luci/modules/luci-base/luasrc/http.lua

-- Copyright 2008 Steven Barth <steven@midlink.org>
-- Copyright 2010-2018 Jo-Philipp Wich <jo@mein.io>
-- Licensed to the public under the Apache License 2.0.

local util  = require "luci.util"
local coroutine = require "coroutine"
local table = require "table"
local lhttp = require "lucihttp"
local nixio = require "nixio"
local ltn12 = require "luci.ltn12"

local table, ipairs, pairs, type, tostring, tonumber, error =
	table, ipairs, pairs, type, tostring, tonumber, error

module "luci.http"

HTTP_MAX_CONTENT      = 1024*100		-- 100 kB maximum content size

context = util.threadlocal()

Request = util.class()
function Request.__init__(self, env, sourcein, sinkerr)
	self.input = sourcein
	self.error = sinkerr


	-- File handler nil by default to let .content() work
	self.filehandler = nil

	-- HTTP-Message table
	self.message = {
		env = env,
		headers = {},
		params = urldecode_params(env.QUERY_STRING or ""),
	}

	self.parsed_input = false
end

function Request.formvalue(self, name, noparse)
	if not noparse and not self.parsed_input then
		self:_parse_input()
	end

	if name then
		return self.message.params[name]
	else
		return self.message.params
	end
end

function Request.formvaluetable(self, prefix)
	local vals = {}
	prefix = prefix and prefix .. "." or "."

	if not self.parsed_input then
		self:_parse_input()
	end

	local void = self.message.params[nil]
	for k, v in pairs(self.message.params) do
		if k:find(prefix, 1, true) == 1 then
			vals[k:sub(#prefix + 1)] = tostring(v)
		end
	end

	return vals
end

function Request.content(self)
	if not self.parsed_input then
		self:_parse_input()
	end

	return self.message.content, self.message.content_length
end

function Request.getcookie(self, name)
	return lhttp.header_attribute("cookie; " .. (self:getenv("HTTP_COOKIE") or ""), name)
end

function Request.getenv(self, name)
	if name then
		return self.message.env[name]
	else
		return self.message.env
	end
end

function Request.setfilehandler(self, callback)
	self.filehandler = callback

	if not self.parsed_input then
		return
	end

	-- If input has already been parsed then uploads are stored as unlinked
	-- temporary files pointed to by open file handles in the parameter
	-- value table. Loop all params, and invoke the file callback for any
	-- param with an open file handle.
	local name, value
	for name, value in pairs(self.message.params) do
		if type(value) == "table" then
			while value.fd do
				local data = value.fd:read(1024)
				local eof = (not data or data == "")

				callback(value, data, eof)

				if eof then
					value.fd:close()
					value.fd = nil
				end
			end
		end
	end
end

function Request._parse_input(self)
	parse_message_body(
		 self.input,
		 self.message,
		 self.filehandler
	)
	self.parsed_input = true
end

function close()
	if not context.eoh then
		context.eoh = true
		coroutine.yield(3)
	end

	if not context.closed then
		context.closed = true
		coroutine.yield(5)
	end
end

function content()
	return context.request:content()
end

function formvalue(name, noparse)
	return context.request:formvalue(name, noparse)
end

function formvaluetable(prefix)
	return context.request:formvaluetable(prefix)
end

function getcookie(name)
	return context.request:getcookie(name)
end

-- or the environment table itself.
function getenv(name)
	return context.request:getenv(name)
end

function setfilehandler(callback)
	return context.request:setfilehandler(callback)
end

function header(key, value)
	if not context.headers then
		context.headers = {}
	end
	context.headers[key:lower()] = value
	coroutine.yield(2, key, value)
end

function prepare_content(mime)
	if not context.headers or not context.headers["content-type"] then
		if mime == "application/xhtml+xml" then
			if not getenv("HTTP_ACCEPT") or
			  not getenv("HTTP_ACCEPT"):find("application/xhtml+xml", nil, true) then
				mime = "text/html; charset=UTF-8"
			end
			header("Vary", "Accept")
		end
		header("Content-Type", mime)
	end
end

function source()
	return context.request.input
end

function status(code, message)
	code = code or 200
	message = message or "OK"
	context.status = code
	coroutine.yield(1, code, message)
end

