CGI Tutorial

CGI Tutorial
Some host providers only let you run CGI¹ scripts in a certain directory, often named cgi-
bin. In this case all you have to do to run the script is to call it like this:
http://my_server.tld/cgi-bin/my_script.py
The script will have to be made executable by "others". Give it a 755 permission or check
the executable boxes if there is a graphical FTP interface.
Some hosts let you run CGI scripts in any directory. In some of these hosts you don't have to
do anything to configure the directories. In others you will have to add these lines to a file
named .htaccess in the directory you want to run CGI scripts from:
Options +ExecCGI
AddHandler cgi-script .py
If the file does not exist create it. All directories below a directory with a .htaccess file will
inherit the configurations. So if you want to be able to run CGI scripts from all directories
create this file in the document root.
If you are using your own server then probably you won't need to do anything to run a CGI
script at the cgi-bin directory. Just make sure there is a line like the next in httpd.conf and
that it is not commented. The trailing slashs are required.
ScriptAlias /cgi-bin/ "/path/to/cgi-bin/directory/"
If you are using the line above and want html files to be handled correctly in the cgi-bin
directory add the next to httpd.conf. No trailing slash.
<Directory /path/to/cgi-bin/directory>
AddHandler default-handler .html .htm
</Directory>
To run a script saved at the root:

http://my_server.tld/my_script.py
If it was saved in some directory:
http://my_server.tld/some_dir/some_subdir/my_script.py
If your desktop is the server then execute it like this:
http://localhost/cgi-bin/my_script.py
In Windows, sometimes Apache will listen on port 8080. In this case the above address will
be written with the port:
http://localhost:8080/cgi-bin/my_script.py
Make sure all text files you upload to the server are uploaded as text (not binary), specially
if you are in Windows, otherwise you will have problems.
¹ Common Gateway Interface
1. Hello World
This is the classical "Hello World" in python CGI fashion:
#!/usr/bin/env python
print "Content-Type: text/html"
print
print """\
<html>
<body>
<h2>Hello World!</h2>
</body>
</html>
"""
To test your setup save it with the .py extension, upload it to your server as text and make it
executable before trying to run it.
The first line of a python CGI script sets the path where the python interpreter will be found
in the server. Ask your provider what is the correct one. If it is wrong the script will fail.
Some examples:
#!/usr/bin/python
#!/usr/bin/python2.3
#!c:\Python24\python.exe
#!c:\Python25\python.exe
The first 3 lines above are Linux paths and the last 2 are Windows paths.
It is necessary that the script outputs the HTTP header. The HTTP header consists of one or
more messages followed by a blank line. If the output of the script is to be interpreted as
HTML then the content type will be text/html. The blank line signals the end of the header
and is required.
print
Many times the blank line will be written as \n:

print "Content-Type: text/html\n"
If you change the content type to text/plain the browser will not interpret the script's output
as HTML but as pure text and you will only see the HTML source. Try it now to never forget.
A page refresh may be necessary for it to work.
Client versus Server

When programming for the Web you are in a client-server environment. All python code
will be executed at the server only. The client's http agent (e.g. the browser) will never see a
single line of python. In instead it will only get the python script output, be it text, html, css,
javascript etc. So do not make things like trying to open a file in the client's computer as if
the python script were running there. You can only achieve what your python script output
can and the http clients in general have a very restrictive security context.
2. Debugging
To catch syntax error messages run the script in a local shell before uploading to the server.
Header errors are hard to catch unless you have access to the server logs. In case you have,
look for error_log and access_log in Linux and for error.log and access.log in Windows.
For a nice exceptions report there is the cgitb module. It will show a traceback inside a
context. The default output is sent to standard output as HTML:
print
import cgitb; cgitb.enable()
print 1/0
The handler() method can be used to handle only the catched exceptions:
print
import cgitb
try:
f = open('non-existent-file.txt', 'r')
except:
cgitb.handler()
There is also the option for a crude approach making the header "text/plain" and setting the
standard error to standard out:
print "Content-Type: text/plain"
print
import sys
sys.stderr = sys.stdout
Will output this:

