|
409
by mattgiuca
Moved www/conf and www/common to a new directory lib. This separates the "web" |
1 |
# IVLE
|
2 |
# Copyright (C) 2007-2008 The University of Melbourne
|
|
3 |
#
|
|
4 |
# This program is free software; you can redistribute it and/or modify
|
|
5 |
# it under the terms of the GNU General Public License as published by
|
|
6 |
# the Free Software Foundation; either version 2 of the License, or
|
|
7 |
# (at your option) any later version.
|
|
8 |
#
|
|
9 |
# This program is distributed in the hope that it will be useful,
|
|
10 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
11 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
12 |
# GNU General Public License for more details.
|
|
13 |
#
|
|
14 |
# You should have received a copy of the GNU General Public License
|
|
15 |
# along with this program; if not, write to the Free Software
|
|
16 |
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
17 |
||
18 |
# Module: Interpret
|
|
19 |
# Author: Matt Giuca
|
|
20 |
# Date: 18/1/2008
|
|
21 |
||
22 |
# Runs a student script in a safe execution environment.
|
|
23 |
#
|
|
24 |
# NOTE: This script currently disables cookies. This means students will be
|
|
25 |
# unable to write session-based or stateful web applications. This is done for
|
|
26 |
# security reasons (we do not want the students to see the IVLE cookie of
|
|
27 |
# whoever is visiting their pages).
|
|
28 |
# This can be resolved but needs careful sanitisation. See fixup_environ.
|
|
29 |
||
30 |
from common import studpath |
|
31 |
import conf |
|
32 |
import functools |
|
33 |
||
34 |
import os |
|
35 |
import pwd |
|
36 |
import subprocess |
|
37 |
import cgi |
|
38 |
||
39 |
# TODO: Make progressive output work
|
|
40 |
# Question: Will having a large buffer size stop progressive output from
|
|
41 |
# working on smaller output
|
|
42 |
||
43 |
CGI_BLOCK_SIZE = 65535 |
|
44 |
||
|
420
by mattgiuca
common.interpret: Changed interface (refactor). |
45 |
def interpret_file(req, owner, jail_dir, filename, interpreter): |
|
409
by mattgiuca
Moved www/conf and www/common to a new directory lib. This separates the "web" |
46 |
"""Serves a file by interpreting it using one of IVLE's builtin
|
47 |
interpreters. All interpreters are intended to run in the user's jail. The
|
|
48 |
jail location is provided as an argument to the interpreter but it is up
|
|
49 |
to the individual interpreters to create the jail.
|
|
50 |
||
51 |
req: An IVLE request object.
|
|
52 |
owner: Username of the user who owns the file being served.
|
|
|
420
by mattgiuca
common.interpret: Changed interface (refactor). |
53 |
jail_dir: Absolute path to the user's jail.
|
|
421
by mattgiuca
apps/fileservice: Added code to call interpret on the trampoline version of |
54 |
filename: Absolute filename within the user's jail.
|
|
409
by mattgiuca
Moved www/conf and www/common to a new directory lib. This separates the "web" |
55 |
interpreter: A function object to call.
|
56 |
"""
