#!/usr/bin/perl
# Blosxom
-# Author: Rael Dornfest <rael@oreilly.com>
-# Version: 2.0.2
+# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2009)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.98 2009/07/19 17:18:37 xtaran Exp $)
# Home/Docs/Licensing: http://blosxom.sourceforge.net/
# Development/Downloads: http://sourceforge.net/projects/blosxom
package blosxom;
+=head1 NAME
+
+blosxom - A lightweight yet feature-packed weblog
+
+=head1 SYNOPSIS
+
+B<blosxom> is a simple web log (blog) CGI script written in perl.
+
+=head1 DESCRIPTION
+
+B<Blosxom> (pronounced "I<blossom>") is a lightweight yet feature-packed
+weblog application designed from the ground up with simplicity,
+usability, and interoperability in mind.
+
+Fundamental is its reliance upon the file system, folders and files
+as its content database. Blosxom's weblog entries are plain text
+files like any other. Write from the comfort of your favorite text
+editor and hit the Save button. Create, edit, rename, and delete entries
+on the command-line, via FTP, WebDAV, or anything else you
+might use to manipulate your files. There's no import or export; entries
+are nothing more complex than title on the first line, body being
+everything thereafter.
+
+Despite its tiny footprint, Blosxom doesn't skimp on features, sporting
+the majority of features one would find in any other Weblog application.
+
+Blosxom is simple, straightforward, minimalist Perl affording even the
+dabbler an opportunity for experimentation and customization. And
+last, but not least, Blosxom is open source and free for the taking and
+altering.
+
+=head1 USAGE
+
+Write a weblog entry, and place it into the main data directory. Place
+the the title is on the first line; the body is everything afterwards.
+For example, create a file named I<first.txt> and put in it something
+like this:
+
+ First Blosxom Post!
+
+ I have successfully installed blosxom on this system. For more
+ information on blosxom, see the author's <a
+ href="http://blosxom.sourceforge.net/">blosxom site</a>.
+
+Place the file in the directory under the I<$datadir> points to. Be
+sure to change the default location to be somewhere accessable by the
+web server that runs blosxom as a CGI program.
+
+=cut
+
# --- Configurable variables -----
# What's this blog's title?
# Where are this blog's entries kept?
$datadir = "/Library/WebServer/Documents/blosxom";
-# What's my preferred base URL for this blog (leave blank for automatic)?
+# What's my preferred base URL for this blog (leave blank for
+# automatic)?
$url = "";
# Should I stick only to the datadir for items or travel down the
# directory hierarchy looking for items? If so, to what depth?
-# 0 = infinite depth (aka grab everything), 1 = datadir only, n = n levels down
+#
+# 0 = infinite depth (aka grab everything), 1 = datadir only,
+# n = n levels down
+
$depth = 0;
# How many entries should I show on the home page?
# --- Plugins (Optional) -----
-# File listing plugins blosxom should load
-# (if empty blosxom will load all plugins in $plugin_dir and $plugin_path directories)
+# File listing plugins blosxom should load (if empty blosxom will load
+# all plugins in $plugin_dir and $plugin_path directories)
$plugin_list = "";
# Where are my plugins kept?
# Where should my plugins keep their state information?
$plugin_state_dir = "$plugin_dir/state";
-# Additional plugins location
-# List of directories, separated by ';' on windows, ':' everywhere else
+# Additional plugins location. A list of directories, separated by ';'
+# on windows, ':' everywhere else.
$plugin_path = "";
# --- Static Rendering -----
# Where are this blog's static files to be created?
$static_dir = "/Library/WebServer/Documents/blog";
-# What's my administrative password (you must set this for static rendering)?
+# What's my administrative password (you must set this for static
+# rendering)?
$static_password = "";
# What flavours should I generate statically?
# 0 = no, 1 = yes
$static_entries = 0;
+# --- Advanced Encoding Options -----
+
+# Should I encode entities for xml content-types? (plugins can turn
+# this off if they do it themselves)
+$encode_xml_entities = 1;
+
+# Should I encode 8 bit special characters, e.g. umlauts in URLs, e.g.
+# convert an ISO-Latin-1 \"o to %F6? (off by default for now; plugins
+# can change this, too)
+$encode_8bit_chars = 0;
+
+# RegExp matching all characters which should be URL encoded in links.