Traceback (most recent call last):
File "/var/www/html/teste/cgi-bin/text_error.py", line 6, in ?
IOError: [Errno 2] No such file or directory: 'non-existent-file.txt'
Warning: These techniques expose information that can be used by an attacker. Use it only
while developing/debugging. Once in production disable them.
3. Form
The FieldStorage class of the cgi module has all that is needed to handle submited forms.
import cgi
form = cgi.FieldStorage() # instantiate only once!
It is transparent to the programmer if the data was submited by GET or by POST. The
interface is exactly the same.
• Unique field names
• Multiple field names
• File Upload
• Big File Upload
3.1 Unique field names

Suppose we have this HTML form which submits a field named name to a python CGI script
named process_form.py:
<html><body>
<form method="get" action="process_form.py">
Name: <input type="text" name="name">
<input type="submit" value="Submit">
</form>
</body></html>
This is the process_form.py script:

import cgi
form = cgi.FieldStorage() # instantiate only once!
name = form.getfirst('name', 'empty')
# Avoid script injection escaping the user input

name = cgi.escape(name)
print """\
Content-Type: text/html\n
<html><body>
<p>The submitted name was "%s"</p>
</body></html>
""" % name
The getfirst() method returns the first value of the named field or a default or None if no
field with that name was submited or if it is empty. If there is more than one field with the
same name only the first will be returned.
If the HTML form method is changed from get to post the process_form.py script will be the
same.
If the user inputed data is to be shown in a HTML document then it is necessary to escape it
from HTML tags or else everything inside < > will be interpreted by the HTML parser
including javascript code like
<script type="text/javascript"> malicious code here </script>
The cgi.escape() method will transform the above into safe HTML text:
<script type="text/javascript"> malicious code here </script>
This is useful not only to prevent script injection but also to make it possible to display
HTML source code as has just been done above.
3.2 Multiple field names
If there is more than one field with the same name like in HTML input check boxes then the
method to be used is getlist(). It will return a list containing as many items (the values) as
checked boxes. If no check box was checked the list will be empty.
Sample HTML with check boxes:
<html><body>
<form method="post" action="process_check.py">
Red<input type="checkbox" name="color" value="red">
Green<input type="checkbox" name="color" value="green">
</form>
</body></html>
And the corresponding process_check.py script:

import cgi
form = cgi.FieldStorage()
# getlist() returns a list containing the

# values of the fields with the given name
colors = form.getlist('color')
print "Content-Type: text/html\n"

print '<html><body>'
print 'The colors list:', colors
for color in colors:
print '<p>', cgi.escape(color), '</p>'
print '</body></html>'
3.3 File Upload

The python scripts in this page and in the next one will try to save an uploaded file in a
directory named files in the directory where it is running. If the directory where the script
is running is /path/to/dir then the /path/to/dir/files directory must exist. If it does not it will
fail.
To upload a file the HTML form must have the enctype attribute set to multipart/form-data.
The input tag with the file type will create a "Browse" button.
<html><body>
<form enctype="multipart/form-data" action="save_file.py" method="post">
<p>File: <input type="file" name="file"></p>
<p><input type="submit" value="Upload"></p>
</form>
</body></html>
The getfirst() and getlist() methods will only return the file(s) content. To also get the
filename it is necessary to access a nested FieldStorage instance by its index in the top
FieldStorage instance.
import cgi, os
try: # Windows needs stdio set for binary mode.

import msvcrt
msvcrt.setmode (0, os.O_BINARY) # stdin = 0
msvcrt.setmode (1, os.O_BINARY) # stdout = 1
except ImportError:
pass
# A nested FieldStorage instance holds the file

fileitem = form['file']
# Test if the file was uploaded

if fileitem.filename:
# strip leading path from file name to avoid directory traversal attacks
fn = os.path.basename(fileitem.filename)
open('files/' + fn, 'wb').write(fileitem.file.read())
message = 'The file "' + fn + '" was uploaded successfully'
else:
message = 'No file was uploaded'
print """\
<html><body>
<p>%s</p>
</body></html>
""" % (message,)
A directory traversal attack is one where the attacker submits a file with a leading path like
in ../../attacker_program. This way he can save a program wherever the Apache user has
write permission. Or read a file if the target script reads files.
3.4 Big File Upload