|
|
57 |
# Make sure the file exists (otherwise some interpreters may not actually
|
|
58 |
# complain).
|
|
59 |
# Don't test for execute permission, that will only be required for
|
|
60 |
# certain interpreters.
|
|
|
421
by mattgiuca
apps/fileservice: Added code to call interpret on the trampoline version of |
61 |
if filename.startswith(os.sep): |
62 |
filename_abs = filename |
|
63 |
filename_rel = filename[1:] |
|
64 |
else: |
|
65 |
filename_abs = os.path.join(os.sep, filename) |
|
66 |
filename_rel = filename |
|
67 |
||
68 |
if not os.access(os.path.join(jail_dir, filename_rel), os.R_OK): |
|
|
409
by mattgiuca
Moved www/conf and www/common to a new directory lib. This separates the "web" |
69 |
req.throw_error(req.HTTP_NOT_FOUND) |
70 |
||
71 |
# Get the UID of the owner of the file
|
|
72 |
# (Note: files are executed by their owners, not the logged in user.
|
|
73 |
# This ensures users are responsible for their own programs and also
|
|
74 |
# allows them to be executed by the public).
|
|
75 |
try: |
|
76 |
(_,_,uid,_,_,_,_) = pwd.getpwnam(owner) |
|
77 |
except KeyError: |
|
78 |
# The user does not exist. This should have already failed the
|
|
79 |
# previous test.
|
|
80 |
req.throw_error(req.HTTP_INTERNAL_SERVER_ERROR) |
|
81 |
||
82 |
# Split up req.path again, this time with respect to the jail
|
|
|
421
by mattgiuca
apps/fileservice: Added code to call interpret on the trampoline version of |
83 |
(working_dir, _) = os.path.split(filename_abs) |
|
409
by mattgiuca
Moved www/conf and www/common to a new directory lib. This separates the "web" |
84 |
# jail_dir is the absolute jail directory.
|
85 |
# path is the filename relative to the user's jail.
|
|
86 |
# working_dir is the directory containing the file relative to the user's
|
|
87 |
# jail.
|
|
88 |
# (Note that paths "relative" to the jail actually begin with a '/' as
|
|
89 |
# they are absolute in the jailspace)
|
|
90 |
||
|
421
by mattgiuca
apps/fileservice: Added code to call interpret on the trampoline version of |
91 |
return interpreter(uid, jail_dir, working_dir, filename_abs, req) |
|
409
by mattgiuca
Moved www/conf and www/common to a new directory lib. This separates the "web" |
92 |
|
93 |
class CGIFlags: |
|
94 |
"""Stores flags regarding the state of reading CGI output."""
|
|
95 |
def __init__(self): |
|
96 |
self.started_cgi_body = False |
|
97 |
self.got_cgi_headers = False |
|
98 |
self.wrote_html_warning = False |
|
99 |
self.linebuf = "" |
|
100 |
self.headers = {} # Header names : values |
|
101 |
||
102 |
def execute_cgi(interpreter, trampoline, uid, jail_dir, working_dir, |
|
103 |
script_path, req): |
|
104 |
"""
|
|
105 |
trampoline: Full path on the local system to the CGI wrapper program
|
|
106 |
being executed.
|
|
107 |
uid: User ID of the owner of the file.
|
|
108 |
jail_dir: Absolute path of owner's jail directory.
|
|
109 |
working_dir: Directory containing the script file relative to owner's
|
|
110 |
jail.
|
|
111 |
script_path: CGI script relative to the owner's jail.
|
|
112 |
req: IVLE request object.
|
|
113 |
||
114 |
The called CGI wrapper application shall be called using popen and receive
|
|
115 |
the HTTP body on stdin. It shall receive the CGI environment variables to
|
|
116 |
its environment.
|
|
117 |
"""
