dan
/
jekyll
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #3077 from jekyll/fix-windows-path-sanitation

This commit is contained in:
Parker Moore 2014-11-08 22:07:52 -08:00
parent ad745702ca 067f8b6be7
commit 95b62e564b
2 changed files with 51 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
benchmark/jekyll-sanitize-path Normal file
View File

@ -0,0 +1,46 @@
#!/usr/bin/env ruby
require_relative '../lib/jekyll'
require 'benchmark/ips'
base_directory = Dir.pwd
Benchmark.ips do |x|
#
# Does not include the base_directory
#
x.report('with no questionable path') do
Jekyll.sanitized_path(base_directory, '')
end
x.report('with a single-part questionable path') do
Jekyll.sanitized_path(base_directory, 'thingy')
end
x.report('with a multi-part questionable path') do
Jekyll.sanitized_path(base_directory, 'thingy/in/my/soup')
end
x.report('with a single-part traversal path') do
Jekyll.sanitized_path(base_directory, '../thingy')
end
x.report('with a multi-part traversal path') do
Jekyll.sanitized_path(base_directory, '../thingy/in/my/../../soup')
end
#
# Including the base_directory
#
x.report('with the exact same paths') do
Jekyll.sanitized_path(base_directory, base_directory)
end
x.report('with a single-part absolute path including the base_directory') do
Jekyll.sanitized_path(base_directory, File.join(base_directory, 'thingy'))
end
x.report('with a multi-part absolute path including the base_directory') do
Jekyll.sanitized_path(base_directory, File.join(base_directory, 'thingy/in/my/soup'))
end
x.report('with a single-part traversal path including the base_directory') do
Jekyll.sanitized_path(base_directory, File.join(base_directory, 'thingy/..'))
end
x.report('with a multi-part traversal path including the base_directory') do
Jekyll.sanitized_path(base_directory, File.join('thingy/in/my/../../soup'))
end
end

7
lib/jekyll.rb
View File

@ -141,9 +141,12 @@ module Jekyll
# #
# Returns the sanitized path. # Returns the sanitized path.
def sanitized_path(base_directory, questionable_path) def sanitized_path(base_directory, questionable_path)
return base_directory if base_directory.eql?(questionable_path)
clean_path = File.expand_path(questionable_path, "/") clean_path = File.expand_path(questionable_path, "/")
clean_path.gsub!(/\A\w\:\//, '/') clean_path = clean_path.sub(/^\A\w\:\//, '/')
unless clean_path.start_with?(base_directory)
unless clean_path.start_with?(base_directory.sub(/^\A\w\:\//, '/'))
File.join(base_directory, clean_path) File.join(base_directory, clean_path)
else else
clean_path clean_path