FSP Conceptual version

What is FSPC?

FSP Conceptual version (FSPC) is preview test tool for embedding *ONLY* /bin/sh script into web pages. It is 100% finished and stable, ready to wok, but is preview, because is made for *different* mission.

Please make sure you are understand:

• IT IS NOT *FSP*
• IT IS NOT *HTSH*

(please go and see these pages for more information, go to http://core.nmmm.nu for information about CGI_Core)

Why FSPC was made?

FSPC was made for three different (or not so:) reasons:

1. Fixing bugs in HTSH tool

HTSH is clever, interesting tool, but is not so useful, when you try to do something very complicated with it, such as:

<body>
<`if [ "$name" = "nmmm" ]; then `>
<H1>Hello My Master</H1>
<`fi`>
</body>

or such as:

<body>
<`
x(){
   read a
   ....
}

x << input_file

`>
</body>

HTSH is *unstable* and *secureles* too.

2. Testing XML parser library

This same library will be implement in next (rebuild) version of CGI_Core. It actually is not more than HTML parser library, but if you are interested, you are able to download FSPC and see it yourself.

3. "Make path" for FSP.

Of course this "path" is very *known*, but anyway it is not *bad* if we walk on it again and again...

What this program show us?

 I tell that this program trace the path of every CGI program, and as I tell this path is well known:

1. (optional) Look after security
   • Who am I? (cgi version)
   • Where I am? (server IP, server software)
   • Look around (document root, cgi-bin root, look program name...)
   • Who request me? (remote IP, look IP restriction, remote user, look user defined authentification....)
   • Look request method (does script can run with this method?)
2. (optional) Look after HEAD request method
3. Why "HE" request me?
   • Look request method
   • Load proper QUERY_STRING (Try do not buffer overflow with POST:)
   • Parse QUERY_STRING into some way.
   • (optional) Parse incomming HTTP_Cookies
4. Output Content-Type and header (This include cookies if any)
5. DO_THE_REAL_JOB
6. Try DO NOT exit with code different by 0 :)
7. Try to make all this *as fast as can*, CGI "live" must be less 1 min :)

THE_REAL_JOB is depending on what are you doing. For embedded scripting processors or similar, it is:

1. (optional) Does HTML file exists? 
2. Try to read it (don't forget to check for errors or for buffer overflow)
3. In case error Output error message or some alike (blank screen) and *STOP*
4. Preprocess it (go tag-by-tag and do something).
5. Output preprocessed file.

What FSPC document look like?

<!-- demo 2 -->
<html>
<body>
<%>if [ "$ENV_name" = "nmmm" ]; then</%>
<H1>Hello My Master!</H1>
<%>else</%>
<H1>Hello $ENV_name, nice to meet with you!</H1>
<%>fi</%>
</body>
</html>

The text between <%> and </%> tags are interpreted as /bin/sh commands, all other text is interpreted as HTML (and will be part of one big "echo" or "printf", OF COURSE IT WILL BE WITH *PREPROCESSED* \" \' AND \`)

The tags can be "elastic" :)) such as:

<  %  >, <  /  %  >
<  %    param=value bla bla bla  >
<  /  % param=value bla bla bla  >

Still with us? Installation

Installation is same as every standard handler of web server. As you know this depends on your HTTPd. There are instructions for Apache HTTPd:

1. Copy executable in your cgi-bin directory.
2. Add following lines into Apache configuration file (httpd.conf for example)
3. Look at source and *Think* about security.
4. USE IT AT OWN RISK.

AddType text/fspc .fspc
Action  text/fspc /cgi-bin/fspc

Download:

Get it from HERE (70 KB, *.tar.gz)

Some tips.

• to extract files under Windows, use WinZip
• to compile under Windows, use your IDE and make new project (include all *.cpp files), then build.
• The archive include already compiled executable for Linux 2
• to compile product under UNIX, cd to fspc/ and type "make clean", "make all"

Copyleft 10.1999, FSP Development team
"Nikolay Mijaylov" <nmmm@nmmm.nu>