X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fupstream%2Fblosxom.git;a=blobdiff_plain;f=blosxom.cgi;h=a49237827cedb6cb6f9efd80753aae7abe269210;hp=eae39bf4becfc5bef9134b7196dd3769b84ebbc1;hb=15dfb8340ae2dcc2daf7f426a60fe5a8edeb950c;hpb=b9131697cef6d045ddae4970f610595227718ea3
diff --git a/blosxom.cgi b/blosxom.cgi
index eae39bf..a492378 100755
--- a/blosxom.cgi
+++ b/blosxom.cgi
@@ -2,12 +2,62 @@ # Blosxom # Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008) -# Version: 2.1.1 ($Id: blosxom.cgi,v 1.83 2008/07/30 22:27:02 xtaran Exp $) +# Version: 2.1.2 ($Id: blosxom.cgi,v 1.88 2008/11/13 17:19:51 alfie Exp $) # Home/Docs/Licensing: http://blosxom.sourceforge.net/ # Development/Downloads: http://sourceforge.net/projects/blosxom package blosxom; +=head1 NAME + +blosxom - A lightweight yet feature-packed weblog + +=head1 SYNOPSIS + +B is a simple web log (blog) CGI script written in perl. + +=head1 DESCRIPTION + +B (pronounced "I") is a lightweight yet feature-packed +weblog application designed from the ground up with simplicity, +usability, and interoperability in mind. + +Fundamental is its reliance upon the file system, folders and files +as its content database. Blosxom's weblog entries are plain text +files like any other. Write from the comfort of your favorite text +editor and hit the Save button. Create, edit, rename, and delete entries +on the command-line, via FTP, WebDAV, or anything else you +might use to manipulate your files. There's no import or export; entries +are nothing more complex than title on the first line, body being +everything thereafter. + +Despite its tiny footprint, Blosxom doesn't skimp on features, sporting +the majority of features one would find in any other Weblog application. + +Blosxom is simple, straightforward, minimalist Perl affording even the +dabbler an opportunity for experimentation and customization. And +last, but not least, Blosxom is open source and free for the taking and +altering. + +=head1 USAGE + +Write a weblog entry, and place it into the main data directory. Place +the the title is on the first line; the body is everything afterwards. +For example, create a file named I and put in it something +like this: + + First Blosxom Post! + + I have successfully installed blosxom on this system. For more + information on blosxom, see the author's blosxom site. 
+ +Place the file in the directory under the I<$datadir> points to. Be +sure to change the default location to be somewhere accessable by the +web server that runs blosxom as a CGI program. + +=cut + # --- Configurable variables ----- # What's this blog's title? @@ -81,6 +131,53 @@ $encode_xml_entities = 1; # -------------------------------- +=head1 ENVIRONMENT + +=over + +=item B + +Points to the location of the configuration file. This will be +considered as first option, if it's set. + + +=item B + +The here named directory will be tried unless the above mentioned +environment variable is set and tested for a contained blosxom.conf +file. + + +=back + + +=head1 FILES + +=over + +=item B + +The CGI script itself. Please note that the location might depend on +your installation. + +=item B + +The default configuration file location. This is rather taken as last +ressort if no other configuration location is set through environment +variables. + +=back + + +=head1 AUTHOR + +Rael Dornfest was the original author of blosxom. The +development was picked up by a team of dedicated users of blosxom since +2005. See > for more information. + +=cut + + use vars qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info_full $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others $encode_xml_entities $content_type !; @@ -91,7 +188,7 @@ use File::stat; use Time::Local; use CGI qw/:standard :netscape/; -$version = "2.1.1"; +$version = "2.1.2"; # Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists my $blosxom_config; 
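Review bot: The USAGE paragraph at the end of this hunk tells the reader to make the `$datadir` location "accessable by the web server" without saying which access is meant; since the script only reads entries from there, say readable by the web-server user and that write access is not required, and presumably that the directory should sit outside the document root so raw entry files are not served directly (confirm against how `$datadir` is used elsewhere). The same paragraph has wording defects: `Place the the title is on the first line` should read `Place the title on the first line`, `accessable` should be `accessible`, and `the directory under the I<$datadir> points to` should be `the directory I<$datadir> points to`. The POD formatting codes appear stripped in this rendering (`B` and `I` standing alone), which is presumably an artifact of the page rather than the committed text, but worth checking in the raw file.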
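Review bot: The ENVIRONMENT section describes the config-directory variable only as "considered as first option, if it's set", but the context comment further down (`# Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists`) suggests that file is loaded as Perl; if so, the POD should state that the variable is trusted input, must only be set by the web-server configuration, and that the named directory must not be writable by untrusted users. Suggested wording for the item: `Directory whose blosxom.conf is loaded first, if the variable is set; the file is executed as Perl, so the directory must be writable only by the administrator.` Minor wording in the same hunk: `The here named directory` reads better as `The directory named here`, and `ressort` should be `resort`.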
@@ -214,6 +311,23 @@ if (! ($flavour = param('flav'))) { } $flavour ||= $default_flavour; +# Fix XSS in flavour name (CVE-2008-2236) +$flavour = blosxom_html_escape($flavour); + +sub blosxom_html_escape { + my $string = shift; + my %escape = ( + '<' => '<', + '>' => '>', + '&' => '&', + '"' => '"', + "'" => ''' + ); + my $escape_re = join '|' => keys %escape; + $string =~ s/($escape_re)/$escape{$1}/g; + $string; +} + # Global variable to be used in head/foot.{flavour} templates $path_info = ''; # Add all @path_info elements to $path_info till we come to one that could be a year @@ -693,19 +807,11 @@ sub generate { $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; # Escape <, >, and &, and to produce valid RSS - my %escape = ( - '<' => '<', - '>' => '>', - '&' => '&', - '"' => '"', - "'" => ''' - ); - my $escape_re = join '|' => keys %escape; - $title =~ s/($escape_re)/$escape{$1}/g; - $body =~ s/($escape_re)/$escape{$1}/g; - $url =~ s/($escape_re)/$escape{$1}/g; - $path =~ s/($escape_re)/$escape{$1}/g; - $fn =~ s/($escape_re)/$escape{$1}/g; + $title = blosxom_html_escape($title); + $body = blosxom_html_escape($body); + $url = blosxom_html_escape($url); + $path = blosxom_html_escape($path); + $fn = blosxom_html_escape($fn); } $story = &$interpolate($story);
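Review bot: HTML-escaping `$flavour` right after it is read from `param('flav')` sanitizes it for one output context only, while the head/foot.{flavour} comment in the same hunk indicates the value is also used to select template files; the safer root-cause fix is to allow-list the flavour where it is read and keep escaping for the output sites, e.g. add `$flavour = $default_flavour unless $flavour =~ m{\A[\w-]+\z};` immediately after the existing `$flavour ||= $default_flavour;` line. In `blosxom_html_escape`, build the alternation with `my $escape_re = join '|', map { quotemeta } keys %escape;` so the helper stays correct if a regex metacharacter is ever added to the map, and consider hoisting the map and compiled regex out of the sub since they are rebuilt on every call. The escape table is rendered on this page as identity mappings (`'<' => '<'`), presumably an artifact of entity decoding rather than the committed source; if it were literal the CVE-2008-2236 fix would be a no-op, so worth a glance at the raw file.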
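Review bot: The comment kept above the replaced lines, `# Escape <, >, and &, and to produce valid RSS`, no longer describes the code: the shared helper also escapes `"` and `'`, and because it is now the same routine that neutralises the flavour parameter, any later change to its map affects both the feed output and the CVE-2008-2236 fix. Suggest replacing it with `# HTML/XML-escape title, body, url, path and fn via blosxom_html_escape (shared with the flavour sanitizer above)`. The enclosing `generate` sub and the conditional block closed by the `}` after `$fn = blosxom_html_escape($fn);` both start outside this hunk, so which flavours this branch applies to cannot be confirmed from here.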