diff --git a/History.markdown b/History.markdown index 2b24a9eb..fe27a924 100644 --- a/History.markdown +++ b/History.markdown @@ -38,6 +38,8 @@ * Change short opts for host and port for `jekyll docs` to be consistent with other subcommands (#1877) * Fix typos (#1910) + * Lock Maruku at 0.7.0 to prevent bugs caused by Maruku 0.7.1 (#1958) + * Fixes full path leak to source directory when using include tag (#1951) ### Development Fixes * Add a link to the site in the README.md file (#1795) @@ -51,6 +53,8 @@ (#1927) * Rename `read_things` to `read_content` (#1928) * Add `script/branding` script for ASCII art lovin' (#1936) + * Update the README to reflect the repo move (#1943) + * Add the project vision to the README (#1935) ### Site Enhancements * Document Kramdown's GFM parser option (#1791) @@ -71,6 +75,20 @@ * Disallow selection of path and prompt in bash examples * Add jekyll-compass to the plugin list (#1923) * Add note in Posts docs about stripping `

` tags from excerpt (#1933) + * Add additional info about the new exclude behavior (#1938) + * Linkify 'awesome contributors' to point to the contributors graph on + GitHub (#1940) + * Update `docs/sites.md` link to GitHub Training materials (#1949) + * Update `master` with the release info from 1.4.3 (#1947) + * Define docs nav in datafile (#1953) + * Clarify the docs around the naming convention for posts (#1971) + * Add missing `next` and `previous` docs for post layouts and templates (#1970) + * Add note to `Writing posts` page about how to strip html from excerpt (#1962) + +## 1.4.3 / 2014-01-13 + +### Bug Fixes + * Patch show-stopping security vulnerabilities (#1944) ## 1.4.2 / 2013-12-16 diff --git a/README.markdown b/README.markdown index 05ade2f9..228881db 100644 --- a/README.markdown +++ b/README.markdown 
@@ -7,9 +7,13 @@ [![Dependency Status](https://gemnasium.com/jekyll/jekyll.png)](https://gemnasium.com/jekyll/jekyll) [![Coverage Status](https://coveralls.io/repos/jekyll/jekyll/badge.png)](https://coveralls.io/r/jekyll/jekyll) -By Tom Preston-Werner, Nick Quaranto, and many awesome contributors! +By Tom Preston-Werner, Nick Quaranto, and many [awesome contributors](https://github.com/jekyll/jekyll/graphs/contributors)! -Jekyll is a simple, blog aware, static site generator. It takes a template directory (representing the raw form of a website), runs it through Textile or Markdown and Liquid converters, and spits out a complete, static website suitable for serving with Apache or your favorite web server. This is also the engine behind [GitHub Pages](http://pages.github.com), which you can use to host your project's page or blog right here from GitHub. +Jekyll is a simple, blog-aware, static site generator perfect for personal, project, or organization sites. Think of it like a file-based CMS, without all the complexity. Jekyll takes your content, renders Markdown and Liquid templates, and spits out a complete, static website ready to be served by Apache, Nginx or another web server. Jekyll is the engine behind [GitHub Pages](http://pages.github.com), which you can use to host sites right from your GitHub repositories. + +## Philosophy + +Jekyll does what you tell it to do — no more, no less. It doesn't try to outsmart users by making bold assumptions, nor does it burden them with needless complexity and configuration. Put simply, Jekyll gets out of your way and allows you to concentrate on what truly matters: your content. ## Getting Started diff --git a/jekyll.gemspec b/jekyll.gemspec index 04a20e23..f5011ba9 100644 --- a/jekyll.gemspec +++ b/jekyll.gemspec 
@@ -24,10 +24,10 @@ Gem::Specification.new do |s| s.rdoc_options = ["--charset=UTF-8"] s.extra_rdoc_files = %w[README.markdown LICENSE] - s.add_runtime_dependency('liquid', "~> 2.5.2") + s.add_runtime_dependency('liquid', "~> 2.5.5") s.add_runtime_dependency('classifier', "~> 1.3") s.add_runtime_dependency('listen', "~> 1.3") - s.add_runtime_dependency('maruku', "~> 0.7.0") + s.add_runtime_dependency('maruku', "0.7.0") s.add_runtime_dependency('pygments.rb', "~> 0.5.0") s.add_runtime_dependency('mercenary', "~> 0.2.0") s.add_runtime_dependency('safe_yaml', "~> 1.0") @@ -129,6 +129,8 @@ Gem::Specification.new do |s| lib/site_template/css/syntax.css lib/site_template/index.html script/bootstrap + script/branding + script/cibuild site/.gitignore site/CNAME site/README @@ -168,6 +170,9 @@ Gem::Specification.new do |s| site/_posts/2013-11-04-jekyll-1-3-0-released.markdown site/_posts/2013-11-26-jekyll-1-3-1-released.markdown site/_posts/2013-12-07-jekyll-1-4-0-released.markdown + site/_posts/2013-12-09-jekyll-1-4-1-released.markdown + site/_posts/2013-12-16-jekyll-1-4-2-released.markdown + site/_posts/2014-01-13-jekyll-1-4-3-released.markdown site/css/screen.css site/docs/configuration.md site/docs/contributing.md @@ -196,6 +201,7 @@ Gem::Specification.new do |s| site/docs/upgrading.md site/docs/usage.md site/docs/variables.md + site/docs/windows.md site/favicon.png site/feed.xml site/freenode.txt @@ -222,6 +228,7 @@ Gem::Specification.new do |s| test/source/_data/languages.yml test/source/_data/members.yaml test/source/_data/products.yml + test/source/_includes/include.html test/source/_includes/params.html test/source/_includes/sig.markdown test/source/_layouts/default.html 
@@ -261,6 +268,8 @@ Gem::Specification.new do |s| test/source/_posts/2013-05-10-number-category.textile test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown test/source/_posts/2013-08-01-mkdn-extension.mkdn + test/source/_posts/2013-12-17-include-variable-filters.markdown + test/source/_posts/2013-12-20-properties.text test/source/_posts/es/2008-11-21-nested.textile test/source/about.html test/source/category/_posts/2008-9-23-categories.textile @@ -272,6 +281,7 @@ Gem::Specification.new do |s| test/source/foo/_posts/bar/2008-12-12-topical-post.textile test/source/index.html test/source/products.yml + test/source/properties.html test/source/sitemap.xml test/source/symlink-test/_data test/source/symlink-test/symlinked-dir diff --git a/lib/jekyll/tags/include.rb b/lib/jekyll/tags/include.rb index 5c679dc1..adc7c2bf 100644 --- a/lib/jekyll/tags/include.rb +++ b/lib/jekyll/tags/include.rb @@ -102,7 +102,7 @@ eos validate_file_name(file) path = File.join(dir, file) - validate_file(path, context.registers[:site].safe) + validate_file(context.registers[:site].source, path, context.registers[:site].safe) begin partial = Liquid::Template.parse(source(path, context)) @@ -122,11 +122,12 @@ eos end end - def validate_file(file, safe) + def validate_file(sourcedir, file, safe) + relative_file = Pathname.new(file).relative_path_from(Pathname.new(sourcedir)) if !File.exists?(file) - raise IOError.new "Included file '#{file}' not found" + raise IOError.new "Included file '#{relative_file}' not found" elsif File.symlink?(file) && safe - raise IOError.new "The included file '#{file}' should not be a symlink" + raise IOError.new "The included file '#{relative_file}' should not be a symlink" end end diff --git a/site/_data/docs.yml b/site/_data/docs.yml new file mode 100644 index 00000000..1c790636 --- /dev/null +++ b/site/_data/docs.yml 
@@ -0,0 +1,44 @@ +- title: Getting Started + docs: + - home + - quickstart + - installation + - usage + - structure + - configuration + +- title: Your Content + docs: + - frontmatter + - posts + - drafts + - pages + - variables + - datafiles + - assets + - migrations + +- title: Customization + docs: + - templates + - permalinks + - pagination + - plugins + - extras + +- title: Deployment + docs: + - github-pages + - deployment-methods + +- title: Miscellaneous + docs: + - troubleshooting + - sites + - resources + - upgrading + +- title: Meta + docs: + - contributing + - history diff --git a/site/_includes/docs_contents.html b/site/_includes/docs_contents.html index bed2a66c..2ac64bb4 100644 --- a/site/_includes/docs_contents.html +++ b/site/_includes/docs_contents.html @@ -1,16 +1,8 @@

diff --git a/site/_includes/docs_contents_mobile.html b/site/_includes/docs_contents_mobile.html index 6313a59f..b3e0110c 100644 --- a/site/_includes/docs_contents_mobile.html +++ b/site/_includes/docs_contents_mobile.html @@ -1,23 +1,10 @@
diff --git a/site/_includes/docs_option.html b/site/_includes/docs_option.html index 8284ed96..a1e29cac 100644 --- a/site/_includes/docs_option.html +++ b/site/_includes/docs_option.html @@ -1,4 +1,4 @@ -{% assign items = include.items | split: ' ' %} +{% assign items = include.items %} {% for item in items %} {% assign item_url = item | prepend:'/docs/' | append:'/' %} diff --git a/site/_includes/docs_ul.html b/site/_includes/docs_ul.html index 4ba82479..99ac26ef 100644 --- a/site/_includes/docs_ul.html +++ b/site/_includes/docs_ul.html @@ -1,4 +1,4 @@ -{% assign items = include.items | split: ' ' %} +{% assign items = include.items %} diff --git a/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown b/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown new file mode 100644 index 00000000..a97bcec4 --- /dev/null +++ b/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown 
@@ -0,0 +1,26 @@ +--- +layout: news_item +title: 'Jekyll 1.4.3 Released' +date: 2014-01-13 17:43:32 -0800 +author: benbalter +version: 1.4.3 +categories: [release] +--- + +Jekyll 1.4.3 contains two **critical** security fixes. If you run Jekyll locally +and do not run Jekyll in "safe" mode (e.g. you do not build Jekyll sites on behalf +of others), you are not affected and are not required to update at this time. +([See pull request.]({{ site.repository }}/pull/1944)) + +Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious +users to expose the content of files outside the source directory in the +generated output via improper symlink sanitization, potentially resulting in an +inadvertent information disclosure. + +Versions of Jekyll prior to 1.4.3 may also allow malicious users to write +arbitrary `.html` files outside of the destination folder via relative path +traversal, potentially overwriting otherwise-trusted content with arbitrary HTML +or Javascript depending on your server's configuration. + +*Maintainer's note: Many thanks to @gregose and @charliesome for discovering +these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.* diff --git a/site/docs/configuration.md b/site/docs/configuration.md index 10f5b10c..8ca54f86 100644 --- a/site/docs/configuration.md +++ b/site/docs/configuration.md @@ -67,7 +67,7 @@ class="flag">flags (specified on the command-line) that control them.

Exclude directories and/or files from the conversion. These exclusions are relative to the site's - source directory. + source directory and cannot be outside the source directory.

diff --git a/site/docs/posts.md b/site/docs/posts.md index f93eb6b5..a8f918f8 100644 --- a/site/docs/posts.md +++ b/site/docs/posts.md @@ -155,6 +155,8 @@ If you don't like the automatically-generated post excerpt, it can be overridden `excerpt` to your post's YAML front-matter. Completely disable it by setting your `excerpt_separator` to `""`. +Also, as with any output generated by Liquid tags, you can pass the `| strip_html` flag to remove any html tags in the output. This is particularly helpful if you wish to output a post excerpt as a `meta="description"` tag within the post `head`, or anywhere else having html tags along with the content is not desirable. + ## Highlighting code snippets Jekyll also has built-in support for syntax highlighting of code snippets using diff --git a/site/docs/structure.md b/site/docs/structure.md index d03baee0..c178a65f 100644 --- a/site/docs/structure.md +++ b/site/docs/structure.md @@ -113,7 +113,7 @@ An overview of what each of these does:

- Your dynamic content, so to speak. The format of these files is + Your dynamic content, so to speak. The naming convention of these files is important, and must follow the format: YEAR-MONTH-DAY-title.MARKUP. The permalinks can be customized for each diff --git a/site/docs/variables.md b/site/docs/variables.md index 89e11a52..96578311 100644 --- a/site/docs/variables.md +++ b/site/docs/variables.md @@ -244,6 +244,24 @@ following is a reference of the available data.

+ +

page.next

+

+ + The next post relative to the position of the current post in + site.posts. Returns nil for the last entry. + +

+ + +

page.previous

+

+ + The previous post relative to the position of the current post in + site.posts. Returns nil for the first entry. + +

+ diff --git a/test/test_entry_filter.rb b/test/test_entry_filter.rb index ce50b6a8..aea09601 100644 --- a/test/test_entry_filter.rb +++ b/test/test_entry_filter.rb @@ -72,7 +72,7 @@ class TestEntryFilter < Test::Unit::TestCase end end - context "glob_include?" do + context "#glob_include?" do setup do stub(Jekyll).configuration do Jekyll::Configuration::DEFAULTS.merge({'source' => source_dir, 'destination' => dest_dir}) diff --git a/test/test_tags.rb b/test/test_tags.rb index 8ecaf19b..efc108bd 100644 --- a/test/test_tags.rb +++ b/test/test_tags.rb @@ -487,6 +487,25 @@ CONTENT end end + context "include missing file" do + setup do + @content = < 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true}) + end + assert_equal 'Included file \'_includes/missing.html\' not found', exception.message + end + end + context "include tag with variable and liquid filters" do setup do stub(Jekyll).configuration do
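Review bot: in the `validate_file(sourcedir, file, safe)` hunk of lib/jekyll/tags/include.rb, `relative_file` is computed before either check, and `Pathname#relative_path_from` raises `ArgumentError` when one path is absolute and the other relative, which would replace the intended `IOError` with an unrelated exception; suggest normalising both sides first, e.g. `relative_file = Pathname.new(File.expand_path(file)).relative_path_from(Pathname.new(File.expand_path(sourcedir)))`. The hunk also relies on `Pathname` without a visible `require 'pathname'`; confirm it is loaded elsewhere. Note too that when `dir` resolves outside `sourcedir` the relative path still carries `..` segments, so the message only stops leaking the absolute source path if `validate_file_name` already rejects such names. While touching these lines, `File.exists?` should become `File.exist?`, which is the non-deprecated form.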
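Review bot: `s.add_runtime_dependency('maruku', "0.7.0")` in jekyll.gemspec is an exact pin, so downstream gemspecs cannot pick up a later 0.7.x fix without a new Jekyll release; that is a reasonable stopgap for the 0.7.1 problems named in History.markdown, but leave a comment next to the line so the pin is revisited, e.g. `# exact pin until the Maruku 0.7.1 regressions are resolved (#1958)`.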
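Review bot: in the first History.markdown hunk, "Fixes full path leak to source directory when using include tag (#1951)" uses a different verb form from the neighbouring entries ("Fix typos", "Lock Maruku", "Add a link"); change it to "Fix full path leak ..." for consistency.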
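Review bot: the new "## 1.4.3 / 2014-01-13" entry in History.markdown, "Patch show-stopping security vulnerabilities (#1944)", gives a reader of the changelog no indication of which behaviours changed; since the release post added in this same change describes both issues (symlink handling and destination path traversal), link or summarise them here so users scanning the history can judge whether they need to upgrade.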
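Review bot: in the site/_posts/2014-01-13-jekyll-1-4-3-released.markdown hunk, the opening paragraph tells readers who do not use "safe" mode that they "are not affected", yet only the symlink paragraph is explicitly scoped to that mode; the path-traversal paragraph ("Versions of Jekyll prior to 1.4.3 may also allow malicious users to write arbitrary `.html` files outside of the destination folder") states no such condition. State for each issue whether safe mode is a precondition, and use one form for the affected range (the first paragraph says "prior to 1.4.3 and greater than 1.2.0", the second just "prior to 1.4.3"). Minor: "Javascript" should be "JavaScript".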
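Review bot: in the site/docs/posts.md hunk, `strip_html` is a Liquid filter, not a "flag", and "html" should be "HTML"; also, `meta="description"` is not a valid element, the intended markup is a `<meta name="description">` tag. Suggest: "you can apply the `strip_html` filter (`{{ post.excerpt | strip_html }}`) to remove HTML tags from the output, which is useful when placing an excerpt in a `<meta name="description">` tag in the page `head`".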
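Review bot: the new "include missing file" context in test/test_tags.rb only exercises the "not found" branch of `validate_file`, while the same include.rb change also rewrote the symlink message; add a safe-mode case with a symlinked include that asserts the message reads "The included file '_includes/<name>' should not be a symlink". In both cases an additional `assert !exception.message.include?(source_dir)` would test the leak fix directly rather than only the new wording.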
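Review bot: the site/_includes/docs_option.html and site/_includes/docs_ul.html hunks drop `| split: ' '`, so `include.items` must now already be an array (the lists from the new site/_data/docs.yml); any remaining caller that still passes a space-separated string will no longer iterate as intended. Confirm that docs_contents.html and docs_contents_mobile.html, whose bodies are changed in this same diff, pass `section.docs` arrays rather than strings.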