-rwxr-xr-x | cgi-bin/provisioning.cgi | 84 | ||||
-rw-r--r-- | provisioning-controller.lua | 2 | ||||
-rw-r--r-- | provisioning-model.lua | 20 |
3 files changed, 66 insertions, 40 deletions
diff --git a/cgi-bin/provisioning.cgi b/cgi-bin/provisioning.cgi index bf7a6a2..ee12e22 100755 --- a/cgi-bin/provisioning.cgi +++ b/cgi-bin/provisioning.cgi @@ -106,15 +106,6 @@ if ( request_method == "GET" ) then local func = haserl.loadfile(data.value.values.value.device.template) func(data.value.values.value) else - if data.errtxt then - APP.logevent("data.errtxt") - elseif not data.value.values then - APP.logevent("not data.value.values") - elseif not data.value.values.value.device then - APP.logevent("not data.value.values.value.device") - elseif not data.value.values.value.device.template then - APP.logevent("not data.value.values.value.device.template") - end http_code(404) end end 
@@ -130,36 +121,59 @@ if ( request_method == "GET" ) then ENV.PATH_INFO = pathinfo elseif ( request_method == "PUT" ) then local data = io.stdin:read("*all") + local success = true - log:write("Checking PROV Table for results\n") - -- Load the ACF mvc - local PATH = package.path - package.path = "/usr/share/acf/www/cgi-bin/?.lua;" .. package.path - require("mvc") - package.path = PATH - -- We'll use the cli controller, but change the view resolver to report HTTP code - local pathinfo = ENV.PATH_INFO - FRAMEWORK=mvc:new() - FRAMEWORK:read_config("acf") - APP=FRAMEWORK:new("acf_cli") - APP.view_resolver = function(self) - return function (data) - if data.errtxt then - http_code(400) - else - http_code(200) + -- Protect against writing to arbitrary paths + if string.match(path_info, "%.%.") then + http_code(403) + log:close() + os.exit() + end + + -- Don't bother for .log files + if not string.match(path_info, "%.log$") then + log:write("Checking PROV Table for results\n") + -- Load the ACF mvc + local PATH = package.path + package.path = "/usr/share/acf/www/cgi-bin/?.lua;" .. 
package.path + require("mvc") + package.path = PATH + -- We'll use the cli controller, but change the view resolver to report HTTP code + local pathinfo = ENV.PATH_INFO + FRAMEWORK=mvc:new() + FRAMEWORK:read_config("acf") + APP=FRAMEWORK:new("acf_cli") + APP.view_resolver = function(self) + return function (output) + if output.errtxt then + success = false + http_code(400) + else + data = output.value + end end end - end - -- Set up the action and parameters - ENV.PATH_INFO = "/provisioning/provisioning/putfile" - APP.clientdata = {file=path_info, root=root, data=data, ip=ip_address, agent=user_agent} - -- Dispatch the command - APP:dispatch() - APP:destroy() - FRAMEWORK:destroy() + -- Set up the action and parameters + ENV.PATH_INFO = "/provisioning/provisioning/putfile" + APP.clientdata = {mac=mac, data=data} + -- Dispatch the command + APP:dispatch() + APP:destroy() + FRAMEWORK:destroy() - ENV.PATH_INFO = pathinfo + ENV.PATH_INFO = pathinfo + end + if success then + local path = root..path_info + log:write("Writing to "..path.."\n") + posix.mkdir(posix.dirname(path)) + local f = io.open(path, "w+") + f:write(data) + f:close() + http_code(200) + else + http_code(400) + end end log:close() %> diff --git a/provisioning-controller.lua b/provisioning-controller.lua index eaf5b8d..f4386d9 100644 --- a/provisioning-controller.lua +++ b/provisioning-controller.lua @@ -150,5 +150,5 @@ getfile = function( self ) end putfile = function( self ) - return self.model.put_file(self.clientdata.file, self.clientdata.root, self.clientdata.data, self.clientdata.ip, self.clientdata.agent) + return self.model.put_file(self.clientdata.mac, self.clientdata.data) end diff --git a/provisioning-model.lua b/provisioning-model.lua index 4ada401..16bfd15 100644 --- a/provisioning-model.lua +++ b/provisioning-model.lua 
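Review bot: In the PUT branch of cgi-bin/provisioning.cgi, a path ending in `.log` skips the `putfile` dispatch entirely, so the request body is written under `root` with no `process_put.lua` check and no size bound (`io.stdin:read("*all")` reads everything); the `..` match is the only guard on that path. If this is intended for device logs, say so in a comment, and consider capping the body length and confining `.log` writes to a dedicated subdirectory. Separately, the result of `io.open(path, "w+")` is not checked and `posix.mkdir` creates only one directory level, so a nested or unwritable path leaves `f` nil and the script fails before sending any status; use `local f, err = io.open(path, "w+")` followed by `if not f then log:write(err.."\n") http_code(500) else … end`. When the view resolver has already sent `http_code(400)`, the final `else` sends it a second time. The branch begins before this hunk, and `path_info`, `root` and `mac` are set outside it, so how they are validated cannot be judged from here.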
@@ -20,7 +20,8 @@ local updatedevicescriptfile = "/etc/provisioning/update_device.lua" local updatedeviceparamsscriptfile = "/etc/provisioning/update_device_params.lua" local deletedevicescriptfile = "/etc/provisioning/delete_device.lua" local determineclassscriptfile = "/etc/provisioning/determine_class.lua" -local scriptfiles = {updatedevicescriptfile, updatedeviceparamsscriptfile, deletedevicescriptfile, determineclassscriptfile} +local processputscriptfile = "/etc/provisioning/process_put.lua" +local scriptfiles = {updatedevicescriptfile, updatedeviceparamsscriptfile, deletedevicescriptfile, determineclassscriptfile, processputscriptfile} local env local con @@ -275,7 +276,7 @@ local function callscript(script, ...) result = f(functions, ...) end, ...) if not res and err then - assert(res, "Update Successful\nException in post update script\n"..err) + assert(res, "Exception in "..script.." script\n"..err) end end setfenv (0, _G) @@ -1912,6 +1913,17 @@ function get_file(mac, ip, agent) return result end -function put_file(file, root, data, ip, agent) - return cfe({errtxt="Not implemented"}) +function put_file(mac, data) + local retval = cfe({ label="PUT Data" }) + local res, err = pcall(function() + local connected = databaseconnect() + retval.value, retval.errtxt = callscript(processputscriptfile, mac, data) + -- If the script doesn't exist, allow the write + retval.value = retval.value or data + if connected then databasedisconnect() end + end) + if not res and err then + retval.errtxt = err + end + return retval end |
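Review bot: In `put_file` (provisioning-model.lua), `retval.value = retval.value or data` fails open: a `process_put.lua` that returns `nil` or `false` is treated the same as a missing script, and the client's original data is written. If the script is meant to be a gate, document in the comment that it must raise or return an error text to reject, or check for the script's existence explicitly instead of inferring it from a nil result. Also, `databasedisconnect()` sits inside the `pcall` after `callscript`, so it is skipped when the script raises (the `assert` in `callscript` does exactly that) and the connection appears to stay open. Declare `local connected` before the `pcall` and move `if connected then databasedisconnect() end` to just after it. `callscript` and `databaseconnect` are defined outside this hunk, so their return values are inferred from how they are used here.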