wb.cgi "Rakugaki" Tutorial

1. Abstract
2. Setting informations
   1. Get files
   2. Check wb.cgi and configure
      1. Set perl path of first line in wb.cgi
      2. Set variables in wb.cgi
   3. Configure template file for display
      1. Edit standard.html as you like
      2. Edit helpe.html, help.html as you like
      3. Edit wbpw.html for password input page
   4. Transfer files to web server
      1. Make a directory for BBS
      2. Transfer files, set permission
      3. Make a directory for BBS data files
   5. End
3. Administration
   1. Delete article
      1. Lock data
      2. Get db
      3. 3.1.3 Edit db
      4. Put db
      5. Unlock data
4. Security
   • CGI executed in the file owner authorize
   • CGI executed in nobody or WWW user
5. BUGS
6. Changes

1. Abstract

wb.cgi "Rakugaki" is a web bulletin board system.

Good

• Free definition of displaying styles
• Browse with table tag supported/unsupported web browsers
• HTML article posting
• Simple HTML syntax checking
• Selectable output character encoding jis/euc/sjis
• Access control only proples who know password

Bad

• Complex displaying style definition
• Delete function is not supported now - v0.08 resolved
• No limit for multiplex posting - v1.12 resolved

For example, access Rakugaki in Kissin Institute of Softwear Kumamoto.

2. Setting informations

2.1. Get files

At first, Get following distribution package.

Distribution package

• wb120.lzh wb120.tgz - Rakugaki v1.20 distribution package
• wb119.lzh - Rakugaki v1.19 distribution package
• wb118.lzh - Rakugaki v1.18 distribution package
• wb117.lzh - Rakugaki v1.17 distribution package
• wb116.lzh - Rakugaki v1.16 distribution package
• wb115.lzh - Rakugaki v1.15 distribution package
• wb113.lzh - Rakugaki v1.13 distribution package
• wb112.lzh - Rakugaki v1.12 distribution package
• wb111.lzh - Rakugaki v1.11 distribution package
• wb110.lzh - Rakugaki v1.10 distribution package
• wb109.lzh - Rakugaki v1.9 distribution package
• wb108.lzh - Rakugaki v1.8 distribution package
• wb106.lzh - Rakugaki v1.6 distribution package
• wb105.lzh - Rakugaki v1.5 distribution package
• wb103.lzh - Rakugaki v1.3 distribution package
• wb008.lzh - Rakugaki v0.08 distribution package

You can look the current version file on following table.

Files

File	Permission *1	Comment
wb.cgi *2	rwxr-xr-x (755)	Main CGI script file
config.pl *3	rwxr-xr-x (755)	Configuration file Write settings in this file to override settings in wb.cgi Sample file config.txt is contained in distribution archive. Rename this file to config.pl, and edit Password for administrator and etc.
jcode.pl	rwxr-xr-x (755)	Japanese character encoding library by Kazumasa Utashiro
htmlck.pl	rwxr-xr-x (755)	Simple HTML syntax checking library
cgi-lib.pl	rwxr-xr-x (755)	multipart-form parse library for uploading file by Steven E. Brenner The cgi-lib.pl Home Page
standard.html	rw-r--r-- (644)	Output HTML template file If you want to use alternate file, Define it $template.
ftype.pl	rwxr-xr-x (755)	File type analyze library for uploading file
notable.html	rw-r--r-- (644)	Output HTML template file 2 None table style output template file.
japanese.html	rw-r--r-- (644)	Output HTML template (sample 3) Only Japanese.
english.html	rw-r--r-- (644)	Output HTML template (sample 4) Only English.
minibbs.html	rw-r--r-- (644)	Output HTML template (sample 5) MiniBBS like layout.
minibbs9.html	rw-r--r-- (644)	Output HTML template (sample 6) MiniBBS v9 like layout.
imode.html imodew.html	rw-r--r-- (644)	Output HTML template (sample 7) For Docomo iMODE.
compact.html	rw-r--r-- (644)	Output HTML template (sample 8) Compact
help.html	rw-r--r-- (644)	Help tamplate in Japanese
helpe.html	rw-r--r-- (644)	Help template in English
wbpw.html	rw-r--r-- (644)	Template for password input page (Need only Member mode *4)
wb.gif	rw-r--r-- (644)	Put on your web server, If you change wb.cgi in standard.html.
bg.gif	rw-r--r-- (644)	Background image used by standard standard.html
nshelp.gif	rw-r--r-- (644)	Screen snapshot image for help.
nghost	rw-r--r-- (644)	Posting DENY host ID or Domain name list Default @nghosts.
ngword spamsub spamlist spambody	rw-r--r-- (644)	Posting DENY words list Default @ngfiles.