To handle big files without using all the available memory a generator can be used. The
generator will return the file in small chunks:
import cgi, os
try: # Windows needs stdio set for binary mode.

import msvcrt
msvcrt.setmode (0, os.O_BINARY) # stdin = 0
msvcrt.setmode (1, os.O_BINARY) # stdout = 1
except ImportError:
pass
# Generator to buffer file chunks

def fbuffer(f, chunk_size=10000):
while True:
chunk = f.read(chunk_size)
if not chunk: break
yield chunk
# A nested FieldStorage instance holds the file

fileitem = form['file']
# Test if the file was uploaded

if fileitem.filename:
# strip leading path from file name to avoid directory traversal attacks
fn = os.path.basename(fileitem.filename)
f = open('files/' + fn, 'wb', 10000)
# Read the file in chunks

for chunk in fbuffer(fileitem.file):
f.write(chunk)
f.close()
message = 'The file "' + fn + '" was uploaded successfully'
else:
message = 'No file was uploaded'
print """\
<html><body>
<p>%s</p>
</body></html>
""" % (message,)
4. Shell Command
It is possible to execute shell commands through CGI. The subprocess.Popen class is what is
necessary. This module is new in python 2.4. os.popen4 can also be used if a hosting
provider does not offer 2.4.
The script in this page is for educational purposes only. Read the warning. If you need a CGI
Shell use the one on the next page.
This handy getshellcmd.py script gets anything in its query string and execute it as a shell
command. It works for Unix with a bash shell only.
# The subprocess module is new in 2.4

import os, urllib, subprocess as sub
# Retrieve the command from the query string

# and unencode the escaped %xx chars
str_command = urllib.unquote(os.environ['QUERY_STRING'])
p = sub.Popen(['/bin/bash', '-c', str_command],

stdout=sub.PIPE, stderr=sub.STDOUT)
output = urllib.unquote(p.stdout.read())
print """\
<html><body>
<pre>
$ %s
%s
</pre>
</body></html>
""" % (str_command, output)
Say you want to install Django in your site. Without this script you would have to download
it to your local host, decompress it, and upload the uncompressed files by FTP.
With CGI you download it using curl or wget directly to a directory in your site's hierarchy
like a tmp directory:
http://my_site.tld/getshellcmd.py?curl -o tmp/Django-0.95.tar.gz
http://media.djangoproject.com/releases/0.95/Django-0.95.tar.gz
The above is one only line. And the output in the browser:
$ curl -o tmp/Django-0.95.tar.gz http://media.djangoproject.com/releases/0.95/Django-0.95.tar.gz
% Total % Received % Xferd Average Speed Time Curr.
Dload Upload Total Current Left Speed
0 1257k 0 2479 0 0 7042 0 0:03:02 0:00:00 0:03:02 7042

4 1257k 4 62727 0 0 98k 0 0:00:12 0:00:00 0:00:12 217k
32 1257k 32 404k 0 0 241k 0 0:00:05 0:00:01 0:00:03 303k
49 1257k 49 623k 0 0 235k 0 0:00:05 0:00:02 0:00:02 270k
78 1257k 78 983k 0 0 271k 0 0:00:04 0:00:03 0:00:01 299k
100 1257k 100 1257k 0 0 309k 0 0:00:04 0:00:04 0:00:00 338k
Four seconds to download 1,257k in my host provider. Now to untar it issue the tar
command as the query string:
http://my_site.tld/getshellcmd.py?tar -xzvf tmp/Django-0.95.tar.gz
Depending on the host absolute directory paths should be declared.
Warning: If you ever use this sample code save it with another name and chmod it to 600
immediately after its use. Otherwise any one in the whole world will be able to execute
whatever he wants in your host.
4.1 Safer CGI Shell

