Common Gateway Interface

CGI (acronym for Common Gateway Interface), in Portuguese , Interface Comum de Porta de entrada.

Interface: element that provides a physical or logical link between two systems or parts of a system that could not be connected directly.

Overview

Generally, the server HTTP has a directory (folder), which is designated as a collection of documents(files), which can be sent to web browsers connected to this server. For example, if the Web server has the domain name exemplo.com , and its collection of documents is stored in /usr/local/apache/htdocs on the local file system, then the web server will respond to a request from http://exemplo.com/index.html sending the file to the browser /usr/local/apache/htdocs/index.html.

CGI extends this system, allowing the web server owner to designate a directory within the document collection containing executable scripts (or binary files) instead of pre-written pages, this is known as a directory CGI. For example, /usr/local/apache/htdocs/cgi-bin could be designated as a directory CGI on the web server. If a web browser asks URL that points to a file inside the directory CGI (for example, http://exemplo.com/cgi-bin/printenv.pl), instead of simply uploading the file ( /usr/local/apache/htdocs/cgi-bin/printenv.pl) for the web browser, the server HTTP runs the specified script and passes the script output to the web browser. That is, anything that the script sends the default output is passed to the Web client instead of being shown on the screen in a terminal window.

General structure of CGI scripts:

• Reading and decoding data (and/or information fields of a bundle HTTP);

• Data processing (storing information in databases,
  perform calculations, recover data);

• Creation of a web page with the results produced.

Application examples of CGI’s

• Processing of data submitted through forms;

• Interface with databases, converting the
  transaction of HTML for SQL and format in HTML the answers obtained,
  sending the results to the customer;

• Convert system data to HTML and return the result to the
  client;

• Creation of customized documents;

• Manage access counters;

• Map processing.

Transmission methods

The protocol HTTP, uses various methods of data manipulation and organization. The two most commonly used methods for submitting data forms are the GET and the POST. Both methods transfer data from the browser to the server, the biggest difference between them is the way information is passed to the program CGI:

GET

CGI called through the GET method

The browser adds a "?" to the URL specified in the attribute ACTION, and the coded values;

http://exemplo.com/cgi-bin/registra.pl?login=guest 

The server when receiving one URL with a query-string, calls the program cgi identified in the first part of the URL (before the '?') and save the part after the '?' in the environment variable QUERY_STRING (to string of consultations contained in URL after the '?') . Suppose the user typed "guest" in the login field, when the button Submit is clicked, the browser sends, to the server, a request of type:

GET /cgi-bin/registra.pl?login='guest' HTTP/1.0 
Accept: www/source
Accept: text/html
Accept: image.gif
User-Agent: Lynx/2.4 libwww/2.14
From: [email protected] 

The request GET identifies the document to be sent (cgi-bin/registra.pl). As long as the server is configured to recognize all files in the directory cgi-bin as being a program cgi, runs the program instead of sending the document directly to the browser, and puts the string login='guest' in the environment variable QUERY_STRING.

Source

CGI program capable of managing this information

#! /usr/local/bin/tclsh
/* Diz ao servidor para correr o interpretador tcl localizado no directório /usr/local/bin/ para executar o programa cgi/*

puts "Content-type: text/plain", "\n\n"
set query_string $ENV{'QUERY_STRING'}
set par [split $query_string = ] 
set field_name [lindex $par 0]
set command [lindex $par 1] 
if {$command == "guest"} {
puts "usr/local/bin/guest"
} elsif {$command == "mgi"} {
puts "usr/ucb/mgi"
} else {
puts "usr/local/bin/outro";
}
exit(0);

(Environment Variables in CGI Scripts)

POST

If using the Post method, the request sent to the server would be of the type:

POST /cgi-bin /registra.pl HTTP/1.0
.
. (informação do cabeçalho)
.
Content-length: 11
login=guest

CGI program capable of managing this information

#! /usr/local/bin/tclsh
set size_of_form_information $env(CONTENT_LENGTH)
set form_info [read stdin $size_of_form_information]
set par [split $form_info = ]
set field_name [lindex $par 0]
set command [lindex $par 1]

puts "Content-type: text/plain", "\n\n"
if {$command == "guest"} {
puts "usr/local/bin/guest"
} elsif {$command == "mgi"} {
puts "usr/ucb/mgi"
} else {
puts "usr/local/bin/outro";
}
exit(0);

The programmer of CGI’s cannot control by which method the program will be called. Thus scripts are usually written to support both methods.

