dan
/
jekyll
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2175 from jekyll/security-yo

This commit is contained in:
Parker Moore 2014-03-29 23:18:07 -04:00
parent 24e4c2706a 009e2c200d
commit 840ef35be9
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/jekyll.rb
View File

@ -111,7 +111,7 @@ module Jekyll
def self.sanitized_path(base_directory, questionable_path) def self.sanitized_path(base_directory, questionable_path)
clean_path = File.expand_path(questionable_path, fs_root) clean_path = File.expand_path(questionable_path, fs_root)
clean_path.gsub!(/\w\:\//, '/') clean_path.gsub!(/\A\w\:\//, '/')
unless clean_path.start_with?(base_directory) unless clean_path.start_with?(base_directory)
File.join(base_directory, clean_path) File.join(base_directory, clean_path)
else else

4
test/test_path_sanitization.rb
View File

@ -10,5 +10,9 @@ class TestPathSanitization < Test::Unit::TestCase
should "strip drive name from path" do should "strip drive name from path" do
assert_equal "C:/Users/xmr/Desktop/mpc-hc.org/_site", Jekyll.sanitized_path(@source, @dest) assert_equal "C:/Users/xmr/Desktop/mpc-hc.org/_site", Jekyll.sanitized_path(@source, @dest)
end end
should "strip just the initial drive name" do
assert_equal "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd", Jekyll.sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
end
end end
end end