ASForm is a general-purpose, powerful, highly configurable HTML form-to-email processor for use on the World Wide Web and/or intranets. It was developed by Art Sackett of Art Sackett Professional Web Design for free distribution to meet the needs of many who have been unable to find a similar tool that adequately meets their needs.
ASForm includes a debugging utility that is, to the best of the developer's knowledge, unique in the free CGI application arena. Once ASForm is runnable, switching on the debug mode and invoking (running) ASForm will cause it to analyze your installation and configuration, and explain it to you in English as plain as is possible. Anything that might keep ASForm from working as you expect is called to your attention and explained, and the tests it performs are explained as they're done. You shouldn't have to guess why the thing might be doing things you didn't intend. As an aid in developing configuration files, debugging can be switched on in any configuration files you need to debug, while leaving those that are working in normal operation. You can be processing forms from the web normally while you create and test new configuration files without affecting those "live" configurations. The only exception to this is the main, default configuration -- setting debugging to on in this configuration turns it on for all configurations.
ASForm is at present a single-user, single domain application. Although it will support as many individual configurations as you care to write for it, it is not designed for a multi-user environment, as would be required by an ISP who needs to provide its functionality for many different users. A multi-user version will eventually follow, based upon the final release. (At this time, ASForm is in beta release. There may be bugs, but there are none that are known as of this writing. The intent is that the final release will be compatible with the beta version's configuration files, but this is not in any way guaranteed.)
Please note that although the distribution is free, ASForm comes with some restrictions regarding how you can use it, the Terms of Use:
If it happens that you really like ASForm, especially if it helps you to make money, feel free to send a postcard, preferably with a picture of your home town on it, to the address that's all over at http://www.artsackett.com -- and feel free to contact Art Sackett Professional Web Design for your custom CGI application programming needs. ;-)
ASForm is like most other free CGI applications, in that it comes with absolutely no guarantees whatsoever. If it breaks things, you get to keep whatever little pieces might be left. It comes with no support unless you are or are willing to become a client of Art Sackett Professional Web Design. During the beta period for ASForm, feel free to send an email to email@example.com if you are pretty certain that you've found a bug or need a quick question answered, after checking at http://www.artsackett.com/freebies/asform for a more recent version than the one you have. (The version number will always appear in the output of debug mode and in the headers of mail from ASForm.) Whether or not you hear back from me in a timely fashion, or at all, will be determined by my workload. We all gotta make a living.
ASForm is intended to be about as secure as any similar application can be, but at this time it still won't run with perl's -T flag set. This is mainly because it's time for me to get on with paying work, and will eventually be corrected. As ASForm runs, it is just looking for an excuse to die, and will not allow some of the more common security mistakes to be made. It checks to make sure that it ought to be sending files that are either mailed or returned to the internet user, and it refuses to cooperate if it finds that it lives in a file that is writable by the HTTP ("web") server. Because it does not accept email addresses for form submission report recipients from the web, it is not really very abusable. It does not expose recipients' email addresses on the web for harvesting spambots, and includes a very configurable HTTP_REFERER filter to ensure that other sites can't count on abusing your installation. It is simply not possible for a remote site to use ASForm as a conduit to your SMTP server for spamming -- with the exception of the address accepted from the web for Autoresponder messages, the only possible recipients of mail from ASForm are those you list in your configuration file(s). Because ASForm does not rely upon any Mail Transfer Agent (such as sendmail) it does not expose any security holes that are part and parcel of the "piped open" that has to happen if an MTA is used. ASForm is its own MTA, and talks to the SMTP server itself -- attempts to get a "shell" will end up as email if the transaction completes at all.
As an aid to maintaining security, once ASForm is properly configured, any event that causes a fatal error is handled by rejecting the transaction, returning an error message to the internet user, and sending an email to the webmaster (named in the configuration file(s)) explaining what went wrong. Optionally, if a transaction is rejected because the non-null value of the HTTP environment variable HTTP_REFERER did not match against the filtering you defined, an Abuse Report can be mailed to the webmaster(s). In short, if someone does manage to get into your installation somehow, all it takes is one mistake on their part and you'll hear about it.
(Those timed-out transactions that other form processors often provide are due to the program waiting on a Mail Transfer Agent, such as sendmail, to return an acknowledgment that it has accepted the mail. On a heavily used system, this can sometimes take several minutes, time that your users don't want to spend hanging around waiting for their browsers to time out. ASForm has to hang around waiting on the SMTP server to acknowledge that it has accepted the data, but it gets the user on his way first.)
ASForm is a fairly large program that does a lot of things, but by getting the user on his way as quickly as possible, it appears to be pretty zippy, especially if your server is configured to keep a perl interpreter running all the time. The only time you might run into trouble is if your installation of ASForm is running very many copies at once, to the point where your system has to start swapping it out to the hard drive(s). This will certainly cause sluggish response.
Also unlike many other free form processors (and part of the reason that ASForm is so big), ASForm does not expect you to put all of the configuration information for a transaction into the HTML form. Usually, you can expect a hard drive access to be a lot faster than the network connection -- so ASForm takes advantage of this by requiring only a couple of things to be in your HTML, and keeping the rest in files on the server's hard drive(s).
There are additional tags that ASForm makes available to you that need not appear in your form data, such as <time>.
The Autoresponder can be enabled, disabled, or set to "user mode" within your configuration file(s). In user mode, your HTML form dictates whether or not an Autoresponder message should be sent, and you can then leave it to the discretion of either the internet user or to a hidden form field whether to send or suppress the Autoresponder message.
If you don't want to write your own Autoresponder message, a default can be generated -- you can opt to send or suppress a data "echo", which is a dump of raw form data. The mail From address must be configured within the configuration file, but may also appear in your document template which will override that specified in the configuration file. (It must appear in your configuration file so that if your template cannot be used for some reason and the default message must be sent, it has a return address to use.)
If you use a mail file and/or a data file, the default message will indicate that the mail/data was copied to the file(s) -- at this time, it is just assumed to have been successful if the program gets to the point that it sends you mail.
Messages that are undeliverable for any reason (excluding Autoresponder messages) get a one-line message placed at the top, telling when the delivery was attempted and why delivery failed, for each time they fail. You should only expect mail to be undeliverable if the SMTP server is down or rejects a recipient's address for some reason. ASForm will make several attempts before considering a message undeliverable, and first tries to use the SMTP server with the more efficient multiple recipients mode, and failing that falls back to mailing the recipients individually.
(Autoresponder messages either go or don't, and are not cached. If for some reason an Autoresponder message is rejected by the SMTP server, the default report configuration, and any well-written report template, will tell you.)
Because ASForm is its own MTA, it doesn't rely upon a "piped open" to a program like sendmail -- a security hole that is never opened is pretty darned hard to exploit. (If you don't know what a "piped open" is, don't sweat it.)
As noted above, if ASForm discovers that it came from a file that is writable by the server, it will only return error messages -- and it will send an email to the webmaster(s) named in the configuration file telling how to fix the insecure installation. In debug mode, it will only return a message indicating the problem and how to fix it, and will refuse to complete the debug run.
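The kind of self-check described above, as an added example in Python; it is not ASForm's own Perl code. It reads only the owner/group/other mode bits, and it also looks at the containing directory, which goes one step beyond the file check the text describes. The function names are made up for the illustration.

```python
import os
import stat

def writable_by(path, uid, gids):
    """True if an account with this uid and these gids may write to path.

    Only the classic owner/group/other mode bits are read; ACLs are ignored.
    """
    st = os.stat(path)
    if uid == 0:
        return True                     # root is not bound by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def install_findings(script, uid, gids):
    """Return one message per place the account has write access."""
    script = os.path.realpath(script)
    parent = os.path.dirname(script)
    findings = []
    if writable_by(script, uid, gids):
        findings.append(f"file {script} is writable by uid {uid}: remove "
                        f"the write bit or change the file's owner")
    if writable_by(parent, uid, gids):
        findings.append(f"directory {parent} is writable by uid {uid}")
    return findings

def self_check(script):
    """Run the check for the account the script itself is running as."""
    gids = set(os.getgroups()) | {os.getegid()}
    return install_findings(script, os.geteuid(), gids)

if __name__ == "__main__":
    # A CGI program would return only an error page if this list is non-empty.
    for line in self_check(__file__) or ["no write access found"]:
        print(line)
```

Under a plain CGI setup the script runs as the web server's account, so `self_check` answers the question the text poses: can the server rewrite the program it is about to execute.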
ASForm knows without your telling it the name of the server (or virtual host) it is installed on, and will not cooperate with any hosts outside of its own domain. You can configure the filter to work with any host in your domain, and then with referrers from only certain directories within each host's file system. Although it is very flexible and powerful, the configuration of the filter is straightforward.
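A referrer filter of the kind described above, as an added example in Python; it is not ASForm's own Perl code or configuration syntax. The domain, the host-to-directory table and the rule that an empty referrer passes are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

OWN_DOMAIN = "example.com"      # assumed; ASForm works out its own host name
ALLOWED = {                     # hypothetical filter: host -> directories
    "www.example.com": ["/forms", "/contact"],
    "intranet.example.com": ["/"],
}

def check_referer(referer, own_domain=OWN_DOMAIN, allowed=ALLOWED):
    """Return (ok, reason) for one HTTP_REFERER value."""
    if not referer:
        return True, "null referer"          # assumption: nothing to match
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "not an http(s) URL"
    # Match on a label boundary so "evil-example.com" is not "example.com".
    if host != own_domain and not host.endswith("." + own_domain):
        return False, "host outside own domain"
    if host not in allowed:
        return False, "host not listed in filter"
    # Decode %xx and collapse "." and ".." before testing the directory.
    path = posixpath.normpath(unquote(parts.path) or "/")
    for directory in allowed[host]:
        base = directory.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True, "ok"
    return False, "directory not allowed for host"

if __name__ == "__main__":
    samples = [                 # constructed sample referrers
        "http://www.example.com/forms/order.html",
        "http://www.example.com/forms-old/order.html",
        "http://www.example.com/forms/../private/order.html",
        "http://evil-example.com/forms/order.html",
        "http://mail.example.com/forms/order.html",
        "",
    ]
    for s in samples:
        print(repr(s), check_referer(s))
```

HTTP_REFERER is supplied by the client, so a filter like this keeps other sites' forms from posting through an installation but does not authenticate the sender.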
With all of these features, ASForm is a big dude, but it ought to do what you want done, and without any guesswork or frustrating debugging as so often is required when deploying free CGI applications. If you're reading this because you have downloaded your own copy of ASForm, I hope you find it easy to deploy and powerful enough to meet your needs. Enjoy!
© 1999 - Art Sackett