X-Git-Url: https://git.deb.at/?p=pkg%2Fblosxom.git;a=blobdiff_plain;f=blosxom.cgi;h=687038dd08b927239b2629961179a43ca99db1de;hp=674ff10f7a691e686b3d42cad6555ef2b76c3348;hb=6d921935464bcc7923d9feec12eabf44467763f7;hpb=9f94051f5dd9294a6d2a6e474087dd94bf1ebfe4 diff --git a/blosxom.cgi b/blosxom.cgi index 674ff10..687038d 100755 --- a/blosxom.cgi +++ b/blosxom.cgi @@ -1,8 +1,8 @@ #!/usr/bin/perl # Blosxom -# Author: Rael Dornfest -# Version: 2.0.2 +# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008) +# Version: 2.1.2 ($Id: blosxom.cgi,v 1.86 2008/11/11 10:37:16 alfie Exp $) # Home/Docs/Licensing: http://blosxom.sourceforge.net/ # Development/Downloads: http://sourceforge.net/projects/blosxom @@ -76,10 +76,13 @@ $static_password = ""; # 0 = no, 1 = yes $static_entries = 0; +# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves) +$encode_xml_entities = 1; + # -------------------------------- use vars - qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities !; + qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities $content_type !; use strict; use FileHandle; @@ -88,10 +91,7 @@ use File::stat; use Time::Local; use CGI qw/:standard :netscape/; -$version = "2.0.2"; - -# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves) -$encode_xml_entities = 1; +$version = "2.1.2"; # Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists my $blosxom_config; @@ -142,20 +142,39 @@ my $fh = new FileHandle; ); @num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num; -# Use the stated preferred URL or figure it out automatically -$url ||= url( -path_info => 1 ); -# Unescape %XX hex codes (from URI::Escape::uri_unescape) -$url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; -$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED'; - -# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and -# always appends path_info to the url. To fix this, we always -# request an url with path_info, and always remove it from the end of the -# string. -my $pi_len = length $ENV{PATH_INFO}; -my $might_be_pi = substr( $url, -$pi_len ); -substr( $url, -length $ENV{PATH_INFO} ) = '' - if $might_be_pi eq $ENV{PATH_INFO}; +# Use the stated preferred URL or figure it out automatically. Set +# $url manually in the config section above if CGI.pm doesn't guess +# the base URL correctly, e.g. when called from a Server Side Includes +# document or so. +unless ($url) { + $url = url(); + + # Unescape %XX hex codes (from URI::Escape::uri_unescape) + $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; + + # Support being called from inside a SSI document + $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED'; + + # Remove PATH_INFO if it is set but not removed by CGI.pm. This + # seems to happen when used with Apache's Alias directive or if + # called from inside a Server Side Include document. If that + # doesn't help either, set $url manually in the configuration. + $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO}; + + # NOTE: + # + # There is one case where this code does more than necessary, too: + # If the URL requested is e.g. http://example.org/blog/blog and + # the base URL is correctly determined as http://example.org/blog + # by CGI.pm, then this code will incorrectly normalize the base + # URL down to http://example.org, because the same string as + # PATH_INFO is part of the base URL, too. But this is such a + # seldom case and can be fixed by setting $url in the config file, + # too. +} + +# The only modification done to a manually set base URL is to strip +# a trailing slash if present. $url =~ s!/$!!; @@ -195,6 +214,23 @@ if (! ($flavour = param('flav'))) { } $flavour ||= $default_flavour; +# Fix XSS in flavour name (CVE-2008-2236) +$flavour = blosxom_html_escape($flavour); + +sub blosxom_html_escape { + my $string = shift; + my %escape = ( + '<' => '<', + '>' => '>', + '&' => '&', + '"' => '"', + "'" => ''' + ); + my $escape_re = join '|' => keys %escape; + $string =~ s/($escape_re)/$escape{$1}/g; + $string; +} + # Global variable to be used in head/foot.{flavour} templates $path_info = ''; # Add all @path_info elements to $path_info till we come to one that could be a year @@ -436,7 +472,7 @@ if ( !$ENV{GATEWAY_INTERFACE} mkdir "$static_dir/$p", 0755 unless ( -d "$static_dir/$p" or $p =~ /\.$file_extension$/ ); foreach $flavour (@static_flavours) { - my $content_type + $content_type = ( &$template( $p, 'content_type', $flavour ) ); $content_type =~ s!\n.*!!s; my $fn = $p =~ m!^(.+)\.$file_extension$! ? $1 : "$p/index"; @@ -473,7 +509,7 @@ if ( !$ENV{GATEWAY_INTERFACE} # Dynamic else { - my $content_type = ( &$template( $path_info, 'content_type', $flavour ) ); + $content_type = ( &$template( $path_info, 'content_type', $flavour ) ); $content_type =~ s!\n.*!!s; $content_type =~ s/(\$\w+(?:::\w+)*)/"defined $1 ? $1 : ''"/gee; @@ -660,18 +696,25 @@ sub generate { } } - if ( $encode_xml_entities && $content_type =~ m{\bxml\b} ) { + if ( $encode_xml_entities && + $content_type =~ m{\bxml\b} && + $content_type !~ m{\bxhtml\b} ) { + # Escape special characters inside the container + + # The following line should be moved more towards to top for + # performance reasons -- Axel Beckert, 2008-07-22 + my $url_escape_re = qr([^-/a-zA-Z0-9:._]); + + $url =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; + $path =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; + $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; # Escape <, >, and &, and to produce valid RSS - my %escape = ( - '<' => '<', - '>' => '>', - '&' => '&', - '"' => '"' - ); - my $escape_re = join '|' => keys %escape; - $title =~ s/($escape_re)/$escape{$1}/g; - $body =~ s/($escape_re)/$escape{$1}/g; + $title = blosxom_html_escape($title); + $body = blosxom_html_escape($body); + $url = blosxom_html_escape($url); + $path = blosxom_html_escape($path); + $fn = blosxom_html_escape($fn); } $story = &$interpolate($story); @@ -738,7 +781,7 @@ html content_type text/html; charset=$blog_encoding html head html head html head -html head +html head html head html head $blog_title $path_info_da $path_info_mo $path_info_yr html head @@ -780,7 +823,7 @@ rss story $title rss story $dw, $da $mo $yr $ti:00 $utc_offset rss story $url/$yr/$mo_num/$da#$fn rss story $path -rss story $path/$fn +rss story $url$path/$fn rss story $body rss story