227 h.printf("CGI error: %v", err)
232 Args: append([]string{h.Path}, h.Args...),
237 if req.ContentLength != 0 {
240 stdoutRead, err := cmd.StdoutPipe()
251 if hook := testHookStartProcess; hook != nil {
255 defer stdoutRead.Close()
257 linebody := bufio.NewReaderSize(stdoutRead, 1024)
258 headers := make(http.Header)
261 sawBlankLine := false
263 line, isPrefix, err := linebody.ReadLine()
265 rw.WriteHeader(http.StatusInternalServerError)
266 h.printf("cgi: long header line from subprocess.")
273 rw.WriteHeader(http.StatusInternalServerError)
274 h.printf("cgi: error reading headers: %v", err)
282 header, val, ok := strings.Cut(string(line), ":")
284 h.printf("cgi: bogus header line: %s", string(line))
287 if !httpguts.ValidHeaderFieldName(header) {
288 h.printf("cgi: invalid header name: %q", header)
291 val = textproto.TrimString(val)
293 case header == "Status":
295 h.printf("cgi: bogus status (short): %q", val)
298 code, err := strconv.Atoi(val[0:3])
300 h.printf("cgi: bogus status: %q", val)
301 h.printf("cgi: line was %q", line)
306 headers.Add(header, val)
309 if headerLines == 0 || !sawBlankLine {
310 rw.WriteHeader(http.StatusInternalServerError)
311 h.printf("cgi: no headers")
315 if loc := headers.Get("Location"); loc != "" {
316 if strings.HasPrefix(loc, "/") && h.PathLocationHandler != nil {
317 h.handleInternalRedirect(rw, req, loc)
321 statusCode = http.StatusFound
325 if statusCode == 0 && headers.Get("Content-Type") == "" {
326 rw.WriteHeader(http.StatusInternalServerError)
327 h.printf("cgi: missing required Content-Type in headers")
332 statusCode = http.StatusOK
335 // Copy headers to rw's headers, after we've decided not to
336 // go into handleInternalRedirect, which won't want its rw
337 // headers to have been touched.
338 for k, vv := range headers {
339 for _, v := range vv {
340 rw.Header().Add(k, v)
344 rw.WriteHeader(statusCode)
346 _, err = io.Copy(rw, linebody)
348 h.printf("cgi: copy error: %v", err)
349 // And kill the child CGI process so we don't hang on
350 // the deferred cmd.Wait above if the error was just
351 // the client (rw) going away. If it was a read error
352 // (because the child died itself), then the extra
353 // kill of an already-dead process is harmless (the PID
354 // won't be reused until the Wait above).
359 func (h *Handler) printf(format string, v ...any) {
361 h.Logger.Printf(format, v...)
363 log.Printf(format, v...)
367 func (h *Handler) handleInternalRedirect(rw http.ResponseWriter, req *http.Request, path string) {
368 url, err := req.URL.Parse(path)
370 rw.WriteHeader(http.StatusInternalServerError)
371 h.printf("cgi: error resolving local URI path %q: %v", path, err)
374 // TODO: RFC 3875 isn't clear if only GET is supported, but it
375 // suggests so: "Note that any message-body attached to the
376 // request (such as for a POST request) may not be available
377 // to the resource that is the target of the redirect." We
378 // should do some tests against Apache to see how it handles
379 // POST, HEAD, etc. Does the internal redirect get the same
380 // method or just GET? What about incoming headers?
381 // (e.g. Cookies) Which headers, if any, are copied into the
383 newReq := &http.Request{
389 Header: make(http.Header),
391 RemoteAddr: req.RemoteAddr,
394 h.PathLocationHandler.ServeHTTP(rw, newReq)
397 func upperCaseAndUnderscore(r rune) rune {
399 case r >= 'a' && r <= 'z':
400 return r - ('a' - 'A')
404 // Maybe not part of the CGI 'spec' but would mess up
405 // the environment in any case, as Go represents the
406 // environment as a slice of "key=value" strings.
409 // TODO: other transformations in spec or practice?
413 var testHookStartProcess func(*os.Process) // nil except for some tests