#! /usr/local/bin/tclsh
set request_method $env(REQUEST_METHOD)
if {$request_method =="GET"}{
et form_info $env(QUERY_STRING)
} else {
set size_of_form_information $env(CONTENT_LENGTH)
set form_info [read stdin $size_of_form_information]
}

The data entered in a form is part of the body of the message sent to the server.

While the method GET passes the information through environment variables , the POST sends the data to the program CGI through standard input (standard input,stdio. h), as a length string specified in the environment variable CONTENT_LENGTH;

Make 2 connections to the server, one to contact the server and the other to send the parameters. In other words, if the server receives a request from a form using the POST, he knows he has to keep "waiting" for the rest of the information.

Advantages/Disadvantages

The advantage of GET is that allows access to the program CGI with a query without using a form, we are basically passing parameters to a program. Example: <A HREF="/cgi-bin/program.pl?user=Larry%20Bird&age=35&pass=testing"> Programa CGI </A>

The biggest disadvantage of GET is the lack of security and the fact that there has to be some care so that the browser or the server does not truncate the information exceeding the number of characters allowed.

The biggest advantage of the method POST is the size of the query can be unlimited. To get information through the method POST, the program CGI read from the standard input, for this reason it is not possible to access the CGI without using a form.

History

Taking into account the speed with which innovations happen, CGI can be considered old, taking into account the creation of the computer can be said to be in middle age.

In 1993, the National Center for Supercomputing Applications (NCSA) team wrote a specification to call command line executables in the www-talk mailing list. However, NCSA does not host the specification.

Other developers have adopted the specification, and it has been a standard for web servers ever since. A group chaired by Ken Coar started in November 1997 a work to obtain the NCSA definition of CGI more formally defined. This work resulted in RFC3875 , which specifies the version CGI 1.1. Specifically mentioned in RFC are the taxpayers who follow:

Rob Mccool (author of NCSA Httpd Web Server ) John Franks (author of Web Server GN) Ari Luotonen (the developer of CERN httpd web server) Tony Sanders (author of Plexus Web server) George Phillips (Web server maintainer at the University of British Columbia ).

Alternatively you may consider:

• Fastcgi

• PSGI(Perl Web Server Gateway Interface)

• Rack (web server interface)

• WSGI(Web Server Gateway Interface)

Simple example of a CGI script

<!DOCTYPE html>
<html>
 <body>
  <form action="add.cgi" method="POST">
   Coloque os dois números:<br />
   Primeiro número: <input type="text" name="num1" /><br />
   Segundo número: <input type="text" name="num2" /><br />
   <input type="submit" value="Enviar" />
  </form>
 </body>
</html>

Add.cgi file

#!/usr/bin/python

import cgi
import cgitb
cgitb.enable()

input_data=cgi.FieldStorage()

print 'Content-Type:text/html' #Envia o tipo HTML
print                          #deixa uma linha vazia entre o head e body
print '<h1>Resutados</h1>'
try:
  num1=int(input_data["num1"].value)
  num2=int(input_data["num2"].value)
except:
  print '<p>Desculpe não podemos converter os campos em números (integers).</p>'
  return 1
sum=num1+num2
print '<p>{0} + {1} = {2}</p>'.format(num1, num2, sum)

Sources: CGI/CGI complete

What is the CGI(common gateway interface) and what it does?

CGI(Common Gateway Interface) is a technology that allows generating dynamic pages with interaction between scripts HTTP servers with Gateway Scripts and Programs through parameters. Therefore CGI scripts are the small programs that interpret these parameters and generate a page after processing them.

But the use of CGI is not very safe, bearing in mind that it is necessary to take some security precautions. Just below will be discussed on what safety precautions to take based on some rules of the programs CGI after the explanation of how the CGI works.

How it works?

Example:

• CLIENT(Browser) requests a URL from the SERVER
• The requested URL refers to a CGI, so the SERVER executes the CGI
• CGI works by interacting with other system applications, retrieves data from these applications and returns the result to the SERVER
• The SERVER sends the data to the CLIENT, which formats the result and presents to the user

Why use CGI?

With the CGI, your server can access information that is not readable to the client (e.g. SQL database), and acts as a gateway between both to produce something the client can use. Gateways can be used for a variety of purposes, the most common are ISINDEX manipulation and HTTP form request.

