Reorganizing login sessions, cookie support for CGIservlet

[CGIscriptor.git] / CGIscriptor.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>

<HEAD>

<TITLE>CGIscriptor 2.0 Manual</TITLE>


</HEAD>

<BODY>

<H1 ALIGN="CENTER">
<I>CGIscriptor 2.0</I>: An implementation of integrated server side CGI scripts
</H1>

<UL>
    <P>
    <LI><A HREF="#HYPE">HYPE</A>
    <LI><A HREF="#HOWITWORKS">THIS IS HOW IT WORKS</A>
    <LI><A HREF="#HTML4">HTML 4 COMPLIANCE</A>
    <LI><A HREF="#SECURITY">SECURITY</A>
    </P>
    
    <P>
    <LI><A HREF="#MANUAL">USER MANUAL</A>
    <UL>
        <LI><A HREF="#INTRODUCTION">INTRODUCTION</A>
        <LI><A HREF="#NON-HTML">NON-HTML CONTENT TYPES</A>
        <LI><A HREF="#BINFILES">NON-HTML FILES</A>
        <LI><A HREF="#META">THE META TAG</A>
        <LI><A HREF="#DIV">THE DIV/INS TAG</A>
        <LI><A HREF="#IFUNLESS">CONDITIONAL PROCESSING: THE 'IF' AND 'UNLESS' ATTRIBUTES</A>
        <LI><A HREF="#SRC">THE MAGIC SOURCE ATTRIBUTE (SRC=)</A>
        <LI><A HREF="#ROOT">THE CGISCRIPTOR ROOT DIRECTORIES ~/ AND ./</A>
        <LI><A HREF="#OSSHELL">OS SHELL SCRIPT EVALUATION (CONTENT-TYPE=TEXT/OSSHELL)</A>
        <LI><A HREF="#TRANSLATIONS">RUN TIME TRANSLATION OF INPUT FILES</A>
        <LI><A HREF="#LANGUAGES">EVALUATION OF OTHER SCRIPTING LANGUAGES</A>
        <LI><A HREF="#APPLIC">APPLICATION MIME TYPES</A>
        <LI><A HREF="#PIPES">SHELL SCRIPT PIPING</A>
        <LI><A HREF="#SSPERL">PERL CODE EVALUATION (CONTENT-TYPE=TEXT/SSPERL)</A>
                <LI><A HREF="#SESSIONTICKETS">SERVER SIDE SESSIONS AND ACCESS CONTROL (LOGIN)</A>
        <LI><A HREF="#USEREXTENSIONS">USER EXTENSIONS</A>
        <LI><A HREF="#RESULTSSTACK">THE RESULTS STACK: @CGIscriptorResults</A>
        <LI><A HREF="#CGIPREDEFINED">USEFULL CGI PREDEFINED VARIABLES</A>
        <LI><A HREF="#ENVIRONMENT">USEFULL CGI ENVIRONMENT VARIABLES</A>
        <LI><A HREF="#RUNNING">INSTRUCTIONS FOR RUNNING CGIscriptor ON UNIX</A>
        <LI><A HREF="#NON-UNIX">NON-UNIX OS-PLATFORMS</A>
    </UL>
    <LI><A HREF="#license">license</A>
    </P>
    
    </UL>

<A NAME="HYPE"><H2 ALIGN="CENTER">HYPE</H2></A>

<P>
CGIscriptor merges plain ASCII HTML files transparantly and safely 
with CGI variables, in-line PERL code, shell commands, and executable 
scripts in many languages (on-line and real-time). It combines the 
"ease of use" of HTML files with the versatillity of specialized 
scripts and PERL programs. It hides all the specifics and 
idiosyncrasies of correct output and CGI coding and naming. Scripts 
do not have to be aware of HTML, HTTP, or CGI conventions just as HTML 
files can be ignorant of scripts and the associated values. CGIscriptor 
complies with the W3C HTML 4.0 recommendations.
</P>

<P>
In addition to its use as a WWW embeded CGI processor, it can
be used as a command-line document preprocessor (text-filter).
</P>

<A NAME="HOWITWORKS"><H2 ALIGN="CENTER">THIS IS HOW IT WORKS</H2></A>

<P>
The aim of CGIscriptor is to execute "plain" scripts inside a text file
using any required CGIparameters and environment variables. It 
is optimized to transparantly process HTML files inside a WWW server.
The native language is Perl, but many other scripting languages
can be used.
</P>

<P>
CGIscriptor reads text files from the requested input file (i.e., from
$YOUR_HTML_FILES$PATH_INFO) and writes them to &lt;STDOUT&gt; (i.e., the client 
requesting the service) preceded by the obligatory 
"Content-type: text/html\n\n" or "Content-type: text/plain\n\n" string
(except for "raw" files which supply their own Content-type message
and only if the SERVER_PROTOCOL contains HTTP, FTP, GOPHER, MAIL, or MIME).
</P>

<P>
When CGIscriptor encounters an embedded script, indicated by an HTML4 tag
</P>

<PRE>
&lt;SCRIPT TYPE="text/ssperl" [CGI="$name='default value'"] [SRC="ScriptSource"]&gt;
PERL script
&lt;/SCRIPT&gt;
</PRE>

or

<PRE>
&lt;SCRIPT TYPE="text/osshell" [CGI="$name='default value'"] [SRC="ScriptSource"]&gt;
OS Shell script
&lt;/SCRIPT&gt;
</PRE>

<P>
construct (anything between []-brackets is optional, other MIME-types are 
supported), the embedded script is removed and both the contents of the 
source file (i.e., "do 'ScriptSource'") AND the script are evaluated as a 
PERL program (i.e., by eval()), a shell script (i.e., by a "safe" version 
of `Command`, qx) or an external interpreter. The output of the eval() 
function takes the place of the original &lt;SCRIPT&gt;&lt;/SCRIPT&gt; 
construct in the output string. Any CGI parameters declared by the CGI 
attribute are available as simple perl variables, and can subsequently 
be made available as variables to other scripting languages (e.g., bash,
python, or lisp).
</P>

<P>
Example: printing "Hello World"
</P>

<PRE>
&lt;HTML>&lt;HEAD>&lt;TITLE>Hello World&lt;/TITLE&gt;
&lt;BODY&gt;
&lt;H1&gt;&lt;SCRIPT TYPE="text/ssperl"&gt;"Hello World"&lt;/SCRIPT&gt;&lt;/H1&gt;
&lt;/BODY&gt;&lt;/HTML&gt;
</PRE>

<P>
Save this in a file, hello.html, in the directory you indicated with 
$YOUR_HTML_FILES and access http://your_server/SHTML/hello.html
(or to whatever name you use as an alias for CGIscriptor.pl). 
This is realy ALL you need to do to get going.
</P>

<P>
You can use any values that are delivered in CGI-compliant form (i.e., 
the "?name=value" type URL additions) transparently as "$name" variables 
in your scripts IFF you have declared them in a META or SCRIPT tag before e.g.:
</P>

<PRE>
&lt;META CONTENT="text/ssperl; CGI='$name = `default value`' 
[SRC='ScriptSource']"&gt;
</PRE>
or
<PRE>
&lt;SCRIPT TYPE=text/ssperl CGI="$name = 'default value'" 
[SRC='ScriptSource']&gt;
</PRE>
 
<P>
After such a 'CGI' attribute, you can use $name as an ordinary PERL variable
(the ScriptSource file is immediately evaluated with "do 'ScriptSource'"). 
The CGIscriptor script allows you to write ordinary HTML files which will 
include dynamic CGI aware (run time) features, such as on-line answers 
to specific CGI requests, queries, or the results of calculations.
</P>

<P>
For example, if you wanted to answer questions of clients, you could write 
a Perl program called "Answer.pl" with a function "AnswerQuestion()"
that prints out the answer to requests given as arguments. You then write 
a HTML page "Respond.html" containing the following fragment:
</P>

<hr>
<PRE>
&lt;CENTER&gt;
The Answer to your question
&lt;META CONTENT="text/ssperl; CGI='$Question'"&gt;
&lt;h3&gt;&lt;SCRIPT TYPE="text/ssperl"&gt;$Question&lt;/SCRIPT&gt;&lt;/h3&gt;
is
&lt;h3&gt;&lt;SCRIPT TYPE="text/ssperl" SRC="./PATH/Answer.pl"&gt;
AnswerQuestion($Question);
&lt;/SCRIPT&gt;&lt;/h3&gt;
&lt;CENTER&gt;
&lt;FORM ACTION=Respond.html METHOD=GET&gt;
Next question: &lt;INPUT NAME="Question" TYPE=TEXT SIZE=40&gt;&lt;br&gt;
&lt;INPUT TYPE=SUBMIT VALUE="Ask"&gt;
&lt;/FORM&gt;
</PRE>
<hr>

<P>
The output could look like the following (in HTML-speak):
</P>

<hr>
<PRE>
<CENTER>
The Answer to your question
<h3>What is the capital of the Netherlands?</h3>
is
<h3>Amsterdam</h3>
</CENTER>
<FORM ACTION=Respond.html METHOD=GET>
Next question: <INPUT NAME="Question" TYPE=TEXT SIZE=40><br>
<INPUT TYPE=SUBMIT VALUE="Ask">
</PRE>
<hr>

<P>
Note that the function "Answer.pl" does know nothing about CGI or HTML,
it just prints out answers to arguments. Likewise, the text has no 
provisions for scripts or CGI like constructs. Also, it is completely 
trivial to extend this "program" to use the "Answer" later in the page 
to call up other information or pictures/sounds. The final text never 
shows any cue as to what the original "source" looked like, i.e., 
where you store your scripts and how they are called.
</P>

<P>
There are some extra's. The argument of the files called in a SRC= tag 
can access the CGI variables declared in the preceding META tag from
the @ARGV array. Executable files are called as: 
`file '$ARGV[0]' ... ` (e.g., `Answer.pl \'$Question\'`;)
The files called from SRC can even be (CGIscriptor) html files which are 
processed in-line. Furthermore, the SRC= tag can contain a perl block 
that is evaluated. That is,
</P>

<PRE>
&lt;META CONTENT="text/ssperl; CGI='$Question' SRC='{$Question}'"&gt;
</PRE>

<P>
will result in the evaluation of "print do {$Question};" and the VALUE
of $Question will be printed. Note that these "SRC-blocks" can be 
preceded and followed by other file names, but only a single block is 
allowed in a SRC= tag.
</P>

