
POST body value will become variable name if `-form`

Open sgohl opened this issue 1 year ago • 5 comments

I use both -cgi and -form as a receiver for a Bitbucket webhook (I can't control the format of the payload) and I'm hardwired to both options. I know that with -cgi only, the payload would come as stdin, but I really need both (file uploads, etc.).

To reproduce, try the example from https://github.com/msoap/shell2http/issues/79

Run shell2http container:

```
docker run -it --rm -p 80:80 msoap/shell2http -port 80 -no-index -show-errors -export-all-vars -form -cgi -include-stderr -500 / 'env | grep ^v'
```

Send payload:

```
curl -X POST -d '{"id":123}' localhost/
v_{"id":123}=
```

As you see, the JSON payload is not the value of the variable as expected, but the variable name itself. This could be prevented by modifying the POST payload to a named one, like -d 'test={"id":123}', but for payloads you cannot control, you can't address the payload.

To fix that, the payload should not be transformed into a variable with a non-fixed name depending on the content of the payload, but rather into a fixed variable name for the actual raw body payload.

Perhaps there's a way to fix this while not making this a breaking change by checking if the resulting variable name would be $v_ ?

So instead of this

v_{"id":123}=

it should look like this.

v_={"id":123}

sgohl, Dec 02 '24 13:12

Hi @sgohl,

There is a conflict between the -form and -cgi options, let me explain how they work:

  • -form - adds parsing of form data from the URL or from POST data; this data looks like aaa=12&bbb=34. It is typically used with the headers Content-Type: application/x-www-form-urlencoded or multipart/form-data. It also transfers uploaded data to stdin.
  • -cgi - makes it work similarly to a CGI script, and does only three things:
    • parses HTTP headers from the shell stdout and processes them, e.g. makes a redirect or changes the status code
    • sets up environment variables with HTTP_* from the request headers, and QUERY_STRING and other variables based on the HTTP request
    • transfers all POST/PUT data to the stdin of the shell script

And because the POST data (-d '{"id":123}') is already parsed by -form, nothing is sent to stdin anymore. And it is parsed just by splitting by & and = in the Go http stdlib.

So, it looks like you need only the -cgi option, for uploading and reading POST data from stdin? Or do you need to parse parameters from the URL and get POST data at the same time?

A little later I will think about this problem, add a description of the conflict to the documentation and perhaps add a warning when using the two options at the same time, or even prohibit their simultaneous use.

msoap, Dec 30 '24 21:12

Thank you for sharing this useful program with us!

I would also like to have POST body as stdin and query parameters parsed and available as environment variables. Then I would use those variables as CLI parameters to my program.

Currently, when using the CGI mode, the parameters are available as $QUERY_STRING. I think it would be nice to, in addition to this variable, also expose each parameter separately, with its value decoded. Parsing them in a shell script is not trivial. I resorted to using a wrapper implemented in Nushell as a workaround. Here it is, in case someone finds it useful.

```nu
#!/usr/bin/env nu

## A CGI wrapper to tad-presentation, useful with shell2http

let query = $env.QUERY_STRING
| url split-query
| transpose --ignore-titles --as-record --header-row

( tad-presentation from-html
  --author $query.author
  --title $query.title
  --output-selector "body > *" )
```

As mentioned, my program reads from stdin and writes to stdout, but also expects some CLI parameters. Now I can expose it as follows:

```
shell2http --cgi /tad-presentation ./tad-presentation-cgi
```

tad-lispy, Jan 22 '25 20:01

> So, looks like you need only -cgi option, for uploading and reading POST data from stdin? Or do you need to parse parameters from url and get POST data in the same time?

Yes, I need and use both. The given example was just a small thing I have a problem with. I build an admin console all-in-one dashboard for me that does various things.

shell2http is so damn awesome, it's been my favorite tool of all time, really 🥇 being able to run any arbitrary shell-near command within a webpage is so underrated 💯

So, to conclude this, I'd say that -form and -cgi shouldn't be mutually exclusive, as it seems they are.

sgohl, Feb 04 '25 16:02

Yes, unfortunately, right now they contradict each other. I'll think about how to avoid this, maybe by duplicating all stdin data for the shell script before parsing it into variables.

msoap, Feb 04 '25 17:02

So, the fact that there even is a variable, and it has the full payload, is good. The problem is just that the value is the variable name.

So, wouldn't it be possible to check whether the generated variable actually has no name and, instead of giving it the value as name, just let the variable name be v_ and put the content in the value?

sgohl, Feb 06 '25 06:02
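
An added illustration of the two points discussed in this thread (it is not shell2http's code and was not posted by any commenter): the Go standard library's form parsing turns an unnamed body into a key and consumes the body, while buffering the body first keeps it available for stdin. The names `naiveVars`, `bufferedVars`, `newReq` and the identifier check are hypothetical; the check also means request content never chooses an environment variable name.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`) // safe variable-name suffix

// naiveVars parses the form straight from the request; returns vars and bytes left for stdin.
func naiveVars(r *http.Request) (map[string]string, int) {
	r.ParseForm() // consumes r.Body when the content type is form-urlencoded
	vars := map[string]string{}
	for k, v := range r.PostForm {
		vars["v_"+k] = v[0] // the key, whatever it contains, becomes the name
	}
	rest, _ := io.ReadAll(r.Body)
	return vars, len(rest)
}

// bufferedVars reads the body once, parses a copy and keeps the raw bytes for stdin.
// If any key is not an identifier, the raw body goes under the fixed name "v_" instead.
func bufferedVars(r *http.Request) (map[string]string, []byte) {
	raw, _ := io.ReadAll(r.Body)
	r.Body = io.NopCloser(bytes.NewReader(raw))
	r.ParseForm()
	r.Body = io.NopCloser(bytes.NewReader(raw)) // restore for the script's stdin
	vars := map[string]string{}
	for k, v := range r.PostForm {
		if !identRe.MatchString(k) {
			return map[string]string{"v_": string(raw)}, raw
		}
		vars["v_"+k] = v[0]
	}
	return vars, raw
}

// newReq builds a constructed request equivalent to: curl -X POST -d '<body>' localhost/
func newReq(body string) *http.Request {
	r := httptest.NewRequest("POST", "/", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}
func main() { fmt.Println(bufferedVars(newReq(`{"id":123}`))) }
```

A JSON body that contains `&` or `=` is split into several keys by the form parser, which is why the fallback stores the whole raw body rather than a single parsed key.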