Examples of the use of CGI:

• Convert system manual pages to HTML and send the HTML result to the client.
• Interface with WAIS and Archie database, converting the results to HTML and sending the result to the client.
• Allow the user to feed his server through an HTML form and a decoder accompanying the CGI.

You may be writing these CGI’s through gateways that can be written in any bindings that allow it to run on the system, such as:

• C/C++
• Fortran
• Perl
• TCL
• Unix Shell
• Visual Basic
• Apple Script

What are the main rules of the CGI programmes?

CGI programs, or scripts, are executable programs that can be run by itself (which is not a safe way). So there are some safety precautions that need to be implemented when using CGI programs.

The main rules are:

• The CGI script has to be in a server-determined place for the CGI scripts or it has to have a special suffix, which the server is configured to recognize as a legal CGI script.

Most systems store CGI scripts in a root directory of the HTTP server, called cgi-bin, which is configured in such a way that only certain trusted users can write to it. This avoids obvious security issues, which arise by allowing remote anonymous users to run anything on the system.
Example: /usr/local/apache/htdocs/cgi-bin

• The script can collect its parameters, from the standard input (via keyboard), from environment variables or both.

• The script should give as output, one of the three standard header types, as a normal text string. Being the three types:

  • CONTEXT_TYPE: Content type refers to any type of MIME data that is accepted by the server.
    Common types include text/html, text/simple and data/gif.
    Since the browser/server cannot deduce this type of file from a file name location or suffix, this title will inform the browser what type of data to expect and how to use it.

    Format: type/type

  • LOCATION: Points to a document somewhere else on the server.
    Allows you to redirect requests to documents, based on some criteria submitted by a form or environment variable.

  • STATUS: It can be used to run a script, without sending a new page to the client. It can also be used to send an error message or other information to the customer.

• The script must be executable by the user the server has configured. (There is a special user called "NOBODY" which is the default user for most Web servers. You should make sure that the user "NOBODY" or the user your server is set to work for is allowed to run your scripts and read/write any files that the script can use).

More details of Security in CGI Scripts

How to get server information?

Each time a user requests the URL corresponding to their program CGI, the server will run it in real time. A misconception about CGI is that you can send optional command lines and arguments to your program, such as:

command% myprog -qa blorf

CGI uses the command line for other purposes. Gateway uses environment variables to send its parameters to the program.

Example of server environment variables DCC:

#!/bin/sh

# disable filename globbing
set -f

echo "Content-type: text/plain; charset=iso-8859-1"
echo

echo CGI/1.0 test script report:
echo

echo argc is $#. argv is "$*".
echo

echo SERVER_SOFTWARE = $SERVER_SOFTWARE
echo SERVER_NAME = $SERVER_NAME
echo GATEWAY_INTERFACE = $GATEWAY_INTERFACE
echo SERVER_PROTOCOL = $SERVER_PROTOCOL
echo SERVER_PORT = $SERVER_PORT
echo REQUEST_METHOD = $REQUEST_METHOD
echo HTTP_ACCEPT = "$HTTP_ACCEPT"
echo PATH_INFO = "$PATH_INFO"
echo PATH_TRANSLATED = "$PATH_TRANSLATED"
echo SCRIPT_NAME = "$SCRIPT_NAME"
echo QUERY_STRING = "$QUERY_STRING"
echo REMOTE_HOST = $REMOTE_HOST
echo REMOTE_ADDR = $REMOTE_ADDR
echo REMOTE_USER = $REMOTE_USER
echo AUTH_TYPE = $AUTH_TYPE
echo CONTENT_TYPE = $CONTENT_TYPE
echo CONTENT_LENGTH = $CONTENT_LENGTH

How to send documents to the user?

Programs CGI can return a large number of document types. They can return an image to the user, an HTML document, or perhaps an audio clip. They may also refer to other documents.

The client needs to know what kind of document he will receive, so that he can present it properly. Soon the program CGI should inform the server what kind of document is being sent.

In order to communicate to the server the type of document that is returning, if it is a full document or a reference to another, CGI requires a small header in the output. This header is a text ASCII, consisting of separate lines or by linefeeds or by Carriage Returns (or both) followed by a blank line.

Example:

• A full document with the corresponding mime type.

Sending an HTML document to the client.

Content-type: text/html

<html>
<head>
    <title>saída HTML de um script CGI</title>
</head>
<body>
    <h1>Saída de exemplo</h1>
    O que você acha <strong>disso?</strong>
</body>
</html>

One reference to another document.

