23 Jul 2016

Blosxom 'Feedback' plugin updated

As part of making comments great again, I did a little hacking on Frank Hecker’s Feedback plugin for Blosxom in order to make it work with Perl 5.22, which is what the SDF currently uses by default.

It’s not exactly great moments in software engineering or anything, but in case anybody else was running into the same problem, I put the changed – I won’t go so far as to say “improved”, since I’ve barely tested it yet – version up on GitHub.

For now, the changes are only in the “dev” branch, while “master” contains Hecker’s original:
https://github.com/kadin2048/blosxom-feedback/tree/dev

Anyone else still using Blosxom and the Feedback plugin is encouraged to play with it and test it out. The most important change is probably this one, which may or may not fix a parameter-sanitization vulnerability. I have no evidence to suggest that Feedback actually had the vulnerability; the problem was discovered in Bugzilla, which also uses the Perl CGI module, and that discovery led to the addition of a security warning to CGI.pm.

The (potential) issue that this solves is discussed in the article “New Class of Vulnerability in Perl Web Applications” by Gervase Markham, and the change to CGI.pm is mentioned in the comments.
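To make the issue concrete, here is an added illustration of the CGI.pm pattern the article describes, written for this post rather than taken from the Feedback plugin; the query string, the hypothetical `build_comment_*` functions and the `approved` field are all constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request. A normal form submission would send a single
# "name" value; here the same parameter is repeated so that param()
# returns three values for it in list context.
my $q = CGI->new('name=alice&name=approved&name=1&email=a%40example.org');

# Risky pattern: param() called in list context inside a hash constructor.
# All values of 'name' flatten into the list, so the pair
# ('approved' => 1) ends up as a hash key the code never intended to set.
# Newer CGI.pm versions print a "called in list context" warning here.
sub build_comment_unsafe {
    my ($cgi) = @_;
    return {
        name  => $cgi->param('name'),
        email => $cgi->param('email'),
    };
}

# Fixed pattern: force scalar context so each parameter contributes exactly
# one value. Where a list of values is genuinely wanted, newer CGI.pm
# provides multi_param() for that explicit purpose.
sub build_comment_safe {
    my ($cgi) = @_;
    return {
        name  => scalar $cgi->param('name'),
        email => scalar $cgi->param('email'),
    };
}

# Compare the two: only the unsafe version acquires an 'approved' key.
for my $pair ([unsafe => \&build_comment_unsafe], [safe => \&build_comment_safe]) {
    my ($label, $builder) = @$pair;
    my $comment = $builder->($q);
    printf "%-6s name=%s email=%s approved=%s\n",
        $label, $comment->{name}, $comment->{email},
        $comment->{approved} // '(absent)';
}
```

The same flattening applies anywhere `param()` feeds a list, such as a hash slice or a function call taking key/value pairs, so the `scalar` fix is worth applying throughout a plugin rather than at one site only.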

Some other changes made to Feedback include adding support for SMTP Auth, and the ability to specify a port for SMTP mail submission. These are useful if you need to use a standalone mailhost that requires authentication and use of port 587, which is increasingly common in shared-hosting environments.

This entry was converted from an older version of the site; if desired, it can be viewed in its original format.