-- This function is as a valid LTN12 sink.
-- If the content chunk is nil this function will automatically invoke close.
function write(content, src_err)
	if not content then
		if src_err then
			error(src_err)
		else
			close()
		end
		return true
	elseif #content == 0 then
		return true
	else
		if not context.eoh then
			if not context.status then
				status()
			end
			if not context.headers or not context.headers["content-type"] then
				header("Content-Type", "text/html; charset=utf-8")
			end
			if not context.headers["cache-control"] then
				header("Cache-Control", "no-cache")
				header("Expires", "0")
			end
			if not context.headers["x-frame-options"] then
				header("X-Frame-Options", "SAMEORIGIN")
			end
			if not context.headers["x-xss-protection"] then
				header("X-XSS-Protection", "1; mode=block")
			end
			if not context.headers["x-content-type-options"] then
				header("X-Content-Type-Options", "nosniff")
			end

			context.eoh = true
			coroutine.yield(3)
		end
		coroutine.yield(4, content)
		return true
	end
end

function splice(fd, size)
	coroutine.yield(6, fd, size)
end

function redirect(url)
	if url == "" then url = "/" end
	status(302, "Found")
	header("Location", url)
	close()
end

function build_querystring(q)
	local s, n, k, v = {}, 1, nil, nil

	for k, v in pairs(q) do
		s[n+0] = (n == 1) and "?" or "&"
		s[n+1] = util.urlencode(k)
		s[n+2] = "="
		s[n+3] = util.urlencode(v)
		n = n + 4
	end

	return table.concat(s, "")
end

urldecode = util.urldecode

urlencode = util.urlencode

function write_json(x)
	util.serialize_json(x, write)
end

-- from given url or string. Returns a table with urldecoded values.
-- Simple parameters are stored as string values associated with the parameter
-- name within the table. Parameters with multiple values are stored as array
-- containing the corresponding values.
function urldecode_params(url, tbl)
	local parser, name
	local params = tbl or { }

	parser = lhttp.urlencoded_parser(function (what, buffer, length)
		if what == parser.TUPLE then
			name, value = nil, nil
		elseif what == parser.NAME then
			name = lhttp.urldecode(buffer)
		elseif what == parser.VALUE and name then
			params[name] = lhttp.urldecode(buffer) or ""
		end

		return true
	end)

	if parser then
		parser:parse((url or ""):match("[^?]*$"))
		parser:parse(nil)
	end

	return params
end

-- separated by "&". Tables are encoded as parameters with multiple values by
-- repeating the parameter name with each value.
function urlencode_params(tbl)
	local k, v
	local n, enc = 1, {}
	for k, v in pairs(tbl) do
		if type(v) == "table" then
			local i, v2
			for i, v2 in ipairs(v) do
				if enc[1] then
					enc[n] = "&"
					n = n + 1
				end

				enc[n+0] = lhttp.urlencode(k)
				enc[n+1] = "="
				enc[n+2] = lhttp.urlencode(v2)
				n = n + 3
			end
		else
			if enc[1] then
				enc[n] = "&"
				n = n + 1
			end

			enc[n+0] = lhttp.urlencode(k)
			enc[n+1] = "="
			enc[n+2] = lhttp.urlencode(v)
			n = n + 3
		end
	end

	return table.concat(enc, "")
end

-- Content-Type. Stores all extracted data associated with its parameter name
-- in the params table within the given message object. Multiple parameter
-- values are stored as tables, ordinary ones as strings.
-- If an optional file callback function is given then it is fed with the
-- file contents chunk by chunk and only the extracted file name is stored
-- within the params table. The callback function will be called subsequently
-- with three arguments:
--  o Table containing decoded (name, file) and raw (headers) mime header data
--  o String value containing a chunk of the file data
--  o Boolean which indicates whether the current chunk is the last one (eof)
function mimedecode_message_body(src, msg, file_cb)
	local parser, header, field
	local len, maxlen = 0, tonumber(msg.env.CONTENT_LENGTH or nil)

	parser, err = lhttp.multipart_parser(msg.env.CONTENT_TYPE, function (what, buffer, length)
		if what == parser.PART_INIT then
			field = { }

		elseif what == parser.HEADER_NAME then
			header = buffer:lower()

		elseif what == parser.HEADER_VALUE and header then
			if header:lower() == "content-disposition" and
			   lhttp.header_attribute(buffer, nil) == "form-data"
			then
				field.name = lhttp.header_attribute(buffer, "name")
				field.file = lhttp.header_attribute(buffer, "filename")
				field[1] = field.file
			end

			if field.headers then
				field.headers[header] = buffer
			else
				field.headers = { [header] = buffer }
			end

		elseif what == parser.PART_BEGIN then
			return not field.file

		elseif what == parser.PART_DATA and field.name and length > 0 then
			if field.file then
				if file_cb then
					file_cb(field, buffer, false)
					msg.params[field.name] = msg.params[field.name] or field
				else
					if not field.fd then
						field.fd = nixio.mkstemp(field.name)
					end