+# Defaults to anything but numbers, letters, slash, colon, dash,
+# underscore and dot.
+$url_escape_re = qr([^-/a-zA-Z0-9:._]);
+
# --------------------------------
-use vars
- qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities !;
+=head1 ENVIRONMENT
+
+=over
+
+=item B<BLOSXOM_CONFIG_FILE>
+
+Points to the location of the configuration file. This will be
+considered as first option, if it's set.
+
+
+=item B<BLOSXOM_CONFIG_DIR>
+
+The here named directory will be tried unless the above mentioned
+environment variable is set and tested for a contained blosxom.conf
+file.
+
+
+=back
+
+
+=head1 FILES
+
+=over
+
+=item B</usr/lib/cgi-bin/blosxom>
+
+The CGI script itself. Please note that the location might depend on
+your installation.
+
+=item B</etc/blosxom/blosxom.conf>
+
+The default configuration file location. This is rather taken as last
+ressort if no other configuration location is set through environment
+variables.
+
+=back
+
+
+=head1 AUTHOR
+
+Rael Dornfest <rael@oreilly.com> was the original author of blosxom. The
+development was picked up by a team of dedicated users of blosxom since
+2005. See <I<http://blosxom.sourceforge.net/>> for more information.
+
+=cut
+
+use vars qw!
+ $version
+ $blog_title
+ $blog_description
+ $blog_language
+ $blog_encoding
+ $datadir
+ $url
+ %template
+ $template
+ $depth
+ $num_entries
+ $file_extension
+ $default_flavour
+ $static_or_dynamic
+ $config_dir
+ $plugin_list
+ $plugin_path
+ $plugin_dir
+ $plugin_state_dir
+ @plugins
+ %plugins
+ $static_dir
+ $static_password
+ @static_flavours
+ $static_entries
+ $path_info_full
+ $path_info
+ $path_info_yr
+ $path_info_mo
+ $path_info_da
+ $path_info_mo_num
+ $flavour
+ %month2num
+ @num2month
+ $interpolate
+ $entries
+ $output
+ $header
+ $show_future_entries
+ %files
+ %indexes
+ %others
+ $encode_xml_entities
+ $encode_8bit_chars
+ $url_escape_re
+ $content_type
+ !;
use strict;
use FileHandle;
use Time::Local;
use CGI qw/:standard :netscape/;
-$version = "2.0.2";
-
-# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
-$encode_xml_entities = 1;
+$version = "2.1.2+dev";
# Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
my $blosxom_config;
);
@num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num;
-# Use the stated preferred URL or figure it out automatically
-$url ||= url( -path_info => 1 );
-$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+# Use the stated preferred URL or figure it out automatically. Set
+# $url manually in the config section above if CGI.pm doesn't guess
+# the base URL correctly, e.g. when called from a Server Side Includes
+# document or so.
+unless ($url) {
+ $url = url();
+
+ # Unescape %XX hex codes (from URI::Escape::uri_unescape)
+ $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
+
+ # Support being called from inside a SSI document
+ $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+
+ # Remove PATH_INFO if it is set but not removed by CGI.pm. This
+ # seems to happen when used with Apache's Alias directive or if
+ # called from inside a Server Side Include document. If that
+ # doesn't help either, set $url manually in the configuration.
+ $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};
+
+ # NOTE:
+ #
+ # There is one case where this code does more than necessary, too:
+ # If the URL requested is e.g. http://example.org/blog/blog and
+ # the base URL is correctly determined as http://example.org/blog
+ # by CGI.pm, then this code will incorrectly normalize the base
+ # URL down to http://example.org, because the same string as
+ # PATH_INFO is part of the base URL, too. But this is such a
+ # seldom case and can be fixed by setting $url in the config file,
+ # too.
+}
-# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and
-# always appends path_info to the url. To fix this, we always
-# request an url with path_info, and always remove it from the end of the
-# string.
-my $pi_len = length $ENV{PATH_INFO};
-my $might_be_pi = substr( $url, -$pi_len );
-substr( $url, -length $ENV{PATH_INFO} ) = ''
- if $might_be_pi eq $ENV{PATH_INFO};
+# The only modification done to a manually set base URL is to strip
+# a trailing slash if present.
