dan
/
jekyll
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix full path leak to source directory when using include tag

This commit is contained in:
Jens Nazarenus 2014-01-14 22:56:47 +01:00
parent ea94e5dd1c
commit 4c140efba8
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/jekyll/tags/include.rb
View File

@ -102,7 +102,7 @@ eos
validate_file_name(file) validate_file_name(file)
path = File.join(dir, file) path = File.join(dir, file)
validate_file(path, context.registers[:site].safe) validate_file(context.registers[:site].source, path, context.registers[:site].safe)
begin begin
partial = Liquid::Template.parse(source(path, context)) partial = Liquid::Template.parse(source(path, context))
@ -122,11 +122,12 @@ eos
end end
end end
def validate_file(file, safe) def validate_file(sourcedir, file, safe)
relative_file = Pathname.new(file).relative_path_from(Pathname.new(sourcedir))
if !File.exists?(file) if !File.exists?(file)
raise IOError.new "Included file '#{file}' not found" raise IOError.new "Included file '#{relative_file}' not found"
elsif File.symlink?(file) && safe elsif File.symlink?(file) && safe
raise IOError.new "The included file '#{file}' should not be a symlink" raise IOError.new "The included file '#{relative_file}' should not be a symlink"
end end
end end