X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fupstream%2Fblosxom.git;a=blobdiff_plain;f=blosxom.cgi;h=f6473743edd2d5e229b24526b00583902e3c3fa4;hp=4e19e64a27e20e423427d02a3fdf93045d616553;hb=1d9899f2726e343ccc813414d0d369e7360638ba;hpb=e9efcd432994620d4294f322ff04152134a1c1f4 diff --git a/blosxom.cgi b/blosxom.cgi index 4e19e64..f647374 100755 --- a/blosxom.cgi +++ b/blosxom.cgi @@ -1,13 +1,63 @@ #!/usr/bin/perl # Blosxom -# Author: Rael Dornfest -# Version: 2.0.2 +# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2009) +# Version: 2.1.2 ($Id: blosxom.cgi,v 1.98 2009/07/19 17:18:37 xtaran Exp $) # Home/Docs/Licensing: http://blosxom.sourceforge.net/ # Development/Downloads: http://sourceforge.net/projects/blosxom package blosxom; +=head1 NAME + +blosxom - A lightweight yet feature-packed weblog + +=head1 SYNOPSIS + +B is a simple web log (blog) CGI script written in perl. + +=head1 DESCRIPTION + +B (pronounced "I") is a lightweight yet feature-packed +weblog application designed from the ground up with simplicity, +usability, and interoperability in mind. + +Fundamental is its reliance upon the file system, folders and files +as its content database. Blosxom's weblog entries are plain text +files like any other. Write from the comfort of your favorite text +editor and hit the Save button. Create, edit, rename, and delete entries +on the command-line, via FTP, WebDAV, or anything else you +might use to manipulate your files. There's no import or export; entries +are nothing more complex than title on the first line, body being +everything thereafter. + +Despite its tiny footprint, Blosxom doesn't skimp on features, sporting +the majority of features one would find in any other Weblog application. + +Blosxom is simple, straightforward, minimalist Perl affording even the +dabbler an opportunity for experimentation and customization. And +last, but not least, Blosxom is open source and free for the taking and +altering. + +=head1 USAGE + +Write a weblog entry, and place it into the main data directory. Place +the the title is on the first line; the body is everything afterwards. +For example, create a file named I and put in it something +like this: + + First Blosxom Post! + + I have successfully installed blosxom on this system. For more + information on blosxom, see the author's blosxom site. + +Place the file in the directory under the I<$datadir> points to. Be +sure to change the default location to be somewhere accessable by the +web server that runs blosxom as a CGI program. + +=cut + # --- Configurable variables ----- # What's this blog's title? @@ -25,12 +75,16 @@ $blog_encoding = "UTF-8"; # Where are this blog's entries kept? $datadir = "/Library/WebServer/Documents/blosxom"; -# What's my preferred base URL for this blog (leave blank for automatic)? +# What's my preferred base URL for this blog (leave blank for +# automatic)? $url = ""; # Should I stick only to the datadir for items or travel down the # directory hierarchy looking for items? If so, to what depth? -# 0 = infinite depth (aka grab everything), 1 = datadir only, n = n levels down +# +# 0 = infinite depth (aka grab everything), 1 = datadir only, +# n = n levels down + $depth = 0; # How many entries should I show on the home page? @@ -47,8 +101,8 @@ $show_future_entries = 0; # --- Plugins (Optional) ----- -# File listing plugins blosxom should load -# (if empty blosxom will load all plugins in $plugin_dir and $plugin_path directories) +# File listing plugins blosxom should load (if empty blosxom will load +# all plugins in $plugin_dir and $plugin_path directories) $plugin_list = ""; # Where are my plugins kept? @@ -57,8 +111,8 @@ $plugin_dir = ""; # Where should my plugins keep their state information? $plugin_state_dir = "$plugin_dir/state"; -# Additional plugins location -# List of directories, separated by ';' on windows, ':' everywhere else +# Additional plugins location. A list of directories, separated by ';' +# on windows, ':' everywhere else. $plugin_path = ""; # --- Static Rendering ----- @@ -66,7 +120,8 @@ $plugin_path = ""; # Where are this blog's static files to be created? $static_dir = "/Library/WebServer/Documents/blog"; -# What's my administrative password (you must set this for static rendering)? +# What's my administrative password (you must set this for static +# rendering)? $static_password = ""; # What flavours should I generate statically? @@ -76,10 +131,118 @@ $static_password = ""; # 0 = no, 1 = yes $static_entries = 0; +# --- Advanced Encoding Options ----- + +# Should I encode entities for xml content-types? (plugins can turn +# this off if they