					if field.fd then
						field.fd:write(buffer)
						msg.params[field.name] = msg.params[field.name] or field
					end
				end
			else
				field.value = buffer
			end

		elseif what == parser.PART_END and field.name then
			if field.file and msg.params[field.name] then
				if file_cb then
					file_cb(field, "", true)
				elseif field.fd then
					field.fd:seek(0, "set")
				end
			else
				local val = msg.params[field.name]

				if type(val) == "table" then
					val[#val+1] = field.value or ""
				elseif val ~= nil then
					msg.params[field.name] = { val, field.value or "" }
				else
					msg.params[field.name] = field.value or ""
				end
			end

			field = nil

		elseif what == parser.ERROR then
			err = buffer
		end

		return true
	end, HTTP_MAX_CONTENT)

	return ltn12.pump.all(src, function (chunk)
		len = len + (chunk and #chunk or 0)

		if maxlen and len > maxlen + 2 then
			return nil, "Message body size exceeds Content-Length"
		end

		if not parser or not parser:parse(chunk) then
			return nil, err
		end

		return true
	end)
end

-- Content-Type. Stores all extracted data associated with its parameter name
-- in the params table within the given message object. Multiple parameter
-- values are stored as tables, ordinary ones as strings.
function urldecode_message_body(src, msg)
	local err, name, value, parser
	local len, maxlen = 0, tonumber(msg.env.CONTENT_LENGTH or nil)

	parser = lhttp.urlencoded_parser(function (what, buffer, length)
		if what == parser.TUPLE then
			name, value = nil, nil
		elseif what == parser.NAME then
			name = lhttp.urldecode(buffer, lhttp.DECODE_PLUS)
		elseif what == parser.VALUE and name then
			local val = msg.params[name]

			if type(val) == "table" then
				val[#val+1] = lhttp.urldecode(buffer, lhttp.DECODE_PLUS) or ""
			elseif val ~= nil then
				msg.params[name] = { val, lhttp.urldecode(buffer, lhttp.DECODE_PLUS) or "" }
			else
				msg.params[name] = lhttp.urldecode(buffer, lhttp.DECODE_PLUS) or ""
			end
		elseif what == parser.ERROR then
			err = buffer
		end

		return true
	end, HTTP_MAX_CONTENT)

	return ltn12.pump.all(src, function (chunk)
		len = len + (chunk and #chunk or 0)

		if maxlen and len > maxlen + 2 then
			return nil, "Message body size exceeds Content-Length"
		elseif len > HTTP_MAX_CONTENT then
			return nil, "Message body size exceeds maximum allowed length"
		end

		if not parser or not parser:parse(chunk) then
			return nil, err
		end

		return true
	end)
end

-- This function will examine the Content-Type within the given message object
-- to select the appropriate content decoder.
-- Currently the application/x-www-urlencoded and application/form-data
-- mime types are supported. If the encountered content encoding can't be
-- handled then the whole message body will be stored unaltered as "content"
-- property within the given message object.
function parse_message_body(src, msg, filecb)
	if msg.env.CONTENT_LENGTH or msg.env.REQUEST_METHOD == "POST" then
		local ctype = lhttp.header_attribute(msg.env.CONTENT_TYPE, nil)

		-- Is it multipart/mime ?
		if ctype == "multipart/form-data" then
			return mimedecode_message_body(src, msg, filecb)

		-- Is it application/x-www-form-urlencoded ?
		elseif ctype == "application/x-www-form-urlencoded" then
			return urldecode_message_body(src, msg)

		end

		-- Unhandled encoding
		-- If a file callback is given then feed it chunk by chunk, else
		-- store whole buffer in message.content
		local sink

		-- If we have a file callback then feed it
		if type(filecb) == "function" then
			local meta = {
				name = "raw",
				encoding = msg.env.CONTENT_TYPE
			}
			sink = function( chunk )
				if chunk then
					return filecb(meta, chunk, false)
				else
					return filecb(meta, nil, true)
				end
			end
		-- ... else append to .content
		else
			msg.content = ""
			msg.content_length = 0

			sink = function( chunk )
				if chunk then
					if ( msg.content_length + #chunk ) <= HTTP_MAX_CONTENT then
						msg.content        = msg.content        .. chunk
						msg.content_length = msg.content_length + #chunk
						return true
					else
						return nil, "POST data exceeds maximum allowed length"
					end
				end
				return true
			end
		end

		-- Pump data...
		while true do
			local ok, err = ltn12.pump.step( src, sink )

			if not ok and err then
				return nil, err
			elseif not ok then -- eof
				return true
			end
		end

		return true
	end

	return false
end