Web Server Design
Assignment #5: Unsafe Methods & CGI
Due: 05/05/2010
Old Dominion University, Department of Computer Science
CS 495/595, Spring 2010
Martin Klein <mklein@cs.odu.edu>

Grading
• To be done by an automated program that will test most (all?) combinations
  – the assignment is listed under the day it is to be demoed in class
  – each group will give a 3-4 minute status report the week before an assignment is due!
• If you have a question:
  – email the class list
  – mimic the behavior of a well-known Apache server (e.g., www.cs.odu.edu)

Methods to Support
• Same as assignments 1-4, plus:
  – DELETE, PUT, POST
    • as per Lecture 13
    • n.b. OPTIONS (Lecture 13)

Status Codes to Support
• Same as assignments 1-4, plus:
  – 201 Created
    • PUT, POST
  – 405 Method Not Allowed
  – 411 Length Required
  – 413 Request Entity Too Large
  – 414 Request-URI Too Long

Request Headers
• Same as assignments 1-4, plus:
  – Content-Type:
  – Content-Length:
  – Content-Disposition: (in form data)

Response Headers
• Same as assignments 1-4

MIME Types, Encodings, etc.
• All as per assignments 1-4, plus:
• Your server accepts the following "Content-Type" headers:
  – multipart/form-data
  – application/x-www-form-urlencoded

Guidelines
• PUT, DELETE are allowed recursively, as per directives in the WeMustProtectThisHouse! file
• Limits
  – URI: 2k
  – Entity: 2MB
• You should flag entities longer than advertised in the "Content-Length" header, but I will not test for error conditions
• Always issue an HTML description describing the results (success or failure) of PUT and DELETE
  – we will not produce 202 or 204

WeMustProtectThisHouse! Format
    % cat WeMustProtectThisHouse\!
    #
    ALLOW-PUT
    ALLOW-DELETE
    #
    authorization-type=Basic
    realm="Fried Twice"
    # always quote realm since it might have spaces
    #
    # user format = name:md5(password)
    #
    mklein:3102125cae72c19f215480ddf2d0d5c3
    mk:318bcb4be908d0da6448a0db76908d78
    jbollen:c82138c7e01ad922b0a58fdd33c3a91c
    mln:5a71416849df37fd781035da39885214

CGI Invocation
• Invoke the URI as an executable program iff:
  – POST, GET, HEAD methods are used
• Warning!!!
  – ensure your URI is relative to your document root
  – dangerous: GET /bin/rm?-rf HTTP/1.1

CGI Program
    #!/usr/bin/perl
    print "Content-type: text/html\n\n";
    # dump every environment variable the server passed to the script
    foreach $key (keys (%ENV)) {
        print "$key = $ENV{$key} <br>\n";
    }
    # echo the request body (e.g., POST data) back to the client
    while (<STDIN>) {
        print "$_<br>\n";
    }

Required Environment Variables
• SCRIPT_NAME
• SCRIPT_URI
• SCRIPT_FILENAME
• HTTP_REFERER
• HTTP_USER_AGENT
• REQUEST_METHOD
• REMOTE_ADDR
• QUERY_STRING
• REMOTE_USER
• AUTH_TYPE
• SERVER_NAME
• SERVER_SOFTWARE
• SERVER_PORT
• SERVER_ADDR
• SERVER_PROTOCOL
(leave blank if not available)

Keep in mind: Status report in 1 week! START NOW!!!
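As an added example (not part of the assignment or any course code), the script-resolution and environment-building step of the CGI invocation rules above, in Python: the Request-URI is always joined under the document root and canonicalized, so GET /bin/rm?-rf maps to <docroot>/bin/rm rather than the system's /bin/rm, a path that escapes the root is refused, and the fifteen required variables are filled in, blank where unavailable. The `server`/`remote` dicts, the `/srv/www/htdocs` document root and the header/remote values are assumptions for illustration.

```python
import os
import urllib.parse

# CGI variables the assignment requires; unavailable ones are passed blank.
REQUIRED_CGI_VARS = (
    "SCRIPT_NAME", "SCRIPT_URI", "SCRIPT_FILENAME", "HTTP_REFERER",
    "HTTP_USER_AGENT", "REQUEST_METHOD", "REMOTE_ADDR", "QUERY_STRING",
    "REMOTE_USER", "AUTH_TYPE", "SERVER_NAME", "SERVER_SOFTWARE",
    "SERVER_PORT", "SERVER_ADDR", "SERVER_PROTOCOL",
)
CGI_METHODS = {"GET", "HEAD", "POST"}   # the only methods that may run a script

def resolve_script(docroot, request_uri):
    """Map a Request-URI onto a file *under* docroot; returns
    (absolute_path, query_string), or None when the decoded path would
    escape it.  "/bin/rm?-rf" maps to <docroot>/bin/rm, never to /bin/rm."""
    path, _, query = request_uri.partition("?")
    path = urllib.parse.unquote(path)            # "%2e%2e" -> ".."
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Compare canonical paths so ".." segments and symlinks cannot escape.
    if os.path.commonpath([root, target]) != root:
        return None
    return target, query

def build_cgi_env(method, request_uri, headers, docroot, server, remote):
    """Return the CGI environment, or None if this request may not invoke
    a script.  `headers` keys are lower-case; `server`/`remote` are assumed
    dicts with keys name/software/port/addr/protocol and addr/user/auth_type."""
    resolved = resolve_script(docroot, request_uri)
    if method not in CGI_METHODS or resolved is None:
        return None
    script, query = resolved
    env = dict.fromkeys(REQUIRED_CGI_VARS, "")    # blank if not available
    script_name = request_uri.partition("?")[0]
    env["SCRIPT_NAME"] = script_name
    env["SCRIPT_URI"] = "http://%s:%s%s" % (server["name"], server["port"], script_name)
    env["SCRIPT_FILENAME"] = script
    env["REQUEST_METHOD"] = method
    env["QUERY_STRING"] = query              # stays in the env, never on argv
    env["HTTP_REFERER"] = headers.get("referer", "")
    env["HTTP_USER_AGENT"] = headers.get("user-agent", "")
    env["AUTH_TYPE"] = remote.get("auth_type", "")
    for key in ("addr", "user"):
        env["REMOTE_" + key.upper()] = remote.get(key, "")
    for key in ("name", "software", "port", "addr", "protocol"):
        env["SERVER_" + key.upper()] = str(server.get(key, ""))
    return env
```

The caller still has to check that the resolved file exists and is executable (404 otherwise) before handing the environment and the request body to the script's stdin.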