do it themselves) +$encode_xml_entities = 1; + +# Should I encode 8 bit special characters, e.g. umlauts in URLs, e.g. +# convert an ISO-Latin-1 \"o to %F6? (off by default for now; plugins +# can change this, too) +$encode_8bit_chars = 0; + +# RegExp matching all characters which should be URL encoded in links. +# Defaults to anything but numbers, letters, slash, colon, dash, +# underscore and dot. +$url_escape_re = qr([^-/a-zA-Z0-9:._]); + # -------------------------------- -use vars - qw! $version $blog_title $blog_description $blog_language $blog_encoding $datadir $url %template $template $depth $num_entries $file_extension $default_flavour $static_or_dynamic $config_dir $plugin_list $plugin_path $plugin_dir $plugin_state_dir @plugins %plugins $static_dir $static_password @static_flavours $static_entries $path_info $path_info_yr $path_info_mo $path_info_da $path_info_mo_num $flavour $static_or_dynamic %month2num @num2month $interpolate $entries $output $header $show_future_entries %files %indexes %others !; +=head1 ENVIRONMENT + +=over + +=item B + +Points to the location of the configuration file. This will be +considered as first option, if it's set. + + +=item B + +The here named directory will be tried unless the above mentioned +environment variable is set and tested for a contained blosxom.conf +file. + + +=back + + +=head1 FILES + +=over + +=item B + +The CGI script itself. Please note that the location might depend on +your installation. + +=item B + +The default configuration file location. This is rather taken as last +ressort if no other configuration location is set through environment +variables. + +=back + + +=head1 AUTHOR + +Rael Dornfest was the original author of blosxom. The +development was picked up by a team of dedicated users of blosxom since +2005. See > for more information. + +=cut + +use vars qw! + $version + $blog_title + $blog_description + $blog_language + $blog_encoding + $datadir + $url + %template + $template + $depth + $num_entries + $file_extension + $default_flavour + $static_or_dynamic + $config_dir + $plugin_list + $plugin_path + $plugin_dir + $plugin_state_dir + @plugins + %plugins + $static_dir + $static_password + @static_flavours + $static_entries + $path_info_full + $path_info + $path_info_yr + $path_info_mo + $path_info_da + $path_info_mo_num + $flavour + %month2num + @num2month + $interpolate + $entries + $output + $header + $show_future_entries + %files + %indexes + %others + $encode_xml_entities + $encode_8bit_chars + $url_escape_re + $content_type + !; use strict; use FileHandle; @@ -88,7 +251,7 @@ use File::stat; use Time::Local; use CGI qw/:standard :netscape/; -$version = "2.0.2"; +$version = "2.1.2+dev"; # Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists my $blosxom_config; @@ -139,18 +302,39 @@ my $fh = new FileHandle; ); @num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num; -# Use the stated preferred URL or figure it out automatically -$url ||= url( -path_info => 1 ); -$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED'; +# Use the stated preferred URL or figure it out automatically. Set +# $url manually in the config section above if CGI.pm doesn't guess +# the base URL correctly, e.g. when called from a Server Side Includes +# document or so. +unless ($url) { + $url = url(); + + # Unescape %XX hex codes (from URI::Escape::uri_unescape) + $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; + + # Support being called from inside a SSI document + $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED'; + + # Remove PATH_INFO if it is set but not removed by CGI.pm. This + # seems to happen when used with Apache's Alias directive or if + # called from inside a Server Side Include document. If that + # doesn't help either, set $url manually in the configuration. + $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO}; + + # NOTE: + # + # There is one case where this code does more than necessary, too: + # If the URL requested is e.g. http://example.org/blog/blog and + # the base URL is correctly determined as http://example.org/blog + # by CGI.pm, then this code will incorrectly normalize the base + # URL down to http://example.org, because the same string as + # PATH_INFO is part of the base URL, too. But this is such a + # seldom case and can be fixed by setting $url in the config file, + # too. +} -# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and -# always appends path_info to the url. To fix this, we always -# request an url with path_info, and always remove it from the end of the -# string. -my $pi_len = length $ENV{PATH_INFO}; -my $might_be_pi = substr( $url, -$pi_len ); -substr( $url, -length $ENV{PATH_INFO} ) = '' - if $might_be_pi eq $ENV{PATH_INFO}; +# The only modification done to a manually set base URL is to strip +# a trailing slash if present. $url =~ s!