This is a CGI Shell for Unix servers with a bash shell. It has authentication and state
management. It needs the session module. The latest version can be downloaded from the
project's site. Get help in this topic.
import sys, os
sys.path.append(os.path.dirname(os.environ['SCRIPT_FILENAME']))
import session, time, cgi, urllib, subprocess as sub
def login(form, sess):

# You absolutely need to change these !!!
passwords = {'me':'mine', 'friend':'his'}
username = form.getfirst('username', '')
password = form.getfirst('password', '')
if username and passwords.get(username) == password:
sess.set_expires(365 * 24 * 60 * 60)
sess.data['logged'] = True
sess.data['logged_until'] = time.time() + 10 * 60
sess.data['empty_cmd'] = False
return True
if not username or not password:
message = 'Enter user name and password to log into CGI Shell'
elif username not in passwords or passwords.get(username) != password:
message = 'Wrong username or password'
onload = """var el = document.getElementById('un'); el.focus();
el.select()"""
header(sess, onload)
print """\
<div style="border:3px solid gray;width:350px;height:130px;
margin:auto;padding:20px;" class="shell">
<p>%s</p>
<form method="post" action="./cgi-shell.py">
<p>Username: <input type="text" name="username" id="un" value="%s"
class="shell" style="border:1px lime solid;padding:2px 4px;" /></p>
<p>Password: <input type="password" name="password"
class="shell" style="border:1px lime solid;padding:2px 4px;" /></p>
<p style="text-align:center;"><input type="submit" value="Login"
class="button" /></p>
</form>
</div>
""" % (message, username)
return False
def end(sess):
print '</body>\n</html>'
sess.close()
sys.exit(0)
def shell(form, sess):

sess.data['logged_until'] = time.time() + 10 * 60
sess.data.setdefault('output', [])
cmd = form.getfirst('cmd', '')
cur_dir = sess.data.setdefault('pwd', os.environ['DOCUMENT_ROOT'])
if cmd or cmd == '' and sess.data['empty_cmd']:
sess.data['cmd'] = cmd
cmd = urllib.unquote(cmd)
p = sub.Popen(['/bin/bash', '-c', cmd + '\necho $PWD'],
stdout=sub.PIPE, stderr=sub.STDOUT, cwd=cur_dir)
prompt = '[@' + os.environ['SERVER_NAME'] + ' '
prompt += os.path.basename(cur_dir) + ']$ '
output = [prompt + cmd + '\n'] + p.stdout.readlines()
sess.data['pwd'] = (output[-1:])[0].rstrip()
sess.data['output'] = (sess.data['output'] + output)[-501:-1]
else:
cmd = urllib.unquote(sess.data.setdefault('cmd', ''))
sess.data['empty_cmd'] = True
cur_dir = sess.data['pwd']
output = cgi.escape(''.join(sess.data['output']).rstrip(), True)
onload = """window.location.href = '#last';
var el = document.getElementById('cmd');el.focus();el.select();"""
prompt = '[@' + os.environ['SERVER_NAME'] + ' '
prompt += os.path.basename(cur_dir) + ']$ '
header(sess, onload)
print """\
<div style="width:98%%;margin:0;">
<pre style="border-bottom:0;margin:0;padding:6px;width:100%%;
overflow:auto;height:430px;border:3px solid gray;border-bottom:0;"
class="shell" id="output">%s<span id="last"></span></pre>
<form method="post" action="#last">
<p style="margin:0;padding:6px 6px 8px;width:100%%;border:3px solid gray;
border-top:0;" class="shell">%s
<input type="text" name="cmd" value="%s" class="shell" id="cmd"
style="width:55%%;border:1px lime solid;padding:2px 4px;" />
<input type="submit" value="Submit" name="submit" class="button" />
<input type="submit" value="Logout" name="submit" class="button" /></p>
</form>
</div>
""" % (output, prompt, cgi.escape(cmd, True))
end(sess)
def header(sess, onload=''):

