# Blosxom
# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.0+dev ($Id: blosxom.cgi,v 1.81 2008/07/30 17:52:26 xtaran Exp $)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.90 2009/03/08 00:50:55 xtaran Exp $)
# Home/Docs/Licensing: http://blosxom.sourceforge.net/
# Development/Downloads: http://sourceforge.net/projects/blosxom
package blosxom;
+=head1 NAME
+
+blosxom - A lightweight yet feature-packed weblog
+
+=head1 SYNOPSIS
+
+B<blosxom> is a simple web log (blog) CGI script written in perl.
+
+=head1 DESCRIPTION
+
+B<Blosxom> (pronounced "I<blossom>") is a lightweight yet feature-packed
+weblog application designed from the ground up with simplicity,
+usability, and interoperability in mind.
+
+Fundamental is its reliance upon the file system, folders and files
+as its content database. Blosxom's weblog entries are plain text
+files like any other. Write from the comfort of your favorite text
+editor and hit the Save button. Create, edit, rename, and delete entries
+on the command-line, via FTP, WebDAV, or anything else you
+might use to manipulate your files. There's no import or export; entries
+are nothing more complex than title on the first line, body being
+everything thereafter.
+
+Despite its tiny footprint, Blosxom doesn't skimp on features, sporting
+the majority of features one would find in any other Weblog application.
+
+Blosxom is simple, straightforward, minimalist Perl affording even the
+dabbler an opportunity for experimentation and customization. And
+last, but not least, Blosxom is open source and free for the taking and
+altering.
+
+=head1 USAGE
+
+Write a weblog entry, and place it into the main data directory. Place
+the the title is on the first line; the body is everything afterwards.
+For example, create a file named I<first.txt> and put in it something
+like this:
+
+ First Blosxom Post!
+
+ I have successfully installed blosxom on this system. For more
+ information on blosxom, see the author's <a
+ href="http://blosxom.sourceforge.net/">blosxom site</a>.
+
+Place the file in the directory under the I<$datadir> points to. Be
+sure to change the default location to be somewhere accessable by the
+web server that runs blosxom as a CGI program.
+
+=cut
+
# --- Configurable variables -----
# What's this blog's title?
# 0 = no, 1 = yes
$static_entries = 0;
+# --- Advanced Encoding Options -----
+
# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
$encode_xml_entities = 1;
# --------------------------------
+=head1 ENVIRONMENT
+
+=over
+
+=item B<BLOSXOM_CONFIG_FILE>
+
+Points to the location of the configuration file. This will be
+considered as first option, if it's set.
+
+
+=item B<BLOSXOM_CONFIG_DIR>
+
+The here named directory will be tried unless the above mentioned
+environment variable is set and tested for a contained blosxom.conf
+file.
+
+
+=back
+
+
+=head1 FILES
+
+=over
+
+=item B</usr/lib/cgi-bin/blosxom>
+
+The CGI script itself. Please note that the location might depend on
+your installation.
+
+=item B</etc/blosxom/blosxom.conf>
+
+The default configuration file location. This is rather taken as last
+ressort if no other configuration location is set through environment
+variables.
+
+=back
+
+
+=head1 AUTHOR
+
+Rael Dornfest <rael@oreilly.com> was the original author of blosxom. The
+development was picked up by a team of dedicated users of blosxom since
+2005. See <I<http://blosxom.sourceforge.net/>> for more information.
+
+=cut
+
+
use vars
qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities $content_type !;
use Time::Local;
use CGI qw/:standard :netscape/;
-$version = "2.1.0";
+$version = "2.1.2+dev";
# Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
my $blosxom_config;
);
@num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num;
-# Use the stated preferred URL or figure it out automatically
-$url ||= url( -path_info => 1 );
-# Unescape %XX hex codes (from URI::Escape::uri_unescape)
-$url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
-$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
-
-# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and
-# always appends path_info to the url. To fix this, we always
-# request an url with path_info, and always remove it from the end of the
-# string.
-my $pi_len = length $ENV{PATH_INFO};
-my $might_be_pi = substr( $url, -$pi_len );
-substr( $url, -length $ENV{PATH_INFO} ) = ''
- if $might_be_pi eq $ENV{PATH_INFO};
+# Use the stated preferred URL or figure it out automatically. Set
+# $url manually in the config section above if CGI.pm doesn't guess
+# the base URL correctly, e.g. when called from a Server Side Includes
+# document or so.
+unless ($url) {
+ $url = url();
+
+ # Unescape %XX hex codes (from URI::Escape::uri_unescape)
+ $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
+
+ # Support being called from inside a SSI document
+ $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+
+ # Remove PATH_INFO if it is set but not removed by CGI.pm. This
+ # seems to happen when used with Apache's Alias directive or if
+ # called from inside a Server Side Include document. If that
+ # doesn't help either, set $url manually in the configuration.
+ $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};
+
+ # NOTE:
+ #
+ # There is one case where this code does more than necessary, too:
+ # If the URL requested is e.g. http://example.org/blog/blog and
+ # the base URL is correctly determined as http://example.org/blog
+ # by CGI.pm, then this code will incorrectly normalize the base
+ # URL down to http://example.org, because the same string as
+ # PATH_INFO is part of the base URL, too. But this is such a
+ # seldom case and can be fixed by setting $url in the config file,
+ # too.
+}
+
+# The only modification done to a manually set base URL is to strip
+# a trailing slash if present.
$url =~ s!/$!!;
}
$flavour ||= $default_flavour;
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
+
# Global variable to be used in head/foot.{flavour} templates
$path_info = '';
# Add all @path_info elements to $path_info till we come to one that could be a year
$fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
# Escape <, >, and &, and to produce valid RSS
- my %escape = (
- '<' => '<',
- '>' => '>',
- '&' => '&',
- '"' => '"',
- "'" => '''
- );
- my $escape_re = join '|' => keys %escape;
- $title =~ s/($escape_re)/$escape{$1}/g;
- $body =~ s/($escape_re)/$escape{$1}/g;
- $url =~ s/($escape_re)/$escape{$1}/g;
- $path =~ s/($escape_re)/$escape{$1}/g;
- $fn =~ s/($escape_re)/$escape{$1}/g;
+ $title = blosxom_html_escape($title);
+ $body = blosxom_html_escape($body);
+ $url = blosxom_html_escape($url);
+ $path = blosxom_html_escape($path);
+ $fn = blosxom_html_escape($fn);
}
$story = &$interpolate($story);