CGI Email New Rules for .txt files - Any cgi webforms that have been set up to send an email back to the person who completed the webform must be redesigned to use a hardcoded Western email address.
Western's Campus Information Security Office has determined that email addresses input on cgiemail webforms can expose Western to security exploits from spammers if those email addresses are then used in the email created by the form.
We have seen many instances of spammers abusing Western web forms when they use faculty, staff, or student email addresses collected on cgiemail forms in their From:, CC:, or BCC: fields. This becomes email relaying and is considered a serious issue because university servers can be put on black lists and cause outgoing email to be rejected.
Any cgiemail webforms that have been set up to send an email back to the person who completed the webform must be redesigned to use a hardcoded Western email address.
For example, if your current .txt file is
Subject: How to correctly set up cgiemail forms
you must change the From: line to
where vaild-uwo-address is your own email address or a non-person account that your department uses. You can no longer take input from the form and use it in the From: line or in the CC: or BCC: lines.
The form information must always come from that hardcoded address.
This service is available to UWO information providers who use one of the corporate webserver at UWO:
What is Cgiemail
Cgiemail is a tool that enables you to send an email message based on a web form in a manner that gives you more control over the format of the message than using a simple mailto: . Cgiemail can handle many applications of web forms which means that custom CGI programs will not have to be written. The resulting message can be processed manually or used as input for your database.
Summary of the files involved
You need to create the files listed below. The rest of this How Do I... document will tell you exactly how you do this.
- something.html (This is the web form that people will fill out)
- something.txt (This is the template that determines what the e-mail message will look like)
- something-success.html (This is the optional file that the user will see after submitting the form)
Note: Here and elsewhere we will use the word server to indicate one of either www , instruct or publish .
The Steps Involved
This document will help you write a web form that sends an e-mail message to you. The following are the steps involved:
- Create an email template ( something.txt )
- Upload the template to the server
- Create the HTML form ( something.html )
- Make sure the ACTION is correct
- Try out your form with cgiecho
- Go live with cgiemail
- Add text to the success page (optional)
- Make some inputs required (optional)
- Specify formatting for some inputs (optional)
Before you start receiving email messages through the web, you should decide what these messages should look like. Create an ASCII file, called an email template , that looks something like this:
From: firstname.lastname@example.org (valid uwo id or mailing list) HEADER LINES To: From: email@example.com (valid uwo id or mailing list)
Subject: questions three blank line Your email address (required): [required-email]
What is your name? [yourname]
What is your quest? [quest] BODY What is your favourite colour? [colour]
You would store this template in a file, e.g. questions3.txt .
The template will be used by the cgiemail program, so before you upload the file to your web server, be careful to follow these guidelines:
- Wherever you want the user of your form to supply information, use a single word inside square brackets with no spaces, e.g. Your name: [yourname] . Not [Put your name here] . The names you put between the square brackets will establish where the fields in the web form will be put in the email message.
- Make sure the address in the To: field is a vaild uwo id or mailing list. Do not use any email addresses from the form.
- If there are blank lines among the header lines, remove them.
- If there are blank lines before the header lines, remove them.
- Make sure all your header lines are valid. The first character on the line must be a letter. Most information should go in the message body; don't make up your own headers.
- Make sure there is a blank line between the header lines and the body.
- Make sure you save it as ASCII text. For example, if you are using Microsoft Word, use "Save As" and choose "Text Only with Line Breaks."
- If you created the file on a Mac, be sure to upload it as text, i.e. CR's translated. (Unix computers have different codes denoting the end of a line than Mac's do, so your file might look like one long line to the Unix computer.)
Within these guidelines there is a lot of flexibility. However, we suggest you confine yourself to the following header lines:
Subject: an appropriate subject
Cc: firstname.lastname@example.org Do not use any email addresses from the form.
The Cc: is optional. It will send a copy of the message to other people in addition to the primary addressee. If you have more than one address to put there, use commas to separate them. Make sure that all addresses in the To: and Cc: lines are correct, otherwise the message will bounce. Bounced messages go to the webmaster!
