diff -Nru blosxom-2.1.0/blosxom.cgi blosxom-2.1.2/blosxom.cgi
--- blosxom-2.1.0/blosxom.cgi 2008-07-22 22:40:01.000000000 +0100
+++ blosxom-2.1.2/blosxom.cgi 2008-10-02 02:09:41.000000000 +0100
@@ -1,8 +1,8 @@
 #!/usr/bin/perl
 # Blosxom
-# Author: Rael Dornfest (2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.0
+# Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
+# Version: 2.1.2 ($Id: blosxom.cgi,v 1.85 2008/10/02 01:09:41 xtaran Exp $)
 # Home/Docs/Licensing: http://blosxom.sourceforge.net/
 # Development/Downloads: http://sourceforge.net/projects/blosxom
@@ -76,6 +76,9 @@
 # 0 = no, 1 = yes
 $static_entries = 0;
+# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
+$encode_xml_entities = 1;
+
 # --------------------------------
 use vars
@@ -88,10 +91,7 @@
 use Time::Local;
 use CGI qw/:standard :netscape/;
-$version = "2.1.0";
-
-# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves)
-$encode_xml_entities = 1;
+$version = "2.1.2";
 # Load configuration from $ENV{BLOSXOM_CONFIG_DIR}/blosxom.conf, if it exists
 my $blosxom_config;
@@ -142,20 +142,39 @@
 );
 @num2month = sort { $month2num{$a} <=> $month2num{$b} } keys %month2num;
-# Use the stated preferred URL or figure it out automatically
-$url ||= url( -path_info => 1 );
-# Unescape %XX hex codes (from URI::Escape::uri_unescape)
-$url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
-$url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
-
-# NOTE: Since v3.12, it looks as if CGI.pm misbehaves for SSIs and
-# always appends path_info to the url. To fix this, we always
-# request an url with path_info, and always remove it from the end of the
-# string.
-my $pi_len = length $ENV{PATH_INFO};
-my $might_be_pi = substr( $url, -$pi_len );
-substr( $url, -length $ENV{PATH_INFO} ) = ''
- if $might_be_pi eq $ENV{PATH_INFO};
+# Use the stated preferred URL or figure it out automatically. Set
+# $url manually in the config section above if CGI.pm doesn't guess
+# the base URL correctly, e.g. when called from a Server Side Includes
+# document or so.
+unless ($url) {
+ $url = url();
+
+ # Unescape %XX hex codes (from URI::Escape::uri_unescape)
+ $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
+
+ # Support being called from inside a SSI document
+ $url =~ s/^included:/http:/ if $ENV{SERVER_PROTOCOL} eq 'INCLUDED';
+
+ # Remove PATH_INFO if it is set but not removed by CGI.pm. This
+ # seems to happen when used with Apache's Alias directive or if
+ # called from inside a Server Side Include document. If that
+ # doesn't help either, set $url manually in the configuration.
+ $url =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};
+
+ # NOTE:
+ #
+ # There is one case where this code does more than necessary, too:
+ # If the URL requested is e.g. http://example.org/blog/blog and
+ # the base URL is correctly determined as http://example.org/blog
+ # by CGI.pm, then this code will incorrectly normalize the base
+ # URL down to http://example.org, because the same string as
+ # PATH_INFO is part of the base URL, too. But this is such a
+ # seldom case and can be fixed by setting $url in the config file,
+ # too.
+}
+
+# The only modification done to a manually set base URL is to strip
+# a trailing slash if present.
 $url =~ s!/$!!;
@@ -195,6 +214,23 @@
 }
 $flavour ||= $default_flavour;
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
+
 # Global variable to be used in head/foot.{flavour} templates
 $path_info = '';
 # Add all @path_info elements to $path_info till we come to one that could be a year
@@ -795,7 +831,7 @@
 rss story $dw, $da $mo $yr $ti:00 $utc_offset
 rss story $url/$yr/$mo_num/$da#$fn
 rss story $path
-rss story $url$path/$fn
+rss story $url$path/$fn
 rss story $body
 rss story
diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/ChangeLog /tmp/nDGUXsC5oH/blosxom-2.1.2/ChangeLog
--- blosxom-2.1.0/ChangeLog 2008-07-22 23:11:15.000000000 +0100
+++ blosxom-2.1.2/ChangeLog 2008-10-02 02:07:26.000000000 +0100
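Review bot: The automatic branch `$url = url();` leaves the base URL request-derived (presumably assembled by CGI.pm from the request's scheme and Host header), and that value is written into syndicated output — see the `rss story $url/$yr/$mo_num/$da#$fn` template line later in this diff — so a crafted Host header or a reverse proxy's internal hostname ends up in feed links unless `$url` is pinned in the config. The new comment block explains the PATH_INFO cases but not this, so I would append `# NOTE: url() takes scheme and host from the incoming request; for feeds, static output or anything cached, set $url explicitly so links do not depend on the request's Host header.` Minor: `s/\Q$ENV{PATH_INFO}\E$//` anchors with `$`, which also matches before a trailing newline; `\z` is the stricter anchor if that ever matters.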
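Review bot: `blosxom_html_escape` only neutralises the flavour for HTML output, but the same value is still used afterwards to select template files (the context line `# Global variable to be used in head/foot.{flavour} templates`), so an attacker-controlled string continues to reach file-name construction; a positive allow-list covers both uses at once and is easier to reason about than output escaping: `$flavour = $default_flavour unless $flavour =~ /\A[A-Za-z0-9_-]+\z/;` placed directly after `$flavour ||= $default_flavour;`. As rendered here the `%escape` map reads as identity mappings (`'<' => '<'`), which is almost certainly the entity text (`&lt;` etc.) lost in extraction, but if the file really contained that the function would be a no-op — worth confirming against the repository. The single-pass `s/($escape_re)/$escape{$1}/g` is correct in that `&` is not double-escaped, and it only works because none of the five keys interpolated into the regex are metacharacters; if the map is ever extended, build the alternation with `quotemeta` or `\Q...\E`.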
@@ -1,12 +1,40 @@ +v2.1.2 + * Fix XSS in $flavour (CVE-2008-2236). Thanks to Yoshinori Ohta of + Business Architects Inc. for making us aware of this issue. + +v2.1.1 + * The "never trust a dot zero release" bugfix release for 2.1.0. + * Added CVS Id keyword to file header. + * Declaring $encode_xml_entities as a config option by moving it into + the config section -- no functionality change. + * Changing isPermalink back to "false" for the default RSS story + template because it won't be a working link in many situations. + This won't change the GUID, but don't let it be used as + anymore. That's what the tag is for anyway. Thanks to Lilo + von Hanffstengel for pointing this out. + * Rewrote the (at least with Apache 2.2's environment) no more working + manual base URL detection code. Made it simpler, easier to + understand and let it only apply, if the base URL was not set + manually. The concept since 2.0.2 was: Always ask for the whole URI + and then remove the PATH_INFO in some cases again. This caused some + havoc. New concept is: Strip PATH_INFO from base URL if CGI.pm + didn't manage to do it. In those rare cases where neither CGI.pm nor + Blosxom manages to correctly determine the base URL, you can easily + set $url in the config file to the correct value and no base URL + magic happens anymore (except the removing of a trailing slash if + present -- as before). Closes: #2032685 + * Added a lot of comments explaining the fixed problems and the + remaining seldom cases where manual configuration is necessary. 
+ v2.1.0 * unescape url returned from CGI.pm to match PATH_INFO escaping * redo path_info handling with much stricter date tests * added support for multiple plugin directories using $plugin_path - * changed plugin loading to use @INC instead of hardcoded - $plugin_dir - * added support for external config file via BLOSXOM_CONFIG_DIR - and/or BLOSXOM_CONFIG_FILE environment variables - * added support for $plugin_list plugin config file + * changed plugin loading to use @INC instead of hardcoded + $plugin_dir + * added support for external config file via BLOSXOM_CONFIG_DIR + and/or BLOSXOM_CONFIG_FILE environment variables + * added support for $plugin_list plugin config file * fixed several RSS and XHTML escaping issues (Closes: #1717980) * made the default templates conforming to HTML 4.01 (Closes: #1609595) 
@@ -20,15 +48,15 @@ * some code refactoring (including a .perltidyrc) v2.0.2 - * fixed path_info to have correct extension in static mode (bug - 1368882) - * fixed filtering bug in static mode (bug 1356997) - * changed DATA section template parsing to allow newlines for - greater readability, and to allow empty templates. - * work-around for bug in CGI::url() when using SSI + * fixed path_info to have correct extension in static mode (bug + 1368882) + * fixed filtering bug in static mode (bug 1356997) + * changed DATA section template parsing to allow newlines for + greater readability, and to allow empty templates. + * work-around for bug in CGI::url() when using SSI v2.0.1 - * Fixed XML escaping of RSS feeds - * Ignore editor backup files in the plugin directory - (i.e. "myplugin~") - * Set path_info variables correctly for all static pages. + * Fixed XML escaping of RSS feeds + * Ignore editor backup files in the plugin directory (i.e. + "myplugin~") + * Set path_info variables correctly for all static pages. diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/debian/blosxom.conf /tmp/nDGUXsC5oH/blosxom-2.1.2/debian/blosxom.conf --- blosxom-2.1.0/debian/blosxom.conf 2008-11-05 14:48:13.000000000 +0000 +++ blosxom-2.1.2/debian/blosxom.conf 2008-11-05 14:48:14.000000000 +0000 @@ -89,6 +89,9 @@ # 0 = no, 1 = yes # $static_entries = 0; +# Should I encode entities for xml content-types? (plugins can turn this off if they do it themselves) +# $encode_xml_entities = 1; + # ------------ leave this last line 1; diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/debian/changelog /tmp/nDGUXsC5oH/blosxom-2.1.2/debian/changelog --- blosxom-2.1.0/debian/changelog 2008-11-05 14:48:13.000000000 +0000 +++ blosxom-2.1.2/debian/changelog 2008-11-05 14:48:14.000000000 +0000 
@@ -1,3 +1,29 @@ +blosxom (2.1.2-1) unstable; urgency=high + + * New upstream release: Fixes Cross-Site Scripting (XSS) vulnerability with + respect to unknown flavours (CVE-2008-2236) (closes: #500873) + * Corrected Axel's email address in Uploaders field, sorry. + + -- Gerfried Fuchs Thu, 02 Oct 2008 12:57:01 +0200 + +blosxom (2.1.1-1) unstable; urgency=low + + [ Gerfried Fuchs ] + * New upstream release which fixes a regression from the previous blosxom + 2.0 version we have currently in stable (closes: #492987) + * Add Vcs-* informations to source control file. + * Forgot to mention in the previous upload that I added Axel Beckert as + Co-Maintainer. Welcome on board. :) + * Update debian/README.Debian with more current informations, especially + related to referencing the proper URLs (closes: #492985) + * Add the moved $encode_xml_entities config option to blosxom.conf, too. + + [ Axel Beckert ] + * Clearified debian/NEWS.Debian with respect to rss aggregators. + * Fix copyright year information for Rael on blosxom.cgi. + + -- Gerfried Fuchs Thu, 07 Aug 2008 17:15:31 -0300 + blosxom (2.1.0-1) unstable; urgency=low * New upstream release which did incorporate all patches and in parts also diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/debian/control /tmp/nDGUXsC5oH/blosxom-2.1.2/debian/control --- blosxom-2.1.0/debian/control 2008-11-05 14:48:13.000000000 +0000 +++ blosxom-2.1.2/debian/control 2008-11-05 14:48:14.000000000 +0000 
@@ -2,9 +2,11 @@ Section: web Priority: optional Maintainer: Gerfried Fuchs -Uploaders: Axel Beckert +Uploaders: Axel Beckert Standards-Version: 3.8.0 Homepage: http://blosxom.sourceforge.net/ +Vcs-Git: git://repo.or.cz/blosxom.git +Vcs-Browser: http://repo.or.cz/r/blosxom.git Package: blosxom Architecture: all diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/debian/copyright /tmp/nDGUXsC5oH/blosxom-2.1.2/debian/copyright --- blosxom-2.1.0/debian/copyright 2008-11-05 14:48:13.000000000 +0000 +++ blosxom-2.1.2/debian/copyright 2008-11-05 14:48:14.000000000 +0000 @@ -16,7 +16,7 @@ Copyright: ========== blosxom.cgi: - Copyright 2003, Rael Dornfest + Copyright 2002-2003, Rael Dornfest Copyright 2005-2008 The Blosxom Development Team plugins/00RssLimit: diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/debian/NEWS.Debian /tmp/nDGUXsC5oH/blosxom-2.1.2/debian/NEWS.Debian --- blosxom-2.1.0/debian/NEWS.Debian 2008-11-05 14:48:13.000000000 +0000 +++ blosxom-2.1.2/debian/NEWS.Debian 2008-11-05 14:48:14.000000000 +0000 
@@ -8,12 +8,12 @@ * MOST IMPORTANTLY: This update adds a new tag into rss feeds: which helps to notice duplicates and not let - them appear again on planets. Though, for the time of switching it might - mean that your last entries might appear as new when planet doesn't check - (which already should be cached) when finding . This is - unfortunate but not really avoidable. To limit impact a new plugin was - added: 00RssLimit which turns the syndicated feed in only pick up the last - 5 entries. + them appear again for aggregators. Though, for the time of switching it + might mean that your last entries might appear as new when aggregators + (like e.g. PlanetPlanet on planet.debian.org) don't check (which + already should be cached) when finding . This is unfortunate but not + really avoidable. To limit impact a new plugin was added: 00RssLimit which + turns the syndicated feed in only pick up the last 5 entries. * The plugin timezone got disabled and gets only installed into a new /etc/blosxom/plugins-available directory which is the first step to the diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/debian/README.Debian /tmp/nDGUXsC5oH/blosxom-2.1.2/debian/README.Debian --- blosxom-2.1.0/debian/README.Debian 2008-11-05 14:48:13.000000000 +0000 +++ blosxom-2.1.2/debian/README.Debian 2008-11-05 14:48:14.000000000 +0000 
@@ -4,12 +4,10 @@ The setup of blosxom has been recently revised to support more flexible setups. The plugins should now be stored below /etc/blosxom/plugins. If you want to disable a plugin you don't have to remove it but can just rename it to -a filename that ends in "_" (e.g. "mv timezone timezone_"). +a filename that ends in "_" (e.g. "mv flavourdir flavourdir_"). The data files has to be placed in /var/lib/blosxom/data including the flavours -in subdirectories below the appropriate blog level. The default flavours are -symlinked to their corresponding /etc/blosxom/flavours files -- if you want to -change them you have to change them there. +in subdirectories below the appropriate blog level. -- Gerfried Fuchs Fri, 01 Apr 2005 07:45:57 +0200 @@ -21,12 +19,12 @@ The plugins included are: -http://raelity.org/apps/blosxom/downloads/plugins/config -http://raelity.org/apps/blosxom/downloads/plugins/flavourdir +http://blosxom.cvs.sourceforge.net/blosxom/blosxom2-plugins/general/config +http://blosxom.cvs.sourceforge.net/blosxom/blosxom2-plugins/general/flavourdir For more plugins, check out: -http://raelity.org/apps/blosxom/plugins -http://www.blosxom.com/plugins/ +http://blosxom.cvs.sourceforge.net/blosxom/blosxom2-plugins/ +http://blosxom.ookee.com/blog/plugins/registry/v2/listing.html -- Dirk Eddelbuettel , Wed Jul 23 22:51:16 2003 diff -Nru /tmp/Qk7NyI42xN/blosxom-2.1.0/t/smoketest/expected.rss /tmp/nDGUXsC5oH/blosxom-2.1.2/t/smoketest/expected.rss --- blosxom-2.1.0/t/smoketest/expected.rss 2008-07-22 23:00:10.000000000 +0100 +++ blosxom-2.1.2/t/smoketest/expected.rss 2008-10-02 11:43:08.000000000 +0100 
@@ -8,14 +8,14 @@ Yet another Blosxom weblog. en http://blogs.law.harvard.edu/tech/rss - blosxom/2.1.0 + blosxom/2.1.2 Lorem ipsum Wed, 19 Jul 2006 22:54:00 +0000 http://localhost/2006/07/19#1 - http://localhost/1 + http://localhost/1 Lorem ipsum dolor sit amet ipso facto.Lorem ipsum dolor sit amet ipso facto.Lorem ipsum dolor sit amet ipso facto. Lorem ipsum dolor sit amet ipso facto.Lorem ipsum dolor sit amet ipso facto.