escape relative post permalinks, cleanup

Signed-off-by: Parker Moore <parkrmoore@gmail.com>
Ben Balter 2014-01-06 23:34:13 -05:00 committed by Parker Moore
parent a799e41b70
commit c84cb5c007
2 changed files with 4 additions and 2 deletions


@ -270,7 +270,7 @@ module Jekyll
# Returns destination file path String. # Returns destination file path String.
def destination(dest) def destination(dest)
# The url needs to be unescaped in order to preserve the correct filename # The url needs to be unescaped in order to preserve the correct filename
path = File.join(dest, CGI.unescape(self.url)) path = File.join(dest, File.expand_path(CGI.unescape(self.url), "/"))
path = File.join(path, "index.html") if path[/\.html$/].nil? path = File.join(path, "index.html") if path[/\.html$/].nil?
path path
end end
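Review bot: The containment added in `destination` is implicit, and the comment above it still only explains the unescape, so a later cleanup could drop the `File.expand_path(..., "/")` wrapper without realising it is the traversal guard. I would extend the comment to something like `# expand_path against "/" collapses ".." segments so the joined path stays under dest`. The normalisation is also purely lexical and assumes a POSIX root: on Windows `File.expand_path` returns a drive-prefixed path, which `File.join(dest, ...)` would probably turn into a broken destination, and symlinks already inside dest are not resolved. If other `destination` implementations in the project build paths from a URL the same way (not visible in this hunk), they need the same treatment.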


@ -104,11 +104,13 @@ class TestPost < Test::Unit::TestCase
end end
should "not be writable outside of destination" do should "not be writable outside of destination" do
unexpected = File.expand_path("../../../baddie.html", dest_dir)
File.delete unexpected if File.exist?(unexpected)
post = setup_post("2014-01-06-permalink-traversal.md") post = setup_post("2014-01-06-permalink-traversal.md")
do_render(post) do_render(post)
post.write(dest_dir) post.write(dest_dir)
assert !File.exist?(File.expand_path("../../../baddie.html", dest_dir)) assert !File.exist?(unexpected)
assert File.exist?(File.expand_path("baddie.html", dest_dir)) assert File.exist?(File.expand_path("baddie.html", dest_dir))
end end