From c6968635f50cef03d184645b8022a3ebf92df84e Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 13 Sep 2019 07:23:25 +0200 Subject: [PATCH] cgi-io: add download operation Add a new `cgi-download` applet which allows to retrieve the contents of regular files or block devices. In order to initiate a transfer, a POST request in x-www-form-urlencoded format must be sent to the applet, with one field "sessionid" holding the login session and another field "path" containing the file path to download. Further optional fields are "filename" which - if present - will cause the download applet to set a Content-Dispostition header and "mimetype" which allows to let the applet respond with a specific type instead of the default "application/octet-stream". Below is an example for the required acl rules to grant download access to files or block devices: ubus call session grant '{ "ubus_rpc_session": "...", "scope": "cgi-io", "objects": [ [ "download", "read" ] ] }' ubus call session grant '{ "ubus_rpc_session": "...", "scope": "file", "objects": [ [ "/etc/config/*", "read" ], [ "/dev/mtdblock*", "read" ] ] }' Signed-off-by: Jo-Philipp Wich --- Makefile | 3 +- src/main.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 4b2d664..5ba695f 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cgi-io -PKG_RELEASE:=9 +PKG_RELEASE:=10 PKG_LICENSE:=GPL-2.0-or-later @@ -38,6 +38,7 @@ define Package/cgi-io/install $(INSTALL_DIR) $(1)/usr/libexec $(1)/www/cgi-bin/ $(INSTALL_BIN) $(PKG_BUILD_DIR)/cgi-io $(1)/usr/libexec $(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-upload + $(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-download $(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-backup endef diff --git a/src/main.c b/src/main.c index 44a5205..aaba37d 100644 --- a/src/main.c +++ b/src/main.c @@ -26,6 +26,9 @@ #include #include #include +#include +#include +#include #include #include @@ -645,6 +648,84 @@ main_upload(int argc, char *argv[]) return 0; } +static int +main_download(int argc, char **argv) +{ + char *fields[] = { "sessionid", NULL, "path", NULL, "filename", NULL, "mimetype", NULL }; + unsigned long long size = 0; + char *p, buf[4096]; + ssize_t len = 0; + struct stat s; + int rfd; + + postdecode(fields, 4); + + if (!fields[1] || !session_access(fields[1], "cgi-io", "download", "read")) + return failure(0, "Download permission denied"); + + if (!fields[3] || !session_access(fields[1], "file", fields[3], "read")) + return failure(0, "Access to path denied by ACL"); + + if (stat(fields[3], &s)) + return failure(errno, "Failed to stat requested path"); + + if (!S_ISREG(s.st_mode) && !S_ISBLK(s.st_mode)) + return failure(0, "Requested path is not a regular file or block device"); + + for (p = fields[5]; p && *p; p++) + if (!isalnum(*p) && !strchr(" ()<>@,;:[]?.=%", *p)) + return failure(0, "Invalid characters in filename"); + + for (p = fields[7]; p && *p; p++) + if (!isalnum(*p) && !strchr(" .;=/-", *p)) + return failure(0, "Invalid characters in mimetype"); + + rfd = open(fields[3], O_RDONLY); + + if (rfd < 0) + return failure(errno, "Failed to open requested path"); + + if (S_ISBLK(s.st_mode)) + ioctl(rfd, BLKGETSIZE64, &size); + else + size = (unsigned long long)s.st_size; + + printf("Status: 200 OK\r\n"); + printf("Content-Type: %s\r\n", fields[7] ? fields[7] : "application/octet-stream"); + + if (fields[5]) + printf("Content-Disposition: attachment; filename=\"%s\"\r\n", fields[5]); + + printf("Content-Length: %llu\r\n\r\n", size); + fflush(stdout); + + while (size > 0) { + len = sendfile(1, rfd, NULL, size); + + if (len == -1) { + if (errno == ENOSYS || errno == EINVAL) { + while ((len = read(rfd, buf, sizeof(buf))) > 0) + fwrite(buf, len, 1, stdout); + + fflush(stdout); + break; + } + + if (errno == EINTR || errno == EAGAIN) + continue; + } + + if (len <= 0) + break; + + size -= len; + } + + close(rfd); + + return 0; +} + static int main_backup(int argc, char **argv) { @@ -718,6 +799,8 @@ int main(int argc, char **argv) { if (strstr(argv[0], "cgi-upload")) return main_upload(argc, argv); + else if (strstr(argv[0], "cgi-download")) + return main_download(argc, argv); else if (strstr(argv[0], "cgi-backup")) return main_backup(argc, argv); -- 2.30.2