#!/usr/bin/perl
# Blosxom
-# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.1 ($Id: blosxom.cgi,v 1.83 2008/07/30 22:27:02 xtaran Exp $)
+# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2009)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.98 2009/07/19 17:18:37 xtaran Exp $)
# Home/Docs/Licensing: http://blosxom.sourceforge.net/
# Development/Downloads: http://sourceforge.net/projects/blosxom
package blosxom;
+=head1 NAME
+
+blosxom - A lightweight yet feature-packed weblog
+
+=head1 SYNOPSIS
+
+B<blosxom> is a simple web log (blog) CGI script written in perl.
+
+=head1 DESCRIPTION
+
+B<Blosxom> (pronounced "I<blossom>") is a lightweight yet feature-packed
+weblog application designed from the ground up with simplicity,
+usability, and interoperability in mind.
+
+Fundamental is its reliance upon the file system, folders and files
+as its content database. Blosxom's weblog entries are plain text
+files like any other. Write from the comfort of your favorite text
+editor and hit the Save button. Create, edit, rename, and delete entries
+on the command-line, via FTP, WebDAV, or anything else you
+might use to manipulate your files. There's no import or export; entries
+are nothing more complex than title on the first line, body being
+everything thereafter.
+
+Despite its tiny footprint, Blosxom doesn't skimp on features, sporting
+the majority of features one would find in any other Weblog application.
+
+Blosxom is simple, straightforward, minimalist Perl affording even the
+dabbler an opportunity for experimentation and customization. And
+last, but not least, Blosxom is open source and free for the taking and
+altering.
+
+=head1 USAGE
+
+Write a weblog entry, and place it into the main data directory. Place
+the the title is on the first line; the body is everything afterwards.
+For example, create a file named I<first.txt> and put in it something
+like this:
+
+ First Blosxom Post!
+
+ I have successfully installed blosxom on this system. For more
+ information on blosxom, see the author's <a
+ href="http://blosxom.sourceforge.net/">blosxom site</a>.
+
+Place the file in the directory under the I<$datadir> points to. Be
+sure to change the default location to be somewhere accessable by the
+web server that runs blosxom as a CGI program.
+
+=cut
+
# --- Configurable variables -----
# What's this blog's title?
# Where are this blog's entries kept?
$datadir = "/Library/WebServer/Documents/blosxom";
-# What's my preferred base URL for this blog (leave blank for automatic)?
+# What's my preferred base URL for this blog (leave blank for
+# automatic)?
$url = "";
# Should I stick only to the datadir for items or travel down the
# directory hierarchy looking for items? If so, to what depth?
-# 0 = infinite depth (aka grab everything), 1 = datadir only, n = n levels down
+#
+# 0 = infinite depth (aka grab everything), 1 = datadir only,
+# n = n levels down
+
$depth = 0;
# How many entries should I show on the home page?
# --- Plugins (Optional) -----
-# File listing plugins blosxom should load
-# (if empty blosxom will load all plugins in $plugin_dir and $plugin_path directories)
+# File listing plugins blosxom should load (if empty blosxom will load
+# all plugins in $plugin_dir and $plugin_path directories)
$plugin_list = "";
# Where are my plugins kept?
# Where should my plugins keep their state information?
$plugin_state_dir = "$plugin_dir/state";
-# Additional plugins location
-# List of directories, separated by ';' on windows, ':' everywhere else
+# Additional plugins location. A list of directories, separated by ';'
+# on windows, ':' everywhere else.
$plugin_path = "";
# --- Static Rendering -----
# Where are this blog's static files to be created?
$static_dir = "/Library/WebServer/Documents/blog";
-# What's my administrative password (you must set this for static rendering)?
+# What's my administrative password (you must set this for static
+# rendering)?
$static_password = "";
# What flavours should I generate statically?
# 0 = no, 1 = yes
$static_entries = 0;
-# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
+# --- Advanced Encoding Options -----
+
+# Should I encode entities for xml content-types? (plugins can turn
+# this off if they do it themselves)
$encode_xml_entities = 1;
+# Should I encode 8 bit special characters, e.g. umlauts in URLs, e.g.
+# convert an ISO-Latin-1 \"o to %F6? (off by default for now; plugins
+# can change this, too)
+$encode_8bit_chars = 0;
+
+# RegExp matching all characters which should be URL encoded in links.
+# Defaults to anything but numbers, letters, slash, colon, dash,
+# underscore and dot.
+$url_escape_re = qr([^-/a-zA-Z0-9:._]);
+
# --------------------------------
-use vars
- qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities $content_type !;
+=head1 ENVIRONMENT
+
+=over
+
+=item B<BLOSXOM_CONFIG_FILE>
+
+Points to the location of the configuration file. This will be
+considered as first option, if it's set.
