Jekyll.sanitized_path: sanitizing a questionable path should handle tildes

Parker Moore 2016-02-07 17:52:15 -08:00
parent 2d0c572d29
commit a040af37c0
2 changed files with 11 additions and 1 deletions


@ -153,8 +153,9 @@ module Jekyll
def sanitized_path(base_directory, questionable_path)
return base_directory if base_directory.eql?(questionable_path)
questionable_path.insert(0, '/') if questionable_path.start_with?('~')
clean_path = File.expand_path(questionable_path, "/")
clean_path = clean_path.sub(/\A\w\:\//, '/')
clean_path.sub!(/\A\w\:\//, '/')
if clean_path.start_with?(base_directory.sub(/\A\w\:\//, '/'))
clean_path
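Review bot: The new guard line `questionable_path.insert(0, '/')` mutates the caller's argument in place, so a frozen string (any literal under `# frozen_string_literal: true`, or a value taken from frozen config) raises "can't modify frozen String" instead of being sanitized, and a non-frozen caller silently finds its own string rewritten. A non-mutating form keeps the protection without the side effect: `questionable_path = "/#{questionable_path}" if questionable_path.start_with?('~')`. The reason for the guard is not stated in the hunk and deserves a why-comment above it, e.g. `# A leading "~" would be expanded by File.expand_path into a home directory outside the jail; prefixing "/" makes it a literal path segment.` The body of sanitized_path continues past the end of the hunk.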


@ -15,4 +15,13 @@ class TestPathSanitization < JekyllUnitTest
assert_equal "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd", Jekyll.sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
end
end
should "escape tilde" do
assert_equal source_dir("~hi.txt"), Jekyll.sanitized_path(source_dir, "~hi.txt")
assert_equal source_dir("files", "~hi.txt"), Jekyll.sanitized_path(source_dir, "files/../files/~hi.txt")
end
should "remove path traversals" do
assert_equal source_dir("files", "hi.txt"), Jekyll.sanitized_path(source_dir, "f./../../../../../../files/hi.txt")
end
end
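Review bot: The new "escape tilde" cases only exercise a tilde followed by a plain filename; the home-directory forms that `File.expand_path` treats specially, a bare `~` and a `~user/...` path (the latter raises `ArgumentError` for an unknown user), are not covered, so a regression in that branch would go unnoticed. Adding `assert_equal source_dir("~"), Jekyll.sanitized_path(source_dir, "~")` and a constructed `~nosuchuser/file.txt` case expecting `source_dir("~nosuchuser", "file.txt")` would pin the behavior. Since the implementation now calls `insert` on its argument, a case passing a frozen input such as `"~hi.txt".freeze` would also surface the in-place mutation. The enclosing `context` block of this test class starts before the hunk.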