# Copyright (C) 2016-2019 all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
+# This package can either be a PSGI response body for a static file
+# OR a standalone PSGI app which returns the above PSGI response body
+# (or an HTML directory listing).
+#
+# It encapsulates the "autoindex", "index", and "gzip_static"
+# functionality of nginx.
package PublicInbox::WwwStatic;
use strict;
use parent qw(Exporter);
+use bytes ();
use Fcntl qw(SEEK_SET O_RDONLY O_NONBLOCK);
+use POSIX qw(strftime lround);
use HTTP::Date qw(time2str);
use HTTP::Status qw(status_message);
use Errno qw(EACCES ENOTDIR ENOENT);
-our @EXPORT_OK = qw(@NO_CACHE r);
+use URI::Escape qw(uri_escape_utf8);
+use PublicInbox::Hval qw(ascii_html);
+use Plack::MIME;
+our @EXPORT_OK = qw(@NO_CACHE r path_info_raw);
our @NO_CACHE = ('Expires', 'Fri, 01 Jan 1980 00:00:00 GMT',
'Pragma', 'no-cache',
'Cache-Control', 'no-cache, max-age=0, must-revalidate');
+our $STYLE = <<'EOF';
+<style>
+@media screen {
+ *{background:#000;color:#ccc}
+ a{color:#69f;text-decoration:none}
+ a:visited{color:#96f}
+}
+@media screen AND (prefers-color-scheme:light) {
+ *{background:#fff;color:#333}
+ a{color:#00f;text-decoration:none}
+ a:visited{color:#808}
+}
+</style>
+EOF
+
+$STYLE =~ s/^\s*//gm;
+$STYLE =~ tr/\n//d;
+
sub r ($;$) {
my ($code, $msg) = @_;
$msg ||= status_message($code);
($code, $len);
}
-sub response {
+# returns a PSGI arrayref response iff .gz and non-.gz mtimes match
+sub try_gzip_static ($$$$) {
my ($env, $h, $path, $type) = @_;
+ return unless ($env->{HTTP_ACCEPT_ENCODING} // '') =~ /\bgzip\b/i;
+ my $mtime;
+ return unless -f $path && defined(($mtime = (stat(_))[9]));
+ my $gz = "$path.gz";
+ return unless -f $gz && (stat(_))[9] == $mtime;
+ my $res = response($env, $h, $gz, $type);
+ return if ($res->[0] > 300 || $res->[0] < 200);
+ push @{$res->[1]}, qw(Cache-Control no-transform Content-Encoding gzip);
+ $res;
+}
+
+sub response ($$$;$) {
+ my ($env, $h, $path, $type) = @_;
+ $type //= Plack::MIME->mime_type($path) // 'application/octet-stream';
+ if ($path !~ /\.gz\z/i) {
+ if (my $res = try_gzip_static($env, $h, $path, $type)) {
+ return $res;
+ }
+ }
my $in;
if ($env->{REQUEST_METHOD} eq 'HEAD') {
[ $code, $h, $body ];
}
-# called by PSGI servers:
+# called by PSGI servers on each response chunk:
sub getline {
my ($self) = @_;
my $len = $self->{len} or return; # undef, tells server we're done
undef;
}
-sub close {} # noop, just let everything go out-of-scope
+sub close {} # noop, called by PSGI server, just let everything go out-of-scope
+
+# OO interface for use as a Plack app
+sub new {
+ my ($class, %opt) = @_;
+ my $index = $opt{'index'} // [ 'index.html' ];
+ $index = [ $index ] if defined($index) && ref($index) ne 'ARRAY';
+ $index = undef if scalar(@$index) == 0;
+ my $style = $opt{style};
+ if (defined $style) {
+ $style = \$style unless ref($style);
+ }
+ my $docroot = $opt{docroot};
+ die "`docroot' not set" unless defined($docroot) && $docroot ne '';
+ bless {
+ docroot => $docroot,
+ index => $index,
+ autoindex => $opt{autoindex},
+ style => $style // \$STYLE,
+ }, $class;
+}
+
+# PATH_INFO is decoded, and we want the undecoded original
+my %path_re_cache;
+sub path_info_raw ($) {
+ my ($env) = @_;
+ my $sn = $env->{SCRIPT_NAME};
+ my $re = $path_re_cache{$sn} ||= do {
+ $sn = '/'.$sn unless index($sn, '/') == 0;
+ $sn =~ s!/\z!!;
+ qr!\A(?:https?://[^/]+)?\Q$sn\E(/[^\?\#]+)!;
+ };
+ $env->{REQUEST_URI} =~ $re ? $1 : $env->{PATH_INFO};
+}
+
+sub redirect_slash ($) {
+ my ($env) = @_;
+ my $url = $env->{'psgi.url_scheme'} . '://';
+ my $host_port = $env->{HTTP_HOST} //
+ "$env->{SERVER_NAME}:$env->{SERVER_PORT}";
+ $url .= $host_port . path_info_raw($env) . '/';
+ my $body = "Redirecting to $url\n";
+ [ 302, [ qw(Content-Type text/plain), 'Location', $url,
+ 'Content-Length', length($body) ], [ $body ] ]
+}
+
+sub human_size ($) {
+ my ($size) = @_;
+ my $suffix = '';
+ for my $s (qw(K M G T P)) {
+ last if $size < 1024;
+ $size /= 1024;
+ if ($size <= 1024) {
+ $suffix = $s;
+ last;
+ }
+ }
+ lround($size).$suffix;
+}
+
+# by default, this returns "index.html" if it exists for a given directory
+# It'll generate a directory listing, (autoindex).