/$!!; @@ -162,9 +346,6 @@ $static_dir =~ s!/$!!; # Fix depth to take into account datadir's path $depth += ( $datadir =~ tr[/][] ) - 1 if $depth; -# Global variable to be used in head/foot.{flavour} templates -$path_info = ''; - if ( !$ENV{GATEWAY_INTERFACE} and param('-password') and $static_password @@ -180,39 +361,71 @@ else { # Path Info Magic # Take a gander at HTTP's PATH_INFO for optional blog name, archive yr/mo/day my @path_info = split m{/}, path_info() || param('path'); +$path_info_full = join '/', @path_info; # Equivalent to $ENV{PATH_INFO} shift @path_info; -while ( $path_info[0] - and $path_info[0] =~ /^[a-zA-Z].*$/ - and $path_info[0] !~ /(.*)\.(.*)/ ) -{ - $path_info .= '/' . shift @path_info; -} - # Flavour specified by ?flav={flav} or index.{flav} $flavour = ''; +if ( !( $flavour = param('flav') ) ) { + if ( $path_info[$#path_info] =~ /(.+)\.(.+)$/ ) { + $flavour = $2; + pop @path_info if $1 eq 'index'; + } +} +$flavour ||= $default_flavour; + +# Fix XSS in flavour name (CVE-2008-2236) +$flavour = blosxom_html_escape($flavour); + +sub blosxom_html_escape { + my $string = shift; + my %escape = ( + '<' => '<', + '>' => '>', + '&' => '&', + '"' => '"', + "'" => ''' + ); + my $escape_re = join '|' => keys %escape; + $string =~ s/($escape_re)/$escape{$1}/g; + $string; +} + +# Global variable to be used in head/foot.{flavour} templates +$path_info = ''; -if ( $path_info[$#path_info] =~ /(.+)\.(.+)$/ ) { - $flavour = $2; - $path_info .= "/$1.$2" if $1 ne 'index'; - pop @path_info; +# Add all @path_info elements to $path_info till we come to one that could be a year +while ( $path_info[0] && $path_info[0] !~ /^(19|20)\d{2}$/ ) { + $path_info .= '/' . shift @path_info; } -else { - $flavour = param('flav') || $default_flavour; + +# Pull date elements out of path +if ( $path_info[0] && $path_info[0] =~ /^(19|20)\d{2}$/ ) { + $path_info_yr = shift @path_info; + if ($path_info[0] + && ( $path_info[0] =~ /^(0\d|1[012])$/ + || exists $month2num{ ucfirst lc $path_info_mo } ) + ) + { + $path_info_mo = shift @path_info; + + # Map path_info_mo to numeric $path_info_mo_num + $path_info_mo_num + = $path_info_mo =~ /^\d{2}$/ + ? $path_info_mo + : $month2num{ ucfirst lc $path_info_mo }; + if ( $path_info[0] && $path_info[0] =~ /^[0123]\d$/ ) { + $path_info_da = shift @path_info; + } + } } +# Add remaining path elements to $path_info +$path_info .= '/' . join( '/', @path_info ); + # Strip spurious slashes $path_info =~ s!(^/*)|(/*$)!!g; -# Date fiddling -( $path_info_yr, $path_info_mo, $path_info_da ) = @path_info; -$path_info_mo_num - = $path_info_mo - ? ( $path_info_mo =~ /\d{2}/ - ? $path_info_mo - : ( $month2num{ ucfirst( lc $path_info_mo ) } || undef ) ) - : undef; - # Define standard template subroutine, plugin-overridable at Plugins: Template $template = sub { my ( $path, $chunk, $flavour ) = @_; @@ -251,7 +464,7 @@ my @plugin_list = (); my %plugin_hash = (); # If $plugin_list is set, read plugins to use from that file -if ( $plugin_list ) { +if ($plugin_list) { if ( -r $plugin_list and $fh->open("< $plugin_list") ) { @plugin_list = map { chomp $_; $_ } grep { /\S/ && !/^#/ } <$fh>; $fh->close; @@ -263,7 +476,7 @@ if ( $plugin_list ) { } # Otherwise walk @plugin_dirs to get list of plugins to use -if ( ! @plugin_list && @plugin_dirs ) { +if ( !@plugin_list && @plugin_dirs ) { for my $plugin_dir (@plugin_dirs) { next unless -d $plugin_dir; if ( opendir PLUGINS, $plugin_dir ) { @@ -293,7 +506,7 @@ foreach my $plugin (@plugin_list) { my $on_off = $off eq '_' ? -1 : 1; # Allow perl module plugins - # The -z test is a hack to allow a zero-length placeholder file in a + # The -z test is a hack to allow a zero-length placeholder file in a # $plugin_path directory to indicate an @INC module should be loaded if ( $plugin =~ m/::/ && ( $plugin_list || -z $plugin_hash{$plugin} ) ) { @@ -337,22 +550,18 @@ sub load_template { # Define default entries subroutine $entries = sub { my ( %files, %indexes, %others ); + my $param_all = param('-all'); find( sub { - my $d; my $curr_depth = $File::Find::dir =~ tr[/][]; return if $depth and $curr_depth > $depth; + return if !-r $File::Find::name; - if ( - - # a match - $File::Find::name - =~ m!^$datadir/(?:(.*)/)?(.+)\.$file_extension$! - - # not an index, .file, and is readable - and $2 ne 'index' and $2 !~ /^\./ and ( -r $File::Find::name ) - ) + # if a $file_extension file and not a .file or an index + if ( m/^([^.].