Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

POST body value will become variable name if -form #114

Open
sgohl opened this issue Dec 2, 2024 · 1 comment
Open

POST body value will become variable name if -form #114

sgohl opened this issue Dec 2, 2024 · 1 comment

Comments

@sgohl
Copy link

sgohl commented Dec 2, 2024
edited
Loading

I use both -cgi and -form as a receiver for a bitbucket webhook (i can't control the format of the payload) and I'm hardwired to both options - I know with -cgi only, the payload would come as stdin, but i really need both (file uploads, etc)

To reproduce, try the example from #79

Run shell2http container:

docker run -it --rm -p 80:80 msoap/shell2http -port 80 -no-index -show-errors -export-all-vars -form -cgi -include-stderr -500 / 'env | grep ^v'

Send payload:

curl -X POST -d '{"id":123}' localhost/
v_{"id":123}=

as you see, the json payload is not the value of the variable as expected, but the variable name itself.
This could be prevented by modifying the post payload to a named one, like -d 'test={"id":123}'
but for payloads you can not control, you can't address the payload

To fix that, the payload should also not be transformed into a variable with a not fixed name depending on the content of the payload, rather than a fixed variable name for the actual raw body payload.

Perhaps there's a way to fix this while not making this a breaking change by checking if the resulting variable name would be $v_ ?

so instead of this

v_{"id":123}=

it should look like this.

v_={"id":123}
@msoap
Copy link
Owner

msoap commented Dec 30, 2024

Hi @sgohl,

there is conflict between -form and -cgi options, let me tell how they work:

  • -form - added parsing form data from url or from POST-data, this data looks like aaa=12&bbb=34. And using typically with headers Content-Type: application/x-www-form-urlencoded or multipart/form-data. And transfers uploaded data to the stdin as well.
  • -cgi - makes it work similar to cgi script, and make only three things:
    • parse http-headers from shell stdout and process it, like make redirection or change status code
    • setup environment variables with HTTP_* from request headers, and QUERY_STRING and another variables based on http-request
    • transfers all POST/PUT data to the stdin of shell script

And because POST data (-d '{"id":123}') already parsed by -form, nothing is sent to stdin anymore. And it parsed just by splitting by & and = in Go http stdlib.

So, looks like you need only -cgi option, for uploading and reading POST data from stdin?
Or do you need to parse parameters from url and get POST data in the same time?

A little later i will think about this problem, add a description of the conflict to the documentation and perhaps add a warning when using two options at the same time, or even prohibit their simultaneous use

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@msoap @sgohl