Merge pull request #2175 from jekyll/security-yo

2014-03-29 23:18:07 -04:00 · 2014-03-29 23:18:07 -04:00 · 840ef35be9
parent 24e4c2706a 009e2c200d
commit 840ef35be9
2 changed files with 5 additions and 1 deletions
--- a/lib/jekyll.rb
+++ b/lib/jekyll.rb
@ -111,7 +111,7 @@ module Jekyll

  def self.sanitized_path(base_directory, questionable_path)
    clean_path = File.expand_path(questionable_path, fs_root)
-    clean_path.gsub!(/\w\:\//, '/')
+    clean_path.gsub!(/\A\w\:\//, '/')
    unless clean_path.start_with?(base_directory)
      File.join(base_directory, clean_path)
    else
--- a/test/test_path_sanitization.rb
+++ b/test/test_path_sanitization.rb
@ -10,5 +10,9 @@ class TestPathSanitization < Test::Unit::TestCase
    should "strip drive name from path" do
      assert_equal "C:/Users/xmr/Desktop/mpc-hc.org/_site", Jekyll.sanitized_path(@source, @dest)
    end
+
+    should "strip just the initial drive name" do
+      assert_equal "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd", Jekyll.sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
+    end
  end
 end