<p>
One of the major hassles of dynamic WWW pages is the fact that several
mutually incompatible browsers and platforms must be supported. For example,
the way sound is played automatically is different for Netscape and 
Internet Explorer, and for each browser it is different again on 
Unix, MacOS, and Windows. Realy dangerous is processing user-supplied 
(form-) values to construct email addresses, file names, or database
queries. All Apache WWW-server exploits reported in the media are 
based on faulty CGI-scripts that didn't check their user-data properly.
</p>

<p>
There is no panacee for these problems, but a lot of work and problems
can be safed by allowing easy and transparent control over which 
&lt;SCRIPT&gt;&lt;/SCRIPT&gt; blocks are executed on what CGI-data. CGIscriptor
supplies such a method in the form of a pair of attributes:
IF='...condition..' and UNLESS='...condition...'. When added to a
script tag, the whole block (including the SRC attribute) will be
ignored if the condition is false (IF) or true (UNLESS).
For example, the following block will NOT be evaluated if the value
of the  CGI variable FILENAME is NOT a valid filename:
</p>

<pre>
&lt;SCRIPT TYPE='text/ssperl' CGI='$FILENAME' IF='CGIscriptor::CGIsafeFileName($FILENAME)'&gt;
.....
&lt;/SCRIPT&gt;
</pre>

<p>
(the function CGIsafeFileName(String) returns an empty string ("") 
if the String argument is not a valid filename).
The UNLESS attribute is the mirror image of IF.
</p>

<P>
A user manual follows the HTML 4 and security paragraphs below.
</P>


<A NAME="HTML4"><H2 ALIGN="CENTER">HTML 4 COMPLIANCE</H2></A>

<P>
In general, CGIscriptor.pl complies with the HTML 4 recommendations of 
the W3C. This means that any software to manage Web sites will be able
to handle CGIscriptor files, as will web agents.
</P>

<P>
All script code should be placed between &lt;SCRIPT&gt;&lt;/SCRIPT&gt; tags, the 
script type is indicated with TYPE="mime-type", the LANGUAGE
feature is ignored, and a SRC feature is implemented.  All CGI specific 
features are delegated to the CGI attribute.
</P>

<P>
However, the behavior deviates from the W3C recommendations at some 
points. Most notably:
</P>

<DL>
    <dt>0- The scripts are executed at the server side, invisible to the 
    client (i.e., the browser)
    <dt>1- The mime-types are personal and idiosyncratic, but can be adapted.   
    <dt>2- Code in the body of a &lt;SCRIPT&gt;&lt;/SCRIPT&gt; tag-pair is still evaluated 
    when a SRC feature is present.
    <dt>3- The SRC feature reads a list of files.
    <dt>4- The files in a SRC feature are processed according to file type.
    <dt>5- The SRC feature evaluates inline Perl code.
    <dt>6- Processed META, INS, and DIV tags are removed from the output document.
    <dt>7- All attributes of the processed META tags, except CONTENT, are ignored 
    (i.e., deleted from the output).
    <dt>8- META tags can be placed ANYWHERE in the document.
    <dt>9- Through the SRC feature, META tags can have visible output in the
    document.
    <dt>10- The CGI attribute that declares CGI parameters, can be used
    inside the &lt;SCRIPT&gt; tag.
    <dt>11- Use of an extended quote set, i.e., '', "", ``, (), {}, []
     and their \-slashed combinations: \'\', \"\", \`\`, \(\), 
     \{\}, \[\].
    <dt>12- IF and UNLESS attributes to &lt;SCRIPT&gt;, &lt;META&gt;, 
            &lt;INS&gt;, and &lt;DIV&gt; tags.
    <dt>13- &lt;DIV&gt; tags cannot be nested, &lt;DIV&gt; tags are not
        rendered with new-lines.
    <dt>14- The XML style &lt;TAG .... /&gt; is recognized and handled correctly.
        (i.e., no content is processed)
</DL>
    
<P>
The reasons for these choices are:
</P>

<P>
You can still write completely HTML4 compliant documents. CGIscriptor 
will not force you to write "deviant" code. However, it allows you to 
do so (which is, in fact, just as bad). The prime design principle 
was to allow users to include plain Perl code. The code itself should 
be "enhancement free". Therefore, extra features were needed to 
supply easy access to CGI and Web site components. For security 
reasons these have to be declared explicitly. The SRC feature 
transparently manages access to external files, especially the safe 
use of executable files.
</P>

<P>
The CGI attribute handles the declarations of external (CGI) variables
in the SCRIPT and META tag's.<BR>
EVERYTHING THE CGI ATTRIBUTE AND THE META TAG DO CAN BE DONE INSIDE 
A &lt;SCRIPT&gt;&lt;/SCRIPT&gt; TAG CONSTRUCT.
</P>

<P>
The reason for the IF, UNLESS, and SRC attributes (and its Perl code evaluation) 
were build into the META and SCRIPT tags is part laziness, part security. The SRC 
blocks allows more compact documents and easier debugging. The values of the 
CGI variables can be immediately screened for security by IF or UNLESS 
conditions, and even SRC attributes (e.g., email addresses and file names), and 
a few commands can be called without having to add another Perl TAG pair. 
This is especially important for documents that require the use of other 
(restricted) "scripting" languages that lag transparent control structures.
</P>


<A NAME="SECURITY"><H2 ALIGN="CENTER">SECURITY</H2></A>

<P>
Your WWW site is a few keystrokes away from a few hundred million internet 
users. A fair percentage of these users knows more about your computer 
than you do. And some of these just might have bad intentions.
</P>

<P>
To ensure uncompromized operation of your server and platform, several 
features are incorporated in CGIscriptor.pl to enhance security.
First of all, you should check the source of this program. No security
measures will help you when you download programs from anonymous sources.
If you want to use THIS file, please make sure that it is uncompromized.
The best way to do this is to contact the source and try to determine
whether s/he is reliable (and accountable).
</P>

<P>
BE AWARE THAT ANY PROGRAMMER CAN CHANGE THIS PROGRAM IN SUCH A WAY THAT
IT WILL SET THE DOORS TO YOUR SYSTEM WIDE OPEN
</P>

<P>
I would like to ask any user who finds bugs that could compromise 
security to report them to me (and any other bug too,
Email: R.J.J.H.vanSon@uva.nl or ifa@hum.uva.nl).
</P>

<H2 ALIGN="CENTER">Security features</H2>

<dl>
<dt>1 Invisibility  
<dd>The inner workings of the HTML source files are completely hidden  
from the client. Only the HTTP header and the ever changing content 
of the output distinguish it from the output of a plain, fixed HTML
file. Names, structures, and arguments of the "embedded" scripts 
are invisible to the client. Error output is suppressed except
during debugging (user configurable).

<dt>2 Separate directory trees
<dd>Directories containing Inline text and script files can reside on
separate trees, distinct from those of the HTTP server. This means
that NEITHER the text files, NOR the script files can be read by
clients other than through CGIscriptor.pl, UNLESS they are 
EXPLICITELY made available. 

<dt>3 Requests are NEVER "evaluated"
<dd>All client supplied values are used as literal values (''-quoted). 
Client supplied ''-quotes are ALWAYS removed. Therefore, as long as the 
embedded scripts do NOT themselves evaluate these values, clients CANNOT 
supply executable commands. Be sure to AVOID scripts like:

<PRE>
&lt;META CONTENT="text/ssperl; CGI='$UserValue'"&gt;
&lt;SCRIPT TYPE="text/ssperl"&gt;$dir = `ls -1 $UserValue`;&lt;/SCRIPT&gt;
</PRE>

<P>
These are a recipe for disaster. However, the following quoted
form should be save (but is still not adviced):
</P>

<PRE>
&lt;SCRIPT TYPE="text/ssperl"&gt;$dir = `ls -1 \'$UserValue\'`;&lt;/SCRIPT&gt;
</PRE>

<P>
A special function, SAFEqx(), will automatically do exactly this, 
e.g., SAFEqx('ls -1 $UserValue') will execute `ls -1 \'$UserValue\'`
with $UserValue interpolated. I recommend to use SAFEqx() instead
of backticks whenever you can. The OS shell scripts inside
</P>

<PRE>
&lt;SCRIPT TYPE="text/osshell"&gt;ls -1 $UserValue&lt;/SCRIPT&gt;
</PRE>

<P>
are handeld by SAFEqx and automatically ''-quoted.
</P>

<dt>4 Logging of requests
<dd>All requests can be logged separate from the Host server. The level of
detail is user configurable: Including or excluding the actual queries. 
This allows for the inspection of (im-) proper use.

<dt>5 Access control: Clients
<dd>The Remote addresses can be checked against a list of authorized 
(i.e., accepted) or non-authorized (i.e., rejected) clients. Both 
REMOTE_HOST and REMOTE_ADDR are tested so clients without a proper 
HOST name can be (in-) excluded by their IP-address. Client patterns 
containing all numbers and dots are considered IP-addresses, all others
domain names. No wild-cards or regexp's are allowed, only partial 
addresses.<br>
Matching of names is done from the back to the front (domain first, 
i.e., $REMOTE_HOST =~ /\Q$pattern\E$/is), so including ".edu" will 
accept or reject all clients from the domain EDU. Matching of 
IP-addresses is done from the front to the back (domain first, i.e., 
$REMOTE_ADDR =~ /^\Q$pattern\E/is), so including "128." will (in-) 
exclude all clients whose IP-address starts with 128.
There are two special symbols: "-" matches HOSTs with no name and "*"
matches ALL HOSTS/clients.<br>

<P>
For those needing more expressional power, lines starting with 
"-e" are evaluated by the perl eval() function. E.g., 
'-e $REMOTE_HOST =~ /\.edu$/is;' will accept/reject clients from the 
domain '.edu'.
</P>

<dt>6 Access control: Files
<dd>In principle, CGIscriptor could read ANY file in the directory 
tree as discussed in 1. However, for security reasons this is 
restricted to text files. It can be made more restricted by entering 
a global file pattern (e.g., ".html"). This is done by default. 
For each client requesting access, the file pattern(s) can be made
more restrictive than the global pattern by entering client specific
file patterns in the Access Control files (see 5).
For example: if the ACCEPT file contained the lines