|
|
118 |
||
119 |
# Get the student program's directory and execute it from that context.
|
|
120 |
(tramp_dir, _) = os.path.split(trampoline) |
|
121 |
||
122 |
# TODO: Don't create a file if the body length is known to be 0
|
|
123 |
# Write the HTTP body to a temporary file so it can be passed as a *real*
|
|
124 |
# file to popen.
|
|
125 |
f = os.tmpfile() |
|
126 |
body = req.read() |
|
127 |
if body is not None: |
|
128 |
f.write(body) |
|
129 |
f.flush() |
|
130 |
f.seek(0) # Rewind, for reading |
|
131 |
||
132 |
# Set up the environment
|
|
133 |
# This automatically asks mod_python to load up the CGI variables into the
|
|
134 |
# environment (which is a good first approximation)
|
|
135 |
old_env = os.environ.copy() |
|
136 |
for k in os.environ.keys(): |
|
137 |
del os.environ[k] |
|
138 |
for (k,v) in req.get_cgi_environ().items(): |
|
139 |
os.environ[k] = v |
|
140 |
fixup_environ(req) |
|
141 |
||
142 |
# usage: tramp uid jail_dir working_dir script_path
|
|
143 |
pid = subprocess.Popen( |
|
144 |
[trampoline, str(uid), jail_dir, working_dir, interpreter, |
|
145 |
script_path], |
|
146 |
stdin=f, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, |
|
147 |
cwd=tramp_dir) |
|
148 |
||
149 |
# Restore the environment
|
|
150 |
for k in os.environ.keys(): |
|
151 |
del os.environ[k] |
|
152 |
for (k,v) in old_env.items(): |
|
153 |
os.environ[k] = v |
|
154 |
||
155 |
# process_cgi_line: Reads a single line of CGI output and processes it.
|
|
156 |
# Prints to req, and also does fancy HTML warnings if Content-Type
|
|
157 |
# omitted.
|
|
158 |
cgiflags = CGIFlags() |
|
159 |
||
160 |
# Read from the process's stdout into req
|
|
161 |
data = pid.stdout.read(CGI_BLOCK_SIZE) |
|
162 |
while len(data) > 0: |
|
163 |
process_cgi_output(req, data, cgiflags) |
|
164 |
data = pid.stdout.read(CGI_BLOCK_SIZE) |
|
165 |
||
166 |
# If we haven't processed headers yet, now is a good time
|
|
167 |
if not cgiflags.started_cgi_body: |
|
168 |
process_cgi_output(req, '\n', cgiflags) |
|
169 |
||
170 |
# If we wrote an HTML warning header, write the footer
|
|
171 |
if cgiflags.wrote_html_warning: |
|
172 |
req.write("""</pre> |
|
173 |
</div>
|
|
174 |
</body>
|
|
175 |
</html>""") |
|
176 |
||
177 |
def process_cgi_output(req, data, cgiflags): |
|
178 |
"""Processes a chunk of CGI output. data is a string of arbitrary length;
|
|
179 |
some arbitrary chunk of output written by the CGI script."""
|
|
180 |
if cgiflags.started_cgi_body: |
|
181 |
if cgiflags.wrote_html_warning: |
|
182 |
# HTML escape text if wrote_html_warning
|
|
183 |
req.write(cgi.escape(data)) |
|
184 |
else: |
|
185 |
req.write(data) |
|
186 |
else: |
|
187 |
# Break data into lines of CGI header data.
|
|
188 |
linebuf = cgiflags.linebuf + data |
|
189 |
# First see if we can split all header data
|
|
190 |
split = linebuf.split('\r\n\r\n', 1) |
|
191 |
if len(split) == 1: |
|
192 |
# Allow UNIX newlines instead
|
|
193 |
split = linebuf.split('\n\n', 1) |
|
194 |
if len(split) == 1: |
|
195 |
# Haven't seen all headers yet. Buffer and come back later.
|
|
196 |
cgiflags.linebuf = linebuf |
|
197 |
return
|
|
198 |
||
199 |
headers = split[0] |
|
200 |
data = split[1] |
|
201 |
cgiflags.linebuf = "" |
|
202 |
cgiflags.started_cgi_body = True |
|
203 |
# Process all the header lines
|
|
204 |
split = headers.split('\r\n', 1) |
|
205 |
if len(split) == 1: |
|
206 |
split = headers.split('\n', 1) |
|
207 |
while True: |
|
208 |
process_cgi_header_line(req, split[0], cgiflags) |
|
209 |
if len(split) == 1: break |
|
210 |
headers = split[1] |
|
211 |
if cgiflags.wrote_html_warning: |
|
212 |
# We're done with headers. Treat the rest as data.
|
|
213 |
data = headers + '\n' + data |
|
214 |
break
|
|
215 |
split = headers.split('\r\n', 1) |
|
216 |
if len(split) == 1: |
|
217 |
split = headers.split('\n', 1) |
|
218 |
||
219 |
# Check to make sure the required headers were written
|
|
220 |
if cgiflags.wrote_html_warning: |
|
221 |
# We already reported an error, that's enough
|
|
222 |
pass
|
|
223 |
elif "Content-Type" in cgiflags.headers: |
|
224 |
pass
|
|
225 |
elif "Location" in cgiflags.headers: |
|
226 |
if ("Status" in cgiflags.headers and req.status >= 300 |
|
227 |
and req.status < 400): |
|
228 |
pass
|
|
229 |
else: |
|
230 |
message = """You did not write a valid status code for |
|
231 |
the given location. To make a redirect, you may wish to try:</p>
|
|
232 |
<pre style="margin-left: 1em">Status: 302 Found
|
|
233 |
Location: <redirect address></pre>"""
|
|
234 |
write_html_warning(req, message) |
|
235 |
cgiflags.wrote_html_warning = True |
|
236 |
else: |
|
237 |
message = """You did not print a Content-Type header. |
|
238 |
CGI requires that you print a "Content-Type". You may wish to try:</p>
|
|
239 |
<pre style="margin-left: 1em">Content-Type: text/html</pre>"""
|
|
240 |
write_html_warning(req, message) |
|
241 |
cgiflags.wrote_html_warning = True |
|
242 |
||
243 |
# Call myself to flush out the extra bit of data we read
|
|
244 |
process_cgi_output(req, data, cgiflags) |
|
245 |
||
246 |
def process_cgi_header_line(req, line, cgiflags): |
|
247 |
"""Process a line of CGI header data. line is a string representing a
|
|
248 |
complete line of text, stripped and without the newline.
