#!/usr/bin/perl
# Blosxom
-# Author: Rael Dornfest <rael@oreilly.com>
-# Version: 2.0.2
+# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2009)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.98 2009/07/19 17:18:37 xtaran Exp $)
# Home/Docs/Licensing: http://blosxom.sourceforge.net/
# Development/Downloads: http://sourceforge.net/projects/blosxom
package blosxom;
+=head1 NAME
+
+blosxom - A lightweight yet feature-packed weblog
+
+=head1 SYNOPSIS
+
+B<blosxom> is a simple web log (blog) CGI script written in perl.
+
+=head1 DESCRIPTION
+
+B<Blosxom> (pronounced "I<blossom>") is a lightweight yet feature-packed
+weblog application designed from the ground up with simplicity,
+usability, and interoperability in mind.
+
+Fundamental is its reliance upon the file system, folders and files
+as its content database. Blosxom's weblog entries are plain text
+files like any other. Write from the comfort of your favorite text
+editor and hit the Save button. Create, edit, rename, and delete entries
+on the command-line, via FTP, WebDAV, or anything else you
+might use to manipulate your files. There's no import or export; entries
+are nothing more complex than title on the first line, body being
+everything thereafter.
+
+Despite its tiny footprint, Blosxom doesn't skimp on features, sporting
+the majority of features one would find in any other Weblog application.
+
+Blosxom is simple, straightforward, minimalist Perl affording even the
+dabbler an opportunity for experimentation and customization. And
+last, but not least, Blosxom is open source and free for the taking and
+altering.
+
+=head1 USAGE
+
+Write a weblog entry, and place it into the main data directory. Place
+the the title is on the first line; the body is everything afterwards.
+For example, create a file named I<first.txt> and put in it something
+like this:
+
+ First Blosxom Post!
+
+ I have successfully installed blosxom on this system. For more
+ information on blosxom, see the author's <a
+ href="http://blosxom.sourceforge.net/">blosxom site</a>.
+
+Place the file in the directory under the I<$datadir> points to. Be
+sure to change the default location to be somewhere accessable by the
+web server that runs blosxom as a CGI program.
+
+=cut
+
# --- Configurable variables -----
# What's this blog's title?
# Where are this blog's entries kept?
$datadir = "/Library/WebServer/Documents/blosxom";
-# What's my preferred base URL for this blog (leave blank for automatic)?
+# What's my preferred base URL for this blog (leave blank for
+# automatic)?
$url = "";
# Should I stick only to the datadir for items or travel down the
# directory hierarchy looking for items? If so, to what depth?
-# 0 = infinite depth (aka grab everything), 1 = datadir only, n = n levels down
+#
+# 0 = infinite depth (aka grab everything), 1 = datadir only,
+# n = n levels down
+
$depth = 0;
# How many entries should I show on the home page?
# --- Plugins (Optional) -----
-# File listing plugins blosxom should load
-# (if empty blosxom will load all plugins in $plugin_dir and $plugin_path directories)
+# File listing plugins blosxom should load (if empty blosxom will load
+# all plugins in $plugin_dir and $plugin_path directories)
$plugin_list = "";
# Where are my plugins kept?
# Where should my plugins keep their state information?
$plugin_state_dir = "$plugin_dir/state";
-# Additional plugins location
-# List of directories, separated by ';' on windows, ':' everywhere else
+# Additional plugins location. A list of directories, separated by ';'
+# on windows, ':' everywhere else.
$plugin_path = "";
# --- Static Rendering -----
# Where are this blog's static files to be created?
$static_dir = "/Library/WebServer/Documents/blog";
-# What's my administrative password (you must set this for static rendering)?
+# What's my administrative password (you must set this for static
+# rendering)?
$static_password = "";
# What flavours should I generate statically?
# 0 = no, 1 = yes
$static_entries = 0;
+# --- Advanced Encoding Options -----
+
+# Should I encode entities for xml content-types? (plugins can turn
+# this off if they do it themselves)
+$encode_xml_entities = 1;
+
+# Should I encode 8 bit special characters, e.g. umlauts in URLs, e.g.
+# convert an ISO-Latin-1 \"o to %F6? (off by default for now; plugins
+# can change this, too)
+$encode_8bit_chars = 0;
+
+# RegExp matching all characters which should be URL encoded in links.
+# Defaults to anything but numbers, letters, slash, colon, dash,
+# underscore and dot.
+$url_escape_re = qr([^-/a-zA-Z0-9:._]);
+
# --------------------------------
-use vars
- qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others !;
+=head1 ENVIRONMENT
+
+=over
+
+=item B<BLOSXOM_CONFIG_FILE>
+
+Points to the location of the configuration file. This will be
+considered as first option, if it's set.
+
+
+=item B<BLOSXOM_CONFIG_DIR>
+
+The here named directory will be tried unless the above mentioned
+environment variable is set and tested for a contained blosxom.conf
+file.
+
+
+=back
+
+
+=head1 FILES
+
+=over
+
+=item B</usr/lib/cgi-bin/blosxom>
+
+The CGI script itself. Please note that the location might depend on
+your installation.
+
+=item B</etc/blosxom/blosxom.conf>
+
+The default configuration file location. This is rather taken as last
+ressort if no other configuration location is set through environment
+variables.
+
+=back
+
+
+=head1 AUTHOR
+
+Rael Dornfest <rael@oreilly.com> was the original author of blosxom. The
+development was picked up by a team of dedicated users of blosxom since
+2005. See <I<http://blosxom.sourceforge.net/>> for more information.
+
+=cut
+
+
+use vars qw!
+ $version
+ $blog_title
+ $blog_description
+ $blog_language
+ $blog_encoding
+ $datadir
+ $url
+ %template
+ $template
+ $depth
+ $num_entries
+ $file_extension
+ $default_flavour
+ $static_or_dynamic
+ $config_dir
+ $plugin_list
+ $plugin_path
+ $plugin_dir
+ $plugin_state_dir
+ @plugins
+ %plugins
+ $static_dir
+ $static_password
+ @static_flavours
+ $static_entries
+ $path_info_full
+ $path_info
+ $path_info_yr
+ $path_info_mo
+ $path_info_da
+ $path_info_mo_num
+ $flavour
+ $static_or_dynamic
+ %month2num
+ @num2month
+ $interpolate
+ $entries
+ $output
+ $header
+ $show_future_entries
+ %files
+ %indexes
+ %others
+ $encode_xml_entities
+ $encode_8bit_chars
+ $url_escape_re
+ $content_type
+!;
use strict;
use FileHandle;
use Time::Local;
use CGI qw/:standard :netscape/;
-$version = "2.0.2";
+$version = "2.1.2+dev";
# Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
my $blosxom_config;
);
@num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num;
-# Use the stated preferred URL or figure it out automatically
-$url ||= url( -path_info => 1 );
-$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+# Use the stated preferred URL or figure it out automatically. Set
+# $url manually in the config section above if CGI.pm doesn't guess
+# the base URL correctly, e.g. when called from a Server Side Includes
+# document or so.
+unless ($url) {
+ $url = url();
+
+ # Unescape %XX hex codes (from URI::Escape::uri_unescape)
+ $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
+
+ # Support being called from inside a SSI document
+ $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+
+ # Remove PATH_INFO if it is set but not removed by CGI.pm. This
+ # seems to happen when used with Apache's Alias directive or if
+ # called from inside a Server Side Include document. If that
+ # doesn't help either, set $url manually in the configuration.
+ $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};
+
+ # NOTE:
+ #
+ # There is one case where this code does more than necessary, too:
+ # If the URL requested is e.g. http://example.org/blog/blog and
+ # the base URL is correctly determined as http://example.org/blog
+ # by CGI.pm, then this code will incorrectly normalize the base
+ # URL down to http://example.org, because the same string as
+ # PATH_INFO is part of the base URL, too. But this is such a
+ # seldom case and can be fixed by setting $url in the config file,
+ # too.
+}
-# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and
-# always appends path_info to the url. To fix this, we always
-# request an url with path_info, and always remove it from the end of the
-# string.
-my $pi_len = length $ENV{PATH_INFO};
-my $might_be_pi = substr( $url, -$pi_len );
-substr( $url, -length $ENV{PATH_INFO} ) = ''
- if $might_be_pi eq $ENV{PATH_INFO};
+# The only modification done to a manually set base URL is to strip
+# a trailing slash if present.
$url =~ s!/$!!;
# Fix depth to take into account datadir's path
$depth += ( $datadir =~ tr[/][] ) - 1 if $depth;
-# Global variable to be used in head/foot.{flavour} templates
-$path_info = '';
-
if ( !$ENV{GATEWAY_INTERFACE}
and param('-password')
and $static_password
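Review bot: The `%XX` decode (`$url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg`) reverses CGI.pm's escaping of the request-derived base URL, and nothing re-escapes `$url` for the html flavour afterwards — the default html head interpolates it straight into `href="$url/index.rss"`, and only the xml branch later passes it through `blosxom_html_escape`. Whether `"`, `<` or `'` can reach SCRIPT_NAME or PATH_INFO on a given server I cannot tell from here, and the `\Q$ENV{PATH_INFO}\E$` strip does remove a matching suffix, but the comment above it treats that strip as a heuristic ("If that doesn't help either..."), and when it misses those decoded bytes stay raw in every link on the page. A cheap guard after the strip is `$url =~ s/(["<>'])/sprintf('%%%02X', ord $1)/eg;`, which keeps the URL valid and HTML-neutral without disturbing the xml branch's own escaping. The `if ( !$ENV{GATEWAY_INTERFACE}` statement at the end of this hunk continues past it.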
# Path Info Magic
# Take a gander at HTTP's PATH_INFO for optional blog name, archive yr/mo/day
my @path_info = split m{/}, path_info() || param('path');
+$path_info_full = join '/', @path_info; # Equivalent to $ENV{PATH_INFO}
shift @path_info;
-while ( $path_info[0]
- and $path_info[0] =~ /^[a-zA-Z].*$/
- and $path_info[0] !~ /(.*)\.(.*)/ )
-{
- $path_info .= '/' . shift @path_info;
-}
-
# Flavour specified by ?flav={flav} or index.{flav}
$flavour = '';
+if (! ($flavour = param('flav'))) {
+ if ( $path_info[$#path_info] =~ /(.+)\.(.+)$/ ) {
+ $flavour = $2;
+ pop @path_info if $1 eq 'index';
+ }
+}
+$flavour ||= $default_flavour;
+
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
-if ( $path_info[$#path_info] =~ /(.+)\.(.+)$/ ) {
- $flavour = $2;
- $path_info .= "/$1.$2" if $1 ne 'index';
- pop @path_info;
+# Global variable to be used in head/foot.{flavour} templates
+$path_info = '';
+# Add all @path_info elements to $path_info till we come to one that could be a year
+while ( $path_info[0] && $path_info[0] !~ /^(19|20)\d{2}$/) {
+ $path_info .= '/' . shift @path_info;
}
-else {
- $flavour = param('flav') || $default_flavour;
+
+# Pull date elements out of path
+if ($path_info[0] && $path_info[0] =~ /^(19|20)\d{2}$/) {
+ $path_info_yr = shift @path_info;
+ if ($path_info[0] &&
+ ($path_info[0] =~ /^(0\d|1[012])$/ ||
+ exists $month2num{ ucfirst lc $path_info_mo })) {
+ $path_info_mo = shift @path_info;
+ # Map path_info_mo to numeric $path_info_mo_num
+ $path_info_mo_num = $path_info_mo =~ /^\d{2}$/
+ ? $path_info_mo
+ : $month2num{ ucfirst lc $path_info_mo };
+ if ($path_info[0] && $path_info[0] =~ /^[0123]\d$/) {
+ $path_info_da = shift @path_info;
+ }
+ }
}
+# Add remaining path elements to $path_info
+$path_info .= '/' . join('/', @path_info);
+
# Strip spurious slashes
$path_info =~ s!(^/*)|(/*$)!!g;
-# Date fiddling
-( $path_info_yr, $path_info_mo, $path_info_da ) = @path_info;
-$path_info_mo_num
- = $path_info_mo
- ? ( $path_info_mo =~ /\d{2}/
- ? $path_info_mo
- : ( $month2num{ ucfirst( lc $path_info_mo ) } || undef ) )
- : undef;
-
# Define standard template subroutine, plugin-overridable at Plugins: Template
$template = sub {
my ( $path, $chunk, $flavour ) = @_;
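Review bot: The CVE-2008-2236 fix HTML-escapes `$flavour`, but `$flavour` is also the extension `$template` uses to open `$chunk.$flavour` (the sub's body is outside this hunk), so an allowlist at parse time serves both uses better than output encoding: replace the escape line with `$flavour = $flavour =~ /\A([\w-]+)\z/ ? $1 : $default_flavour;` (widen the class if your flavour names need it). As rendered here the `%escape` table maps every character to itself (`'<' => '<'`); that is presumably the entity references being displayed decoded, but if the file really reads that way the escape is a no-op and the XSS is still open. The rewritten `while` loop drops the old requirements of a leading letter and no dot, so `.` and `..` segments now flow into `$path_info` and from there into whatever joins it onto `$datadir`; worth rejecting up front, e.g. `@path_info = () if grep { $_ eq '..' } @path_info;` right after the split. Separately, `exists $month2num{ ucfirst lc $path_info_mo }` tests a variable that is only assigned on the following line, so `/2009/Jul/` is never recognised as a month and lands in `$path_info` instead; it should read `$path_info[0]`.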
my %plugin_hash = ();
# If $plugin_list is set, read plugins to use from that file
-$plugin_list = "$config_dir/$plugin_list"
- if $plugin_list && $plugin_list !~ m!^\s*/!;
-if ( $plugin_list and -r $plugin_list and $fh->open("< $plugin_list") ) {
- @plugin_list = map { chomp $_; $_ } grep { /\S/ && !/^#/ } <$fh>;
- $fh->close;
+if ( $plugin_list ) {
+ if ( -r $plugin_list and $fh->open("< $plugin_list") ) {
+ @plugin_list = map { chomp $_; $_ } grep { /\S/ && !/^#/ } <$fh>;
+ $fh->close;
+ }
+ else {
+ warn "unable to read or open plugin_list '$plugin_list': $!";
+ $plugin_list = '';
+ }
}
# Otherwise walk @plugin_dirs to get list of plugins to use
-elsif (@plugin_dirs) {
+if ( ! @plugin_list && @plugin_dirs ) {
for my $plugin_dir (@plugin_dirs) {
next unless -d $plugin_dir;
if ( opendir PLUGINS, $plugin_dir ) {
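Review bot: A relative `$plugin_list` is no longer anchored to `$config_dir` — the removed `$plugin_list = "$config_dir/$plugin_list" if $plugin_list && $plugin_list !~ m!^\s*/!;` did that — so a bare filename is now resolved against the CGI's working directory, which the web server picks. Unless the prefixing moved into the config loader (not visible here), an existing config with a bare filename trips the new `warn`, has `$plugin_list` cleared, and, as before, falls through to loading every plugin in `@plugin_dirs`: the fail-open direction for a setting whose purpose is to restrict what gets loaded. Restoring the prefix line ahead of the `-r` test keeps old configs working; if the fallback is intended, say so in the warning text so the operator learns that all plugins are now active. The `for my $plugin_dir (@plugin_dirs)` loop continues past this hunk.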
unshift @INC, @plugin_dirs;
foreach my $plugin (@plugin_list) {
my ( $plugin_name, $off ) = $plugin =~ /^\d*([\w:]+?)(_?)$/;
+ my $plugin_file = $plugin_list ? $plugin_name : $plugin;
my $on_off = $off eq '_' ? -1 : 1;
# Allow perl module plugins
- if ( $plugin =~ m/::/ && -z $plugin_hash{$plugin} ) {
+ # The -z test is a hack to allow a zero-length placeholder file in a
+ # $plugin_path directory to indicate an @INC module should be loaded
+ if ( $plugin =~ m/::/ && ( $plugin_list || -z $plugin_hash{$plugin} ) ) {
# For Blosxom::Plugin::Foo style plugins, we need to use a string require
- eval "require $plugin_name";
+ eval "require $plugin_file";
}
else
{ # we try first to load from $plugin_dir before attempting from $plugin_path
- eval { require "$plugin_dir/$plugin" }
- or eval { require $plugin };
+ eval { require "$plugin_dir/$plugin_file" }
+ or eval { require $plugin_file };
}
if ($@) {
mkdir "$static_dir/$p", 0755
unless ( -d "$static_dir/$p" or $p =~ /\.$file_extension$/ );
foreach $flavour (@static_flavours) {
- my $content_type
+ $content_type
= ( &$template( $p, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
my $fn = $p =~ m!^(.+)\.$file_extension$! ? $1 : "$p/index";
# Dynamic
else {
- my $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
+ $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
$content_type =~ s/(\$\w+(?:::\w+)*)/"defined $1 ? $1 : ''"/gee;
# Define default interpolation subroutine
$interpolate = sub {
-
package blosxom;
my $template = shift;
- $template =~ s/(\$\w+(?:::\w+)*)/"defined $1 ? $1 : ''"/gee;
+ # Interpolate scalars, namespaced scalars, and hash/hashref scalars
+ $template =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{([\'\"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee;
return $template;
};
}
}
- if ( $content_type =~ m{\bxml\b} ) {
+ # Save unescaped versions and allow them to be used in
+ # flavour templates.
+ use vars qw/$url_unesc $path_unesc $fn_unesc/;
+ $url_unesc = $url;
+ $path_unesc = $path;
+ $fn_unesc = $fn;
+
+ # Fix special characters in links inside XML content
+ if ( $encode_xml_entities &&
+ $content_type =~ m{\bxml\b} &&
+ $content_type !~ m{\bxhtml\b} ) {
+ # Escape special characters inside the <link> container
+
+ &url_escape_url_path_and_fn();
# Escape <, >, and &, and to produce valid RSS
- my %escape = (
- '<' => '<',
- '>' => '>',
- '&' => '&',
- '"' => '"'
- );
- my $escape_re = join '|' => keys %escape;
- $title =~ s/($escape_re)/$escape{$1}/g;
- $body =~ s/($escape_re)/$escape{$1}/g;
+ $title = blosxom_html_escape($title);
+ $body = blosxom_html_escape($body);
+ $url = blosxom_html_escape($url);
+ $path = blosxom_html_escape($path);
+ $fn = blosxom_html_escape($fn);
+ }
+
+ # Fix special characters in links inside XML content
+ if ($encode_8bit_chars) {
+ &url_escape_url_path_and_fn();
}
$story = &$interpolate($story);
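Review bot: `$url` is a global and this block snapshots it into `$url_unesc`, then rewrites it in place (`&url_escape_url_path_and_fn()` percent-encodes it, then `blosxom_html_escape` turns `&` into `&amp;`) and never restores it; `$title`, `$body`, `$path` and `$fn` are per-entry, so if this runs once per entry — the enclosing loop is outside the hunk — the second entry snapshots the already-escaped value and escapes it again, producing `%2525` and `&amp;amp;` in every link after the first. Restoring before the snapshot fixes that in place: `$url = $url_unesc if defined $url_unesc;` ahead of `$url_unesc = $url;`. Independently, when both `$encode_xml_entities` and `$encode_8bit_chars` are on, the second `if` reruns `&url_escape_url_path_and_fn()` on strings the first branch already encoded, turning `%F6` into `%25F6` and mangling the `&amp;` it just produced; make it `elsif` or gate it on the XML branch not having run.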
my ($unixtime) = @_;
my $c_time = CORE::localtime($unixtime);
- my ( $dw, $mo, $da, $hr, $min, $yr )
+ my ( $dw, $mo, $da, $hr, $min, $sec, $yr )
= ( $c_time
- =~ /(\w{3}) +(\w{3}) +(\d{1,2}) +(\d{2}):(\d{2}):\d{2} +(\d{4})$/
+ =~ /(\w{3}) +(\w{3}) +(\d{1,2}) +(\d{2}):(\d{2}):(\d{2}) +(\d{4})$/
);
$ti = "$hr:$min";
$da = sprintf( "%02d", $da );
my $mo_num = $month2num{$mo};
my $offset
- = timegm( 00, $min, $hr, $da, $mo_num - 1, $yr - 1900 ) - $unixtime;
+ = timegm( $sec, $min, $hr, $da, $mo_num - 1, $yr - 1900 ) - $unixtime;
my $utc_offset = sprintf( "%+03d", int( $offset / 3600 ) )
. sprintf( "%02d", ( $offset % 3600 ) / 60 );
return ( $dw, $mo, $mo_num, $da, $ti, $yr, $utc_offset );
}
+sub url_escape_url_path_and_fn {
+ $url =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $path =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+}
+
# Default HTML and RSS template bits
__DATA__
html content_type text/html; charset=$blog_encoding
+html head <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
html head <html>
html head <head>
-html head <meta http-equiv="content-type" content="text/html;charset=$blog_encoding" />
-html head <link rel="alternate" type="type="application/rss+xml" title="RSS" href="$url/index.rss" />
-html head <title>$blog_title $path_info_da $path_info_mo $path_info_yr
-html head </title>
+html head <meta http-equiv="content-type" content="$content_type" >
+html head <link rel="alternate" type="application/rss+xml" title="RSS" href="$url/index.rss" >
+html head <title>$blog_title $path_info_da $path_info_mo $path_info_yr</title>
html head </head>
html head <body>
-html head <center>
-html head <font size="+3">$blog_title</font><br />
-html head $path_info_da $path_info_mo $path_info_yr
-html head </center>
-html head <p />
+html head <div align="center">
+html head <h1>$blog_title</h1>
+html head <p>$path_info_da $path_info_mo $path_info_yr</p>
+html head </div>
-html story <p>
-html story <a name="$fn"><b>$title</b></a><br />
-html story $body<br />
-html story <br />
-html story posted at: $ti | path: <a href="$url$path">$path </a> | <a href="$url/$yr/$mo_num/$da#$fn">permanent link to this entry</a>
-html story </p>
+html story <div>
+html story <h3><a name="$fn">$title</a></h3>
+html story <div>$body</div>
+html story <p>posted at: $ti | path: <a href="$url$path">$path</a> | <a href="$url/$yr/$mo_num/$da#$fn">permanent link to this entry</a></p>
+html story </div>
-html date <h3>$dw, $da $mo $yr</h3>
+html date <h2>$dw, $da $mo $yr</h2>
html foot
-html foot <p />
-html foot <center>
-html foot <a href="http://blosxom.sourceforge.net/"><img src="http://blosxom.sourceforge.net/images/pb_blosxom.gif" border="0" /></a>
-html foot </center>
+html foot <div align="center">
+html foot <a href="http://blosxom.sourceforge.net/"><img src="http://blosxom.sourceforge.net/images/pb_blosxom.gif" alt="powered by blosxom" border="0" width="90" height="33" ></a>
+html foot </div>
html foot </body>
html foot </html>
rss story <pubDate>$dw, $da $mo $yr $ti:00 $utc_offset</pubDate>
rss story <link>$url/$yr/$mo_num/$da#$fn</link>
rss story <category>$path</category>
-rss story <guid isPermaLink="false">$path/$fn</guid>
+rss story <guid isPermaLink="false">$url$path/$fn</guid>
rss story <description>$body</description>
rss story </item>
error content_type text/html
+error head <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
error head <html>
-error head <body>
-error head <p><font color="red">Error: I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.</font></p>
-
+error head <head><title>Error: unknown Blosxom flavour "$flavour"</title></head>
+error head <body>
+error head <h1><font color="red">Error: unknown Blosxom flavour "$flavour"</font></h1>
+error head <p>I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.</p>
-error story <p><b>$title</b><br />
-error story $body <a href="$url/$yr/$mo_num/$da#fn.$default_flavour">#</a></p>
+error story <h3>$title</h3>
+error story <div>$body</div> <p><a href="$url/$yr/$mo_num/$da#fn.$default_flavour">#</a></p>
-error date <h3>$dw, $da $mo $yr</h3>
+error date <h2>$dw, $da $mo $yr</h2>
error foot </body>
error foot </html>
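Review bot: The new error `head` is the page that echoes the request-supplied `$flavour` (the CVE-2008-2236 sink) yet it declares no character encoding: the unchanged `error content_type text/html` carries no charset and, unlike the rewritten html head, the error head has no `<meta http-equiv="content-type">`, so the one page built from attacker-influenced input is left to browser charset sniffing, which on older browsers reopens UTF-7-style injection that entity escaping does not cover. Add `error head <meta http-equiv="content-type" content="text/html; charset=$blog_encoding" >` inside `<head>`, or put the charset on the error content_type line the same way the html flavour does. The html head's `content="$content_type"` change is the right direction and avoids the old duplicated `type="type=` typo; it just needs the error flavour to follow suit.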