<PRE>
*           DEMO
.hum.uva.nl LET 
145.18.230.
</PRE>

<P>
Then all clients could request paths containing "DEMO" or "demo", e.g. 
"/my/demo/file.html" ($PATH_INFO =~ /\Q$pattern\E/), Clients from 
*.hum.uva.nl could also request paths containing  "LET or "let", e.g. 
"/my/let/file.html", and clients from the local cluster 
145.18.230.[0-9]+ could access ALL files.
Again, for those needing more expressional power, lines starting with 
"-e" are evaluated. For instance: <br />
'-e $REMOTE_HOST =~ /\.edu$/is && $PATH_INFO =~ m@/DEMO/@is;' <br />
will accept/reject requests for files from the directory "/demo/" from
clients from the domain '.edu'.
</P>
<p>
<dt>7 Access control: Server side session tickets
<dd>Specific paths can be controlled by Session Tickets which must be 
present as a SESSIONTICKET=&lt;value&gt; CGI variable in the request. These paths 
are defined in %TicketRequiredPatterns as pairs of:<br />
('regexp' =&gt; 'SessionPath\tPasswordPath\tLogin.html\tExpiration').<br />
Session Tickets are stored in a separate directory (SessionPath, e.g., 
"Private/.Session") as files with the exact same name of the SESSIONTICKET CGI.
The following is an example:
<pre>
Type: SESSION
IPaddress: 127.0.0.1
AllowedPaths: ^/Private/Name/
Expires: +3600
Username: test
...
</pre>
Other content can follow. <br />
<br />
It is adviced that Session Tickets should be deleted 
after some (idle) time. The IP address should be the IP number at login, and
the SESSIONTICKET will be rejected if it is presented from another IP address.
AllowedPaths is a perl regexp. Be careful how they match. Make sure to delimit 
the names to prevent access to overlapping names, eg, "^/Private/Rob" will also
match "^/Private/Robert", however, "^/Private/Rob/" will not. Expires is the
time the ticket will remain valid after creation (file ctime). Time can be given
in s[econds] (default), m[inutes], h[hours], or d[ays], eg, "24h" means 24 hours.
None of these need be present, but the Ticket must have a non-zero size.<br />
<br />
Next to Session Tickets, there are two other type of ticket files:<br />
- LOGIN tickets store information about a current login request<br />
- PASSWORD ticket store account information to authorize login requests<br />
</p>
<P>
<dt>8 Query length limiting
<dd>The length of the Query string can be limited. If CONTENT_LENGTH is larger
than this limit, the request is rejected. The combined length of the 
Query string and the POST input is checked before any processing is done. 
This will prevent clients from overloading the scripts.
The actual, combined, Query Size is accessible as a variable through 
$CGI_Content_Length.
</P>

<P>
<dt>9 Illegal filenames, paths, and protected directories
<dd>One of the primary security concerns in handling CGI-scripts is the
use of "funny" characters in the requests that con scripts in executing
malicious commands. Examples are inserting ';', null bytes, or &lt;newline&gt; characters
in URL's and filenames, followed by executable commands. A special 
variable $FileAllowedChars stores a string of all allowed characters.
Any request that translates to a filename with a character OUTSIDE
this set will be rejected.<br>
In general, all (readable files) in the ServerRoot tree are accessible.
This might not be what you want. For instance, your ServerRoot directory
might be the working directory of a CVS project and contain sensitive
information (e.g., the password to get to the repository). You can block
access to these subdirectories by adding the corresponding patterns to
the $BlockPathAccess variable. For instance, $BlockPathAccess = '/CVS/'
will block any request that contains '/CVS/' or:<br>
<pre> 
die if $BlockPathAccess && $ENV{'PATH_INFO'} =~ m@$BlockPathAccess@;
</pre>
</P>

<P>
<dt>10 The execution of code blocks can be controlled in a transparent way
    by adding IF or UNLESS conditions in the tags themselves. 
    <dd>That is, a simple check of the validity of filenames or email 
     addresses can be done before any code is executed.
</p>
     
</dl>

<hr>

<A NAME="MANUAL"><H1 ALIGN="CENTER">USER MANUAL</H1></A>

<UL>
    <LI><A HREF="#INTRODUCTION">INTRODUCTION</A>
    <LI><A HREF="#NON-HTML">NON-HTML CONTENT TYPES</A>
    <LI><A HREF="#BINFILES">NON-HTML FILES</A>
    <LI><A HREF="#META">THE META TAG</A>
    <LI><A HREF="#DIV">THE DIV/INS TAG</A>
    <LI><A HREF="#IFUNLESS">CONDITIONAL PROCESSING: THE 'IF' AND 'UNLESS' ATTRIBUTES</A>
    <LI><A HREF="#SRC">THE MAGIC SOURCE ATTRIBUTE (SRC=)</A>
    <LI><A HREF="#ROOT">THE CGISCRIPTOR ROOT DIRECTORIES ~/ AND ./</A>
    <LI><A HREF="#OSSHELL">OS SHELL SCRIPT EVALUATION (CONTENT-TYPE=TEXT/OSSHELL)</A>
    <LI><A HREF="#TRANSLATIONS">RUN TIME TRANSLATION OF INPUT FILES</A>
    <LI><A HREF="#LANGUAGES">EVALUATION OF OTHER SCRIPTING LANGUAGES</A>
    <LI><A HREF="#PIPES">SHELL SCRIPT PIPING</A>
    <LI><A HREF="#SSPERL">PERL CODE EVALUATION (CONTENT-TYPE=TEXT/SSPERL)</A>
    <LI><A HREF="#SESSIONTICKETS">SERVER SIDE SESSIONS AND ACCESS CONTROL (LOGIN)</A>
    <LI><A HREF="#USEREXTENSIONS">USER EXTENSIONS</A>
    <LI><A HREF="#RESULTSSTACK">THE RESULTS STACK: @CGIscriptorResults</A>
    <LI><A HREF="#CGIPREDEFINED">USEFULL CGI PREDEFINED VARIABLES</A>
    <LI><A HREF="#ENVIRONMENT">USEFULL CGI ENVIRONMENT VARIABLES</A>
    <LI><A HREF="#RUNNING">INSTRUCTIONS FOR RUNNING CGIscriptor ON UNIX</A>
    <LI><A HREF="#NON-UNIX">NON-UNIX OS-PLATFORMS</A>
</UL>

<A NAME="INTRODUCTION"><H2 ALIGN="CENTER">INTRODUCTION</H2></A>

<P>
CGIscriptor removes embedded scripts, indicated by an HTML 4 type 
&lt;SCRIPT TYPE='text/ssperl'&gt; &lt;/SCRIPT&gt; or &lt;SCRIPT TYPE='text/osshell'&gt; 
&lt;/SCRIPT&gt; constructs. The contents of the directive are executed by 
the PERL eval() and `` functions (in a separate name space). The 
result of the eval() function replaces the &lt;SCRIPT&gt; &lt;/SCRIPT&gt; construct 
in the output file. You can use the values that are delivered in 
CGI-compliant form (i.e., the "?name=value&.." type URL additions) 
transparently as "$name" variables in your directives after they are 
defined in a &lt;META&gt; or &lt;SCRIPT&gt; tag. 
If you define the variable "$CGIscriptorResults" in a CGI attribute, all 
subsequent &lt;SCRIPT&gt; and &lt;META&gt; results (including the defining  
tag) will also be pushed onto a stack: @CGIscriptorResults. This list 
behaves like any other, ordinary list and can be manipulated.
</P>

<P>
Both GET and POST requests are accepted. These two methods are treated 
equal. Variables, i.e., those values that are determined when a file is 
processed, are indicated in the CGI attribute by $&lt;name&gt; or 
$&lt;name&gt;=&lt;default&gt; in which  &lt;name&gt; is the name of the 
variable and &lt;default&gt; is the value used when there is NO current CGI 
value for &lt;name&gt; (you can use white-spaces in 
$&lt;name&gt;=&lt;default&gt; but really DO make sure that the default 
value is followed by white space or is quoted). Names can contain any 
alphanumeric characters and _ (i.e., names match /[\w]+/).<br>
If the <i>Content-type:</i> is 'multipart/*', the input is treated as a 
MIME multipart message and automatically delimited. CGI variables get the 
"raw" (i.e., undecoded) body of the corresponding message part.
</P>

<P>
Variables can be CGI variables, i.e., those from the QUERY_STRING, 
environment variables, e.g., REMOTE_USER, REMOTE_HOST, or REMOTE_ADDR, 
or predefined values, e.g., CGI_Decoded_QS (The complete, decoded, 
query string), CGI_Content_Length (the length of the decoded query 
string), CGI_Year, CGI_Month, CGI_Time, and CGI_Hour (the current 
date and time).
</P>

<P>
All these are available when defined in a CGI attribute. All environment 
variables are accessible as $ENV{'name'}. So, to access the REMOTE_HOST 
and the REMOTE_USER, use, e.g.:
</P>

<PRE>
&lt;SCRIPT TYPE='text/ssperl'&gt;
($ENV{'REMOTE_HOST'}||"-")." $ENV{'REMOTE_USER'}"
&lt;/SCRIPT&gt;
</PRE>

<P>
(This will print a "-" if REMOTE_HOST is not known)
Another way to do this is:
</P>

<PRE>
&lt;META CONTENT="text/ssperl; CGI='$REMOTE_HOST = - $REMOTE_USER'"&gt;
&lt;SCRIPT TYPE='text/ssperl'&gt;"$REMOTE_HOST $REMOTE_USER"&lt;/SCRIPT&gt;
</PRE>

or

<PRE>
&lt;META CONTENT='text/ssperl; CGI="$REMOTE_HOST = - $REMOTE_USER"
SRC={"$REMOTE_HOST $REMOTE_USER\n"}'&gt;
</PRE>

<P>
This is possible because ALL environment variables are available as 
CGI variables. The environment variables take precedence over CGI 
names in case of a "name clash". For instance:
</P>

<PRE>
&lt;META CONTENT="text/ssperl; CGI='$HOME' SRC={$HOME}"&gt;
</PRE>

<P>
Will print the current HOME directory (environment) irrespective whether
there is a CGI variable from the query 
(e.g., Where do you live? &lt;INPUT TYPE="TEXT" NAME="HOME"&gt;)
THIS IS A SECURITY FEATURE. It prevents clients from changing
the values of defined environment variables (e.g., by supplying
a bogus $REMOTE_ADDR). Although $ENV{} is not changed by the META tags, 
it would make the use of declared variables insecure. You can still 
access CGI variables after a name clash with 
CGIscriptor::CGIparseValue(&lt;name&gt;).
</P>

