#!/usr/bin/perl
# Blosxom
-# Author: Rael Dornfest <rael@oreilly.com>
-# Version: 2.0.2
+# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.85 2008/10/02 01:09:41 xtaran Exp $)
# Home/Docs/Licensing: http://blosxom.sourceforge.net/
# Development/Downloads: http://sourceforge.net/projects/blosxom
# 0 = no, 1 = yes
$static_entries = 0;
+# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
+$encode_xml_entities = 1;
+
# --------------------------------
use vars
- qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others !;
+ qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities $content_type !;
use strict;
use FileHandle;
use Time::Local;
use CGI qw/:standard :netscape/;
-$version = "2.0.2";
+$version = "2.1.2";
# Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
my $blosxom_config;
);
@num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num;
-# Use the stated preferred URL or figure it out automatically
-$url ||= url( -path_info => 1 );
-$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+# Use the stated preferred URL or figure it out automatically. Set
+# $url manually in the config section above if CGI.pm doesn't guess
+# the base URL correctly, e.g. when called from a Server Side Includes
+# document or so.
+unless ($url) {
+ $url = url();
+
+ # Unescape %XX hex codes (from URI::Escape::uri_unescape)
+ $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
+
+ # Support being called from inside a SSI document
+ $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+
+ # Remove PATH_INFO if it is set but not removed by CGI.pm. This
+ # seems to happen when used with Apache's Alias directive or if
+ # called from inside a Server Side Include document. If that
+ # doesn't help either, set $url manually in the configuration.
+ $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};
+
+ # NOTE:
+ #
+ # There is one case where this code does more than necessary, too:
+ # If the URL requested is e.g. http://example.org/blog/blog and
+ # the base URL is correctly determined as http://example.org/blog
+ # by CGI.pm, then this code will incorrectly normalize the base
+ # URL down to http://example.org, because the same string as
+ # PATH_INFO is part of the base URL, too. But this is such a
+ # seldom case and can be fixed by setting $url in the config file,
+ # too.
+}
-# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and
-# always appends path_info to the url. To fix this, we always
-# request an url with path_info, and always remove it from the end of the
-# string.
-my $pi_len = length $ENV{PATH_INFO};
-my $might_be_pi = substr( $url, -$pi_len );
-substr( $url, -length $ENV{PATH_INFO} ) = ''
- if $might_be_pi eq $ENV{PATH_INFO};
+# The only modification done to a manually set base URL is to strip
+# a trailing slash if present.
$url =~ s!/$!!;
# Fix depth to take into account datadir's path
$depth += ( $datadir =~ tr[/][] ) - 1 if $depth;
-# Global variable to be used in head/foot.{flavour} templates
-$path_info = '';
-
if ( !$ENV{GATEWAY_INTERFACE}
and param('-password')
and $static_password
# Path Info Magic
# Take a gander at HTTP's PATH_INFO for optional blog name, archive yr/mo/day
my @path_info = split m{/}, path_info() || param('path');
+$path_info_full = join '/', @path_info; # Equivalent to $ENV{PATH_INFO}
shift @path_info;
-while ( $path_info[0]
- and $path_info[0] =~ /^[a-zA-Z].*$/
- and $path_info[0] !~ /(.*)\.(.*)/ )
-{
- $path_info .= '/' . shift @path_info;
-}
-
# Flavour specified by ?flav={flav} or index.{flav}
$flavour = '';
+if (! ($flavour = param('flav'))) {
+ if ( $path_info[$#path_info] =~ /(.+)\.(.+)$/ ) {
+ $flavour = $2;
+ pop @path_info if $1 eq 'index';
+ }
+}
+$flavour ||= $default_flavour;
+
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
-if ( $path_info[$#path_info] =~ /(.+)\.(.+)$/ ) {
- $flavour = $2;
- $path_info .= "/$1.$2" if $1 ne 'index';
- pop @path_info;
+# Global variable to be used in head/foot.{flavour} templates
+$path_info = '';
+# Add all @path_info elements to $path_info till we come to one that could be a year
+while ( $path_info[0] && $path_info[0] !~ /^(19|20)\d{2}$/) {
+ $path_info .= '/' . shift @path_info;
}
-else {
- $flavour = param('flav') || $default_flavour;
+
+# Pull date elements out of path
+if ($path_info[0] && $path_info[0] =~ /^(19|20)\d{2}$/) {
