
annotate framework/env/request/handler.lua @ 347:169dfbd0246a

Prohibit public access to listing of subdirectories in static/ (on BSD systems)
author jbe
date Thu Mar 26 03:00:04 2015 +0100 (2015-03-26)
parents 3db9b672ee73
children 8cf6d927d074
--[[--
success =        -- false if an error occurred, true otherwise
request.handler(
  http_request,  -- HTTP request object
)

Called by mcp.lua to process an HTTP request. Calls request.router() and then handles the request. Note: request initializers must already have been (automatically) executed before mcp.lua invokes this function.

--]]--

-- Returns true if `filename` can be opened for reading, false otherwise.
-- (Only readability is probed; the handle is closed again immediately.)
local function file_exists(filename)
  local handle = io.open(filename, "r")
  if not handle then
    return false
  end
  handle:close()
  return true
end
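function request.handler(http_request)
  -- Process one HTTP request end to end: remember the request object,
  -- compute the relative base URL, ask request.router() for the route,
  -- then (under xpcall) serve a static file or run the action/view, and
  -- finally emit the normal response, a 303 redirect, or the error page.
  -- Returns true if no error was caught, false otherwise.
  request._http_request = http_request
  local path = http_request.path
  if path then
    -- One "../" per "/" in the path so relative URLs resolve to the
    -- application root from any depth; "./" when the path has no slash.
    local relative_baseurl_elements = {}
    for match in string.gmatch(path, "/") do
      relative_baseurl_elements[#relative_baseurl_elements+1] = "../"
    end
    if #relative_baseurl_elements > 0 then
      request._relative_baseurl = table.concat(relative_baseurl_elements)
    else
      request._relative_baseurl = "./"
    end
  else
    request._relative_baseurl = nil
  end
  request._route = request.router()
  do
    -- A "_webmcp_id" POST parameter overrides the id chosen by the router.
    -- Guarded on request._route: the router may return nil (turned into a
    -- 404 below), and indexing nil here would raise outside the xpcall.
    local post_id = http_request.post_params["_webmcp_id"]
    if post_id and request._route then
      request._route.id = post_id
    end
  end

  local success, error_info = xpcall(
    function()

      if not request._route then
        -- Unroutable URL: forward to the configured 404 route, or fail.
        request._route = {}
        if request.get_404_route() then
          request.set_status("404 Not Found")
          request.forward(request.get_404_route())
        else
          error("Could not route request URL")
        end
      end

      if request._route.static then
        -- Static file below static/. The path component comes from the
        -- router, which is expected to have sanitized it (see TODO); a
        -- custom router must apply the same sanitizing before setting it.
        local filename = WEBMCP_BASE_PATH .. "static/" .. request._route.static
        -- TODO: move sanitizer from request.default_router(...) to request.handler(...)
        local fstat, f, errmsg
        fstat, errmsg = extos.stat(filename)
        if fstat then
          -- Only regular files are served: on some systems (BSD) opening
          -- and reading a directory succeeds and would expose its listing.
          if fstat.isdir then
            errmsg = "Is a directory"
          elseif not fstat.isreg then
            errmsg = "Not a regular file"
          else
            f, errmsg = io.open(filename, "r")
          end
        end
        if not f then
          request.set_status("404 Not Found")
          if request.get_404_route() then
            request.set_status("404 Not Found")
            request.forward(request.get_404_route())
          else
            -- tostring() keeps the original reason even when no message
            -- was returned (concatenating nil would raise a different error).
            error('Could not open static file "' .. request._route.static .. '": ' .. tostring(errmsg))
          end
        else
          -- The whole file goes into the "data" slot; the layout is replaced
          -- by the MIME type looked up from the file extension.
          local d = assert(f:read("*a"))
          f:close()
          slot.put_into("data", d)
          local filename_extension = string.match(request._route.static, "%.([^.]+)$")
          slot.set_layout(nil, request._mime_types[filename_extension] or "application/octet-stream")
          request.allow_caching()
          return
        end
      end

      -- restore slots if coming from http redirect
      do
        -- The "_tempstore" GET parameter is only used as a lookup key;
        -- tempstore.pop() presumably removes the entry (one-shot) — confirm.
        local tempstore_value = http_request.get_params["_tempstore"]
        if tempstore_value then
          trace.restore_slots{}
          local blob = tempstore.pop(tempstore_value)
          if blob then slot.restore_all(blob) end
        end
      end

      if request.get_action() then
        trace.request{
          module = request.get_module(),
          action = request.get_action()
        }
        if
          request.get_404_route() and
          not file_exists(
            encode.action_file_path{
              module = request.get_module(),
              action = request.get_action()
            }
          )
        then
          request.set_status("404 Not Found")
          request.forward(request.get_404_route())
        else
          -- Actions are executed for POST requests only; any other method
          -- gets a 405 with an Allow header and aborts here.
          if http_request.method ~= "POST" then
            request.set_status("405 Method Not Allowed")
            request.add_header("Allow", "POST")
            error("Tried to invoke an action with a GET request.")
          end
          local action_status = execute.filtered_action{
            module = request.get_module(),
            action = request.get_action(),
          }
          if not request.is_rerouted() then
            -- Post-action routing is read from "_webmcp_routing.<status>.*"
            -- POST parameters, falling back to "_webmcp_routing.default.*".
            local routing_mode, routing_module, routing_view, routing_anchor
            routing_mode = http_request.post_params["_webmcp_routing." .. action_status .. ".mode"]
            routing_module = http_request.post_params["_webmcp_routing." .. action_status .. ".module"]
            routing_view = http_request.post_params["_webmcp_routing." .. action_status .. ".view"]
            routing_anchor = http_request.post_params["_webmcp_routing." .. action_status .. ".anchor"]
            if not (routing_mode or routing_module or routing_view) then
              action_status = "default"
              routing_mode = http_request.post_params["_webmcp_routing.default.mode"]
              routing_module = http_request.post_params["_webmcp_routing.default.module"]
              routing_view = http_request.post_params["_webmcp_routing.default.view"]
              routing_anchor = http_request.post_params["_webmcp_routing.default.anchor"]
            end
            assert(routing_module, "Routing information has no module.")
            assert(routing_view, "Routing information has no view.")
            if routing_mode == "redirect" then
              -- Only "_webmcp_routing.<status>.params.*" entries whose status
              -- segment matches action_status are carried into the redirect.
              -- The target is a module/view pair rendered by encode.url
              -- (presumably an in-application URL, not a client-supplied
              -- absolute URL — confirm in encode.url).
              local routing_params = {}
              for key, value in pairs(request.get_param_strings{ method="POST", include_internal=true }) do
                local status, stripped_key = string.match(
                  key, "^_webmcp_routing%.([^%.]*)%.params%.(.*)$"
                )
                if status == action_status then
                  routing_params[stripped_key] = value
                end
              end
              request.redirect{
                module = routing_module,
                view = routing_view,
                id = http_request.post_params["_webmcp_routing." .. action_status .. ".id"],
                params = routing_params,
                anchor = routing_anchor
              }
            elseif routing_mode == "forward" then
              request.forward{ module = routing_module, view = routing_view }
            else
              error("Missing or unknown routing mode in request parameters.")
            end
          end
        end
      else
        -- no action
        trace.request{
          module = request.get_module(),
          view = request.get_view()
        }
        if
          request.get_404_route() and
          not file_exists(
            encode.view_file_path{
              module = request.get_module(),
              view = request.get_view()
            }
          )
        then
          request.set_status("404 Not Found")
          request.forward(request.get_404_route())
        end
      end

      if not request.get_redirect_data() then
        request.process_forward()
        -- Views prefixed with "_" are private and must not be reachable
        -- from a request URL; checked after forwards have been resolved.
        local view = request.get_view()
        if string.find(view, "^_") then
          error("Tried to call a private view (prefixed with underscore).")
        end
        execute.filtered_view{
          module = request.get_module(),
          view = view,
        }
      end

    end,

    function(errobj)
      -- Error handler: capture the traceback (without its header line)
      -- before the stack unwinds.
      return {
        errobj = errobj,
        stacktrace = string.gsub(
          debug.traceback('', 2),
          "^\r?\n?stack traceback:\r?\n?", ""
        )
      }
    end
  )

  if not success then trace.error{} end

  -- TODO: extend trace system to generally monitor execution time
  -- trace.exectime{ real = extos.monotonic_hires_time(), cpu = os.clock() }

  slot.select('trace', trace.render) -- render trace information

  local redirect_data = request.get_redirect_data()

  -- log error and switch to error layout, unless success
  if not success then
    local errobj = error_info.errobj
    local stacktrace = error_info.stacktrace
    -- Keep a status set earlier (e.g. 404/405); otherwise report a 500.
    if not request._status then
      request._status = "500 Internal Server Error"
    end
    http_request:close_after_finish()
    slot.set_layout('system_error')
    slot.select('system_error', function()
      -- NOTE(review): the error message and the full stack trace are
      -- rendered (HTML-escaped) into the response body, so internal
      -- details reach the client; consider limiting this to development.
      if getmetatable(errobj) == mondelefant.errorobject_metatable then
        slot.put(
          "<p>Database error of class <b>",
          encode.html(errobj.code),
          "</b> occured:<br/><b>",
          encode.html(errobj.message),
          "</b></p>"
        )
      else
        slot.put("<p><b>", encode.html(tostring(errobj)), "</b></p>")
      end
      slot.put("<p>Stack trace follows:<br/>")
      slot.put(encode.html_newlines(encode.html(stacktrace)))
      slot.put("</p>")
    end)
  elseif redirect_data then
    -- table.new() presumably copies the redirect data so the stored
    -- original is not modified. Rendered slots are parked in the tempstore
    -- and referenced by the "_tempstore" parameter, which the redirected
    -- request restores above.
    redirect_data = table.new(redirect_data)
    redirect_data.params = table.new(redirect_data.params)
    local slot_dump = slot.dump_all()
    if slot_dump ~= "" then
      redirect_data.params._tempstore = tempstore.save(slot_dump)
    end
    http_request:send_status("303 See Other")
    for i, header in ipairs(request._response_headers) do
      http_request:send_header(header[1], header[2])
    end
    http_request:send_header("Location", encode.url(redirect_data))
    http_request:finish()
  end

  if not success or not redirect_data then

    http_request:send_status(request._status or "200 OK")
    for i, header in ipairs(request._response_headers) do
      http_request:send_header(header[1], header[2])
    end
    -- Unless caching headers are managed manually, send max-age when
    -- caching was allowed with a positive time, otherwise "no-cache".
    if not request._cache_manual then
      local cache_time = request._cache_time
      if request._cache and cache_time and cache_time > 0 then
        http_request:send_header("Cache-Control", "max-age=" .. cache_time)
      else
        http_request:send_header("Cache-Control", "no-cache")
      end
    end
    http_request:send_header("Content-Type", slot.get_content_type())
    http_request:send_data(slot.render_layout())
    http_request:finish()
  end

  return success

end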