print """\
%s
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>\n<head><title>CGI Shell</title>
<style type="text/css">
.shell {font-size:12px;font-family:monospace;background-color:black;color:lime;}
</style>\n</head>
<body onload="%s" style="background-color:lightgray;font-family:monospace;">
<h2 style="text-align:center;margin:8px auto">CGI Shell</h2>
""" % (sess.cookie, onload)
def main():
sess = session.Session()
if form.getfirst('submit') == 'Logout' or \
sess.data.get('logged_until', 0) < time.time():
sess.data['logged'] = False
if not sess.data.get('logged') and not login(form, sess):
end(sess)
shell(form, sess)
main()
5. Cookies
HTTP is said to be a stateless protocol. What this means for web programmers is that every
time a user loads a page it is the first time for the server. The server can't say whether this
user has ever visited that site, if is he in the middle of a buying transaction, if he has
already authenticated, etc.
A cookie is a tag that can be placed on the user's computer. Whenever the user loads a page
from a site the site's script can send him a cookie. The cookie can contain anything the site
needs to identify that user. Then within the next request the user does for a new page there
goes back the cookie with all the pertinent information to be read by the script.
• Set the Cookie
• Retrieve the Cookie
• Morsels
5.1 Set the Cookie

There are two basic cookie operations. The first is to set the cookie as an HTTP header to be
sent to the client. The second is to read the cookie returned from the client also as an HTTP
header.
This script will do the first one placing a cookie on the client's browser:
import time
# This is the message that contains the cookie

# and will be sent in the HTTP header to the client
print 'Set-Cookie: lastvisit=' + str(time.time());
# To save one line of code

# we replaced the print command with a '\n'
print 'Content-Type: text/html\n'
# End of HTTP header
print 'Server time is', time.asctime(time.localtime())
The Set-Cookie header contains the cookie. Save and run this code from your browser and
take a look at the cookie saved there. Search for the cookie name, lastvisit, or for the
domain name, or the server IP like 10.1.1.1 or 127.0.0.1.
The Cookie Object

The Cookie module can save us a lot of coding and errors and the next pages will use it in
all cookie operations.
import time, Cookie
# Instantiate a SimpleCookie object

cookie = Cookie.SimpleCookie()
# The SimpleCookie instance is a mapping

cookie['lastvisit'] = str(time.time())
# Output the HTTP message containing the cookie

print cookie
print 'Server time is', time.asctime(time.localtime())
It does not seem as much for this extremely simple code, but wait until it gets complex and
the Cookie module will be your friend.
5.2 Retrieve the Cookie

The returned cookie will be available as a string in the os.environ dictionary with the key
'HTTP_COOKIE':
cookie_string = os.environ.get('HTTP_COOKIE')
The load() method of the SimpleCookie object will parse that string rebuilding the object's
mapping:
cookie.load(cookie_string)
Complete code:
import Cookie, os, time
print cookie
print '<p>Server time is', time.asctime(time.localtime()), '</p>'
# The returned cookie is available in the os.environ dictionary

cookie_string = os.environ.get('HTTP_COOKIE')
# The first time the page is run there will be no cookies

if not cookie_string:
print '<p>First visit or cookies disabled</p>'
else: # Run the page twice to retrieve the cookie
print '<p>The returned cookie string was "' + cookie_string + '"</p>'
# load() parses the cookie string

cookie.load(cookie_string)
# Use the value attribute of the cookie to get it
lastvisit = float(cookie['lastvisit'].value)
print '<p>Your last visit was at',

print time.asctime(time.localtime(lastvisit)), '</p>'
When the client first loads the page there will be no cookie in the client's computer to be
returned. The second time the page is requested then the cookie saved in the last run will
be sent to the server.
5.3 Morsels
In the previous cookie retrieve program the lastvisit cookie value was retrieved through its
value attribute:
lastvisit = float(cookie['lastvisit'].value)
When a new key is set for a SimpleCookie object a Morsel instance is created:
>>> import Cookie
>>> import time
>>>
>>> cookie = Cookie.SimpleCookie()
>>> cookie
<SimpleCookie: >
>>>
>>> cookie['lastvisit'] = str(time.time())
>>> cookie['lastvisit']
<Morsel: lastvisit='1159535133.33'>
>>>
>>> cookie['lastvisit'].value
'1159535133.33'
Each cookie, a Morsel instance, can only have a predefined set of keys: expires, path,
commnent, domain, max-age, secure and version. Any other key will raise an exception.
import Cookie, time
# name/value pair
# expires in x seconds after the cookie is output.

