Prevents disclosure of file existence

Signed-off-by: Parker Moore <parkrmoore@gmail.com>
2014-01-06 23:39:39 -05:00 · 2014-01-06 23:39:39 -05:00 · a8dd34420b
parent c84cb5c007
commit a8dd34420b
2 changed files with 25 additions and 6 deletions
--- a/lib/jekyll/tags/include.rb
+++ b/lib/jekyll/tags/include.rb
@ -95,13 +95,13 @@ eos
      end

      def render(context)
-        dir = File.join(context.registers[:site].source, INCLUDES_DIR)
+        dir = File.join(File.realpath(context.registers[:site].source), INCLUDES_DIR)

        file = render_variable(context) || @file
        validate_file_name(file)

        path = File.join(dir, file)
-        validate_path(path, context.registers[:site].safe)
+        validate_path(path, dir, context.registers[:site].safe)

        begin
          partial = Liquid::Template.parse(source(path, context))
@ -115,14 +115,18 @@ eos
        end
      end

-      def validate_path(path, safe)
-        if !File.exist?(path)
+      def validate_path(path, dir, safe)
+        if safe && !realpath_prefixed_with?(path, dir)
+          raise IOError.new "The included file '#{path}' should exist and should not be a symlink"
+        elsif !File.exist?(path)
          raise IOError.new "Included file '#{path}' not found"
-        elsif path != File.realpath(path) && safe
-          raise IOError.new "The included file '#{path}' should not be a symlink"
        end
      end

+      def realpath_prefixed_with?(path, dir)
+        File.exist?(path) && File.realpath(path).start_with?(dir)
+      end
+
      def blank?
        false
      end
--- a/test/test_tags.rb
+++ b/test/test_tags.rb
@ -381,6 +381,21 @@ CONTENT
        end
        assert_no_match /SYMLINK TEST/, @result
      end
+
+      should "not expose the existence of symlinked files" do
+        ex = assert_raise IOError do
+          content = <<CONTENT
+---
+title: Include symlink
+---
+
+{% include tmp/pages-test-does-not-exist %}
+
+CONTENT
+          create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
+        end
+        assert_match /should exist and should not be a symlink/, ex.message
+      end
    end

    context "with one parameter" do