*1 Permission

Sample permission of files are for any web servers. If you need more securities, Please set few permissons. Please read Security section for more informations.

*2 wb.cgi

wb.cgi is renamed to wb.txt. Because, *.cgi executed as CGI. Please rename wb.txt to wb.cgi.

*3 wb.cgi

By some reasons, Renamed to config.txt. Rename to config.pl after download.

*4 Member mode

Only peoples who know password can access BBS. Use in this case,

2.2. Check wb.cgi and configure

2.2.1. Set perl path of first line in wb.cgi

Edit wb.cgi with text editor, and change the first line /usr/local/bin/perl5 to perl path that you can use on the web server. I write these scripts for perl version 4 and/or 5. But, coredumped on perl version 4. Why? If you cannot to understand, Try /usr/local/bin/perl5 or /usr/local/bin/perl or /usr/bin/perl5 or /usr/bin/perl.

2.2.2. Set variables in wb.cgi

And change setting sentence of setting following variables. Look (*) mark in comment.

At v1.3 or later version, following settings are described in config.pl Recommend to edit config.pl instead of wb.cgi.

$rootpasswd

Password for administrator. (But, nothing special functions for admin, Now)
Use only ASCII alphabet and digit characters for password.

$userpasswd

Normal users password. Use only ASCII alphabet and digit characters for password.
$userpasswd = ''; # Public mode Everybody can access BBS
$userpasswd = 'foo'; # Member mode Only people who know it

$dbdir

On this directory data files put on. (Initial db)
Change from initial in Secure mode.

$secure

Secure mode switch. 0:Insecure mode, 1:Secure mode.

$author

Set your name. (%author% in tamplate is substituted to it)

$email

Set your E-mail address. (%email% in tamplate is substituted to it)

$top

Set URL of your web top page. (%top% in tamplate is substituted to it)

$tope

Set URL of your web top page in English. (%tope% in tamplate is substituted to it)
If you not support Japanese language,
$tope = '';

$topi

Set URL of your web top page for iMODE. (%topi% in tamplate is substituted to it)

$dbfilemax

Maximum number of data files. (0:Inifinity)
(For optimized access feature, But not implemented now)

$dbsizemax

Maximum size of a data file. (0:Infinity)
If data file size exceed it, Rename db -> db0001, db0001 -> db0002, ... , and new db is created. So, $dbsizemax * $dbfilemax bytes needed for store data.

$artsizemax

Miximum size of writing text. (0:Infinity)

$maximgwidth

Maximum width of image
If image width is over this, Image width is reduced.
(0 unlimited)

$maximgheight

Maximum width of image
If image height is over this, Image height is reduced.
(0 unlimited)

@nghosts

List of files described IP and domain names post rejected. Refer: comment in nghost
Default ("nghost")

@ngfiles

List of files described words post rejected. Refer: nghost
Default ("ngword", "spamsub", "spamlist", "spambody")

$template

Output web page template file. By default, standard.html defined.
If you want to use another template file, define it.

@template

List of output HTML tamplate files.

$cookietime

Cookie expire time.
Inital time is 60*60*24*31 seconds = 31 days.

$denc

Database file encoding. Set sjis for Shift-JIS, jis for JIS, euc for EUC. sjis is selected by default
v1.5 or later, sjis is default. Old version, jis is default.

2.3. Configure template file for display

2.3.1. Edit template files as you like

Look standard.html or english.html with web browser, and you will know that the display styles defined in this file. If you want to change diplay styles, You must change this file. I recomment to use TEXT EDITOR for edit this. (Because, some HTML editor will change many part of this file)

%%foo_begin%% ... %%foo_end%% is a control string for conditional output. %foo% is substituted to something strong. If you cannot understand this, Don't change!