# the default is to expire when the browser is closed
cookie['lastvisit']['expires'] = 30 * 24 * 60 * 60
# path in which the cookie is valid.

# if set to '/' it will valid in the whole domain.
# the default is the script's path.
cookie['lastvisit']['path'] = '/cgi-bin/'
# the purpose of the cookie to be inspected by the user

cookie['lastvisit']['comment'] = 'holds the last user\'s visit date'
# domain in which the cookie is valid. always stars with a dot.

# to make it available in all subdomains
# specify only the domain like .my_site.com
cookie['lastvisit']['domain'] = '.www.my_site.com'
# discard in x seconds after the cookie is output

# not supported in most browsers
cookie['lastvisit']['max-age'] = 30 * 24 * 60 * 60
# secure has no value. If set directs the user agent to use

# only (unspecified) secure means to contact the origin
# server whenever it sends back this cookie
cookie['lastvisit']['secure'] = ''
# a decimal integer, identifies to which version of

# the state management specification the cookie conforms.
cookie['lastvisit']['version'] = 1
print '<p>', cookie, '</p>'

for morsel in cookie:
print '<p>', morsel, '=', cookie[morsel].value
print '<div style="margin:-1em auto auto 3em;">'
for key in cookie[morsel]:
print key, '=', cookie[morsel][key], '<br />'
print '</div></p>'
6. Session
Sessions are the server side version of cookies. While a cookie persists data (or state) at the
client, sessions do it at the server. Sessions have the advantage that the data do not travel
the network thus making it both safer and faster although this not entirely true as shown in
the next paragraph
The session state is kept in a file or in a database at the server side. Each session is
identified by an id or session id (SID). To make it possible to the client to identify himself to
the server the SID must be created by the server and sent to the client and then sent back to
the server whenever the client makes a request. There is still data going through the net,
the SID.
The server can send the SID to the client in a link's query string or in a hidden form field or
as a Set-Cookie header. The SID can be sent back from the client to the server as a query
string parameter or in the body of the HTTP message if the post method is used or in a
Cookie HTTP header.
If a cookie is not used to store the SID then the session will only last until the browser is
closed, or the user goes to another site breaking the POST or query string transmission, or
in other words, the session will last only until the user leaves the site.
• Cookie Based SID
• Query String SID
• Hidden Field SID
• The shelve module
• Cookie and Shelve
• A Session Class
6.1 Cookie Based SID
A cookie based session has the advantage that it lasts until the cookie expires and, as only
the SID travels the net, it is faster and safer. The disadvantage is that the client must have
cookies enabled.
The only particularity with the cookie used to set a session is its value:
# The sid will be a hash of the server time
sid = sha.new(repr(time.time())).hexdigest()
The hash of the server time makes an unique SID for each session.
import sha, time, Cookie, os
string_cookie = os.environ.get('HTTP_COOKIE')
# If new session
if not string_cookie:
# Set the sid in the cookie
cookie['sid'] = sid
# Will expire in a year
cookie['sid']['expires'] = 12 * 30 * 24 * 60 * 60
# If already existent session
else:
cookie.load(string_cookie)
sid = cookie['sid'].value
print cookie
if string_cookie:
print '<p>Already existent session</p>'
else:
print '<p>New session</p>'
print '<p>SID =', sid, '</p>'

In every page the existence of the cookie must be tested. If it does not exist then redirect to
a login page or just create it if a login or a previous state is not required.
6.2 Query String SID

