WebFile - Simple Actions for Simple Files

Download this program

See a demonstration (Refresh demo)

See config file for demo


Use this program as a CGI script to apply various rules against a file, that is, a file and rule are identified and this program generates the resulting HTML page.

Originally it was intended to allow one to edit and save simple ASCII files. The need at the time was to allow individuals to modify individual files using a web interface. A simple web page was provided with links to allow one to upload a file and save it in a particular place, or edit the file or save it.

This evolved to a design to allow more general functions (rules) to be applied. For instance one might want to have the recently changed file to be verified for errors.

Of course wider applicaitons are possible too with user-provided subroutines. In the end this just became a more generalized driver to general simple web pages against a file.


This script is inherently insecure - it's purpose is to modify data using a web browser. While this is very convenient, it always introduces some level of risk.

The CGI script can be placed in your /cgi-bin (or whatever you call it) or if your web server permits, in a directory in HTDOC. If using this latter method, you can create a .htaccess file which will require a userid/password combination before the CGI can even be invoked. This seems like a good idea.

Choose your protocol carefully. All data passed between the browser and the web server (including password prompts, invoking CGI scripts and data) are sent in clear text if you use HTTP. A more secure protocol is to use HTTPS.

You are encouraged to use HTTPS and the auth=, validfcns= and validusers= keys in the configuration file for the best security. Realize though, that the only way to be completely secure is to not use a web browser to directly change data.


Required. Specifies a 'RULE' to be applied against the file. See the configuration file description for more details.

Required. Specifies the name of a configuration file. See the configuration file description for more details.


Each invocation of this CGI must provide at least two keywords: fcn= and name=

The value for NAME is used to identify a configuration file. This file is found in a directory specified by the variable $cfgdir. It is the sole 'hardcoded' variable that must be set up by the user. One should set $cfgdir to be some fully qualified path OUTSIDE the web doucments area (e.g. outside $DOCUMENT_ROOT).

Each configuration file is a set of key=value strings. You may include blank lines for readability and if the first character is '#', the line is ignored as a comment. The following keys may be put in a configuration file:

Specifies if access to the file requires that the CGI script has been invoked with a userid/password authorization set up by .htaccess. This is a better choice than using the password= key, but it is still not completely secure. If your web page uses the HTTPS protocol, then the passwords from the web server to your browser are more secure.

Specifies the number of columns for the textarea used for editting.

Specifies a CVS command to issue to check the file into CVS. Requires that the web server has write access to the 'file' directory WebFile will append '-m ``some reason'' filename' to your cvs= value and then execute the command. Your CVS command should probably include -d CVSROOT and you may want to include the options '-f and -l'. The command should probably also be fully qualified since the web server $PATH may not find the command. cvs=/usr/sph/bin/cvs -f -l -d /group/boehnke/cvsroot commit

Required. Specifies the fully qualified path to the file/directory. The string '%DOCUMENT_ROOT%' will be replaced with the value for the environment variable DOCUMENT_ROOT.

Specifies the maximum size this file may be. Default is 100,000 characters.

Specifies the fully qualified path to a file containing a fragment of HTML which is placed at the bottom of the HTML to be generated. The string '%DOCUMENT_ROOT%' will be replaced with the value for the environment variable DOCUMENT_ROOT.

Specifies the fully qualified path to a file containing a fragment of HTML which is placed at the top of the HTML to be generated. The string '%DOCUMENT_ROOT%' will be replaced with the value for the environment variable DOCUMENT_ROOT.

Specifies a password value required to access the file. This is generally a poor choice since the password is passewd in clear text and can observed. A better choice is to use auth=.

Specifies the number of rows for the textarea used for editting.

Specifies a title used in the HTML that is generated.

Specifies a URL for a ``Continue'' button when an action finishes with no errors. This may be a full URL (http:// etc) or a partial (/webfile).

validfcns=fcn1 fcn2 ...
Required. Specifies a list of valid functions that can be applied to the file. You may specify 'validfcns=*' to allow any valid function to be used. The values here must be recognized functions supported by the CGI script:
Displays the file in a TEXTAREA so it can be changed.

Saves the data in a TEXTAREA to the file.

Allows a file to be uploaded as a multipart/form-data stream and saved to the file.

Allows the file to be downloaded as a multipart/text stream so your browser can save the file locally.

validusers=user1 user2 ...
Specifies a list of users who may use this file. The user name is taken from the variable $REMOTE_USER which is set when .htaccess is used to control access to the CGI script. This requires one make use of the auth= keyword.

Specifies that when data is editted or uploaded, the file be verified. If you specify 'internal', the file will be expected to be a set of key=value lines. Comments may be specified using # in column one. Blank lines are acceptable.

Alternatively, you may provide the path to a Perl include file which will be require'd by WebFile. This code must provide a function called 'LocalVerify'. The string '%DOCUMENT_ROOT%' will be replaced with the value for the environment variable DOCUMENT_ROOT.

Your code will be called with one parameter - a reference to the array of lines of the data. Your code must return FALSE if the lines are acceptable (this is backwards from what you might expect). If your code detects an error, it should return two values: an error message and the line number of the line in error.

Here is a sample of what you code might look like:

  sub LocalVerify {
    my ($linesref) = @_;
    for (my $i=0; $i<$#{$linesref}; $i++) {
        my $l = $linesref->[$i];
        if ($l =~ /^#/) { next; }
        $l =~ s/\r//g;                  # Avoid all newline confusion
        if ($l =~ /^\s*$/) { next; }    # Ignore blanks
        if ($l =~ /(.+)=(.+)/) { next; }    # Looks OK
        #   Stop on first error
        return ('Invalid key=value data', $i);
    return (undef(), 0);                # Success!
  1;          # Perl requires includes to return true


This is a CGI script and while the program exits with the proper return codes for an application, they are ignored.


Written by Terry Gliedt <tpg@hps.com> in 2003 and is is free software. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; See http://www.gnu.org/copyleft/gpl.html