$url =~ s!/$!!;
# Path Info Magic
# Take a gander at HTTP's PATH_INFO for optional blog name, archive yr/mo/day
my @path_info = split m{/}, path_info() || param('path');
-$path_info_full = join '/', @path_info; # Equivalent to $ENV{PATH_INFO}
+$path_info_full = join '/', @path_info; # Equivalent to $ENV{PATH_INFO}
shift @path_info;
# Flavour specified by ?flav={flav} or index.{flav}
$flavour = '';
-if (! ($flavour = param('flav'))) {
+if ( !( $flavour = param('flav') ) ) {
if ( $path_info[$#path_info] =~ /(.+)\.(.+)$/ ) {
- $flavour = $2;
+ $flavour = $2;
pop @path_info if $1 eq 'index';
}
}
$flavour ||= $default_flavour;
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
+
# Global variable to be used in head/foot.{flavour} templates
$path_info = '';
+
# Add all @path_info elements to $path_info till we come to one that could be a year
-while ( $path_info[0] && $path_info[0] !~ /^(19|20)\d{2}$/) {
+while ( $path_info[0] && $path_info[0] !~ /^(19|20)\d{2}$/ ) {
$path_info .= '/' . shift @path_info;
}
# Pull date elements out of path
-if ($path_info[0] && $path_info[0] =~ /^(19|20)\d{2}$/) {
- $path_info_yr = shift @path_info;
- if ($path_info[0] &&
- ($path_info[0] =~ /^(0\d|1[012])$/ ||
- exists $month2num{ ucfirst lc $path_info_mo })) {
- $path_info_mo = shift @path_info;
- # Map path_info_mo to numeric $path_info_mo_num
- $path_info_mo_num = $path_info_mo =~ /^\d{2}$/
- ? $path_info_mo
- : $month2num{ ucfirst lc $path_info_mo };
- if ($path_info[0] && $path_info[0] =~ /^[0123]\d$/) {
- $path_info_da = shift @path_info;
+if ( $path_info[0] && $path_info[0] =~ /^(19|20)\d{2}$/ ) {
+ $path_info_yr = shift @path_info;
+ if ($path_info[0]
+ && ( $path_info[0] =~ /^(0\d|1[012])$/
+ || exists $month2num{ ucfirst lc $path_info_mo } )
+ )
+ {
+ $path_info_mo = shift @path_info;
+
+ # Map path_info_mo to numeric $path_info_mo_num
+ $path_info_mo_num
+ = $path_info_mo =~ /^\d{2}$/
+ ? $path_info_mo
+ : $month2num{ ucfirst lc $path_info_mo };
+ if ( $path_info[0] && $path_info[0] =~ /^[0123]\d$/ ) {
+ $path_info_da = shift @path_info;
+ }
}
- }
}
# Add remaining path elements to $path_info
-$path_info .= '/' . join('/', @path_info);
+$path_info .= '/' . join( '/', @path_info );
# Strip spurious slashes
$path_info =~ s!(^/*)|(/*$)!!g;
my %plugin_hash = ();
# If $plugin_list is set, read plugins to use from that file
-if ( $plugin_list ) {
+if ($plugin_list) {
if ( -r $plugin_list and $fh->open("< $plugin_list") ) {
@plugin_list = map { chomp $_; $_ } grep { /\S/ && !/^#/ } <$fh>;
$fh->close;
}
# Otherwise walk @plugin_dirs to get list of plugins to use
-if ( ! @plugin_list && @plugin_dirs ) {
+if ( !@plugin_list && @plugin_dirs ) {
for my $plugin_dir (@plugin_dirs) {
next unless -d $plugin_dir;
if ( opendir PLUGINS, $plugin_dir ) {
my $on_off = $off eq '_' ? -1 : 1;
# Allow perl module plugins
- # The -z test is a hack to allow a zero-length placeholder file in a
+ # The -z test is a hack to allow a zero-length placeholder file in a
# $plugin_path directory to indicate an @INC module should be loaded
if ( $plugin =~ m/::/ && ( $plugin_list || -z $plugin_hash{$plugin} ) ) {
# Define default entries subroutine
$entries = sub {
my ( %files, %indexes, %others );
+ my $param_all = param('-all');
find(
sub {
- my $d;
my $curr_depth = $File::Find::dir =~ tr[/][];
return if $depth and $curr_depth > $depth;
+ return if !-r $File::Find::name;
- if (
-
- # a match
- $File::Find::name
- =~ m!^$datadir/(?:(.*)/)?(.+)\.$file_extension$!
