restrict include filenames

History.txt

@@ -6,6 +6,7 @@
     * Added new date filter that shows the full month name [github.com/mreid]
     * Make post's YAML front matter available as post.data [github.com/remi]
     * Merge Post's YAML front matter into its to_liquid payload [github.com/remi]
+    * Restrict includes to regular files underneath _includes
   * Bug Fixes
     * Change YAML delimiter matcher so as to not chew up 2nd level markdown headers [github.com/mreid]
     * Fix bug that meant page data (such as the date) was not available in templates [github.com/mreid]

lib/jekyll/tags/include.rb

@@ -7,7 +7,18 @@ module Jekyll
     end
     
     def render(context)
-      File.read(File.join(Jekyll.source, '_includes', @file))
+      if @file !~ /^[a-zA-Z0-9_\/\.-]+$/ || @file =~ /\.\// || @file =~ /\/\./
+        return "Include file '#{@file}' contains invalid characters or sequences"
+      end
+      
+      Dir.chdir(File.join(Jekyll.source, '_includes')) do
+        choices = Dir['**/*'].reject { |x| File.symlink?(x) }
+        if choices.include?(@file)
+          File.read(@file)
+        else
+          "Included file '#{@file}' not found in _includes directory"
+        end
+      end
     end
   end