X-Git-Url: https://git.deb.at/?p=pkg%2Fblosxom.git;a=blobdiff_plain;f=blosxom.cgi;h=ff6bd665233727b600ea96997e8e65c1de3fc374;hp=6476df1eb54d95214b7742b122491947ae8024f8;hb=cf8524c9718dd6ac31c92ff8742a59a80d7284b9;hpb=7b68aaee7ca44bbdcafab5f6296527e265b440ca diff --git a/blosxom.cgi b/blosxom.cgi index 6476df1..ff6bd66 100755 --- a/blosxom.cgi +++ b/blosxom.cgi @@ -1,13 +1,63 @@ #!/usr/bin/perl # Blosxom -# Author: Rael Dornfest (2003), The Blosxom Development Team (2005-2008) -# Version: 2.1.0 +# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008) +# Version: 2.1.2 ($Id: blosxom.cgi,v 1.87 2008/11/13 16:39:59 alfie Exp $) # Home/Docs/Licensing: http://blosxom.sourceforge.net/ # Development/Downloads: http://sourceforge.net/projects/blosxom package blosxom; +=head1 NAME + +blosxom - A lightweight yet feature-packed weblog + +=head1 SYNOPSIS + +B is a simple web log (blog) CGI script written in perl. + +=head1 DESCRIPTION + +B (pronounced "I") is a lightweight yet feature-packed +weblog application designed from the ground up with simplicity, +usability, and interoperability in mind. + +Fundamental is its reliance upon the file system, folders and files +as its content database. Blosxom's weblog entries are plain text +files like any other. Write from the comfort of your favorite text +editor and hit the Save button. Create, edit, rename, and delete entries +on the command-line, via FTP, WebDAV, or anything else you +might use to manipulate your files. There's no import or export; entries +are nothing more complex than title on the first line, body being +everything thereafter. + +Despite its tiny footprint, Blosxom doesn't skimp on features, sporting +the majority of features one would find in any other Weblog application. + +Blosxom is simple, straightforward, minimalist Perl affording even the +dabbler an opportunity for experimentation and customization. And +last, but not least, Blosxom is open source and free for the taking and +altering. + +=head1 USAGE + +Write a weblog entry, and place it into the main data directory. Place +the the title is on the first line; the body is everything afterwards. +For example, create a file named I and put in it something +like this: + + First Blosxom Post! + + I have successfully installed blosxom on this system. For more + information on blosxom, see the author's blosxom site. + +Place the file in the directory under the I<$datadir> points to. Be +sure to change the default location to be somewhere accessable by the +web server that runs blosxom as a CGI program. + +=cut + # --- Configurable variables ----- # What's this blog's title? @@ -76,6 +126,9 @@ $static_password = ""; # 0 = no, 1 = yes $static_entries = 0; +# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves) +$encode_xml_entities = 1; + # -------------------------------- use vars @@ -88,10 +141,7 @@ use File::stat; use Time::Local; use CGI qw/:standard :netscape/; -$version = "2.1.0"; - -# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves) -$encode_xml_entities = 1; +$version = "2.1.2"; # Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists my $blosxom_config; @@ -142,20 +192,39 @@ my $fh = new FileHandle; ); @num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num; -# Use the stated preferred URL or figure it out automatically -$url ||= url( -path_info => 1 ); -# Unescape %XX hex codes (from URI::Escape::uri_unescape) -$url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; -$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED'; - -# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and -# always appends path_info to the url. To fix this, we always -# request an url with path_info, and always remove it from the end of the -# string. -my $pi_len = length $ENV{PATH_INFO}; -my $might_be_pi = substr( $url, -$pi_len ); -substr( $url, -length $ENV{PATH_INFO} ) = '' - if $might_be_pi eq $ENV{PATH_INFO}; +# Use the stated preferred URL or figure it out automatically. Set +# $url manually in the config section above if CGI.pm doesn't guess +# the base URL correctly, e.g. when called from a Server Side Includes +# document or so. +unless ($url) { + $url = url(); + + # Unescape %XX hex codes (from URI::Escape::uri_unescape) + $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; + + # Support being called from inside a SSI document + $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED'; + + # Remove PATH_INFO if it is set but not removed by CGI.pm. This + # seems to happen when used with Apache's Alias directive or if + # called from inside a Server Side Include document. If that + # doesn't help either, set $url manually in the configuration. + $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO}; + + # NOTE: + # + # There is one case where this code does more than necessary, too: + # If the URL requested is e.g. http://example.org/blog/blog and + # the base URL is correctly determined as http://example.org/blog + # by CGI.pm, then this code will incorrectly normalize the base + # URL down to http://example.org, because the same string as + # PATH_INFO is part of the base URL, too. But this is such a + # seldom case and can be fixed by setting $url in the config file, + # too. +} + +# The only modification done to a manually set base URL is to strip +# a trailing slash if present. $url =~ s!/$!!; @@ -195,6 +264,23 @@ if (! ($flavour = param('flav'))) { } $flavour ||= $default_flavour; +# Fix XSS in flavour name (CVE-2008-2236) +$flavour = blosxom_html_escape($flavour); + +sub blosxom_html_escape { + my $string = shift; + my %escape = ( + '<' => '<', + '>' => '>', + '&' => '&', + '"' => '"', + "'" => ''' + ); + my $escape_re = join '|' => keys %escape; + $string =~ s/($escape_re)/$escape{$1}/g; + $string; +} + # Global variable to be used in head/foot.{flavour} templates $path_info = ''; # Add all @path_info elements to $path_info till we come to one that could be a year @@ -674,19 +760,11 @@ sub generate { $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; # Escape <, >, and &, and to produce valid RSS - my %escape = ( - '<' => '<', - '>' => '>', - '&' => '&', - '"' => '"', - "'" => ''' - ); - my $escape_re = join '|' => keys %escape; - $title =~ s/($escape_re)/$escape{$1}/g; - $body =~ s/($escape_re)/$escape{$1}/g; - $url =~ s/($escape_re)/$escape{$1}/g; - $path =~ s/($escape_re)/$escape{$1}/g; - $fn =~ s/($escape_re)/$escape{$1}/g; + $title = blosxom_html_escape($title); + $body = blosxom_html_escape($body); + $url = blosxom_html_escape($url); + $path = blosxom_html_escape($path); + $fn = blosxom_html_escape($fn); } $story = &$interpolate($story); @@ -795,7 +873,7 @@ rss story $title rss story $dw, $da $mo $yr $ti:00 $utc_offset rss story $url/$yr/$mo_num/$da#$fn rss story $path -rss story $url$path/$fn +rss story $url$path/$fn rss story $body rss story