<P>
Some CGI variables are present several times in the query string
(e.g., from multiple selections). These should be defined as
@VARIABLENAME=default in the CGI attribute. The list @VARIABLENAME
will contain ALL VARIABLENAME values from the query, or a single
default value. If there is an ENVIRONMENT variable of the
same name, it will be used instead of the default AND the query
values. The corresponding function is 
CGIscriptor::CGIparseValueList(&lt;name&gt;)
</P>

<P>
CGI variables collected in a @VARIABLENAME list are unordered.
When more structured variables are needed, a hash table can be used.
A variable defined as %VARIABLE=default will collect all 
CGI-parameter values whose name start with 'VARIABLE' in a hash table 
with the remainder of the name as a key. For instance, %PERSON will 
collect PERSONname='John Doe', PERSONbirthdate='01 Jan 00', and 
PERSONspouse='Alice' into a hash table %PERSON such that 
$PERSON{'spouse'} equals 'Alice'. Any default value or environment 
value will be stored under the "" key. If there is an ENVIRONMENT 
variable of the same name, it will be used instead of the default 
AND the query values. The corresponding function is 
CGIscriptor::CGIparseValueHash(&lt;name&gt;)
</P>

<P>
This method of first declaring your environment and CGI variables
before being able to use them in the scripts might seem somewhat 
clumsy, but it protects you from inadvertedly printing out the values of 
system environment variables when their names coincide with those used 
in the CGI forms. It also prevents "clients" from supplying CGI parameter
values for your private variables.
THIS IS A SECURITY FEATURE!
</P>

<A NAME="NON-HTML"><H2 ALIGN="CENTER">NON-HTML CONTENT TYPES</H2></A>

<P>
Normally, CGIscriptor prints the standard "Content-type: text/html\n\n" 
message before anything is printed.  This has been extended to include 
plain text (.txt) files, for which the Content-type (MIME type) 
'text/plain' is printed. In all other respects, text files are treated as 
HTML files (this can be switched off by removing '.txt' from the 
$FilePattern variable). When the content type should be something else, 
e.g., with multipart files, use the $RawFilePattern (.xmr, see also next 
item). CGIscriptor will not print a Content-type message for this file type 
(which must supply its OWN Content-type message). Raw files must still 
conform to the &lt;SCRIPT&gt;&lt;/SCRIPT&gt; and &lt;META&gt; tag 
specifications.
</P>

<A NAME="BINFILES"><H2 ALIGN="CENTER">NON-HTML FILES</H2></A>

<P>
CGIscriptor is intended to process HTML and text files only. You can 
create documents of any mime-type on-the-fly using "raw" text files, e.g., 
with the .xmr extension. However, CGIscriptor will not process binary files 
of any type, e.g., pictures or sounds. Given the sheer number of formats, I 
do not have any intention to do so. However, an escape route has been 
provided. You can construct a genuine raw (.xmr) text file that contains 
the perl code to service any file type you want. If the global 
$BinaryMapFile variable contains the path to this file (e.g., 
/BinaryMapFile.xmr), this  file will be called whenever an unsupported 
(non-HTML) file type is  requested. The path to the requested binary file 
is stored in  $ENV('CGI_BINARY_FILE') and can be used like any other 
CGI-variable. Servicing binary files then becomes supplying the correct 
Content-type (e.g., print "Content-type: image/jpeg\n\n";) and reading the 
file and writing it to STDOUT (e.g., using sysread() and syswrite()).
</P>

<A NAME="META"><H2 ALIGN="CENTER">THE META TAG</H2></A>

<P>
All attributes of a META tag are ignored, except the 
CONTENT='text/ssperl; CGI=" ... " [SRC=" ... "]' attribute. The string
inside the quotes following the CONTENT= indication (white-space is
ignored, "'` (){}[]-quotes are allowed, plus their \ versions) MUST 
start with any of the CGIscriptor mime-types (e.g.: text/ssperl or 
text/osshell) and a comma or semicolon. 
The quoted string following CGI= contains a white-space separated list 
of declarations of the CGI (and Environment) values and default values 
used when no CGI values are supplied by the query string.
</P>

<P>
If the default value is a longer string containing special characters, 
possibly spanning several lines, the string must be enclosed in quotes. 
You may use any pair of quotes or brackets from the list '', "", ``, (), 
[], or {} to distinguish default values (or preceded by \, e.g., \(...\) 
is different from (...)). The outermost pair will always be used and any 
other quotes inside the string are considered to be part of the string 
value, e.g.,
</P>

<PRE>
$Value = {['this'
"and" (this)]}
</PRE>

<P>
will result in $Value getting the default value
</P>

<PRE>
['this'
"and" (this)]
</PRE>

<P>
(NOTE that the newline is part of the default value!).
</P>

<P>
Internally, for defining and initializing CGI (ENV) values, the META 
and SCRIPT tags use the function "defineCGIvariable($name, $default)" 
(scalars) and "defineCGIvariableList($name, $default)" (lists). 
These functions can be used inside scripts as 
"CGIscriptor::defineCGIvariable($name, $default)" and
"CGIscriptor::defineCGIvariableList($name, $default)".
</P>

<P>
The CGI attribute will be processed exactly identical when used inside
the  &lt;SCRIPT&gt; tag. However, this use is not according to the 
HTML 4.0 specifications of the W3C.
</P>

<A NAME="DIV"><H2 ALIGN="CENTER">THE DIV/INS TAG</H2></A>

<P>
There is a problem when constructing html files containing
server-side perl scripts with standard HTML tools. These
tools will refuse to process any text between 
&lt;SCRIPT&gt;&lt;/SCRIPT&gt;
tags. This is quite annoying when you want to use large
HTML templates where you will fill in values.
</P>

<P>
For this purpose, CGIscriptor will read the neutral 
&lt;DIV CLASS="ssperl" ID="varname"&gt;&lt;/DIV&gt;
&lt;INS CLASS="ssperl" ID="varname"&gt;&lt;/INS&gt;
tag (in Cascading Style Sheet manner) Note that "varname" has
NO '$' before it, it is a bare name. Any text between
these &lt;DIV ...&gt;&lt;/DIV&gt; or 
&lt;INS ...&gt;&lt;/INS&gt; tags will be assigned
to '$varname' as is (e.g., as a literal). No 
processing or interpolation will be performed. 
There is also NO nesting possible. Do NOT nest
&lt;/DIV&gt; inside a &lt;DIV&gt;&lt;/DIV&gt;! 
Moreover, DIV tags do NOT ensure a block structure in 
the final rendering (i.e., no empty lines).
</P>

<P>
Note that &lt;DIV CLASS="ssperl" ID="varname"/&gt;
is handled the XML way. No content is processed,
but varname is defined, and any SRC directives are
processed.
</P>

<P>
You can use $varname like any other variable name. 
However, $varname is NOT a CGI variable and will be 
completely internal to your script. There is NO 
interaction between $varname and the outside world.
</P>

<P>
To interpolate a DIV derived text, you can use:
<pre>
$varname =~ s/([\]])/\\\1/g; # Mark ']'-quotes
$varname = eval("qq[$varname]"); # Interpolate all values
</pre>
</P>

<p>
The DIV tag will process IF, UNLESS, CGI and SRC attributes. 
The SRC files will be pre-pended to the body
text of the tag.
</p>

<A NAME="IFUNLESS"><H2 ALIGN="CENTER">
CONDITIONAL PROCESSING: THE 'IF' AND 'UNLESS' ATTRIBUTES
</H2></A>

<p>
It is often necessary to include code-blocks that should be executed
conditionally, e.g., only for certain browsers or operating system.
Furthermore, quite often sanity and security checks are necessary
before user (form) data can be processed, e.g., with respect to
email addresses and filenames.
</p>

<p>
Checks added to the code are often difficult to find, interpret or 
maintain and in general mess up the code flow. This kind of confussion 
is dangerous. Also, for many of the supported "foreign" scripting 
languages, adding these checks is cumbersome or even impossible. 
</p>

<p>
As a uniform method for asserting the correctness of "context", two 
attributes are added to all supported tags: IF and UNLESS. 
They both evaluate their value and block execution when the
result is &lt;FALSE&gt; (IF) or &lt;TRUE&gt; (UNLESS) in Perl, e.g., 
UNLESS='$NUMBER \&gt; 100;' blocks execution if $NUMBER &lt;= 100. Note that
the backslash in the '\&gt;' is removed and only used to differentiate 
this conditional '&gt;' from the tag-closing '&gt;'. For symmetry, the
backslash in '\&lt;' is also removed. Inside these conditionals, 
~/ and ./ are expanded to their respective directory root paths.
</p>

<p>
For example, the following tag will be ignored when the filename is 
invalid:
</p>

<pre>
&lt;SCRIPT TYPE='text/ssperl' CGI='$FILENAME' 
IF='CGIscriptor::CGIsafeFileName($FILENAME);'&gt;
...
&lt;/SCRIPT&gt;
</pre>

<p>
The IF and UNLESS values must be quoted. The same quotes are supported
as with the other attributes. The SRC attribute is ignored when IF and 
UNLESS block execution.
</p>

<A NAME="SRC"><H2 ALIGN="CENTER">
THE MAGIC SOURCE ATTRIBUTE (SRC=)</H2></A>

<P>
The SRC attribute inside tags accepts a list of filenames and URL's
separated by "," comma's (or ";" semicolons).
</P>

<P>
ALL the variable values defined in the CGI attribute are available in 
@ARGV as if the file was executed from the command line, in 
the exact order in which they were declared in the preceding CGI 
attribute.
</P>

<P>
First, a SRC={}-block will be evaluated as if the code inside the 
block was part of a &lt;SCRIPT&gt;&lt;/SCRIPT&gt; construct, i.e.,
"print do { code };'';" or `code` (i.e., SAFEqx('code)). 
Only a single block is evaluated. Note that this is processed less 
efficiently than &lt;SCRIPT&gt; &lt;/SCRIPT&gt; blocks. Type of evaluation 
depends on the content-type: Perl for text/ssperl and OS shell for 
text/osshell. For other mime types (scripting languages), anything in 
the source block is put in front of the code block "inside" the tag.
</P>

<P>
Second, executable files (i.e., -x filename != 0) are evaluated as:
print `filename \'$ARGV[0]\' \'$ARGV[1]\' ...`
That is, you can actually call executables savely from the SRC tag.
</P>

<P>
Third, text files that match the file pattern, used by CGIscriptor to
check whether files should be processed ($FilePattern), are 
processed in-line (i.e., recursively) by CGIscriptor as if the code
was inserted in the original source file. Recursions, i.e., calling
a file inside itself, are blocked. If you need them, you have to code
them explicitely using "main::ProcessFile($file_path)".
</P>

