/usr/lib/cgi-bin/sitesummary-collector.cgi is in sitesummary 0.1.28+deb9u1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 | #!/usr/bin/perl -wT
#
# Receive HTTP post request with a file upload and process it as a
# sitesummary submission.
#
# Handle three different submission methods
# - mime-encoded upload with sitesummary report in compressed form
use strict;
use CGI;
use POSIX qw(strftime);
use Socket;
use Sys::Syslog;
use SiteSummary;
my $basedir = "/var/lib/sitesummary";
my $handlerdir = "/usr/lib/sitesummary/handler.d";
$ENV{PATH} = "/bin:/usr/bin";
print "Content-Type: text/plain\n\n";
my ($peeripaddr, $peername) = get_peerinfo(\*STDIN);
if (exists $ENV{REQUEST_METHOD} && $ENV{REQUEST_METHOD} ne "POST")
{
print "Sitesummary HTTP-POST submission URL\n";
print "Visit http://debian-edu.alioth.debian.org/ for more info.\n";
exit 0;
}
# Extract post data, handle both simple and multipart way
my @entry;
my $filename = "unknown";
if (exists $ENV{CONTENT_TYPE} && $ENV{CONTENT_TYPE} =~ m%multipart/form-data%){
my $query = new CGI;
my $fh = $query->upload("sitesummary");
if ($fh) {
$filename = $query->param("sitesummary");
my $type = $query->uploadInfo($filename)->{'Content-Type'};
if ("application/octet-stream" ne $type) {
print "Only 'application/octet-stream' is supported (not $type)!";
die;
} else {
my $encoding = $query->uploadInfo($filename)->{'Content-Encoding'};
if ("x-gzip" eq $encoding || "gzip" eq $encoding) {
# Uncompress
print "Compressed ($encoding) encoding detected.\n";
my $data;
# $data = join("", <$fh>);
my $len = (stat($fh))[7];
read $fh, $data, $len;
$data = Compress::Zlib::memGunzip($data);
@entry = ($data);
} else { # Pass throught
#print STDERR "Identity encoding detected.\n";
@entry = <$fh>;
}
}
} else {
print $query->cgi_error;
die;
}
} else {
print <<EOF;
Unsupported submission method.
EOF
}
my $timestamp = strftime("%Y-%m-%dT%H:%M:%S", gmtime());
if ($filename =~ m/.tar.gz$/) {
$filename = "sitesummary.tar.gz";
} elsif ($filename =~ m/.tar.gz.gpg$/) {
$filename = "sitesummary.tar.gz.gpg";
} else {
die "Unhandled file type '$filename'"
}
# XXX Come up with some unique file name.
my $savefile = "$basedir/tmpstorage/$peeripaddr-$timestamp-$$-$filename";
open(SITESUMMARY, ">", $savefile) or die "Unable to write to $savefile";
print SITESUMMARY @entry;
close SITESUMMARY;
print "Thanks for your submission to site-summary!\n";
print "SITESUMMARY HTTP-POST OK\n";
process_entry($peeripaddr, $peername, $savefile);
unlink $savefile;
exit 0;
sub extract_unique_id {
return get_unique_ether_id("system/ifconfig-a") || die "Unable to read ifconfig-a";
}
sub process_entry {
my ($peeripaddr, $peername, $filename) = @_;
my $dirname;
if ($filename =~ m/(.+).tar.gz$/) {
$dirname = $1;
mkdir $dirname;
chdir $dirname;
`tar zxf $filename`;
} else {
die "Unhandled file format '$filename'";
}
open(PEERINFO, ">peerinfo") || die;
print PEERINFO "$peeripaddr $peername\n";
close(PEERINFO) || die;
my $id = extract_unique_id($dirname);
if ("ether-unknown" eq $id) {
syslog('warning', "%s", "ignoring client without MAC address connected from \[$peeripaddr\]");
chdir "..";
`rm -r $dirname`;
return;
}
my $newdir = "$basedir/entries/$id";
my $status = "new";
if ( -d $newdir ) {
`rm -r $newdir`;
$status = "update";
}
rename $dirname, $newdir || die;
$ENV{"PATH"} = "";
for my $handler (<$handlerdir/*>) {
# Untaint script path
$handler =~ m/^([^;]*)$/; $handler = $1;
system("$handler", "$newdir", "$status");
}
}
sub get_peerinfo {
my $sockethandle = shift;
my ($peeripstr, $peername) = ("", "");
if ($ENV{'REMOTE_ADDR'}) { # CGI variable
$peeripstr = $ENV{'REMOTE_ADDR'};
$peeripstr =~ m/(\d+).(\d+).(\d+).(\d+)/; # Untaint
$peeripstr = "$1.$2.$3.$4";
$peeripaddr = inet_aton($peeripstr);
$peername = gethostbyaddr($peeripaddr, AF_INET);
} elsif (my $sockaddr = getpeername($sockethandle)) {
my $peerport;
($peerport, $peeripaddr) = sockaddr_in($sockaddr);
$peername = gethostbyaddr($peeripaddr, AF_INET);
$peeripstr = inet_ntoa($peeripaddr);
} else {
# Running on the command line, use test host
$peeripstr = "127.0.0.1";
$peername = "localhost";
}
if ("" eq $peername) {
syslog('warning', "%s", "client without DNS entry connected from \[$peeripstr\]");
$peername = "$peeripstr";
}
return ($peeripstr, $peername);
}
|