+# May be disabled by setting autoindex => 0
+sub dir_response ($$$) {
+ my ($self, $env, $fs_path) = @_;
+ if (my $index = $self->{'index'}) { # serve index.html or similar
+ for my $html (@$index) {
+ my $p = $fs_path . $html;
+ my $res = response($env, [], $p);
+ return $res if $res->[0] != 404;
+ }
+ }
+ return r(404) unless $self->{autoindex};
+ opendir(my $dh, $fs_path) or do {
+ return r(404) if ($! == ENOENT || $! == ENOTDIR);
+ return r(403) if $! == EACCES;
+ return r(500);
+ };
+ my @entries = grep(!/\A\./, readdir($dh));
+ $dh = undef;
+ my (%dirs, %other, %want_gz);
+ my $path_info = $env->{PATH_INFO};
+ push @entries, '..' if $path_info ne '/';
+ for my $base (@entries) {
+ my $href = ascii_html(uri_escape_utf8($base));
+ my $name = ascii_html($base);
+ my @st = stat($fs_path . $base) or next; # unlikely
+ my ($gzipped, $uncompressed, $hsize);
+ my $entry = '';
+ my $mtime = $st[9];
+ if (-d _) {
+ $href .= '/';
+ $name .= '/';
+ $hsize = '-';
+ $dirs{"$base\0$mtime"} = \$entry;
+ } elsif (-f _) {
+ $other{"$base\0$mtime"} = \$entry;
+ if ($base !~ /\.gz\z/i) {
+ $want_gz{"$base.gz\0$mtime"} = undef;
+ }
+ $hsize = human_size($st[7]);
+ } else {
+ next;
+ }
+ # 54 = 80 - (SP length(strftime(%Y-%m-%d %k:%M)) SP human_size)
+ $hsize = sprintf('% 8s', $hsize);
+ my $pad = 54 - length($name);
+ $pad = 1 if $pad <= 0;
+ $entry .= qq(<a\nhref="$href">$name</a>) . (' ' x $pad);
+ $mtime = strftime('%Y-%m-%d %k:%M', gmtime($mtime));
+ $entry .= $mtime . $hsize;
+ }
+
+ # filter out '.gz' files as long as the mtime matches the
+ # uncompressed version
+ delete(@other{keys %want_gz});
+ @entries = ((map { ${$dirs{$_}} } sort keys %dirs),
+ (map { ${$other{$_}} } sort keys %other));
+
+ my $path_info_html = ascii_html($path_info);
+ my $body = "<html><head><title>Index of $path_info_html</title>" .
+ ${$self->{style}} .
