restrict include filenames
parent
d0fbfca205
commit
8a2a42ba71
|
@ -6,6 +6,7 @@
|
||||||
* Added new date filter that shows the full month name [github.com/mreid]
|
* Added new date filter that shows the full month name [github.com/mreid]
|
||||||
* Make post's YAML front matter available as post.data [github.com/remi]
|
* Make post's YAML front matter available as post.data [github.com/remi]
|
||||||
* Merge Post's YAML front matter into its to_liquid payload [github.com/remi]
|
* Merge Post's YAML front matter into its to_liquid payload [github.com/remi]
|
||||||
|
* Restrict includes to regular files underneath _includes
|
||||||
* Bug Fixes
|
* Bug Fixes
|
||||||
* Change YAML delimiter matcher so as to not chew up 2nd level markdown headers [github.com/mreid]
|
* Change YAML delimiter matcher so as to not chew up 2nd level markdown headers [github.com/mreid]
|
||||||
* Fix bug that meant page data (such as the date) was not available in templates [github.com/mreid]
|
* Fix bug that meant page data (such as the date) was not available in templates [github.com/mreid]
|
||||||
|
|
|
@ -7,7 +7,18 @@ module Jekyll
|
||||||
end
|
end
|
||||||
|
|
||||||
def render(context)
|
def render(context)
|
||||||
File.read(File.join(Jekyll.source, '_includes', @file))
|
if @file !~ /^[a-zA-Z0-9_\/\.-]+$/ || @file =~ /\.\// || @file =~ /\/\./
|
||||||
|
return "Include file '#{@file}' contains invalid characters or sequences"
|
||||||
|
end
|
||||||
|
|
||||||
|
Dir.chdir(File.join(Jekyll.source, '_includes')) do
|
||||||
|
choices = Dir['**/*'].reject { |x| File.symlink?(x) }
|
||||||
|
if choices.include?(@file)
|
||||||
|
File.read(@file)
|
||||||
|
else
|
||||||
|
"Included file '#{@file}' not found in _includes directory"
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
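Review bot: The character allowlist at the top of `render` is anchored with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string, so a multi-line `@file` passes whenever one of its lines is clean; anchor it with `\A` and `\z` instead: `if @file !~ /\A[a-zA-Z0-9_\/\.-]+\z/ || @file =~ /\.\// || @file =~ /\/\./`. The later `choices.include?(@file)` lookup still limits what is actually read, but a value that slips past the regex is interpolated unchanged into the "not found" string that is returned as rendered output. Separately, `Dir['**/*']` lists directories as well as files, so the "regular files" restriction from the changelog is not enforced and an include that names a subdirectory would reach `File.read`; `choices = Dir['**/*'].select { |x| File.file?(x) && !File.symlink?(x) }` would close that. Whether the tag markup can contain a newline at all depends on the parsing code, which lies outside this hunk.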