We strongly suggest that you always include a required field containing the email address of the person who filled out the form. In the example, this is the field required-email . As explained in the section Make some inputs required , any field whose name starts with required- has to be filled out, otherwise the submission of the form will be rejected.
You should upload this file (as ASCII) to the web server in the usual way. For example, if the name of the file is questions3.txt and you are in department somedept on the university's central web server www.uwo.ca , the file will end up as questions3.txt in the departmental directory somedept . The exact file specification would be /web/www/somedept/questions3.txt .
If you are using the instruct server, you would put the file somewhere in /web/instruct .
If you use the publish server, you would put the file in your public_html area.
Next you have to create a form that will use the template. Here is an example:
Your email address (required):
This is the HTML source ( questions3.html ):
The example assumes you are using the www server. See the section Make sure the ACTION is correct, below, for details on how to specify the action for the form.
This is a very simple example. To learn to create more complicated forms, read http://www.w3schools.com/html/html_forms.asp or your favorite book on HTML. All types of inputs (radio buttons etc.) work the same way.
For now, simply note that the NAME of each INPUT corresponds to what you previously put in the e-mail template. In this example they are required-email, yourname, quest , and colour . Remember that a name that starts with required- indicates that that field has to be filled out in the form, otherwise the form will not be submitted.
The trickiest part of the HTML form is getting the ACTION set correctly. The following paragraphs show how to do this on the various central UWO servers.
NOTE: You must use https
In general, please note that the way in which you indicate where your .txt file resides is as if you were specifying a URL: you do not specify the full file path. In other words, on www you leave out /web/www , on instruct you leave out /web/instruct and on publish you use ~loginname/file.txt without mention of public_html .
On www.uwo.ca the ACTION should be set as follows:
\ / \ /
`------- Part 1 ------' ` ----- Part 2 -----'
Part 1 must be https, part 2 indicates where your e-mail template is stored. The XXXXXXXX , in the middle, is the program that will convert the form to an email message. XXXXXXXX is of course not the real name of the program, you have to substitute either cgiecho or cgiemail . As shown in the next section, for testing purposes, it is best to first try out the form using cgiecho , and when you like the results switch to cgiemail .
On instruct.uwo.ca the ACTION should be set as follows:
\ / \ /
`--------- Part 1 ---------' ` ------------ Part 2 ------------'
Here /somecourse/somenumber indicates the web area assigned to the course in question. Otherwise the same applies as under www , above.
On publish.uwo.ca the ACTION should be set as follows:
\ / \ /
`-------- Part 1 ---------' ` ------- Part 2 ------'
Here loginname is the first portion of your Western email address. Otherwise the same applies as under www , above.
We recommend putting your forms in a restricted folder to minimize spamming.
To test your form, put in an ACTION with cgiecho , for example:
https://www.uwo.ca/cgi-bin/ cgiecho /somedept/questions3.txt
Then view your form in your favorite web browser, fill in the inputs, and submit it. You should see what the processed form looks like. If instead you see an error with a number near 500, your ACTION is probably set wrong. Go back to the previous step .
If some of your inputs don't seem to be showing up in the processed form, make sure that the inputs have the exact same names in the HTML form as in the ASCII template. E.g. NAME="yourname" in the HTML form and [yourname] in the e-mail template.
Now change cgiecho to cgiemail in the ACTION of your HTML form:
https://www.uwo.ca/cgi-bin/ cgiemail /somedept/questions3.txt
Try it out. You should receive an email message with the processed form (provided the To: address in the e-mail template is yours!). If not, go back and make sure you correctly followed the instructions in step 1 .
If it works, congratulations!