+
+
+=item B<BLOSXOM_CONFIG_DIR>
+
+The here named directory will be tried unless the above mentioned
+environment variable is set and tested for a contained blosxom.conf
+file.
+
+
+=back
+
+
+=head1 FILES
+
+=over
+
+=item B</usr/lib/cgi-bin/blosxom>
+
+The CGI script itself. Please note that the location might depend on
+your installation.
+
+=item B</etc/blosxom/blosxom.conf>
+
+The default configuration file location. This is rather taken as last
+ressort if no other configuration location is set through environment
+variables.
+
+=back
+
+
+=head1 AUTHOR
+
+Rael Dornfest <rael@oreilly.com> was the original author of blosxom. The
+development was picked up by a team of dedicated users of blosxom since
+2005. See <I<http://blosxom.sourceforge.net/>> for more information.
+
+=cut
+
+
+use vars qw!
+ $version
+ $blog_title
+ $blog_description
+ $blog_language
+ $blog_encoding
+ $datadir
+ $url
+ %template
+ $template
+ $depth
+ $num_entries
+ $file_extension
+ $default_flavour
+ $static_or_dynamic
+ $config_dir
+ $plugin_list
+ $plugin_path
+ $plugin_dir
+ $plugin_state_dir
+ @plugins
+ %plugins
+ $static_dir
+ $static_password
+ @static_flavours
+ $static_entries
+ $path_info_full
+ $path_info
+ $path_info_yr
+ $path_info_mo
+ $path_info_da
+ $path_info_mo_num
+ $flavour
+ $static_or_dynamic
+ %month2num
+ @num2month
+ $interpolate
+ $entries
+ $output
+ $header
+ $show_future_entries
+ %files
+ %indexes
+ %others
+ $encode_xml_entities
+ $encode_8bit_chars
+ $url_escape_re
+ $content_type
+!;
use strict;
use FileHandle;
use Time::Local;
use CGI qw/:standard :netscape/;
-$version = "2.1.1";
+$version = "2.1.2+dev";
# Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
my $blosxom_config;
}
$flavour ||= $default_flavour;
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
+
# Global variable to be used in head/foot.{flavour} templates
$path_info = '';
# Add all @path_info elements to $path_info till we come to one that could be a year
package blosxom;
my $template = shift;
# Interpolate scalars, namespaced scalars, and hash/hashref scalars
- $template =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{(['"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee;
+ $template =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{([\'\"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee;
return $template;
};
}
}
+ # Save unescaped versions and allow them to be used in
+ # flavour templates.
+ use vars qw/$url_unesc $path_unesc $fn_unesc/;
+ $url_unesc = $url;
+ $path_unesc = $path;
+ $fn_unesc = $fn;
+
+ # Fix special characters in links inside XML content
if ( $encode_xml_entities &&
$content_type =~ m{\bxml\b} &&
$content_type !~ m{\bxhtml\b} ) {
# Escape special characters inside the <link> container
- # The following line should be moved more towards to top for
- # performance reasons -- Axel Beckert, 2008-07-22
- my $url_escape_re = qr([^-/a-zA-Z0-9:._]);
-
- $url =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
- $path =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
- $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ &url_escape_url_path_and_fn();
# Escape <, >, and &, and to produce valid RSS
- my %escape = (
- '<' => '<',
- '>' => '>',
- '&' => '&',
- '"' => '"',
- "'" => '''
- );
- my $escape_re = join '|' => keys %escape;
- $title =~ s/($escape_re)/$escape{$1}/g;
- $body =~ s/($escape_re)/$escape{$1}/g;
- $url =~ s/($escape_re)/$escape{$1}/g;
- $path =~ s/($escape_re)/$escape{$1}/g;
- $fn =~ s/($escape_re)/$escape{$1}/g;
+ $title = blosxom_html_escape($title);
+ $body = blosxom_html_escape($body);
+ $url = blosxom_html_escape($url);
+ $path = blosxom_html_escape($path);
+ $fn = blosxom_html_escape($fn);
+ }
+
+ # Fix special characters in links inside XML content
+ if ($encode_8bit_chars) {
+ &url_escape_url_path_and_fn();
}
$story = &$interpolate($story);
return ( $dw, $mo, $mo_num, $da, $ti, $yr, $utc_offset );
}
+sub url_escape_url_path_and_fn {
+ $url =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $path =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+}
+
# Default HTML and RSS template bits
__DATA__
html content_type text/html; charset=$blog_encoding