-
- # not an index, .file, and is readable
- and $2 ne 'index' and $2 !~ /^\./ and ( -r $File::Find::name )
- )
+ # if a $file_extension file and not a .file or an index
+ if ( m/^([^.].*)\.$file_extension$/
+ and $1 ne 'index' )
{
+ my $basename_noext = $1;
# read modification time
my $mtime = stat($File::Find::name)->mtime or return;
$files{$File::Find::name} = $mtime;
# static rendering bits
+ (my $dirname = $File::Find::dir) =~ s!^$datadir/?!!;
my $static_file
- = "$static_dir/$1/index." . $static_flavours[0];
- if ( param('-all')
+ = "$static_dir/${dirname}index.$static_flavours[0]";
+ if ( $param_all
or !-f $static_file
or stat($static_file)->mtime < $mtime )
{
- $indexes{$1} = 1;
- $d = join( '/', ( nice_date($mtime) )[ 5, 2, 3 ] );
+ $indexes{$dirname} = 1;
+ my $d = join( '/', ( nice_date($mtime) )[ 5, 2, 3 ] );
$indexes{$d} = $d;
- $indexes{ ( $1 ? "$1/" : '' ) . "$2.$file_extension" } = 1
+ $indexes{"$dirname$basename_noext.$file_extension"} = 1
if $static_entries;
}
}
# not an entries match
- elsif ( !-d $File::Find::name and -r $File::Find::name ) {
+ elsif ( !-d $File::Find::name ) {
$others{$File::Find::name} = stat($File::Find::name)->mtime;
}
},
%indexes = %$indexes;
# Static
-if ( !$ENV{GATEWAY_INTERFACE}
- and param('-password')
- and $static_password
- and param('-password') eq $static_password )
-{
+if ( $static_or_dynamic eq 'static' ) {
param('-quiet') or print "Blosxom is generating static index pages...\n";
mkdir "$static_dir/$p", 0755
unless ( -d "$static_dir/$p" or $p =~ /\.$file_extension$/ );
foreach $flavour (@static_flavours) {
- my $content_type
+ $content_type
= ( &$template( $p, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
my $fn = $p =~ m!^(.+)\.$file_extension$! ? $1 : "$p/index";
# Dynamic
else {
- my $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
+ $content_type = ( &$template( $path_info, 'content_type', $flavour ) );
$content_type =~ s!\n.*!!s;
$content_type =~ s/(\$\w+(?:::\w+)*)/"defined $1 ? $1 : ''"/gee;
# Define default interpolation subroutine
$interpolate = sub {
+
package blosxom;
my $template = shift;
+
# Interpolate scalars, namespaced scalars, and hash/hashref scalars
- $template =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{(['"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee;
+ $template
+ =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{([\'\"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee;
return $template;
};
# Define a default sort subroutine
my $sort = sub {
my ($files_ref) = @_;
- return
- sort { $files_ref->{$b} <=> $files_ref->{$a} }
+ return sort { $files_ref->{$b} <=> $files_ref->{$a} }
keys %$files_ref;
};
}
}
- if ( $encode_xml_entities && $content_type =~ m{\bxml\b} ) {
+ # Save unescaped versions and allow them to be used in
+ # flavour templates.