+ $path_info_yr = shift @path_info;
+ if ($path_info[0] &&
+ ($path_info[0] =~ /^(0\d|1[012])$/ ||
+ exists $month2num{ ucfirst lc $path_info_mo })) {
+ $path_info_mo = shift @path_info;
+ # Map path_info_mo to numeric $path_info_mo_num
+ $path_info_mo_num = $path_info_mo =~ /^\d{2}$/
+ ? $path_info_mo
+ : $month2num{ ucfirst lc $path_info_mo };
+ if ($path_info[0] && $path_info[0] =~ /^[0123]\d$/) {
+ $path_info_da = shift @path_info;
+ }
+ }
}
+# Add remaining path elements to $path_info
+$path_info .= '/' . join('/', @path_info);
+
# Strip spurious slashes
$path_info =~ s!(^/*)|(/*$)!!g;
-# Date fiddling
-( $path_info_yr, $path_info_mo, $path_info_da ) = @path_info;
-$path_info_mo_num
- = $path_info_mo
- ? ( $path_info_mo =~ /\d{2}/
- ? $path_info_mo
- : ( $month2num{ ucfirst( lc $path_info_mo ) } || undef ) )
- : undef;
-
# Define standard template subroutine, plugin-overridable at Plugins: Template
$template = sub {
my ( $path, $chunk, $flavour ) = @_;
my %plugin_hash = ();
# If $plugin_list is set, read plugins to use from that file
-$plugin_list = "$config_dir/$plugin_list"
- if $plugin_list && $plugin_list !~ m!^\s*/!;
-if ( $plugin_list and -r $plugin_list and $fh->open("< $plugin_list") ) {
- @plugin_list = map { chomp $_; $_ } grep { /\S/ && !/^#/ } <$fh>;
- $fh->close;
+if ( $plugin_list ) {
+ if ( -r $plugin_list and $fh->open("< $plugin_list") ) {
+ @plugin_list = map { chomp $_; $_ } grep { /\S/ && !/^#/ } <$fh>;
+ $fh->close;
+ }
+ else {
+ warn "unable to read or open plugin_list '$plugin_list': $!";
+ $plugin_list = '';
+ }
}
# Otherwise walk @plugin_dirs to get list of plugins to use
-elsif (@plugin_dirs) {
+if ( ! @plugin_list && @plugin_dirs ) {
for my $plugin_dir (@plugin_dirs) {
next unless -d $plugin_dir;
if ( opendir PLUGINS, $plugin_dir ) {
unshift @INC, @plugin_dirs;
foreach my $plugin (@plugin_list) {
my ( $plugin_name, $off ) = $plugin =~ /^\d*([\w:]+?)(_?)$/;
+ my $plugin_file = $plugin_list ? $plugin_name : $plugin;
my $on_off = $off eq '_' ? -1 : 1;
# Allow perl module plugins
- if ( $plugin =~ m/::/ && -z $plugin_hash{$plugin} ) {
+ # The -z test is a hack to allow a zero-length placeholder file in a
+ # $plugin_path directory to indicate an @INC module should be loaded
+ if ( $plugin =~ m/::/ && ( $plugin_list || -z $plugin_hash{$plugin} ) ) {
# For Blosxom::Plugin::Foo style plugins, we need to use a string require
- eval "require $plugin_name";
+ eval "require $plugin_file";
}
else
{ # we try first to load from $plugin_dir before attempting from $plugin_path
- eval { require "$plugin_dir/$plugin" }
- or eval { require $plugin };
+ eval { require "$plugin_dir/$plugin_file" }
+ or eval { require $plugin_file };
}
if ($@) {
mkdir "$static_dir/$p", 0755
unless ( -d "$static_dir/$p" or $p =~ /\.$file_extension$/ );
foreach $flavour (@static_flavours) {
- my $content_type
+ $content_type
= ( &$template( $p, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
my $fn = $p =~ m!^(.+)\.$file_extension$! ? $1 : "$p/index";
# Dynamic
else {
- my $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
+ $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
- $content_type =~ s/(\$\w+(?:::)?\w*)/"defined $1 ? $1 : ''"/gee;
+ $content_type =~ s/(\$\w+(?:::\w+)*)/"defined $1 ? $1 : ''"/gee;
$header = { -type => $content_type };
print generate( 'dynamic', $path_info,
# Define default interpolation subroutine
$interpolate = sub {
-
package blosxom;
my $template = shift;
- $template =~ s/(\$\w+(?:::)?\w*)/"defined $1 ? $1 : ''"/gee;
+ # Interpolate scalars, namespaced scalars, and hash/hashref scalars
+ $template =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{(['"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee;
return $template;
};
}
}
- if ( $content_type =~ m{\bxml\b} ) {
+ if ( $encode_xml_entities &&
+ $content_type =~ m{\bxml\b} &&
+ $content_type !~ m{\bxhtml\b} ) {
+ # Escape special characters inside the <link> container
+
+ # The following line should be moved more towards to top for
+ # performance reasons -- Axel Beckert, 2008-07-22
+ my $url_escape_re = qr([^-/a-zA-Z0-9:._]);
+
+ $url =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $path =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
# Escape <, >, and &, and to produce valid RSS
my %escape = (