*)\.$file_extension$/ + and $1 ne 'index' ) { + my $basename_noext = $1; # read modification time my $mtime = stat($File::Find::name)->mtime or return; @@ -364,22 +573,23 @@ $entries = sub { $files{$File::Find::name} = $mtime; # static rendering bits + (my $dirname = $File::Find::dir) =~ s!^$datadir/?!!; my $static_file - = "$static_dir/$1/index." . $static_flavours[0]; - if ( param('-all') + = "$static_dir/${dirname}index.$static_flavours[0]"; + if ( $param_all or !-f $static_file or stat($static_file)->mtime < $mtime ) { - $indexes{$1} = 1; - $d = join( '/', ( nice_date($mtime) )[ 5, 2, 3 ] ); + $indexes{$dirname} = 1; + my $d = join( '/', ( nice_date($mtime) )[ 5, 2, 3 ] ); $indexes{$d} = $d; - $indexes{ ( $1 ? "$1/" : '' ) . "$2.$file_extension" } = 1 + $indexes{"$dirname$basename_noext.$file_extension"} = 1 if $static_entries; } } # not an entries match - elsif ( !-d $File::Find::name and -r $File::Find::name ) { + elsif ( !-d $File::Find::name ) { $others{$File::Find::name} = stat($File::Find::name)->mtime; } }, @@ -405,11 +615,7 @@ my ( $files, $indexes, $others ) = &$entries(); %indexes = %$indexes; # Static -if ( !$ENV{GATEWAY_INTERFACE} - and param('-password') - and $static_password - and param('-password') eq $static_password ) -{ +if ( $static_or_dynamic eq 'static' ) { param('-quiet') or print "Blosxom is generating static index pages...\n"; @@ -424,7 +630,7 @@ if ( !$ENV{GATEWAY_INTERFACE} mkdir "$static_dir/$p", 0755 unless ( -d "$static_dir/$p" or $p =~ /\.$file_extension$/ ); foreach $flavour (@static_flavours) { - my $content_type + $content_type = ( &$template( $p, 'content_type', $flavour ) ); $content_type =~ s!\n.*!!s; my $fn = $p =~ m!^(.+)\.$file_extension$! ? $1 : "$p/index"; @@ -461,7 +667,7 @@ if ( !$ENV{GATEWAY_INTERFACE} # Dynamic else { - my $content_type = ( &$template( $path_info, 'content_type', $flavour ) ); + $content_type = ( &$template( $path_info, 'content_type', $flavour ) ); $content_type =~ s!\n.*!!s; $content_type =~ s/(\$\w+(?:::\w+)*)/"defined $1 ? $1 : ''"/gee; @@ -510,10 +716,13 @@ sub generate { # Define default interpolation subroutine $interpolate = sub { + package blosxom; my $template = shift; + # Interpolate scalars, namespaced scalars, and hash/hashref scalars - $template =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{(['"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee; + $template + =~ s/(\$\w+(?:::\w+)*(?:(?:->)?{([\'\"]?)[-\w]+\2})?)/"defined $1 ? $1 : ''"/gee; return $template; }; @@ -561,8 +770,7 @@ sub generate { # Define a default sort subroutine my $sort = sub { my ($files_ref) = @_; - return - sort { $files_ref->{$b} <=> $files_ref->{$a} } + return sort { $files_ref->{$b} <=> $files_ref->{$a} } keys %$files_ref; }; @@ -648,18 +856,34 @@ sub generate { } } - if ( $content_type =~ m{\bxml\b} ) { + # Save unescaped versions and allow them to be used in + # flavour templates. + use vars qw/$url_unesc $path_unesc $fn_unesc/; + $url_unesc = $url; + $path_unesc = $path; + $fn_unesc = $fn; + + # Fix special characters in links inside XML content + if ( $encode_xml_entities + && $content_type =~ m{\bxml\b} + && $content_type !~ m{\bxhtml\b} ) + { + + # Escape special characters inside the container + + &url_escape_url_path_and_fn(); # Escape <, >, and &, and to produce valid RSS - my %escape = ( - '<' => '<', - '>' => '>', - '&' => '&', - '"' => '"' - ); - my $escape_re = join '|' => keys %escape; - $title =~ s/($escape_re)/$escape{$1}/g; - $body =~ s/($escape_re)/$escape{$1}/g; + $title = blosxom_html_escape($title); + $body = blosxom_html_escape($body); + $url = blosxom_html_escape($url); + $path = blosxom_html_escape($path); + $fn = blosxom_html_escape($fn); + } + + # Fix special characters in links inside XML content + if ($encode_8bit_chars) { + &url_escape_url_path_and_fn(); } $story = &$interpolate($story); @@ -719,38 +943,41 @@ sub nice_date { return ( $dw, $mo, $mo_num, $da, $ti, $yr, $utc_offset ); } +sub url_escape_url_path_and_fn { + $url =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; + $path =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; + $fn =~ s($url_escape_re)(sprintf('%%%02X', ord($&)))eg; +} + # Default HTML and RSS template bits __DATA__ html content_type text/html; charset=$blog_encoding +html head html head html head -html head -html head -html head $blog_title $path_info_da $path_info_mo $path_info_yr -html head +html head +html head +html head $blog_title $path_info_da $path_info_mo $path_info_yr html head html head -html head
-html head $blog_title
-html head $path_info_da $path_info_mo $path_info_yr -html head
-html head