When mail is sent, a page titled ``Success'' appears with the text of the email message. You may use a hidden variable called ``addendum'' to add your own text. Here is a simple example:
If you are willing to assume that readers of your form are using recent browser software, then you may put HTML markup into this variable using the appropriate character entities . For example, if you wanted to add
then the HTML markup would be
meaning you would need the following in your form:
Note that besides being difficult to write, this feature won't work for people using older browser software.
Use an alternate success page
If you don't like the default page that comes up when email is successfully sent, you can specify an alternate URL using a hidden variable called ``success'' in your HTML form, e.g.
There is no way to make this alternate success page contain information about the user who submitted in the form.
The example assumes you use the www server. If you use instruct or publish , you should specify the URL of the alternate success page in the appropriate way:
If you would like to automatically reject forms with certain inputs left blank, add the prefix required- to the name of the input in both your HTML form and your e-mail template. Here is an example:
In the HTML form:
Your email address (required)
In the email template
Your email address: [required-email]
If, in your email template, the text inside square brackets begins with %, cgiemail will use the printf() function in C on the field name after the comma. If you're not familiar with this function, look in a book on C. If you are familiar with it, please note these two differences:
- The first character in the format string must be %.
- Characters like \n and \t must be literal. If you want a newline, you have to put a newline just before the comma, even though this looks strange.
An example could be in the tag onsubmit="document.charset = 'ISO-8859-1';"
Google automatically takes a "snapshot" of each page it crawls and archives it. This "cached" version allows a webpage to be retrieved if the original page is ever unavailable.
Removing a URL
In order to remove a URL from the Google index
- you must create an account with Google using your email address and a password
- Google will send a confirmation email that must be responded to within 24 hours or your account will be deleted
- once account activated, login to Google with your email address and a password
- Remove pages, subdirectories or images using a robots.txt file.
- Remove a single page using meta tags.
- Remove an outdated link.
- anything associated with this URL
- snippet portion of result (includes cached version)
- cached version only
- you can also review the status of any submitted requests through this account
To prevent all search engines from showing a cached copy of your page
< META NAME = "ROBOTS" CONTENT = "NOARCHIVE" >
If you would like to specify this restriction just for a specific search engine use "search engine name" in place of "robots".
To prevent the search engines from indexing page or following links from a particular page
< META NAME = "ROBOTS" CONTENT = "NOINDEX" >
The following commands tell the search engine to index the document, but not follow hyperlinks from it:
< META NAME = "ROBOTS" CONTENT = "NOFOLLOW" >
You may set all directives OFF by using the following:
< META NAME = "ROBOTS" CONTENT = "NONE" >
See http://www.robotstxt.org/wc/exclusion.html#meta for more information.
Before you begin
Please read the following questions and answers.
Question: Do I have a Western Identity?
All faculty, staff, and students at Western have a Western Identity automatically created for them. If you do not yet have a user Id and password please review the informaton at http://www.uwo.ca/wts/identity/identities_and_access/index.html.
Question: Where will my website be located?
Your website will be stored in a directory called public_html in your personal file space on the Western server.
Question: How do I get my website files from my computer to the Western server?
Using a secure file transfer program you will need to make a connection to the server: sftp.uwo.ca using your Western Identity user ID and password to upload the document from your local system to the sftp server.An example of some sftp applications are:
- Microsoft Windows
- SSH Secure FTP
- Mac OS X
Question: What will the url be for my website?
http://publish.uwo.ca/~user_ID/ (where user ID is your Western Identity username/user ID e.g. jsmith5555)
Question: What is appropriate content for my website?
Western faculty, staff, and students can create personal websites to disseminate information relevant to their roles in the University.
Individuals (faculty, staff, and students) are responsible for the content of their personal websites. Information made available via this service must meet the content policies defined by the Western Acceptable Use Agreement which you signed when you first activated your Western Identity.Remember that web pages are public; don't put in information that people could use to hurt you. Your web pages describe you and your interests to the world so put some thought into how you represent yourself. Consider that potential future employers may read your web pages.