|
|
249 |
"""
|
|
250 |
try: |
|
251 |
name, value = line.split(':', 1) |
|
252 |
except ValueError: |
|
253 |
# No colon. The user did not write valid headers.
|
|
254 |
if len(cgiflags.headers) == 0: |
|
255 |
# First line was not a header line. We can assume this is not
|
|
256 |
# a CGI app.
|
|
257 |
message = """You did not print a CGI header. |
|
258 |
CGI requires that you print a "Content-Type". You may wish to try:</p>
|
|
259 |
<pre style="margin-left: 1em">Content-Type: text/html</pre>"""
|
|
260 |
else: |
|
261 |
# They printed some header at least, but there was an invalid
|
|
262 |
# header.
|
|
263 |
message = """You printed an invalid CGI header. You need to leave |
|
264 |
a blank line after the headers, before writing the page contents."""
|
|
265 |
write_html_warning(req, message) |
|
266 |
cgiflags.wrote_html_warning = True |
|
267 |
# Handle the rest of this line as normal data
|
|
268 |
process_cgi_output(req, line + '\n', cgiflags) |
|
269 |
return
|
|
270 |
||
271 |
# Read CGI headers
|
|
272 |
value = value.strip() |
|
273 |
if name == "Content-Type": |
|
274 |
req.content_type = value |
|
275 |
elif name == "Location": |
|
276 |
req.location = value |
|
277 |
elif name == "Status": |
|
278 |
# Must be an integer, followed by a space, and then the status line
|
|
279 |
# which we ignore (seems like Apache has no way to send a custom
|
|
280 |
# status line).
|
|
281 |
try: |
|
282 |
req.status = int(value.split(' ', 1)[0]) |
|
283 |
except ValueError: |
|
284 |
message = """The "Status" CGI header was invalid. You need to |
|
285 |
print a number followed by a message, such as "302 Found"."""
|
|
286 |
write_html_warning(req, message) |
|
287 |
cgiflags.wrote_html_warning = True |
|
288 |
# Handle the rest of this line as normal data
|
|
289 |
process_cgi_output(req, line + '\n', cgiflags) |
|
290 |
else: |
|
291 |
# Generic HTTP header
|
|
292 |
# FIXME: Security risk letting users write arbitrary headers?
|
|
293 |
req.headers_out[name] = value |
|
294 |
cgiflags.headers[name] = value |
|
295 |
||
296 |
def write_html_warning(req, text): |
|
297 |
"""Prints an HTML warning about invalid CGI interaction on the part of the
|
|
298 |
user. text may contain HTML markup."""
|
|
299 |
req.content_type = "text/html" |
|
300 |
req.write("""<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" |
|
301 |
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
302 |
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
303 |
<head>
|
|
304 |
<meta http-equiv="Content-Type"
|
|
305 |
content="text/html; charset=utf-8" />
|
|
306 |
</head>
|
|
307 |
<body style="margin: 0; padding: 0; font-family: sans-serif;">
|
|
308 |
<div style="background-color: #faa; border-bottom: 1px solid black;