+ "</head><body><pre>Index of $path_info_html</pre><hr><pre>\n";
+ $body .= join("\n", @entries) . "</pre><hr></body></html>\n";
+ [ 200, [ qw(Content-Type text/html
+ Content-Length), bytes::length($body) ], [ $body ] ]
+}
+
+sub call { # PSGI app endpoint
+ my ($self, $env) = @_;
+ return r(405) if $env->{REQUEST_METHOD} !~ /\A(?:GET|HEAD)\z/;
+ my $path_info = $env->{PATH_INFO};
+ return r(403) if index($path_info, "\0") >= 0;
+ my (@parts) = split(m!/+!, $path_info, -1);
+ return r(403) if grep(/\A(?:\.\.)\z/, @parts) || $parts[0] ne '';
+
+ my $fs_path = join('/', $self->{docroot}, @parts);
+ return dir_response($self, $env, $fs_path) if $parts[-1] eq '';
+
+ my $res = response($env, [], $fs_path);
+ $res->[0] == 404 && -d $fs_path ? redirect_slash($env) : $res;
+}
1;
--- /dev/null
+# Copyright (C) 2019 all contributors <meta@public-inbox.org>
+# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
+use strict;
+use warnings;
+use Test::More;
+use PublicInbox::TestCommon;
+my ($tmpdir, $for_destroy) = tmpdir();
+my @mods = qw(HTTP::Request::Common Plack::Test URI::Escape);
+require_mods(@mods);
+use_ok $_ foreach @mods;
+use_ok 'PublicInbox::WwwStatic';
+
+my $app = sub {
+ my $ws = PublicInbox::WwwStatic->new(docroot => $tmpdir, @_);
+ sub { $ws->call(shift) };
+};
+
+test_psgi($app->(), sub {
+ my $cb = shift;
+ my $res = $cb->(GET('/'));
+ is($res->code, 404, '404 on "/" by default');
+ open my $fh, '>', "$tmpdir/index.html" or die;
+ print $fh 'hi' or die;
+ close $fh or die;
+ $res = $cb->(GET('/'));
+ is($res->code, 200, '200 with index.html');
+ is($res->content, 'hi', 'default index.html returned');
+ $res = $cb->(HEAD('/'));
+ is($res->code, 200, '200 on HEAD /');
+ is($res->content, '', 'no content');
+ is($res->header('Content-Length'), '2', 'content-length set');
+ like($res->header('Content-Type'), qr!^text/html\b!,
+ 'content-type is html');
+});
+
+test_psgi($app->(autoindex => 1, index => []), sub {
+ my $cb = shift;
+ my $res = $cb->(GET('/'));
+ my $updir = 'href="../">../</a>';
+ is($res->code, 200, '200 with autoindex default');
+ my $ls = $res->content;
+ like($ls, qr/index\.html/, 'got listing with index.html');
+ ok(index($ls, $updir) < 0, 'no updir at /');
+ mkdir("$tmpdir/dir") or die;
+ rename("$tmpdir/index.html", "$tmpdir/dir/index.html") or die;
+
+ $res = $cb->(GET('/dir/'));
+ is($res->code, 200, '200 with autoindex for dir/');
+ $ls = $res->content;
+ ok(index($ls, $updir) > 0, 'updir at /dir/');
+
+ for my $up (qw(/../ .. /dir/.. /dir/../)) {
+ is($cb->(GET($up))->code, 403, "`$up' traversal rejected");
+ }
+
+ $res = $cb->(GET('/dir'));
+ is($res->code, 302, '302 w/o slash');
+ like($res->header('Location'), qr!://[^/]+/dir/\z!,
+ 'redirected w/ slash');
+
+ rename("$tmpdir/dir/index.html", "$tmpdir/dir/foo") or die;
+ link("$tmpdir/dir/foo", "$tmpdir/dir/foo.gz") or die;
+ $res = $cb->(GET('/dir/'));
+ unlike($res->content, qr/>foo\.gz</,
+ '.gz file hidden if mtime matches uncompressed');
+ like($res->content, qr/>foo</, 'uncompressed foo shown');
+
+ $res = $cb->(GET('/dir/foo/bar'));
+ is($res->code, 404, 'using file as dir fails');
+
+ unlink("$tmpdir/dir/foo") or die;
+ $res = $cb->(GET('/dir/'));
+ like($res->content, qr/>foo\.gz</,
+ '.gz shown when no uncompressed version exists');
+
+ open my $fh, '>', "$tmpdir/dir/foo" or die;
+ print $fh "uncompressed\n" or die;
+ close $fh or die;
+ utime(0, 0, "$tmpdir/dir/foo") or die;
+ $res = $cb->(GET('/dir/'));
+ my $html = $res->content;
+ like($html, qr/>foo</, 'uncompressed foo shown');
+ like($html, qr/>foo\.gz</, 'gzipped foo shown on mtime mismatch');
+
+ $res = $cb->(GET('/dir/foo'));
+ is($res->content, "uncompressed\n",
+ 'got uncompressed on mtime mismatch');
+
+ utime(0, 0, "$tmpdir/dir/foo.gz") or die;
+ my $get = GET('/dir/foo');
+ $get->header('Accept-Encoding' => 'gzip');
+ $res = $cb->($get);
+ is($res->content, "hi", 'got compressed on mtime match');
+});
+
+done_testing();