Merge commit 'v2_1_2' into debian

diff --git a/ChangeLog b/ChangeLog
index 70ce5f4126cfadb6a287a70a8373b3b12899f76e..f2650e46b71b46b947952e5d4bb1da7877eb9ed8 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+v2.1.2
+    * Fix XSS in $flavour (CVE-2008-2236). Thanks to Yoshinori Ohta of
+      Business Architects Inc. for making us aware of this issue.
+
 v2.1.1
     * The "never trust a dot zero release" bugfix release for 2.1.0.
     * Added CVS Id keyword to file header.

diff --git a/blosxom.cgi b/blosxom.cgi
index eae39bf4becfc5bef9134b7196dd3769b84ebbc1..712b8e2bd4795984e9cb90d8af85a6c1530478d2 100755 (executable)
--- a/blosxom.cgi
+++ b/blosxom.cgi
@@ -2,7 +2,7 @@
 
 # Blosxom
 # Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.1 ($Id: blosxom.cgi,v 1.83 2008/07/30 22:27:02 xtaran Exp $)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.85 2008/10/02 01:09:41 xtaran Exp $)
 # Home/Docs/Licensing: http://blosxom.sourceforge.net/
 # Development/Downloads: http://sourceforge.net/projects/blosxom
 
@@ -91,7 +91,7 @@ use File::stat;
 use Time::Local;
 use CGI qw/:standard :netscape/;
 
-$version = "2.1.1";
+$version = "2.1.2";
 
 # Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
 my $blosxom_config;
@@ -214,6 +214,23 @@ if (! ($flavour = param('flav'))) {
 }
 $flavour ||= $default_flavour;
 
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+  my $string = shift;
+  my %escape = (
+                '<' => '&lt;',
+                '>' => '&gt;',
+                '&' => '&amp;',
+                '"' => '&quot;',
+                "'" => '&apos;'
+                );
+  my $escape_re = join '|' => keys %escape;
+  $string =~ s/($escape_re)/$escape{$1}/g;
+  $string;
+}
+
 # Global variable to be used in head/foot.{flavour} templates
 $path_info = '';
 # Add all @path_info elements to $path_info till we come to one that could be a year

diff --git a/t/smoketest/expected.rss b/t/smoketest/expected.rss
index e95492e3c6fc80e1427df06a8737b391124267b9..6836cf660291ca5afa6a9e23f6a18daf26b24064 100644 (file)
--- a/t/smoketest/expected.rss
+++ b/t/smoketest/expected.rss
@@ -8,14 +8,14 @@ Content-Type: text/xml; charset=ISO-8859-1
     <description>Yet another Blosxom weblog.</description>
     <language>en</language>
     <docs>http://blogs.law.harvard.edu/tech/rss</docs>
-    <generator>blosxom/2.1.0</generator>
+    <generator>blosxom/2.1.2</generator>
 
   <item>
     <title>Lorem ipsum</title>
     <pubDate>Wed, 19 Jul 2006 22:54:00 +0000</pubDate>
     <link>http://localhost/2006/07/19#1</link>
     <category></category>
-    <guid isPermaLink="true">http://localhost/1</guid>
+    <guid isPermaLink="false">http://localhost/1</guid>
     <description>Lorem ipsum dolor sit amet ipso facto.Lorem ipsum dolor sit amet ipso
 facto.Lorem ipsum dolor sit amet ipso facto. Lorem ipsum dolor sit
 amet ipso facto.Lorem ipsum dolor sit amet ipso facto.