<P>
Fourth, Perl text files (i.e., -T filename != 0) are evaluated as: 
"do FileName;'';".
</P>

<P>
Last, URL's (i.e., starting with 'HTTP://', 'FTP://', 'GOPHER://', 'TELNET://', 
'WHOIS://' etc.) are loaded and printed. The loading and handling of &lt;BASE&gt; 
and document header is done by main::GET_URL($URL [, 0]). You can enter your own 
code (default is <i>curl</i>, <i>snarf</i>, or <i>wget</i> and some 
post-processing to add a &lt;BASE&gt; tag).
</P>

<P>
There are two pseudo-file names: PREFIX and POSTFIX. These implement
a switch from prefixing the SRC code/files (PREFIX, default) before the content of
the tag to appending the code after the content of the tag (POSTFIX). The switches
are done in the order in which the PREFIX and POSTFIX labels are encountered.
You can mix PREFIX and POSTFIX labels in any order with the SRC files.
Note that the ORDER of file execution is determined for prefixed and
postfixed files seperately.
<P>

<P>
File paths can be preceded by the URL protocol prefix "file://". This
is simply STRIPPED from the name.
</P>

<P>
Example:
</P>

<P>
The request 
"http://cgi-bin/Action_Forms.pl/Statistics/Sign_Test.html?positive=8&negative=22
will result in printing "${SS_PUB}/Statistics/Sign_Test.html"
With QUERY_STRING = "positive=8&negative=22"
</P>

<P>
on encountering the lines:
</P>

<PRE>
&lt;META CONTENT="text/osshell; CGI='$positive=11 $negative=3'"&gt;
&lt;b&gt;&lt;SCRIPT TYPE="text/ssperl" SRC="./Statistics/SignTest.pl"&gt;
&lt;/SCRIPT&gt;&lt;/b&gt;&lt;p&gt;"
</PRE>

This line will be processed as:

<PRE>
"&lt;b&gt;`${SS_SCRIPT}/Statistics/SignTest.pl '8' '22'`&lt;/b&gt;&lt;p&gt;"
</PRE>

<P>
In which "${SS_SCRIPT}/Statistics/SignTest.pl" is an executable script, 
This line will end up printed as:
</P>

<PRE>
"&lt;b&gt;p &lt;= 0.0161&lt;/b&gt;&lt;p&gt;"
</PRE>

<P>
Note that the META tag itself will never be printed, and is invisible to 
the outside world.
</P>

<P>
The SRC files in a DIV/INS tag will be added (pre-pended) to the body
of the &lt;DIV&gt;&lt;/DIV&gt; tag. Blocks are NOT executed!
</P>

<A NAME="ROOT"><H2 ALIGN="CENTER">THE CGISCRIPTOR ROOT DIRECTORIES ~/ AND ./</H2></A>

<P>
Inside &lt;SCRIPT&gt;&lt;/SCRIPT&gt; tags, filepaths starting 
with "~/" are replaced by "$YOUR_HTML_FILES/", this way files in the 
public directories can be accessed without direct reference to the 
actual paths. Filepaths starting with "./" are replaced by 
"$YOUR_SCRIPTS/" and this should only be used for scripts.
The "$YOUR_SCRIPTS" directory is added to @INC so, e.g., the 
'require' command will load from the "$YOUR_SCRIPTS" directory.
</P>

<P>
<b>Note:</b> this replacement can seriously affect Perl scripts. Watch
out for constructs like $a =~ s/aap\./noot./g, use 
$a =~ s@aap\.@noot.@g instead.
</P>

<P>
CGIscriptor.pl will assign the values of $SS_PUB and $SS_SCRIPT
(i.e., $YOUR_HTML_FILES and $YOUR_SCRIPTS) to the environment variables 
$SS_PUB and $SS_SCRIPT. These can be accessed by the scripts that are 
executed. The "$SS_SCRIPT" ($YOUR_SCRIPTS) directory is added to 
@INC so, e.g., the 'require' command will load from the "$SS_SCRIPT" 
directory.<br>
Values not preceded by $, ~/, or ./ are used as literals
</P>

<A NAME="OSSHELL"><H2 ALIGN="CENTER">OS SHELL SCRIPT EVALUATION (CONTENT-TYPE=TEXT/OSSHELL)</H2></A>

<P>
OS scripts are executed by a "safe" version of the `` operator (i.e., 
SAFEqx(), see also below) and any output is printed. CGIscriptor will 
interpolate the script and replace all user-supplied CGI-variables by 
their ''-quoted values (actually, all variables defined in CGI attributes are 
quoted). Other Perl variables are interpolated in a simple fasion, i.e., 
$scalar by their value, @list by join(' ', @list), and %hash by their 
name=value pairs. Complex references, e.g., @$variable, are all 
evaluated in a scalar context. Quotes should be used with care. 
NOTE: the results of the shell script evaluation will appear in the
@CGIscriptorResults stack just as any other result.
</P>

<P>
All occurrences of $@% that should NOT be interpolated must be 
preceeded by a "\". Interpolation can be switched off completely by 
setting $CGIscriptor::NoShellScriptInterpolation = 1
(set to 0 or undef to switch interpolation on again)
i.e.,
</P>

<PRE>
&lt;SCRIPT TYPE="text/ssperl"&gt;
$CGIscriptor::NoShellScriptInterpolation = 1;
&lt;/SCRIPT&gt;
</PRE>

<A NAME="TRANSLATIONS">
<H2 ALIGN="CENTER">RUN TIME TRANSLATION OF INPUT FILES</h2>

<p>
Allows general and global conversions of files using Regular Expressions.
Very handy (but costly) to rewrite legacy pages to a new format.
Select files to use it on with <br>
my $TranslationPaths = 'filepattern';<br>
This is costly. For efficiency, define:<br>
$TranslationPaths = ''; when not using translations.<br>
Accepts general regular expressions: [$pattern, $replacement]
</p>

<p>
Define:</p>
<pre>
my $TranslationPaths = 'filepattern'; # Pattern matching PATH_INFO

push(@TranslationTable, ['pattern', 'replacement']);
# e.g. (for Ruby Rails):
push(@TranslationTable, ['&lt;%=', '&lt;SCRIPT TYPE="text/ssruby"&gt;']);
push(@TranslationTable, ['%&gt;', '&lt;/SCRIPT&gt;']);

# Runs:
my $currentRegExp;
foreach $currentRegExp (@TranslationTable)
{
    my ($pattern, $replacement) = @$currentRegExp;
    $$text =~ s!$pattern!$replacement!msg;
};
</pre>

<A NAME="LANGUAGES">
<H2 ALIGN="CENTER">EVALUATION OF OTHER SCRIPTING LANGUAGES</H2>
</A>

<P>
Adding a MIME-type and an interpreter command to 
%ScriptingLanguages automatically will catch any other 
scripting language in the standard 
&lt;SCRIPT TYPE="[mime]"&gt;&lt;/SCRIPT&gt; manner.
E.g., adding: $ScriptingLanguages{'text/sspython'} = 'python';
will actually execute the folowing code in an HTML page
(ignore 'REMOTE_HOST' for the moment):
</P>

<PRE>
&lt;SCRIPT TYPE="text/sspython"&gt;
# A Python script
x = ["A","real","python","script","Hello","World","and", REMOTE_HOST]
print x[4:8] # Prints the list ["Hello","World","and", REMOTE_HOST]
&lt;/SCRIPT&gt;
</PRE>

<P>
The script code is NOT interpolated by perl, EXCEPT for those 
interpreters that cannot handle variables themselves.
Currently, several interpreters are pre-installed:
</P>

<PRE>
Perl test -  "text/testperl" =&gt; 'perl',  
Python    -  "text/sspython" =&gt; 'python', 
Ruby      -  "text/ssruby"   =&gt; 'ruby',  
Tcl       -  "text/sstcl"    =&gt; 'tcl',    
Awk       -  "text/ssawk"    =&gt; 'awk -f-',  
Gnu Lisp  -  "text/sslisp"   =&gt; 'rep | tail +5 '.
#                                 "| egrep -v '&gt; |^rep. |^nil\\\$'",   
Gnu Prolog-  "text/ssprolog" =&gt; 'gprolog',  
M4 macro's-  "text/ssm4"     =&gt; 'm4',
Born shell-  "text/sh"       =&gt; 'sh',        
Bash      -  "text/bash"     =&gt; 'bash',
C-shell   -  "text/csh"      =&gt; 'csh',
Korn shell-  "text/ksh"      =&gt; 'ksh',
Praat     -  "text/sspraat"    =&gt; "praat - | sed 's/Praat &gt; //g'",            
R         -  "text/ssr" =&gt; "R --vanilla --slave | sed 's/^[\[0-9\]*] //g'",   
REBOL     -   "text/ssrebol" =&gt; 
              "rebol --quiet|egrep -v '^[&gt; ]* == '|sed 's/^\s*\[&gt; \]* //g'", 
PostgreSQL-  "text/postgresql" =&gt; 'psql 2&gt;/dev/null',
(psql)
</PRE>

<P>
Note that the "value" of $ScriptingLanguages{mime} must be a command
that reads Standard Input and writes to standard output. Any extra
output of interactive interpreters (banners, echo's, prompts)
should be removed by piping the output through 'tail', 'grep',
'sed', or even 'awk' or 'perl'.
</P>

<P>
For access to CGI variables there is a special hashtable:
%ScriptingCGIvariables. 
CGI variables can be accessed in three ways.
<dl>
<dt>1. If the mime type is not present in %ScriptingCGIvariables, 
nothing is done and the script itself should parse the relevant 
environment variables.
<dt>2. If the mime type IS present in %ScriptingCGIvariables, but it's
value is empty, e.g., $ScriptingCGIvariables{"text/sspraat"}  = '';,
the script text is interpolated by perl. That is, all $var, @array,
%hash, and \-slashes are replaced by their respective values.
<dt>3. In all other cases, the CGI and environment variables are added
in front of the script according to the format stored in 
%ScriptingCGIvariables. That is, the following (pseudo-)code is 
executed for each CGI- or Environment variable defined in the CGI-tag:
printf(INTERPRETER, $ScriptingCGIvariables{$mime}, $CGI_NAME, $CGI_VALUE);
</dl>
</P>

<P>
For instance, "text/testperl" =&gt; '$%s = "%s";' defines variable
definitions for Perl, and "text/sspython" =&gt; '%s = "%s"' for Python
(note that these definitions are not save, the real ones contain '-quotes).
</P>