+html head

+html head

$blog_title

+html head

$path_info_da $path_info_mo $path_info_yr

+html head
-html story

-html story $title
-html story $body
-html story
-html story posted at: $ti | path: $path | permanent link to this entry -html story

+html story
+html story

$title

+html story
$body
+html story

posted at: $ti | path: $path | permanent link to this entry

+html story
-html date

$dw, $da $mo $yr

+html date

$dw, $da $mo $yr

html foot -html foot

-html foot

-html foot -html foot
+html foot
+html foot powered by blosxom +html foot
html foot html foot @@ -771,7 +998,7 @@ rss story $title rss story $dw, $da $mo $yr $ti:00 $utc_offset rss story $url/$yr/$mo_num/$da#$fn rss story $path -rss story $path/$fn +rss story $url$path/$fn rss story $body rss story @@ -782,15 +1009,17 @@ rss foot error content_type text/html +error head error head -error head -error head

Error: I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.

- +error head Error: unknown Blosxom flavour "$flavour" +error head +error head

Error: unknown Blosxom flavour "$flavour"

+error head

I'm afraid this is the first I've heard of a "$flavour" flavoured Blosxom. Try dropping the "/+$flavour" bit from the end of the URL.

-error story

$title
-error story $body #

+error story

$title

+error story
$body

#

-error date

$dw, $da $mo $yr

+error date

$dw, $da $mo $yr

error foot error foot