Steps to Publishing on the Web
Step 1- Activate Your Personal Web Space
You must first create (activate) a special directory in your personal web space on. To set up your web space, go to the online form Activate My Personal Web Space.
The first time this activation is done, it creates a directory called public_html in your personal disk space. It also creates a default home page using a standard template to a file called index.html within your new public_html directory. It also sets appropriate permissions on the directory and files within so that the web server can read them.
If the directory public_html and the file index.html already exist, then only the permissions will be set. The index.html file will not be overwritten. Open a browser (e.g. Firefox, IE) and check to see whether you can access your homepage at http://publish.uwo.ca/~user_ID/. It should look like the template in this document. If you can view this page, everything is set up correctly.
Step 2 - Create Your HTML Content
Step 3 - Upload Your Content to the Server
Transfer the content you have created from your computer to the folder public_html on the server using a secure file transfer program (SFTP). The server or host name to connect to is sftp.uwo.ca
Note that you must transfer your files into the public_html directory. The file transfer usually sets the file protection to 'world readable'. If the permissions were not set this way during file transfer, you will need to correct this before you or anyone else can view your page. You can do this by returning to the Activate My Personal Web Space page and submitting your username and password again.
Note: If you are transferring images, you should click on the Binary button before transferring them to public_html.
Step 4 - Test Access to Your Web Space
Once your home page is safely in public_html, visitors to your site will use the following web URL to view your page:
This only works if you keep the name of your homepage as index.html. Other files in your public_html directory can be accessed directly. If you named a page mypage.html, then it could only be accessed by going to the URL
What is a Restricted Web Site?
A restricted web site or web area is a site that is only available for viewing by a certain group of people, such as members of a department. Restrictions can be made according to the IP number, subnet or domain of machines (e.g. people can only view the site from a certain location), or by user ID and password (e.g. only those people in the access list can view the page, no matter where they are viewing it from.
Restricted web sites on www.uwo.ca are available for UWO username/password accounts and the restricted area has to be setup by WTS staff. They are not available for publish.uwo.ca sites due to the different configuration of the personal site.
Restricted sites on instruct.uwo.ca are available for UWO username/password accounts and the restricted area has to be setup by WTS staff. WebCT is the area where coursesites that need restriction to individuals, whether with a UWO username or not, are now handled.
How do I create one?
The actual original setup and creation of the restricted area can only be performed by the web administrator of the web server who has special priviledges. If you need a restricted area on www.uwo.ca or instruct web server, please complete and submit the Restricted Site Request form. This request will be processed by Web Admin. You will need to specify:
- Your name and email address
- Name and email address of maintainer (if other than yourself)
- The URL of the site you wish created. This should be inside a site you already own and should not exist.
- The type of restriction you wish to have. The choices are:
- Restricted to campus (only on-campus machines have access)
- Restricted by password (must have a valid email login/password)
- Restricted to campus or by password (for those not on campus)
- Restricted to campus and by password
Web admin will create the site for you and set up the restrictions you requested. Any page that you add to this area will only be accessible to those specified by the restrictions.
What will the site look like?
- The new directory that is the restricted area will have the world readable rights to this directory removed. This means that only the owner of the files can look at them through the file system.
- The ownership of the directory will be the maintainer and the group ID set to guest.
- There will be a special file called .htaccess containing the restrictions that required. Do not delete or move this file.
- If the site is to be restricted by password, here will be a password file, usually called passwords. If you sent in a class list (see previoius section), then the password file will be populated with these entries.
- There will be a dummy index.html file in the area.
- A redirect will be added at the server level to ensure https secure connections.
- When viewing the restricted site, most web browsers will indicate that this is a secure site (e.g. in Netscape, the Security lock icon will be highlighted and closed and the icon of the lock at the bottom left of the window will also be closed; in Internet Explorer, an icon of a lock will appear in the bottom right corner).
See the next section for a description of what to do to start using the site.
Maintaining the Restricted site
- You should modify the file index.html so that it describes the area.