<P>
THIS WILL NOT WORK FOR @VARIABLES, the (empty) $VARIABLES will be used
instead.
</P>

<P>
The $CGI_VALUE parameters are "shrubed" of all control characters
and quotes (by &shrubCGIparameter($CGI_VALUE)). Control characters
are replaced by \0&lt;octal ascii value&gt; and quotes by their HTML character
value (&#8217; -&gt; &amp;#8217; &#8216; -&gt; &amp;#8216; 
&quot; -&gt; &amp;quot;). For example:
if a client would supply the string value  (in standard perl)
</P>

<P>
<PRE>"/dev/null';\nrm -rf *;\necho '"</PRE>
it would be processed as 
<PRE>'/dev/null&amp;#8217;;\015rm -rf *;\015echo &amp;#8217;'</PRE>
(e.g., sh or bash would process the latter more according to your 
intentions).<br>
If your intepreter requires different protection measures, you will
have to supply these in %main::SHRUBcharacterTR (string =&gt; translation), 
e.g., 

<PRE>
$SHRUBcharacterTR{"\'"} = "&amp;#8217;";
</PRE>
</P>

<P>
Currently, the following definitions are used:
</P>

<PRE>
%ScriptingCGIvariables = (
"text/testperl" =&gt; "\$\%s = '\%s';",    # Perl          $VAR = 'value' (for testing)
"text/sspython" =&gt; "\%s = '\%s'",       # Python        VAR = 'value'
"text/ssruby"   =&gt; '@%s = "%s"',        # Ruby          @VAR = "value"
"text/sstcl"    =&gt; 'set %s "%s"',       # TCL           set VAR "value"
"text/ssawk"    =&gt; '%s = "%s";',        # Awk           VAR = "value"; 
"text/sslisp"   =&gt; '(setq %s "%s")',   # Gnu lisp (rep) (setq VAR "value")
"text/ssprolog" =&gt; '',                 # Gnu prolog    (interpolated)
"text/ssm4"     =&gt; "define(`\%s', `\%s')", # M4 macro's define(`VAR', `value')
"text/sh"       =&gt; "\%s='\%s';",       # Born shell    VAR='value'; 
"text/bash"     =&gt; "\%s='\%s';",       # Born again shell VAR='value';
"text/csh"      =&gt; "\$\%s = '\%s';",   # C shell       $VAR = 'value';
"text/ksh"      =&gt; "\$\%s = '\%s';",   # Korn shell    $VAR = 'value';
"text/sspraat"  =&gt; '',                  # Praat         (interpolation) 
"text/ssr"      =&gt; '%s &lt;- "%s";',       # R             VAR &lt;- "value";
"text/ssrebol"  =&gt; '%s: copy "%s"',     # REBOL         VAR: copy "value"
"text/postgresql" =&gt; '',                # PostgreSQL    (interpolation) 
"" =&gt; ""
);
</PRE>

<P>
Four tables allow fine-tuning of interpreter with code that should be 
added before and after each code block:
</P>

<P>
Code added before each script block
</P>

<PRE>
%ScriptingPrefix = (
"text/testperl" =&gt; "\# Prefix Code;",   # Perl script testing
"text/ssm4"     =&gt;  'divert(0)'        # M4 macro's (open STDOUT)
);
</PRE>

<P>
Code added at the end of each script block
</P>

<PRE>
%ScriptingPostfix = (
"text/testperl" =&gt; "\# Postfix Code;",  # Perl script testing
"text/ssm4"     =&gt;  'divert(-1)'       # M4 macro's (block STDOUT)
);
</PRE>

<P>
Initialization code, inserted directly after opening (NEVER interpolated)
</P>

<PRE>
%ScriptingInitialization = (
"text/testperl" =&gt; "\# Initialization Code;", # Perl script testing
"text/ssawk"    =&gt; 'BEGIN {',                # Server Side awk scripts
"text/sslisp"   =&gt; '(prog1 nil ',            # Lisp (rep)
"text/ssm4"     =&gt;  'divert(-1)'             # M4 macro's (block STDOUT)
);
</PRE>

<P>
Cleanup code, inserted before closing (NEVER interpolated)
</P>

<PRE>
%ScriptingCleanup = (
"text/testperl" =&gt; "\# Cleanup Code;",  # Perl script testing
"text/sspraat" =&gt; 'Quit',
"text/ssawk"    =&gt; '};',        # Server Side awk scripts
"text/sslisp"   =&gt;  '(princ "\n" standard-output)).'   # Closing print to rep
"text/postgresql" =&gt; '\q',
);
</PRE>

<P>
The SRC attribute is NOT magical for these interpreters. In short,
all code inside a source file or {} block is written verbattim
to the interpreter. No (pre-)processing or executional magic is done.
</P>

<P>
A serious shortcomming of the described mechanism for handling other
(scripting) languages, with respect to standard perl scripts 
(i.e., 'text/ssperl'), is that the code is only executed when 
the pipe to the interpreter is closed. So the pipe has to be 
closed at the end of each block. This means that the state of the 
interpreter (e.g., all variable values) is lost after the closing of 
the next &lt;/SCRIPT&gt; tag. The standard 'text/ssperl' scripts retain 
all values and definitions.
</P>


<A NAME="APPLIC"><H2 ALIGN="CENTER">APPLICATION MIME TYPES</H2></A>

<P>
To ease some important auxilliary functions from within the
html pages I have added them as MIME types. This uses
the mechanism that is also used for the evaluation of
other scripting languages, with interpolation of CGI
parameters (and perl-variables). Actually, these are
defined exactly like any other "scripting language".
</P>

<dl>
<dt>text/ssdisplay: 
<dd>display some (HTML) text with interpolated 
                 variables (uses `cat`).
<dt>text/sslogfile: 
<dd>write (append) the interpolated block to the file
                 mentioned on the first, non-empty line
                 (the filename can be preceded by 'File: ',
                 note the space after the ':', 
                 uses `awk .... &gt;&gt; &lt;filename&gt;`).
<dt>text/ssmailto:  
<dd>send email directly from within the script block. 
                 The first line of the body must contain
                 To:Name@Valid.Email.Address 
                 (note: NO space between 'To:' and the email adres)
                 For other options see the mailto man pages.
                 It works by directly sending the (interpolated) 
                 content of the text block to a pipe into the 
                 Linux program 'mailto'.
</dl>

<P>
In these script blocks, all Perl variables will be 
replaced by their values. All CGI variables are cleaned before 
they are used. These CGI variables must be redefined with a 
CGI attribute to restore their original values.
In general, this will be more secure than constructing
e.g., your own email command lines. For instance, Mailto will
not execute any odd (forged) email address, but just stops
when the email address is invalid and awk will construct 
any filename you give it (e.g. '&lt;File;rm\\\040-f' would end up
as a "valid" UNIX filename). Note that it will also gladly
store this file anywhere (/../../../etc/passwd will work!).
Use the CGIscriptor::CGIsafeFileName() function to clean the 
filename.
</P>

<A NAME="PIPES"><H2 ALIGN="CENTER">SHELL SCRIPT PIPING</H2></A>

<P>
If a shell script starts with the UNIX style "#! &lt;shell command&gt; \n"
line, the rest of the shell script is piped into the indicated command, 
i.e.,
open(COMMAND, "| command");print COMMAND $RestOfScript;
</P>

<P>
In many ways this is equivalent to the MIME-type profiling for 
evaluating other scripting languages as discussed above. The 
difference breaks down to convenience. Shell script piping is a 
"raw" implementation. It allows you to control all aspects of 
execution. Using the MIME-type profiling is easier, but has a 
lot of defaults built in that might get in the way. Another
difference is that shell script piping uses the SAFEqx() function, 
and MIME-type profiling does not.
</P>

<P>
Execution of shell scripts is under the control of the Perl Script blocks
in the document. The MIME-type triggered execution of <SCRIPT></SCRIPT>
blocks can be simulated easily. You can switch to a different shell, e.g. tcl, 
completely by executing the following Perl commands inside your document:
</P>

<PRE>
&lt;SCRIPT TYPE="text/ssperl"&gt;
$main::ShellScriptContentType = "text/ssTcl";     # Yes, you can do this
CGIscriptor::RedirectShellScript('/usr/bin/tcl'); # Pipe to Tcl
$CGIscriptor::NoShellScriptInterpolation = 1;
&lt;/SCRIPT&gt;
</PRE>

<P>
After this script is executed, CGIscriptor will parse scripts of
TYPE="text/ssTcl" and pipe their contents into '|/usr/bin/tcl'
WITHOUT interpolation (i.e., NO substitution of Perl variables).
The crucial function is :
</P>

<PRE>
CGIscriptor::RedirectShellScript('/usr/bin/tcl')
</PRE>

<P>
After executing this function, all shell scripts AND all 
calls to SAFEqx()) are piped into '|/usr/bin/tcl'. If the argument 
of RedirectShellScript is empty, e.g., '', the original (default) 
value is reset.
</P>

<P>
The standard output, STDOUT, of any pipe is send to the client. 
Currently, you should be carefull with quotes in such a piped script.
The results of a pipe is NOT put on the @CGIscriptorResults stack.
As a result, you do not have access to the output of any piped (#!)
process! If you want such access, execute
</P>

<PRE>
&lt;SCRIPT TYPE="text/ssperl"&gt;echo "script"|command&lt;/SCRIPT&gt;
</PRE>

<P>
or
</P>  

<PRE>
&lt;SCRIPT TYPE="text/ssperl"&gt;
$resultvar = SAFEqx('echo "script"|command');
&lt;/SCRIPT&gt;.
</PRE>

<P>
Safety is never complete. Although SAFEqx() prevents some of the 
most obvious forms of attacks and security slips, it cannot prevent 
them all. Especially, complex combinations of quotes and intricate 
variable references cannot be handled safely by SAFEqx. So be on  
guard.
</P>

<A NAME="SSPERL"><H2 ALIGN="CENTER">PERL CODE EVALUATION (CONTENT-TYPE=TEXT/SSPERL)</H2></A>

<P>
All PERL scripts are evaluated inside a PERL package. This package 
has a separate name space. This isolated name space protects the 
CGIscriptor.pl program against interference from user code. However, 
some variables, e.g., $_, are global and cannot be protected. You are 
advised NOT to use such global variable names. You CAN write 
directives that directly access the variables in the main program. 
You do so at your own risk (there is definitely enough rope available 
to hang yourself). The behavior of CGIscriptor becomes undefined if 
you change its private variables during run time. The PERL code 
directives are used as in:
</P>