2.3.2. Edit helpe.html, help.html as you like

helpe.html and help.html are template of HTML document when [HELP] link pressed. I advice how-to write on BBS in this document. If you want to give more good informations for peoples, edit it. %foo% is substituted.

2.3.3. Edit wbpw.html for password input page

wbpw.html is a template for password input page on Member mode. If you set non-NULL string to $userpasswd, Edit it to design password input page. Sample wbpw.html display password!

2.4. Transfer files to web server

2.4.1. Make a directory for BBS

Make a directory for BBS in for wep top page directory. (public_html is used on many web server) Set permission rwxr-xr-x (755).

On some web server, you can run CGI script on cgi-bin only. In this case, Use the directory.

2.4.2. Transfer files, set permission

Transfer files to the directory. Use ASCII mode.

Next, Set permission of the files to specified permmision in Files.

2.4.3. Make a directory for BBS data files

Make a directory for data files on the BBS directory. The directory named db (If you change $dbdir, user it). Set permission of it to rwxrwxrwx (777).

For more security on web server which execute CGI file owner, set permission to rwx------ (700).

For your informations, following data files are made by CGI script. (Case of $dbfilemax is 20)

2.5. End

Try to writing to your BBS, No problems? If you have some problems, Write the questions on Rakugaki in Kissin Institute of Softwear Kumamoto. I will support you, if I am free.

3. Administration

3.1. Delete article

Supported article delete function later v0.08. New!
Check the checkbox top of articles, Type keyword of article or admin password on password field, Press [Delete] button. And the articles will be deleted.

If you use wb.cgi v0.08 or later, No need to read followings.

Edit data file direct to delete articles. Now, delete on web browser not supported.

Look ~/wb/db/db, and You can understand which line to delete in ~/wb/db/db. If you can't understand, Don't edit!

If you use the web server which permitted telnet login and using Mule or Emacs like as www.oersted.co.jp, Edit ~/wb/db/db with Mule or Emacs on it. (Mule or Emacs warn if file is updated by other process)

If you cannot to login or use Emacs or Mule, use ftp to delete, read following sequence.

3.1.1 Lock data

Create db.lck on the directory data files put on. (db.lck length 0) Use binary mode, No kanji conversion for transfer.

3.1.2 Get db

Get db from data file directory on web server. Use binary mode, no kanji conversion.

3.1.3 Edit db

Edit db file. I recommend to use Meadow, Because, it support complate kanji code and end of line code.

3.1.4 Put db

Put new db to web server. Use binary mode, no kanji conversion.

3.1.5 Unlock data

Delete the lock file db.lck on the data files directory. While the lock file exist, writing is blocked.

4. Security

You cannot to keep security on the web server which execute CGI in nobody or WWW user. Because, Other user make a CGI script which print files on the web server, He can look the files CGI script and or data files. (Oh! Really? >yav)

For secutiry, Set owner of CGI script and datas yourself, and no permission for others.

• Web servers which execute CGI in the file owner
  • www2s.biglobe.ne.jp
  • www.oersted.co.jp
• Web servers which execute CGI in nobody/WWW user
  • Web servers which use Apache default settings
    • www.try-net.or.jp

4.a. CGI executed in the file owner authorize

Set wb.cgi permission rwx------ (700).

Set config.pl permission rw------- (600).

Set data file directory (specified with $dbdir) permission rwx------ (700).

4.b. CGI executed in nobody or WWW user

On this web server, SUID bit of CGI file for execution in file owner authorize. For example, On Apache server, executable file compiled with C compiler can run under file owner authorize. (But, perl script SUID ignored Why?)

So, On the web server permit telnet login and C compiler like as www.oersted.co.jp Look followings.

Rename wb.cgi to wb.pl. set permission rwx------ (700).

Make following C source code wb.c.

main()
{
  return system("/home/yav/public_html/bbs/wb.pl");
}

Replace /home/yav/public_html/bbs to absolute path of your BBS directory. Relative pathname makes security hole.

Compile this, And set created executable file permission rwsr-xr-x (4755).

  % cc wb.c -o wb.cgi
  % chmod 4755 wb.cgi

Set data file directory (specified with $dbdir) permission rwx------ (700).