Query string based session:
import sha, time, cgi, os
sid = cgi.FieldStorage().getfirst('sid')
if sid: # If session exists

message = 'Already existent session'
else: # New session
message = 'New session'
qs = 'sid=' + sid
print """\
<html><body>
<p>%s</p>
<p>SID = %s</p>
<p><a href="./set_sid_qs.py?sid=%s">reload</a></p>
</body></html>
""" % (message, sid, sid)
To mantain a session you will have to append the query string to all the links in the page.
Save this file as set_sid_qs.py and run it two or more times. Try to close the browser and
call the page again. The session is gone. The same happens if the page address is typed in
the address bar.
6.3 Hidden Field SID

The hidden form field SID is almost the same as the query string based one, sharing the
same problems.
import sha, time, cgi, os
sid = cgi.FieldStorage().getfirst('sid')
if sid: # If session exists

message = 'Already existent session'
else: # New session
qs = 'sid=' + sid
print """\
<html><body>
<p>%s</p>
<p>SID = %s</p>
<form method="post">
<input type="hidden" name=sid value="%s">
</form>
</body></html>
""" % (message, sid, sid)
6.4 The shelve module

Having a SID is not enough. It is necessary to save the session state in a file or in a database.
To save it into a file the shelve module is used. The shelve module opens a file and returns a
dictionary like object which is readable and writable as a dictionary.
# The shelve module will persist the session data
# and expose it as a dictionary
session = shelve.open('/tmp/.session/sess_' + sid, writeback=True)
The SID is part of file name making it a unique file. The apache user must have read and
write permission on the file's directory. 660 would be ok.
The values of the dictionary can be any Python object. The keys must be immutable objects.
# Save the current time in the session
session['lastvisit'] = repr(time.time())
# Retrieve last visit time from the session

lastvisit = session.get('lastvisit')
The dictionary like object must be closed as any other file should be:
session.close()
6.5 Cookie and Shelve

A sample of how to make cookies and shelve work together keeping session state at the
server side:
import sha, time, Cookie, os, shelve
string_cookie = os.environ.get('HTTP_COOKIE')
if not string_cookie:
cookie['sid'] = sid
else:
cookie.load(string_cookie)
sid = cookie['sid'].value
cookie['sid']['expires'] = 12 * 30 * 24 * 60 * 60
# The shelve module will persist the session data

# and expose it as a dictionary
session_dir = os.environ['DOCUMENT_ROOT'] + '/tmp/.session'
session = shelve.open(session_dir + '/sess_' + sid, writeback=True)
# Retrieve last visit time from the session

lastvisit = session.get('lastvisit')
if lastvisit:
message = 'Welcome back. Your last visit was at ' + \
time.asctime(time.gmtime(float(lastvisit)))
session['lastvisit'] = repr(time.time())
print """\
%s
<html><body>
<p>%s</p>
<p>SID = %s</p>
</body></html>
""" % (cookie, message, sid)
It first checks if there is a cookie already set. If not it creates a SID and attributes it to the
cookie value. An expiration time of one year is established.
The lastvisit data is what is maintained in the session.
6.6 A Session Class

Since session state maintenance happens in many pages a session class is in order.
Save the next program as session.py and import it in all pages in which session state is
required. The session object will try to create a directory named session in the document
root if it doesn't exist. If it can't you will have to create it yourself and chmod it to 2770.
import sha, shelve, time, Cookie, os
class Session(object):
def __init__(self, expires=None, cookie_path=None):

string_cookie = os.environ.get('HTTP_COOKIE', '')
self.cookie = Cookie.SimpleCookie()
self.cookie.load(string_cookie)
if self.cookie.get('sid'):
sid = self.cookie['sid'].value
# Clear session cookie from other cookies
self.cookie.clear()
else:
self.cookie.clear()
self.cookie['sid'] = sid
if cookie_path:
self.cookie['sid']['path'] = cookie_path
session_dir = os.environ['DOCUMENT_ROOT'] + '/session'