<PRE>
$Result = eval($directive); print $Result;'';
</PRE>

<P>
($directive contains all text between &lt;SCRIPT&gt;&lt;/SCRIPT&gt;).
That is, the &lt;directive&gt; is treated as ''-quoted string and
the result is treated as a scalar. To prevent the VALUE of the code
block from appearing on the client's screen, end the directive with 
';""&lt;/SCRIPT&gt;'. Evaluated directives return the last value, just as 
eval(), blocks, and subroutines, but only as a scalar.
</P>

<P>
IMPORTANT: All PERL variables defined are persistent. Each &lt;SCRIPT&gt;
&lt;/SCRIPT&gt; construct is evaluated as a {}-block with associated scope
(e.g., for "my $var;" declarations). This means that values assigned 
to a PERL variable can be used throughout the document unless they
were declared with "my". The following will actually work as intended 
(note that the ``-quotes in this example are NOT evaluated, but used 
as simple quotes):
</P>

<PRE>
&lt;META CONTENT="text/ssperl; CGI=`$String='abcdefg'`"&gt;
anything ...
&lt;SCRIPT TYPE="text/ssperl"&gt;@List = split('', $String);&lt;/SCRIPT&gt;
anything ...
&lt;SCRIPT TYPE="text/ssperl"&gt;join(", ", @List[1..$#List]);&lt;/SCRIPT&gt;
</PRE>

<P>
The first &lt;SCRIPT TYPE="text/ssperl"&gt;&lt;/SCRIPT&gt; construct will return the 
value scalar(@List), the second &lt;SCRIPT TYPE="text/ssperl"&gt;&lt;/SCRIPT&gt; 
construct will print the elements of $String separated by commas, leaving 
out the first element, i.e., $List[0].
</P>

<p>
Another warning: './' and '~/' are ALWAYS replaced by the values of 
$YOUR_SCRIPTS and $YOUR_HTML_FILES, respectively . This can interfere
with pattern matching, e.g., $a =~ s/aap\./noot\./g will result in the
evaluations of $a =~ s/aap\\${YOUR_SCRIPTS}noot\./g. Use 
s@<i>regexp</i>@<i>replacement</i>@g instead.
</p>

<A NAME="SESSIONTICKETS"><H2 ALIGN="CENTER">SERVER SIDE SESSIONS AND ACCESS CONTROL (LOGIN)</H2></A>
<p>
An infrastructure for user acount authorization and file access control
is available. Each request is matched against a list of URL path patterns.
If the request matches, a Session Ticket is required to access the URL.
This Session Ticket should be present as a CGI parameter:
</p>
<p>SESSIONTICKET=&lt;value&gt;</p>
<p>
The example implementation stores Session Tickets as files in a local
directory. To create Session Tickets, a Login request must be given 
with a LOGIN=&lt;value&gt; CGI parameter, a user name and a (doubly hashed)
password. The user name and (singly hashed) password are stored in a
PASSWORD ticket with the same name as the user account (name cleaned up 
for security).
</p>
<p>
The example session model implements 3 functions:
<ol>
<li>Login<br />
The password is hashed with the server side salt, and then hashed with
a Random salt. Client and Server both perform these actions and the
Server only grants access if restults are the same. The server side only 
stores the password hashed with the
server side salt. Neither the plain password, nor the hashed password is
ever exchanged. Only values hashed with the one-time salt are exchanged.
</li>
<li>Session<br />
For every access to a restricted URL, the Session Ticket is checked before
access is granted. There are two session modes. The first uses a fixed
Session Ticket that is stored as a cookie value in the browser. The second
is a Challenge mode, where the client has to calculate the value of the
one-time Session Ticket from a value derived from the password and 
a random string.
</li>
<li>Password Change<br />
A new password is hashed with the server side salt, and then encrypted
(XORed)
with the old password hashed with the salt. That value is exchanged 
and XORed with the stored old hashed(salt+password). Again, the
stored password value is never exchanged unencrypted.
</li>
</ol>
</p>
<H3 ALIGN="CENTER">Implementation</H3>
<p>
The session authentication mechanism is based on the exchange of ticket
identifiers. A ticket identifier is just a string of characters, a name 
or a random 40 character hexadecimal string. There are four types of 
tickets:
<ul>
<li>PASSWORD: User account descriptors, including a user name and password</li>
<li>LOGIN: Temporary anonymous tickets used during login</li>
<li>SESSION: Reusable authetication tokens that allow access to specific URLs</li>
<li>CHALLENGE: One-time authetication tokens that allow access to specific URLs</li>
</ul>
All tickets can have an expiration date in the form of a time duration 
from creation, in seconds, minutes, hours, or days (<em>+duration</em>[smhd]).
An absolute time can be given in seconds since the epoch of the server host.
</p>
<p>
A Login page should create a LOGIN ticket file locally and send a
server specific SALT, a Random salt, and a LOGIN ticket 
identifier. The server side compares the username and hashed password, 
actually hashed(Random salt+hashed(SALT+password)) from the client with 
the values it calculates from the stored Random salt from the LOGIN 
ticket and the hashed(SALT+password) from the PASSWORD ticket. If 
successful, a new SESSION ticket is generated as a hash sum of the LOGIN 
ticket and the stored password. This SESSION ticket should also be 
generated by the client and stored as a cookie value. The Username, IP 
address and Path are available as $LoginUsername, $LoginIPaddress, and 
$LoginPath, respectively.
</p>
<p>
In the current example implementation, all random values are created as
a full, 160 bit SHA1 hash (Hex strings) of 32 bytes read from 
/dev/urandom.
</p>

<H3 ALIGN="CENTER">Security considerations with Session tickets</H3>
<p>
For strong security, please use end-to-end encryption. This can be 
achieved using a VPN (Virtual Private Network), SSH tunnel, or a HTTPS 
capable server with OpenSSL. The session ticket system of CGIscriptor.pl 
is intended to be used as a simple authentication mechanism WITHOUT
END-TO-END ENCRYPTION. The authenticating mechanism tries to use some
simple means to protect the authentication process from eavesdropping.
For this it uses a secure hash function, SHA1. For all practial purposes,
it is impossible to "decrypt" a SHA1 sum.
</p>
<p>
Humans tend to reuse passwords. A compromise of a site running 
CGIscriptor.pl could therefore lead to a compromise of user accounts at 
other sites. Therefore, plain text passwords are never stored, used, or 
even exchanged. Instead, a server site SALT value is "encrypted" with 
the plain password, actually, both are hashed with a one-way secure hash 
function (SHA1) into a single string. Whenever the word "password" is 
used, this hash sum is meant.
</p>
<p>
For the authentication and a change of password, the (old) password 
is used to "encrypt" a random one-time token or the new password, 
respectively. For authentication, decryption is not needed, so a secure 
hash function (SHA1) is used to create a one-way hash sum "encryption". 
A new password must be decrypted. New passwords are encryped by XORing 
them with the old password.
</p>

<A NAME="USEREXTENSIONS"><H2 ALIGN="CENTER">USER EXTENSIONS</H2></A>

<P>
A CGIscriptor package is attached to the bottom of this file. With
this package you can personalize your version of CGIscriptor by 
including often used perl routines. These subroutines can be 
accessed by prefixing their names with CGIscriptor::, e.g.,
</P>

<PRE>
&lt;SCRIPT TYPE="text/ssperl"&gt; 
CGIscriptor::ListDocs("/Books/*") # List all documents in /Books
&lt;/SCRIPT&gt;
</PRE>

<P>
It already contains some useful subroutines for Document Management.
As it is a separate package, it has its own namespace, isolated from
both the evaluator and the main program. To access variables from
the document &lt;SCRIPT&gt;&lt;/SCRIPT&gt; blocks, use $CGIexecute::&lt;var&gt;.
</P>

<P>
Currently, the following functions are implemented 
(precede them with CGIscriptor::, see below for more information)
</P>

<UL>
    <LI>SAFEqx ('String') -&gt; result of qx/"String"/ # Safe application of ``-quotes<br>
    Is used by text/osshell Shell scripts. Protects all CGI 
    (client-supplied) values with single quotes before executing the 
    commands (one of the few functions that also works WITHOUT CGIscriptor:: 
    in front)
    <LI>defineCGIvariable ($name[, $default) -&gt; 0/1 (i.e., 
    failure/success)<br>
    Is used by the META tag to define and initialize CGI and ENV 
    name/value pairs. Tries to obtain an initializing value from (in 
    order):<br>
    $ENV{$name}<br>
    The Query string<br>
    The default value given (if any)<br>
    (one of the few functions that also works WITHOUT CGIscriptor:: 
    in front)
    <LI>CGIsafeFileName (FileName) -> FileName or ""<br>
    Check a string against the Allowed File Characters (and ../ /..).
    Returns an empty string for unsafe filenames.
    <LI>CGIsafeEmailAddress (Email) -> Email or ""<br>
    Check a string against correct email address pattern.
    Returns an empty string for unsafe addresses.
    <LI>RedirectShellScript ('CommandString') -&gt; FILEHANDLER or undef<br>
    Open a named PIPE for SAFEqx to receive ALL shell scripts
    <LI>URLdecode (URL encoded string) -&gt; plain string # Decode URL encoded argument<br>
    <LI>URLencode (plain string) -&gt; URL encoded string # Encode argument as URL code<br>
    <LI>CGIparseValue (ValueName [, URL_encoded_QueryString]) -&gt; Decoded value<br>
    Extract the value of a CGI variable from the global or a private 
    URL-encoded query (multipart POST raw, NOT decoded)
    <li>CGIparseValueList (ValueName [, URL_encoded_QueryString]) 
     -&gt; List of decoded values.<br>
    As CGIparseValue, but now assembles ALL values of ValueName into a list.
    <LI>CGIparseHeader (ValueName [, URL_encoded_QueryString]) -> Header<br>
    Extract the header of a multipart CGI variable from the global or a private 
    URL-encoded query ("" when not a multipart variable or absent)
    <LI>CGIparseForm ([URL_encoded_QueryString]) -&gt; Decoded Form<br>
    Decode the complete global URL-encoded query or a private 
    URL-encoded query
    <LI>read_url(URL)<br>
    Returns the page from URL (with added base tag, both FTP and HTTP)
    Uses main::GET_URL(URL, 1) to get at the command to read the URL.
    <LI>BrowseDirs(RootDirectory [, Pattern, Startdir, CGIname]) # print browsable directories
    <LI>ListDocs(Pattern [,ListType])  # Prints a nested HTML directory listing of 
    all documents, e.g., ListDocs("/*", "dl");.<br>
    <LI>HTMLdocTree(Pattern [,ListType])  # Prints a nested HTML listing of all 
    local links starting from a given document, e.g., 
    HTMLdocTree("/Welcome.html", "dl");<br>
</UL>

