dan
/
jekyll
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

url escape before sanitizing 

Signed-off-by: Parker Moore <parkrmoore@gmail.com>
This commit is contained in:
Ben Balter 2014-01-06 19:50:59 -05:00 committed by Parker Moore
parent 9e796d0627
commit 9b3068c15d
2 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/jekyll/url.rb
View File

@ -50,8 +50,12 @@ module Jekyll
# Returns a sanitized String URL # Returns a sanitized String URL
def sanitize_url(in_url) def sanitize_url(in_url)
# prevent escaped periods from bypassing sanitization
url = URI.unescape(in_url)
# Remove all double slashes # Remove all double slashes
url = in_url.gsub(/\/\//, "/") url = url.gsub(/\/\//, "/")
# Remove every URL segment that consists solely of dots # Remove every URL segment that consists solely of dots
url = url.split('/').reject{ |part| part =~ /^\.+$/ }.join('/') url = url.split('/').reject{ |part| part =~ /^\.+$/ }.join('/')
@ -61,7 +65,8 @@ module Jekyll
# Always add a leading slash # Always add a leading slash
url.gsub!(/\A([^\/])/, '/\1') url.gsub!(/\A([^\/])/, '/\1')
url
URI.escape url
end end
end end
end end

2
test/test_post.rb
View File

@ -109,7 +109,7 @@ class TestPost < Test::Unit::TestCase
post.write(dest_dir) post.write(dest_dir)
assert !File.exist?(File.expand_path("../baddie.html", dest_dir)) assert !File.exist?(File.expand_path("../baddie.html", dest_dir))
assert File.exist(File.expand_path("/baddie.html", dest_dir)) assert File.exist?(File.expand_path("baddie.html", dest_dir))
end end
context "with CRLF linebreaks" do context "with CRLF linebreaks" do