- Then the information pages or information files can be added as usual (e.g. using a SFTP client). If you need to create any subdirectories in the restricted area, don't change the default permissions of the new directories.
- If access is restricted by password, you need to edit the password file. The password file is a list of users you wish to allow or deny access. Currently, authentication is done against the WTS Unix systems, so we only require the login names. The name of the password file can be found from the first line of the .htacess file. For example:
- AuthUserFile /web/www/its/restricted/passwords
- where passwords is the name of the password file, found in the directory its/restricted. A vaild user is denoted by +loginname and someone you want to specifically deny access is denoted by -loginname. For example, to give access to user 'Jane Doe,' add the following line to the password file: +jdoe.
- Add as many users as desired. If the person does not have a Western email address, contact the webadmin. If you want everyone who has a vaild Western username and password to have access, use the line: +* (* is a wildcard character signifying "all").
- The password file needs to be kept up to date, adding and deleting users as needed.
- NOTE: If you sent in a class list with your request for the restricted area, the password file will already be set up with these people. Check to see if any need to be added or removed.
- Anyone accessing this area should use the URL https://... (notice the s). Notify those who will being this site of this information, as well as any other sites that are linking to this site.
- Follow these rules for linking to a restricted sites to maintain the security:
- Links to a restricted page or file from a non-restricted page- use https
- Links to a restricted page or file from a restricted page - use https or a relative path
- Links to a non-restricted page or file from a restricted page - use http
- Loading images into a restricted page (no matter where they are located) - use https or a relative path
- Running a CGI script from a restricted site - use https
- Remember the following:
- Do not change any of the ownerships, rights or group ID in this area or any areas under it.
- Do not delete, move, or modify the file .htaccess
- Do not delete or move the password file.
Request a Virtual Host on the Corporate Web Server - Learn how to request a Virtual Host on the Corporate Web Server
This How do I ... describes how to request the set up of a virtual host for your site on the main corporate web server. Note: There are set up and maintenance charges for virtual hosts. Please see Section 7. Hosting Domain Name and Web Services in the WTS Services Document for details on these charges.
Before you proceed with this process, you should already have a site set up on the main corporate web server (www.uwo.ca). If you are not already set up, please contact Web Admin <email@example.com> and request space for your site (Keep in mind that space on www.uwo.ca is allocated for official departmental web sites).
Choose a domainChoose one of the following:
- Within uwo.ca: While it is possible to have external domains, we strongly recommend that you stay within the .uwo.ca domain. This domain is the only one that is free to use and requires little or no set up on your part. If you wish to use this domain, you can go to Choose a Name for your virtual host below.
- External: If you want to have an external domain set up for your sitem it is your responsibility to register the domain with the proper authorities. Any fees associated with this registration are also your responsibility. Note that the Network Operations Center <firstname.lastname@example.org> to confirm that the setup of a virtual host in the desired domain is acceptable and that we will host the domain for you.
- To register a .ca domain, you need to contact one of the organizations on the Registar's List provided by the Canadian Internet Registration Authority (http://www.circa.ca).
- When registering a domain, you will be asked to provide certain information which will also be used for the hosting of the site. It will expedite matters if you know in advance what information you need to provide the group registering the domain that will also be required for hosting the site. Please contact the webadm <email@example.com> and discuss your plans for registering your domain.
Do I want stats?Statistics can be created for virtual hosts. The resulting stats will look exactly like the main corporate web stats (http://www.uwo.ca/Usage). There are charges associated with generating stats for your virtual host. You choose whether or not to have stats generated and this can be done at the beginning or added on at a later date, but it is easiest if it is done during the initial set up.
Submit the request for a virtual host.Once you have chosen your domain name (and registered it if external) and decided if you wants stats, please complete and submit the Virtual Host Request Form. This request will be processed by Web Admin. They will:
- follow up with the Network Operations Center to complete the domain set up (if external) and set up the DNS data for the host name
Published on and maintained in Cascade CMS.