From: Gerfried Fuchs
Date: Thu, 2 Oct 2008 10:49:50 +0000 (+0200)
Subject: Merge commit 'v2_1_2' into debian
X-Git-Tag: debian/2.1.2-1~2
X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fupstream%2Fblosxom.git;a=commitdiff_plain;h=9933e52ba4bf69b14908f2d76a3e083d51ed9df6;hp=ab610a555d860fd48269af15fae725e640489914
Merge commit 'v2_1_2' into debian
---
diff --git a/ChangeLog b/ChangeLog
index 70ce5f4..f2650e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+v2.1.2
+ * Fix XSS in $flavour (CVE-2008-2236). Thanks to Yoshinori Ohta of
+ Business Architects Inc. for making us aware of this issue.
+
 v2.1.1
 * The "never trust a dot zero release" bugfix release for 2.1.0.
 * Added CVS Id keyword to file header.
diff --git a/blosxom.cgi b/blosxom.cgi
index eae39bf..712b8e2 100755
--- a/blosxom.cgi
+++ b/blosxom.cgi
@@ -2,7 +2,7 @@
 # Blosxom
 # Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.1 ($Id: blosxom.cgi,v 1.83 2008/07/30 22:27:02 xtaran Exp $)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.85 2008/10/02 01:09:41 xtaran Exp $)
 # Home/Docs/Licensing: http://blosxom.sourceforge.net/
 # Development/Downloads: http://sourceforge.net/projects/blosxom
@@ -91,7 +91,7 @@ use File::stat;
 use Time::Local;
 use CGI qw/:standard :netscape/;
-$version = "2.1.1";
+$version = "2.1.2";
 # Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
 my $blosxom_config;
@@ -214,6 +214,23 @@ if (! ($flavour = param('flav'))) {
 }
 $flavour ||= $default_flavour;
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
+
 # Global variable to be used in head/foot.{flavour} templates
 $path_info = '';
 # Add all @path_info elements to $path_info till we come to one that could be a year
diff --git a/t/smoketest/expected.rss b/t/smoketest/expected.rss
index e95492e..6836cf6 100644
--- a/t/smoketest/expected.rss
+++ b/t/smoketest/expected.rss
@@ -8,14 +8,14 @@ Content-Type: text/xml; charset=ISO-8859-1 Yet another Blosxom weblog. en http://blogs.law.harvard.edu/tech/rss - blosxom/2.1.0 + blosxom/2.1.2 Lorem ipsum Wed, 19 Jul 2006 22:54:00 +0000 http://localhost/2006/07/19#1 - http://localhost/1 + http://localhost/1 Lorem ipsum dolor sit amet ipso facto.Lorem ipsum dolor sit amet ipso facto.Lorem ipsum dolor sit amet ipso facto. Lorem ipsum dolor sit amet ipso facto.Lorem ipsum dolor sit amet ipso facto.
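Review bot: The fix HTML-escapes `$flavour` at the point it is read rather than validating it, although a flavour name is an identifier that (elsewhere in blosxom.cgi, outside this hunk, per the "head/foot.{flavour} templates" comment) also selects template files by name; an allowlist such as `$flavour = $default_flavour unless $flavour =~ /\A[A-Za-z0-9_-]+\z/;` placed before the escape would reject unexpected characters in every context instead of only neutralising them for HTML output. Within `blosxom_html_escape`, the alternation is built from the raw hash keys; they are plain characters today, but `my $escape_re = join '|' => map { quotemeta } keys %escape;` keeps the pattern safe if the table ever grows, and the trailing `$string;` should be an explicit `return $string;`. As rendered here the replacement values look identical to their keys (`'<' => '<'`), which appears to be the page having decoded the entity references the source presumably contains; worth confirming against the actual file. The subroutine and its call site are complete within the hunk.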