Movuploader uses curl to upload mustache pictures to Movember. Normally this requires signing into the site, and then posting a status update with an image. We can automate these steps with two lines of curl. Curl was a natural choice for us since it’s installed by default on Snow Leopard and Lion.
The following command is part of the upload script and takes a username and password as parameters:
curl -L -s -c cookie \ -d email=$email \ -d password=$pass \ -d rememberme=0 \ -d process=1 \ -d submit=1 \ -d redirect=0 \ https://www.movember.com/us/auth/do-login
The first line passes three flags to curl: location (-L), silent (-s), and cookie (-c). Location will redirect your request if a redirect is seen. The silent flag suppresses the progress bar output, and the cookie flag lets you specify a file where cookie information is stored. The last part of the command sends the data (-d) in a POST request. The data flag lets you build a single string to pass instead, but I’ve opted to be more verbose here for clarity.
When someone logs in on Movember.com, they’re redirected with a “302 (Moved Temporarily)” request to their main page. We use the information on the user’s main page to figure out their ID number (Movember refers to this as the user’s “entity ID”). If we only needed the cookie file, we wouldn’t have to care about the redirect. (Note: the curl in the upload script pulls the entity ID into a variable and isn’t shown above).
We can see the redirect ourselves by adjusting the command above to include headers:
curl -is \ -d email=$email \ -d password=$pass \ -d rememberme=0 \ -d process=1 \ -d submit=1 \ -d redirect=0 \ https://www.movember.com/us/auth/do-login
The first line returns: HTTP/1.1 302 Found, which is the “Temporary redirect” mentioned earlier.
The last part of the command sends the necessary information to movember.com’s login form through a POST request. The form names are located within the page’s source. You’ll run into problems if you don’t submit all the information the form is expecting. Tamper Data for Firefox is a great tool for figuring out what exactly gets sent — turn it on, fill out the form, and examine the request being sent to the server. You can use this information to reconstruct the request with curl.
Now we have a cookie file that we can use to authenticate ourselves to the server with. We’ll use the silent flag again and pass the cookie file in with the -b flag:
curl -s -b cookie \ http://us.movember.com/mospace/your-donation-page/create-post/ -F content=$new -F entity_id=$entity -F name=image -F "filename=$new;image/jpeg;" -F "image=@$new"
The rest of the request is very similar to the last request. Instead of using the data flag, we’ve switched to the form (-F) flag. You need to use the form flag if the form you’re posting to specifies that it’s multipart/form-data. It also allows you to upload binary files (in this case, a picture of a mustache). Here we’re posting a:
- status update – the name of the file so we can track our growth
- our entity ID – saved from the last request.
- the name of the content – in this case, Movember expects either “image” or “video”.
- the filename of the image
- the contents of the image – the ‘@’ symbol tells curl to pull the information from a file on disk.