Chapter 31. Web Sharing Control Panel
Personal Web Sharing is a powerful (but potentially hazardous) technology that was introduced with Mac OS 8.5. Using the Web Sharing control panel and extension, you can turn your computer into a web server over an intranet or the Internet. As long as they know your IP address and/or domain name, people can connect to a home page that you designate in the Web Sharing control panel just by entering your address in their web browsers. Domain names are the plain English versions of numerical IP addresses, such as www.nateweb.net.
For example, if your IP address on the Web happened to be 207.169.50.110 and you have started up Web Sharing on your machine, then another person on the Web would just have to enter http://207.169.50.110 in their web browser and up pops your designated home page or a directory listing of your web folder. This also applies to people who have dial-up connections to the Web and are dynamically assigned IP addresses by their Internet Service Providers. When they are online, they can use the TCP/IP control panel to find out their IP address at the moment, and as long as they have started up Web Sharing on their machines, a web user can connect to their designated web page by using that IP address as the URL.
You can even run Common Gateway Interface (CGI) programs written in AppleScript using Personal Web Sharing. I'll demonstrate AppleScript and Web Sharing CGIs in this chapter. If you just need to serve some files and directories and run CGI scripts over an AppleShare TCP/IP network, for instance, then who needs to install an expensive and time-consuming server suite?
However, all of this nifty technology comes with a large security caveat. Offering remote access to your computer over the Web should never be done without carefully restricting the users' access to directories. The Web Sharing control panel (see Figure 31-1) gives you the option to use File Sharing to control user access to files and folders.
Figure 31-1. Web Sharing control panel
It is a good idea to use properly generated usernames and passwords to restrict web access to your files. Make sure that you do not blithely leave Web Sharing on when you don't really need it. Figure 31-2 shows what a directory listing looks like in a browser accessing a Web Sharing computer. This careless user has offered web access to their System Folder!
Figure 31-2. A directory listing of someone's System Folder displayed in a browser
The Web Sharing control panel has a dictionary, but the program's developers have not yet exposed Web Sharing's object model to scripters. In other words, you can use basic commands such as:

    tell app "Web Sharing" to run

However, you cannot do things like designate Web Sharing home pages, open the log file, or start and stop Web Sharing with a script. For that reason, I am not going to use this space to describe Web Sharing's dictionary, which is depicted in Figure 31-3. Chapter 1 has more information on how an object model relates to AppleScript.
Figure 31-3. Web Sharing control panel's dictionary
A program's dictionary describes in barebones fashion the AppleScript commands you can use to control the software. Open an application's dictionary by choosing the program in Script Editor's File > Open Dictionary... menu. See Chapter 2 for more information on Script Editor and dictionaries.
This chapter will describe two CGI scripts that you can use with Personal Web Sharing.
What are CGI programs?
A CGI program is software that executes and processes web information in response to an HTTP request. Instead of delivering a static HyperText Markup Language (HTML) file to a web user, a server can launch a CGI program in response to the request and then dynamically generate some data for the user, such as delivering product information from a database. A popular use of CGI programs on the Web has been to process form data that a user submits (usually by filling out a form and clicking the Submit button). The CGI program processes the form entries (by storing the submitted data in a database, for example), and then generates an acknowledgement in the form of a web page for the submitting user. CGI programs can be written in AppleScript for Macintosh servers. This chapter uses CGIs running under Personal Web Sharing server software, but these scripts could be used with a full-fledged web server such as StarNine's WebStar.
When you save an AppleScript web server script, you should remember a few important tips:
Figure 31-4. The options for saving an AppleScript CGI program
The CGI program in Example 31-1 uses the handle CGI request scripting addition. This is a handler or function (as in on handle CGI request...) that fills in several built-in string variables, giving you, as the server scripter, information about the request. This information includes the client IP address and the data that follows the "?" character in the URL (e.g., the "first=Bruce&last=Perry" part of "http://www.parkerriver.com?first=Bruce&last=Perry"). The handle CGI request function returns an HTML page, so you should generate an HTTP response header and page as the function's return value. To use this script with Web Sharing, you have to add it to the server's list of actions by using the Web Sharing control panel's Preferences window (see Figure 31-5). Configure the script in this window as a Filter-type action. Users can execute the CGI by requesting it in their browser, as in the http://207.169.50.110/cgi/do_it.acgi address.
Figure 31-5. Configure CGI actions in Web Sharing's Preferences window
Example 31-1 stores the submitted query string ("first=Bruce&last=Perry") in the theString variable. It also tries to get the URL from which the user linked to the CGI program. The web server stores this data in the referred by labeled parameter (if there is an identifiable referer) for the handle CGI request function.
Example 31-1. A Simple CGI Script for Web Sharing

    on handle CGI request searching for theString referred by referer
        set crlf to (ASCII character 13) & (ASCII character 10)
        -- Status line and header, ended by the blank line that HTTP requires
        set theHTML to "HTTP/1.1 200 OK" & crlf & "Content-type: text/html" & ¬
            crlf & crlf
        -- theString and referer come from the client and are placed in the page as-is
        set theHTML to theHTML & "<html><head><title>First page</title>" & ¬
            "</head><body bgcolor=#ffffff>" & "You were referred by: " & referer & ¬
            "The search string is: " & theString & "</body></html>"
        return theHTML
    end handle CGI request

Notice that Example 31-1 returns a web page (return theHTML) as the return value for handle CGI request. The theHTML variable is a string that contains the source code for the HTTP response.
Example 31-2 shows the power and the danger of Web Sharing. It executes a CGI that delivers sensitive information about the server computer, such as how much free space is left on all of its disks. The handle CGI request function calls the getfreespace method, which then scripts the Finder. This shows that a CGI program is not limited in what it can script, which is exciting in your hands but perhaps malicious in another's. A CGI script could just as well exhibit behavior like the "I Love You" virus by grabbing all the contacts in Outlook Express's contact list and sending thousands of unwanted emails to these contacts. Outlook Express is a scriptable program, and it is easy to grab email addresses from its contact list.
Example 31-2. Scripting the Finder from a CGI Script

    on handle CGI request
        set crlf to (ASCII character 13) & (ASCII character 10)
        -- Status line and header, ended by the blank line that HTTP requires
        set theHTML to "HTTP/1.1 200 OK" & crlf & "Content-type: text/html" & ¬
            crlf & crlf
        set theHTML to theHTML & "<html><head><title>" & ¬
            "Freespace CGI</title></head><body bgcolor=#ffffff>" & ¬
            "The total free space on this computer is: " & getfreespace( ) & ¬
            "</body></html>"
        return theHTML
    end handle CGI request

    on getfreespace( )
        tell application "Finder"
            set total_space to 0
            set dsk to (items of desktop whose kind is "disk")
            repeat with d in dsk
                set total_space to total_space + (free space of d) (* returns free space of each disk in bytes *)
            end repeat
            set total_space to (total_space / 1024 / 1024) (* get free space as megabytes *)
            return total_space
        end tell
    end getfreespace

If you want to test Personal Web Sharing on your own machine, turn it on in the Web Sharing control panel. Then enter the following IP address into your browser: http://127.0.0.1. This address connects with your local web server (and loads up your designated web page or web folder if they are configured properly).
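A hardened variant of Example 31-1, added here as an illustration and not part of the original chapter's code: it HTML-escapes the query string and the referer before echoing them into the page, since both values are supplied by the client. The handler names replaceText and escapeHTML are assumptions; the try block covers a request that arrives without a referer.

```applescript
-- Added example, not from the original chapter.
-- replaceText and escapeHTML are hypothetical helper names.

on replaceText(theText, searchString, replacementString)
    -- Split on the search string, then re-join with the replacement.
    set savedDelimiters to AppleScript's text item delimiters
    set AppleScript's text item delimiters to searchString
    set theItems to text items of theText
    set AppleScript's text item delimiters to replacementString
    set theText to theItems as string
    set AppleScript's text item delimiters to savedDelimiters
    return theText
end replaceText

on escapeHTML(theText)
    -- "&" is replaced first so the entities added below are not escaped again.
    set theText to replaceText(theText, "&", "&amp;")
    set theText to replaceText(theText, "<", "&lt;")
    set theText to replaceText(theText, ">", "&gt;")
    set theText to replaceText(theText, "\"", "&quot;")
    return theText
end escapeHTML

on handle CGI request searching for theString referred by referer
    set crlf to (ASCII character 13) & (ASCII character 10)
    -- Both parameters are untrusted text chosen by the browser or its user.
    set safeString to escapeHTML(theString as string)
    try
        set safeReferer to escapeHTML(referer as string)
    on error
        -- No identifiable referer was passed with this request.
        set safeReferer to "(none)"
    end try
    set theHTML to "HTTP/1.1 200 OK" & crlf & "Content-type: text/html" & ¬
        crlf & crlf
    set theHTML to theHTML & "<html><head><title>First page</title></head>" & ¬
        "<body bgcolor=\"#ffffff\">" & ¬
        "<p>You were referred by: " & safeReferer & "</p>" & ¬
        "<p>The search string is: " & safeString & "</p></body></html>"
    return theHTML
end handle CGI request
```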
You can include aliases to folders in your Web Sharing folder, as in my cautionary example of serving up your System Folder over the Web (don't try this at home!). A user can request the alias file in their browser, and they then see a directory listing of that folder. Let's say you have a folder full of MP3 files, and you create an alias to this folder called MP3fol. Place that alias in your designated web folder. The web user can then request a directory listing of the alias with a URL similar to http://169.210.110.40/MP3fol. To use aliases in your Web Sharing folder, you have to enable the checkbox with the following label in Web Sharing Preferences: "Allow aliases to open files outside the Web folder."