Content-type: text/html
Location: gopher://httprules.foobar.org/0

<html>
<head>
    <title>Desculpe...moveu-se</title>
</head>
<body>
    <h1>Ir para vez do Gopher</h1>
    Agora disponível em
    <a href="gopher://httprules.foobar.org/0">uma nova localização</a> no nosso servidor do Gopher.
</body>
</html>

How to build a form?

A form can be created within an html page using the FORM tag. A page may contain multiple forms, but forms may not be contained in each other.

<form method="Método GET ou POST" action="A URL">...</form>

Where the ACTION is the URL of the server that will receive the form data (that is, the address of the CGI program responsible for data processing) and METHOD is the way the data will be passed to the CGI program.

A form may contain several components, such as inputs, check boxes and radio.

How to get form data?

There are two methods that can be used to access the forms, GET and POST. Depending on the method used, you will receive the data differently.

• The method GET: If your form uses method="GET", your CGI program will receive the data encoded in the environment variable QUERY_STRING.

Example:

<form method="GET" action="get-query.cgi">
    Login: <input type="text" name="login" />
    Senha: <input type="text" name="senha" />
    <input type="submit" value="Enviar" />
</form>

get-query.cgi

#include  <stdio.h>
#include  <stdlib.h>

int main()
{
   char *query;

   printf("Content-type: text/plain\n\n");
   /* METHOD="GET" */
   query=getenv("QUERY_STRING");
   printf("Os dados recebidos do formulário são:\n\n");
   printf("%s\n", query);

   return(0);
}

Full example

• The method POST: If your form uses method="POST", your CGI program will receive the standard stdin input data. The server will NOT send an EOF at the end of the data. Instead you will have to use the environment variable CONTENT_LENGTH to determine the amount of data to be read from stdin.

Example:

<form method="POST" action="post-query.cgi">
    Login: <input type="text" name="login" />
    Senha: <input type="text" name="senha" />
    <input type="submit" value="Enviar" />
</form>

post-query.cgi

#include  <stdio.h>
#include  <stdlib.h>

int main()
{
   char *query;
   int  length;

   printf("Content-type: text/plain\n\n");
   /* METHOD="POST" */
   length=atoi(getenv("CONTENT_LENGTH"));
   query=(char *) malloc(sizeof(char)*(length+1));
   if (query!=NULL)
      fread(query, length, sizeof(char), stdin);
   printf("Os dados recebidos do formulário são:\n\n");
   printf("%s\n\n", query);
   printf("A variável de ambiente CONTENT_LENGTH tem o valor %d.\n", length);

   return(0);
}

Full example

How to read an environment variable will depend on the Operating System in which the CGI program will be run and the programming language in which it was written. A C program running on UNIX can use the function char *getenv(const char *name); that takes the variable name as argument and returns its value in a string.

It’s an ancient technology?

The CGI was conceived as the culmination of discussions by experts during the early days of the Internet, in 1993 by the NSCA (National Center for Supercomputing Applications) namely between Rob Mccool, John Franks, Ari Luotonen, George Phillips and Tony Sanders. What could make it an ancient technology.

Specification of CGI 1.1: RFC3875

Although the language typically associated with CGI is Perl, CGI is designed to be independent of the language used. Currently technologies such as ASP.NET, PHP, Python and Ruby continue to use the specification.

There are other alternatives to it(which)?

• Fastcgi: It is a binary protocol for interaction of program interfaces with a Web Server.
• PSGI: It’s an interface between web servers and PERL web applications and Frameworks which allows writing applications that can be run as standalone servers or using CGI.
• Rack: Provides a modular and adaptable interface for developing Ruby web applications.
• WRB: HTTP server technology similar to CGI distributed by Oracle.

Sources:
http://penta.ufrgs.br/edu/forms/cgi.html
https://www.w3.org/CGI/
https://en.wikipedia.org/wiki/Common_Gateway_Interface
https://en.wikipedia.org/wiki/Common_Gateway_Interface
http://homepages.dcc.ufmg.br/~mlbc/cursos/internet/cgi/intro.htm

CGI is a method for a web page to be dynamically generated by an executable, rather than a static file. Any text the executable sends to the "terminal" will appear on the page. In the early days of the Web, without many security concerns, it was common for dynamic pages to be generated even by shell scripts. Another CGI problem is that each page generation invokes a process, which weighs fast on a server with many accesses.