#!/usr/bin/perl
# Blosxom
-# Author: Rael Dornfest (2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.0
+# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.85 2008/10/02 01:09:41 xtaran Exp $)
# Home/Docs/Licensing: http://blosxom.sourceforge.net/
# Development/Downloads: http://sourceforge.net/projects/blosxom
# 0 = no, 1 = yes
$static_entries = 0;
+# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
+$encode_xml_entities = 1;
+
# --------------------------------
use vars
- qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities !;
+ qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities $content_type !;
use strict;
use FileHandle;
use Time::Local;
use CGI qw/:standard :netscape/;
-$version = "2.1.0";
-
-# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
-$encode_xml_entities = 1;
+$version = "2.1.2";
# Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
my $blosxom_config;
);
@num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num;
-# Use the stated preferred URL or figure it out automatically
-$url ||= url( -path_info => 1 );
-# Unescape %XX hex codes (from URI::Escape::uri_unescape)
-$url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
-$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
-
-# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and
-# always appends path_info to the url. To fix this, we always
-# request an url with path_info, and always remove it from the end of the
-# string.
-my $pi_len = length $ENV{PATH_INFO};
-my $might_be_pi = substr( $url, -$pi_len );
-substr( $url, -length $ENV{PATH_INFO} ) = ''
- if $might_be_pi eq $ENV{PATH_INFO};
+# Use the stated preferred URL or figure it out automatically. Set
+# $url manually in the config section above if CGI.pm doesn't guess
+# the base URL correctly, e.g. when called from a Server Side Includes
+# document or so.
+unless ($url) {
+ $url = url();
+
+ # Unescape %XX hex codes (from URI::Escape::uri_unescape)
+ $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
+
+ # Support being called from inside a SSI document
+ $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+
+ # Remove PATH_INFO if it is set but not removed by CGI.pm. This
+ # seems to happen when used with Apache's Alias directive or if
+ # called from inside a Server Side Include document. If that
+ # doesn't help either, set $url manually in the configuration.
+ $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};
+
+ # NOTE:
+ #
+ # There is one case where this code does more than necessary, too:
+ # If the URL requested is e.g. http://example.org/blog/blog and
+ # the base URL is correctly determined as http://example.org/blog
+ # by CGI.pm, then this code will incorrectly normalize the base
+ # URL down to http://example.org, because the same string as
+ # PATH_INFO is part of the base URL, too. But this is such a
+ # seldom case and can be fixed by setting $url in the config file,
+ # too.
+}
+
+# The only modification done to a manually set base URL is to strip
+# a trailing slash if present.
$url =~ s!/$!!;
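Review bot: The percent-decoding on line 53 runs before `$url` is later interpolated verbatim into markup (the `href="$url/index.rss"` in the html head template and the rss `<guid>` further down), so any `"`, `<` or `&` that survives decoding ends up unescaped in output. Whether attacker-influenced bytes can reach `url()`'s result at all depends on the web server's handling of the host and script-name components, which this hunk does not show; if they can, the safe place for the fix is at output time, e.g. `href="$url/index.rss"` built from an escaped copy rather than decoding less here. The `\Q…\E` quoting on line 62 is correct and avoids the metacharacter problem the old `substr` code sidestepped; consider also anchoring with `\z` instead of `$` so a trailing newline in `PATH_INFO` cannot defeat the match. `$url` is only assigned inside this `unless` block, so a manually configured `$url` is never decoded, which matches the comment on lines 76-77.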
}
$flavour ||= $default_flavour;
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
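Review bot: As printed on this page the `%escape` table maps every character to itself (`'<' => '<'`, `'&' => '&'`, …), which would make `blosxom_html_escape` a no-op and leave the CVE-2008-2236 flavour-name XSS unfixed; this is almost certainly the page renderer decoding entities, so confirm the committed source reads `'<' => '&lt;', '>' => '&gt;', '&' => '&amp;', '"' => '&quot;', "'" => '&#39;'`. The alternation on line 93 is built with `join '|' => keys %escape` without `quotemeta`; the current keys contain no regex metacharacters, but `join '|', map { quotemeta } keys %escape` costs nothing and survives future additions to the table. A short header comment would help the next reader, e.g. `# Single-pass HTML-escape of the five significant characters; used on $flavour before it is interpolated into templates and error pages.` The sub has no `return`, which works but reads as accidental in a security-relevant helper.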
+
# Global variable to be used in head/foot.{flavour} templates
$path_info = '';
# Add all @path_info elements to $path_info till we come to one that could be a year
mkdir "$static_dir/$p", 0755
unless ( -d "$static_dir/$p" or $p =~ /\.$file_extension$/ );
foreach $flavour (@static_flavours) {
- my $content_type
+ $content_type
= ( &$template( $p, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
my $fn = $p =~ m!^(.+)\.$file_extension$! ? $1 : "$p/index";
# Dynamic
else {
- my $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
+ $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
$content_type =~ s/(\$\w+(?:::\w+)*)/"defined $1 ? $1 : ''"/gee;
}
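Review bot: Promoting `$content_type` from a lexical to a package global (lines 105 and 112, declared on line 17) makes it visible to templates, but the static branch on lines 105-107 only strips the trailing newline while the dynamic branch on lines 112-114 additionally expands `$var` references with the `/gee` substitution; unless that expansion happens outside this hunk for the static path, a content_type template containing `$blog_encoding` would be written literally into each static page's `<meta http-equiv>` via the new head template. The enclosing loop and `else` block start outside the hunk, so this is inferred from the visible lines only. A one-line comment at the new global assignment, `# $content_type is a global so head/foot templates can interpolate it`, would record why the `my` was dropped.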
}
- if ( $encode_xml_entities && $content_type =~ m{\bxml\b} ) {
+ if ( $encode_xml_entities &&
+ $content_type =~ m{\bxml\b} &&
+ $content_type !~ m{\bxhtml\b} ) {
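Review bot: The added `!~ m{\bxhtml\b}` exclusion has no comment explaining it, and the reason is non-obvious: `application/xhtml+xml` also satisfies `\bxml\b` because `+` is a word boundary, yet an XHTML body must not be entity-escaped. Suggest `# xhtml+xml also matches \bxml\b, but its body is markup and must not be escaped` above the condition. The enclosing block this condition opens continues outside the hunk.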
# Escape special characters inside the <link> container
# The following line should be moved more towards to top for
html head <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
html head <html>
html head <head>
-html head <meta http-equiv="content-type" content="text/html;charset=$blog_encoding" >
+html head <meta http-equiv="content-type" content="$content_type" >
html head <link rel="alternate" type="application/rss+xml" title="RSS" href="$url/index.rss" >
html head <title>$blog_title $path_info_da $path_info_mo $path_info_yr</title>
html head </head>
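Review bot: The new `content="$content_type"` on line 127 interpolates the raw, newline-stripped value of the content_type template into a double-quoted attribute, so the head template now depends on that template never containing a `"` and on it carrying the charset itself (the old line always emitted `text/html;charset=$blog_encoding`); a site whose html content_type template omits the charset silently loses its encoding declaration after this change. Because templates are admin-authored this is a configuration-integrity concern rather than an injection vector, but it is worth a note in the changelog or a comment on the template line, e.g. `content_type template must include the charset, it is copied verbatim here`.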
rss story <pubDate>$dw, $da $mo $yr $ti:00 $utc_offset</pubDate>
rss story <link>$url/$yr/$mo_num/$da#$fn</link>
rss story <category>$path</category>
-rss story <guid isPermaLink="true">$url$path/$fn</guid>
+rss story <guid isPermaLink="false">$url$path/$fn</guid>
rss story <description>$body</description>
rss story </item>