<A NAME="RESULTSSTACK"><H2 ALIGN="CENTER">THE RESULTS STACK: @CGIscriptorResults</H2></A>

<P>
If the pseudo-variable "$CGIscriptorResults" has been defined in a
META tag, all subsequent SCRIPT and META results are pushed 
on the @CGIscriptorResults stack. This list is just another
Perl variable and can be used and manipulated like any other list.
$CGIscriptorResults[-1] is always the last result.
This is only of limited use, e.g., to use the results of an OS shell
script inside a Perl script. Will NOT contain the results of Pipes
or code from MIME-profiling.
</P>

<A NAME="CGIPREDEFINED"><H2 ALIGN="CENTER">USEFULL CGI PREDEFINED VARIABLES (DO NOT ASSIGN TO THESE)</H2></A>

<ul>
<li>$CGI_HOME - The ServerRoot directory
<li>$CGI_Decoded_QS - The complete decoded Query String
<li>$CGI_Content_Length - The ACTUAL length of the Query String
<li>$CGI_Date - Current date and time
<li>$CGI_Year $CGI_Month $CGI_Day $CGI_WeekDay - Current Date
<li>$CGI_Time - Current Time
<li>$CGI_Hour $CGI_Minutes $CGI_Seconds - Current Time, split
GMT Date/Time:
<li>$CGI_GMTYear $CGI_GMTMonth $CGI_GMTDay $CGI_GMTWeekDay $CGI_GMTYearDay 
<li>$CGI_GMTHour $CGI_GMTMinutes $CGI_GMTSeconds $CGI_GMTisdst
</ul>

<A NAME="ENVIRONMENT"><H2 ALIGN="CENTER">USEFULL CGI ENVIRONMENT VARIABLES</H2></A>

<P>
Variables accessible (in APACHE) as $ENV{"&lt;name&gt;"}
(see: "http://hoohoo.ncsa.uiuc.edu/cgi/env.html"):
</P>

<UL>
    <LI>QUERY_STRING - The query part of URL, that is, everything that follows the 
    question mark.
    <LI>PATH_INFO    - Extra path information given after the script name
    <LI>PATH_TRANSLATED - Extra pathinfo translated through the rule system. 
    (This doesn't always make sense.)
    <LI>REMOTE_USER  - If the server supports user authentication, and the script is 
    protected, this is the username they have authenticated as.
    <LI>REMOTE_HOST  - The hostname making the request. If the server does not have 
    this information, it should set REMOTE_ADDR and leave this unset
    <LI>REMOTE_ADDR  - The IP address of the remote host making the request.
    <LI>REMOTE_IDENT - If the HTTP server supports RFC 931 identification, then this 
    variable will be set to the remote user name retrieved from 
    the server. Usage of this variable should be limited to logging 
    only.
    <LI>AUTH_TYPE    - If the server supports user authentication, and the script 
    is protected, this is the protocol-specific authentication 
    method used to validate the user.
    <LI>CONTENT_TYPE - For queries which have attached information, such as HTTP 
    POST and PUT, this is the content type of the data.
    <LI>CONTENT_LENGTH - The length of the said content as given by the client.
    <LI>SERVER_SOFTWARE - The name and version of the information server software 
    answering the request (and running the gateway). 
    Format: name/version
    <LI>SERVER_NAME  - The server's hostname, DNS alias, or IP address as it 
    would appear in self-referencing URLs
    <LI>GATEWAY_INTERFACE - The revision of the CGI specification to which this 
    server complies. Format: CGI/revision
    <LI>SERVER_PROTOCOL - The name and revision of the information protocol this 
    request came in with. Format: protocol/revision
    <LI>SERVER_PORT  - The port number to which the request was sent.
    <LI>REQUEST_METHOD - The method with which the request was made. For HTTP, 
    this is "GET", "HEAD", "POST", etc.
    <LI>SCRIPT_NAME  - A virtual path to the script being executed, used for 
    self-referencing URLs.
    <LI>HTTP_ACCEPT  - The MIME types which the client will accept, as given by 
    HTTP headers. Other protocols may need to get this 
    information from elsewhere. Each item in this list should 
    be separated by commas as per the HTTP spec. 
    Format: type/subtype, type/subtype
    <LI>HTTP_USER_AGENT - The browser the client is using to send the request. 
    General format: software/version library/version.
</UL>

<A NAME="RUNNING"><H2 ALIGN="CENTER">INSTRUCTIONS FOR RUNNING CGIscriptor ON UNIX</H2></A>

<P>
CGIscriptor.pl will run on any WWW server that runs Perl scripts,
just add a line like the following to your srm.conf file 
(Apache example):
</P>

<pre>
ScriptAlias /SHTML/ /real-path/CGIscriptor.pl/
</pre>

<p>
URL's that refer to http://www.your.address/SHTML/... will now be handled 
by CGIscriptor.pl, which can use a private directory tree (default is the 
DOCUMENT_ROOT directory tree, but it can be anywhere, see manual).
</P>

<p>
If your hosting ISP won't let you add ScriptAlias lines you can use
the following "rewrite"-based "scriptalias" in .htaccess
(from Gerd Franke)
</P>

<pre>
RewriteEngine   On
RewriteBase  /
RewriteCond %{REQUEST_FILENAME} .html$
RewriteCond %{SCRIPT_FILENAME}  !cgiscriptor.pl$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule     ^(.*)$  /cgi-bin/cgiscriptor.pl/$1?%{QUERY_STRING}
</Pre>

<p>
Everthing with the extension ".html" and not including "cgiscriptor.pl" 
in the url and where the file "path/filename.html" exists is redirected 
to "/cgi.bin/cgiscriptor.pl/path/filename.html?query".
The user configuration should get the same path-level as the 
.htaccess-file:
</P>

<pre>
# Just enter your own directory path here
$YOUR_HTML_FILES = "$ENV{'DOCUMENT_ROOT'}";     
# use DOCUMENT_ROOT only, if .htaccess lies in the root-directory.
</Pre>

<p>
If this .htaccess goes in a specific directory, the path to this 
directory must be added to $ENV{'DOCUMENT_ROOT'}.
</p>

<p>
The CGIscriptor file contains all documentation as comments. These comments
can be removed to speed up loading (e.g., `egrep -v '^#' CGIscriptor.pl` > 
leanScriptor.pl). A bare bones version of CGIscriptor.pl, lacking
documentation, most comments, access control, example functions etc.
(but still with the copyright notice and some minimal documentation)
can be obtained by calling CGIscriptor.pl on the command line with the 
'-slim' command line argument, e.g.,
</p>

<PRE>
&gt;CGIscriptor.pl -slim &gt; slimCGIscriptor.pl
</PRE>

<P>
CGIscriptor.pl can be run from the command line with &lt;path&gt; and &lt;query&gt; as
arguments, as `CGIscriptor.pl &lt;path&gt; &lt;query&gt;`, inside a perl script with 
'do CGIscriptor.pl' after setting $ENV{PATH_INFO} and $ENV{QUERY_STRING}, 
or CGIscriptor.pl can be loaded with 'require "/real-path/CGIscriptor.pl"'. 
In the latter case, requests are processed by 'Handle_Request();' 
(again after setting $ENV{PATH_INFO} and $ENV{QUERY_STRING}). 
</P>

<p>
The --help command line switch will print the manual. 
</p>

<P>
Using the command line execution option, CGIscriptor.pl can be used as a document
(meta-)preprocessor. If the first argument is '-', STDIN will be read. For example:
</P>

<PRE>
&gt; cat MyDynamicDocument.html | CGIscriptor.pl - '[QueryString]' &gt; MyStaticFile.html
</PRE>

<P>
This command line will produce a STATIC file with the DYNAMIC content of 
MyDocument.html "interpolated". This option would be very dangerous when
available over the internet. If someone could sneak a 
'http://www.your.domain/-' URL past your server, CGIscriptor could EXECUTE 
any POSTED contend. Therefore, for security reasons, STDIN will NOT 
be read if ANY of the HTTP server environment variables is set (e.g., SERVER_PORT,
SERVER_PROTOCOL, SERVER_NAME, SERVER_SOFTWARE, HTTP_USER_AGENT, 
REMOTE_ADDR).<br>
This block on processing STDIN on HTTP requests can be lifted by setting
<pre>
$BLOCK_STDIN_HTTP_REQUEST = 0;
</pre>
In the security configuration. But be carefull when doing this. 
It can be very dangerous.
</P>

<P>
Running demo's and more information can be found at 
http://www.fon.hum.uva.nl/~rob/OSS/OSS.html
</P>

<P>
A pocket-size HTTP daemon, CGIservlet.pl, is available from my web site
or CPAN that can use CGIscriptor.pl as the base of a µWWW server and 
demonstrates its use.
</P>

<A NAME="NON-UNIX"><H2 ALIGN="CENTER">NON-UNIX PLATFORMS</H2></A>

<P>
CGIscriptor.pl was mainly developed and tested on UNIX. However, as I 
coded part of the time on an Apple Macintosh under MacPerl, I made sure
CGIscriptor did run under MacPerl (with command line options). But only as
an independend script, not as part of a HTTP server. I have used it
under Apache in Windows XP.
</P>

<A NAME="license"><H2 ALIGN="CENTER">license</H2></A>                                                            

<P>
This program is free software; you can redistribute it and/or       
modify it under the terms of the GNU General Public License         
as published by the Free Software Foundation; either version 2      
of the License, or (at your option) any later version.
</P>

<P>
This program is distributed in the hope that it will be useful,     
but WITHOUT ANY WARRANTY; without even the implied warranty of      
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the       
GNU General Public License for more details.
</P>

<P>
You should have received a copy of the GNU General Public License   
along with this program; if not, write to the Free Software         
Foundation, Inc., 59 Temple Place - Suite 330,                      
Boston, MA  02111-1307, USA.
</P>

<PRE>
Author: Rob van Son 
        email:
        R.J.J.H.vanSon@uva.nl 
        University of Amsterdam

Date:   May 22, 2000
Ver:    2.0
Env:    Perl 5.002
</PRE>
</BODY>

</HTML>