|
|
309 |
padding: 8px;">
|
|
310 |
<p><strong>Warning</strong>: %s |
|
311 |
</div>
|
|
312 |
<div style="margin: 8px;">
|
|
313 |
<pre>
|
|
314 |
""" % text) |
|
315 |
||
316 |
location_cgi_python = os.path.join(conf.ivle_install_dir, |
|
317 |
"bin/trampoline") |
|
318 |
||
319 |
# Mapping of interpreter names (as given in conf/app/server.py) to
|
|
320 |
# interpreter functions.
|
|
321 |
||
322 |
interpreter_objects = { |
|
323 |
'cgi-python'
|
|
324 |
: functools.partial(execute_cgi, "/usr/bin/python", |
|
325 |
location_cgi_python), |
|
326 |
# Should also have:
|
|
327 |
# cgi-generic
|
|
328 |
# python-server-page
|
|
329 |
}
|
|
330 |
||
331 |
def fixup_environ(req): |
|
332 |
"""Assuming os.environ has been written with the CGI variables from
|
|
333 |
apache, make a few changes for security and correctness.
|
|
334 |
||
335 |
Does not modify req, only reads it.
|
|
336 |
"""
|
|
337 |
env = os.environ |
|
338 |
# Comments here are on the heavy side, explained carefully for security
|
|
339 |
# reasons. Please read carefully before making changes.
|
|
340 |
||
341 |
# Remove HTTP_COOKIE. It is a security risk to have students see the IVLE
|
|
342 |
# cookie of their visitors.
|
|
343 |
try: |
|
344 |
del env['HTTP_COOKIE'] |
|
345 |
except: pass |
|
346 |
||
347 |
# Remove DOCUMENT_ROOT and SCRIPT_FILENAME. Not part of CGI spec and
|
|
348 |
# exposes unnecessary details about server.
|
|
349 |
try: |
|
350 |
del env['DOCUMENT_ROOT'] |
|
351 |
except: pass |
|
352 |
try: |
|
353 |
del env['SCRIPT_FILENAME'] |
|
354 |
except: pass |
|
355 |
||
356 |
# Remove PATH. The PATH here is the path on the server machine; not useful
|
|
357 |
# inside the jail. It may be a good idea to add another path, reflecting
|
|
358 |
# the inside of the jail, but not done at this stage.
|
|
359 |
try: |
|
360 |
del env['PATH'] |
|
361 |
except: pass |
|
362 |
||
363 |
# Remove SCRIPT_FILENAME. Not part of CGI spec (see SCRIPT_NAME).
|
|
364 |
||
365 |
# PATH_INFO is wrong because the script doesn't physically exist.
|
|
366 |
# Apache makes it relative to the "serve" app. It should actually be made
|
|
367 |
# relative to the student's script.
|
|
368 |
# TODO: At this stage, it is not possible to add a path after the script,
|
|
369 |
# so PATH_INFO is always "".
|
|
370 |
path_info = "" |
|
371 |
env['PATH_INFO'] = path_info |
|
372 |
||
373 |
# PATH_TRANSLATED currently points to a non-existant location within the
|
|
374 |
# local web server directory. Instead make it represent a path within the
|
|
375 |
# student jail.
|
|
376 |
(username, _, path_translated) = studpath.url_to_jailpaths(req.path) |
|
377 |
if len(path_translated) == 0 or path_translated[0] != os.sep: |
|
378 |
path_translated = os.sep + path_translated |
|
379 |
env['PATH_TRANSLATED'] = path_translated |
|
380 |
||
381 |
# CGI specifies that REMOTE_HOST SHOULD be set, and MAY just be set to
|
|
382 |
# REMOTE_ADDR. Since Apache does not appear to set this, set it to
|
|
383 |
# REMOTE_ADDR.
|
|
384 |
if 'REMOTE_HOST' not in env and 'REMOTE_ADDR' in env: |
|
385 |
env['REMOTE_HOST'] = env['REMOTE_ADDR'] |
|
386 |
||
387 |
# SCRIPT_NAME is the path to the script WITHOUT PATH_INFO.
|
|
388 |
script_name = req.uri |
|
389 |
if len(path_info) > 0: |
|
390 |
script_name = script_name[:-len(path_info)] |
|
391 |
env['SCRIPT_NAME'] = script_name |
|
392 |
||
393 |
# SERVER_SOFTWARE is actually not Apache but IVLE, since we are
|
|
394 |
# custom-making the CGI request.
|
|
395 |
env['SERVER_SOFTWARE'] = "IVLE/" + str(conf.ivle_version) |
|
396 |
||
397 |
# Additional environment variables
|
|
398 |
env['HOME'] = os.path.join('/home', username) |