5. BUGS

Security hole

Configuretion cache is created version 1.13 or lator. The security hole is exist at this cache file.

Condition

The configuration cache file config.pl.cache is made from configuration file config.pl at first. The umask is not set at this time. Anyone can read the configuration cache.

Treatment

Change the permission of the configuration cache file config.pl.cache to rw------- (600) with telnet or ftp.

6. Changes

Version 1.21 Under developping

Version 1.20

• SPAM posting redirection bug fix
• Some NG words are deleted
• Character substitution at reading list files eg. spambody is changed. And we can use \# string for # itself in list files

Version 1.19

• Make cache file for ngword, spambody

Version 1.18

• Apply ngword files $fileinfo

Version 1.17

• Bug fix URL link trancated after & letter
• Reduce image size width and height
• $artsizemaxK, $maxdataK Data size KILO, MEGA

Version 1.16

• nghost, ngfiles anti-spam
• Big size image reduced display

Version 1.15

• Add Cookie REQUEST_URI

Version 1.14

• Use jcode'tr for 2bytes Japanese character to ASCII conversion.
• Create config.pl.cache after eval configurations.

Version 1.13

• Make cache file of config.pl and style template files.
• Use style template file imodew.html for post from iMODE
• Use %topi% for iMODE top page

Version 1.12

• Add function for double post protection
• Writers IP and user agent display or hide selectable
• imode.html is changed
• multipart-post is not used for Mozilla/[0-3]
• private IP address id not resolved

Version 1.11

• File uploading function is supported
• The replace strings (%dd% etc.) in text replaced bug fix
• %%styleselect_begin%% described wrong position in compact.html. [Previous] is selected, No articles printed BUG fix.
• Cookie time changed to 31 days.

Version 1.10

• Add scheme https and shttp for auto URL link
• Not output style select form if only one style
• Check HTML text as HTML 4.01 Transitional
  But, no changes of rule
• If $gzip path defined, gzip compressed outout
• If $lastmodified is true, HTTP header Last-modified is output
• Add output charset encoding 'ascii'

Version 1.9

• Use cgi-lib.pl and ftype.pl for file transferring.
• Change Table, No-table to standard.html, notable.html of $style
• Add compact.html for output style
• Set charset at http header if charset encoding determined
• Change %%nhead_begin%% to %%head_begin%% in tamplete file
• Support #foo of auto URL link
• Support tel scheme of auto URL link
• Change stylesheet against for Netscape 4.* Stylesheet and blockquote Crash BUG!
  Caution! nscrash.html CRASH!! Look nscrash.txt - same, but SAFETY.
• Change HELP file
  Add Netscape screen image for input form

Version 1.8

• Over $dbsizemax BUG fix.
• Omit character code conversion if EUC.
• Change tag table making in htmlck.pl

Version 1.7

• Experimental inplement of Find function
• Everybody can delete an article without delete key

Version 1.6

• Replace %head_title% etc.
• Avoid template.html, New tamplate files standard.html and notable.html
• Check HTML text as "HTML 4.0 Transitional"
• Ignore comment lines which start '#' in database files
• NOT ignore lines which start # in template files
  for CSS ID selector

Version 1.5

• Change internal character set encoding EUC from SJIS
• Eval configuration file config.pl after convert EUC
• Define selectable template files list in configuration file config.pl
• Add %%styleoptions%%
• Check SJIS encoded database files
• Support database files which is changed end of line CR/LF

Version 1.4

• Change expire time format in cookie conformings to RFC-1123
• Template file selected by Style field
• REMOTE_ADDR REMOTE_HOST HTTP_USER_AGENT saved at writing

Version 1.3

• Change expire time format in cookie
• Read template file line by line
• If " character in Title, the title string cutted BUG fix
• require configuration file config.pl if exist

Version 1.2

• Ignore comment lines which start # character in template file

Version 1.1

• Select to use jcode and htmlck packages
• Use $^T instead of time

Version 0.08

• Add Subject of article
• Add writer's E-mail address and URL
• Add article delete function
• Add serial article number

Version 0.07

• Definable date style
• $artn User selectable number of articles

Version 0.06

• $artsizemax article writing text size limit

Version 0.05

• This tutorial page is made.

yav <yav@bigfoot.com>