'<' => '<',
'>' => '>',
'&' => '&',
- '"' => '"'
+ '"' => '"',
+ "'" => '''
);
my $escape_re = join '|' => keys %escape;
$title =~ s/($escape_re)/$escape{$1}/g;
$body =~ s/($escape_re)/$escape{$1}/g;
+ $url =~ s/($escape_re)/$escape{$1}/g;
+ $path =~ s/($escape_re)/$escape{$1}/g;
+ $fn =~ s/($escape_re)/$escape{$1}/g;
}
$story = &$interpolate($story);
my ($unixtime) = @_;
my $c_time = CORE::localtime($unixtime);
- my ( $dw, $mo, $da, $hr, $min, $yr )
+ my ( $dw, $mo, $da, $hr, $min, $sec, $yr )
= ( $c_time
- =~ /(\w{3}) +(\w{3}) +(\d{1,2}) +(\d{2}):(\d{2}):\d{2} +(\d{4})$/
+ =~ /(\w{3}) +(\w{3}) +(\d{1,2}) +(\d{2}):(\d{2}):(\d{2}) +(\d{4})$/
);
$ti = "$hr:$min";
$da = sprintf( "%02d", $da );
my $mo_num = $month2num{$mo};
my $offset
- = timegm( 00, $min, $hr, $da, $mo_num - 1, $yr - 1900 ) - $unixtime;
+ = timegm( $sec, $min, $hr, $da, $mo_num - 1, $yr - 1900 ) - $unixtime;
my $utc_offset = sprintf( "%+03d", int( $offset / 3600 ) )
. sprintf( "%02d", ( $offset % 3600 ) / 60 );
__DATA__
html content_type text/html; charset=$blog_encoding
+html head <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
html head <html>
html head <head>
-html head <meta http-equiv="content-type" content="text/html;charset=$blog_encoding" />
-html head <link rel="alternate" type="type="application/rss+xml" title="RSS" href="$url/index.rss" />
-html head <title>$blog_title $path_info_da $path_info_mo $path_info_yr
-html head </title>
+html head <meta http-equiv="content-type" content="$content_type" >
+html head <link rel="alternate" type="application/rss+xml" title="RSS" href="$url/index.rss" >
+html head <title>$blog_title $path_info_da $path_info_mo $path_info_yr</title>
html head </head>
html head <body>
-html head <center>
-html head <font size="+3">$blog_title</font><br />
-html head $path_info_da $path_info_mo $path_info_yr
-html head </center>
-html head <p />
+html head <div align="center">
+html head <h1>$blog_title</h1>
+html head <p>$path_info_da $path_info_mo $path_info_yr</p>
+html head </div>
-html story <p>
-html story <a name="$fn"><b>$title</b></a><br />
-html story $body<br />
-html story <br />
-html story posted at: $ti | path: <a href="$url$path">$path </a> | <a href="$url/$yr/$mo_num/$da#$fn">permanent link to this entry</a>
-html story </p>
+html story <div>
+html story <h3><a name="$fn">$title</a></h3>
+html story <div>$body</div>
+html story <p>posted at: $ti | path: <a href="$url$path">$path</a> | <a href="$url/$yr/$mo_num/$da#$fn">permanent link to this entry</a></p>
+html story </div>
-html date <h3>$dw, $da $mo $yr</h3>
+html date <h2>$dw, $da $mo $yr</h2>
html foot
-html foot <p />
-html foot <center>
-html foot <a href="http://blosxom.sourceforge.net/"><img src="http://blosxom.sourceforge.net/images/pb_blosxom.gif" border="0" /></a>
-html foot </center>
+html foot <div align="center">
+html foot <a href="http://blosxom.sourceforge.net/"><img src="http://blosxom.sourceforge.net/images/pb_blosxom.gif" alt="powered by blosxom" border="0" width="90" height="33" ></a>
+html foot </div>
html foot </body>
html foot </html>
rss story <pubDate>$dw, $da $mo $yr $ti:00 $utc_offset</pubDate>
rss story <link>$url/$yr/$mo_num/$da#$fn</link>
rss story <category>$path</category>
-rss story <guid isPermaLink="false">$path/$fn</guid>
+rss story <guid isPermaLink="false">$url$path/$fn</guid>
rss story <description>$body</description>
rss story </item>
error content_type text/html
+error head <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
error head <html>
-error head <body>
-error head <p><font color="red">Error: I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.</font></p>
-
+error head <head><title>Error: unknown Blosxom flavour "$flavour"</title></head>
+error head <body>
+error head <h1><font color="red">Error: unknown Blosxom flavour "$flavour"</font></h1>
+error head <p>I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.</p>
-error story <p><b>$title</b><br />
-error story
$body <a href="$url/$yr/$mo_num/$da#fn.$default_flavour">#</a></p>
+error story <h3>$title</h3>
+error story
<div>$body</div> <p><a href="$url/$yr/$mo_num/$da#fn.$default_flavour">#</a></p>
-error date <h3>$dw, $da $mo $yr</h3>
+error date <h2>$dw, $da $mo $yr</h2>
error foot </body>
error foot </html>
projects / pkg / blosxom.git / blobdiff