+ use vars qw/$url_unesc $path_unesc $fn_unesc/;
+ $url_unesc = $url;
+ $path_unesc = $path;
+ $fn_unesc = $fn;
+
+ # Fix special characters in links inside XML content
+ if ( $encode_xml_entities
+ && $content_type =~ m{\bxml\b}
+ && $content_type !~ m{\bxhtml\b} )
+ {
+
+ # Escape special characters inside the <link> container
+
+ &url_escape_url_path_and_fn();
# Escape <, >, and &, and to produce valid RSS
- my %escape = (
- '<' => '<',
- '>' => '>',
- '&' => '&',
- '"' => '"'
- );
- my $escape_re = join '|' => keys %escape;
- $title =~ s/($escape_re)/$escape{$1}/g;
- $body =~ s/($escape_re)/$escape{$1}/g;
+ $title = blosxom_html_escape($title);
+ $body = blosxom_html_escape($body);
+ $url = blosxom_html_escape($url);
+ $path = blosxom_html_escape($path);
+ $fn = blosxom_html_escape($fn);
+ }
+
+ # Fix special characters in links inside XML content
+ if ($encode_8bit_chars) {
+ &url_escape_url_path_and_fn();
}
$story = &$interpolate($story);
return ( $dw, $mo, $mo_num, $da, $ti, $yr, $utc_offset );
}
+sub url_escape_url_path_and_fn {
+ $url =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $path =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+ $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg;
+}
+
# Default HTML and RSS template bits
__DATA__
html content_type text/html; charset=$blog_encoding
+html head <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
html head <html>
html head <head>
-html head <meta http-equiv="content-type" content="text/html;charset=$blog_encoding" />
-html head <link rel="alternate" type="application/rss+xml" title="RSS" href="$url/index.rss" />
-html head <title>$blog_title $path_info_da $path_info_mo $path_info_yr
-html head </title>
+html head <meta http-equiv="content-type" content="$content_type" >
+html head <link rel="alternate" type="application/rss+xml" title="RSS" href="$url/index.rss" >
+html head <title>$blog_title $path_info_da $path_info_mo $path_info_yr</title>
html head </head>
html head <body>
-html head <center>
-html head <font size="+3">$blog_title</font><br />
-html head $path_info_da $path_info_mo $path_info_yr
-html head </center>
-html head <p />
+html head <div align="center">
+html head <h1>$blog_title</h1>
+html head <p>$path_info_da $path_info_mo $path_info_yr</p>
+html head </div>
-html story <p>
-html story <a name="$fn"><b>$title</b></a><br />
-html story $body<br />
-html story <br />
-html story posted at: $ti | path: <a href="$url$path">$path </a> | <a href="$url/$yr/$mo_num/$da#$fn">permanent link to this entry</a>
-html story </p>
+html story <div>
+html story <h3><a name="$fn">$title</a></h3>
+html story <div>$body</div>
+html story <p>posted at: $ti | path: <a href="$url$path">$path</a> | <a href="$url/$yr/$mo_num/$da#$fn">permanent link to this entry</a></p>
+html story </div>
-html date <h3>$dw, $da $mo $yr</h3>
+html date <h2>$dw, $da $mo $yr</h2>
html foot
-html foot <p />
-html foot <center>
-html foot <a href="http://blosxom.sourceforge.net/"><img src="http://blosxom.sourceforge.net/images/pb_blosxom.gif" border="0" /></a>
-html foot </center>
+html foot <div align="center">
+html foot <a href="http://blosxom.sourceforge.net/"><img src="http://blosxom.sourceforge.net/images/pb_blosxom.gif" alt="powered by blosxom" border="0" width="90" height="33" ></a>
+html foot </div>
html foot </body>
html foot </html>
rss story <pubDate>$dw, $da $mo $yr $ti:00 $utc_offset</pubDate>
rss story <link>$url/$yr/$mo_num/$da#$fn</link>
rss story <category>$path</category>
-rss story <guid isPermaLink="false">$path/$fn</guid>
+rss story <guid isPermaLink="false">$url$path/$fn</guid>
rss story <description>$body</description>
rss story </item>
error content_type text/html
+error head <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
error head <html>
-error head <body>
-error head <p><font color="red">Error: I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.</font></p>
-
+error head <head><title>Error: unknown Blosxom flavour "$flavour"</title></head>
+error head <body>
+error head <h1><font color="red">Error: unknown Blosxom flavour "$flavour"</font></h1>
+error head <p>I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.</p>
-error story <p><b>$title</b><br />
-error story
$body <a href="$url/$yr/$mo_num/$da#fn.$default_flavour">#</a></p>
+error story <h3>$title</h3>
+error story
<div>$body</div> <p><a href="$url/$yr/$mo_num/$da#fn.$default_flavour">#</a></p>
-error date <h3>$dw, $da $mo $yr</h3>
+error date <h2>$dw, $da $mo $yr</h2>
error foot </body>
error foot </html>
projects / matthijs / upstream / blosxom.git / blobdiff