if not os.path.exists(session_dir):
try:
os.mkdir(session_dir, 02770)
# If the apache user can't create it create it manualy
except OSError, e:
errmsg = """%s when trying to create the session directory. \
Create it as '%s'""" % (e.strerror, os.path.abspath(session_dir))
raise OSError, errmsg
self.data = shelve.open(session_dir + '/sess_' + sid, writeback=True)
os.chmod(session_dir + '/sess_' + sid, 0660)
# Initializes the expires data

if not self.data.get('cookie'):
self.data['cookie'] = {'expires':''}
self.set_expires(expires)
def close(self):
self.data.close()
def set_expires(self, expires=None):

if expires == '':
self.data['cookie']['expires'] = ''
elif isinstance(expires, int):
self.data['cookie']['expires'] = expires
self.cookie['sid']['expires'] = self.data['cookie']['expires']
An example of the session class usage:
# Some hosts will need to have document_root appended

# to sys.path to be able to find user modules
import sys, os
sys.path.append(os.environ['DOCUMENT_ROOT'])
import session, time
sess = session.Session(expires=365*24*60*60, cookie_path='/')

# expires can be reset at any moment:
sess.set_expires('')
# or changed:
sess.set_expires(30*24*60*60)
# Session data is a dictionary like object

lastvisit = sess.data.get('lastvisit')
if lastvisit:
message = 'Welcome back. Your last visit was at ' + \
time.asctime(time.gmtime(float(lastvisit)))
else:

sess.data['lastvisit'] = repr(time.time())
print """\
%s
Content-Type: text/plain\n
sess.cookie = %s
sess.data = %s
%s
""" % (sess.cookie, sess.cookie, sess.data, message)
sess.close()

CGI Tutorial

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CGI Tutorial

Uploaded by

Copyright:

Available Formats

CGI Tutorial

To run a script saved at the root:

Many times the blank line will be written as \n:

Client versus Server

Will output this:

3.1 Unique field names

This is the process_form.py script:

# Avoid script injection escaping the user input

And the corresponding process_check.py script:

# getlist() returns a list containing the

print "Content-Type: text/html\n"

3.3 File Upload

try: # Windows needs stdio set for binary mode.

# A nested FieldStorage instance holds the file

# Test if the file was uploaded

3.4 Big File Upload

try: # Windows needs stdio set for binary mode.

# Generator to buffer file chunks

# A nested FieldStorage instance holds the file

# Test if the file was uploaded

# Read the file in chunks

# The subprocess module is new in 2.4

# Retrieve the command from the query string

p = sub.Popen(['/bin/bash', '-c', str_command],

0 1257k 0 2479 0 0 7042 0 0:03:02 0:00:00 0:03:02 7042

4.1 Safer CGI Shell

def login(form, sess):

def shell(form, sess):

def header(sess, onload=''):

5.1 Set the Cookie

# This is the message that contains the cookie

# To save one line of code

The Cookie Object

# Instantiate a SimpleCookie object

# The SimpleCookie instance is a mapping

# Output the HTTP message containing the cookie

5.2 Retrieve the Cookie

# The returned cookie is available in the os.environ dictionary

# The first time the page is run there will be no cookies

# load() parses the cookie string

print '<p>Your last visit was at',

# expires in x seconds after the cookie is output.

# path in which the cookie is valid.

# the purpose of the cookie to be inspected by the user

# domain in which the cookie is valid. always stars with a dot.

# discard in x seconds after the cookie is output

# secure has no value. If set directs the user agent to use

# a decimal integer, identifies to which version of

print 'Content-Type: text/html\n'

print '<p>', cookie, '</p>'

import sha, time, Cookie, os

print '<p>SID =', sid, '</p>'

6.2 Query String SID

import sha, time, cgi, os

if sid: # If session exists

6.3 Hidden Field SID

import sha, time, cgi, os

if sid: # If session exists

6.4 The shelve module

# Retrieve last visit time from the session

6.5 Cookie and Shelve

# The shelve module will persist the session data

# Retrieve last visit time from the session

6.6 A Session Class

def init(self, expires=None, cookie_path=None):

sess = session.Session(expires=3652460*60, cookie_path='/')