sanity check for pages permalink traversal

Signed-off-by: Parker Moore <parkrmoore@gmail.com>
This commit is contained in:
Ben Balter 2014-01-06 23:51:13 -05:00 committed by Parker Moore
parent a8dd34420b
commit e3be74e376
5 changed files with 18 additions and 3 deletions


@ -135,7 +135,7 @@ module Jekyll
# #
# Returns the destination file path String. # Returns the destination file path String.
def destination(dest) def destination(dest)
path = File.join(dest, self.url) path = File.join(dest, File.expand_path(self.url, "/"))
path = File.join(path, "index.html") if self.url =~ /\/$/ path = File.join(path, "index.html") if self.url =~ /\/$/
path path
end end
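Review bot: The new `File.expand_path(self.url, "/")` on the `path =` line carries no comment saying why the url is re-anchored at "/", so a later reader may take it for a no-op and fold it back into the plain `File.join`; add `# Anchor the url at "/" so ".." segments from a permalink collapse before joining onto dest (see test/source/exploit.md)`. The protection relies on the traversal appearing literally as `..` in `self.url` at this point; if the url still carried the `%2e%2e` form from the permalink, expand_path would have nothing to normalise, which is harmless for the filesystem but worth pinning down in the test. If other writers build their destination with the same `File.join(dest, url)` shape (Post, StaticFile), they presumably need the same anchoring; that cannot be confirmed from this hunk.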

test/source/exploit.md Normal file

@ -0,0 +1,5 @@
---
permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
---
# Test


@ -131,7 +131,7 @@ class TestFilters < Test::Unit::TestCase
assert_equal 2, g["items"].size assert_equal 2, g["items"].size
when "" when ""
assert g["items"].is_a?(Array), "The list of grouped items for '' is not an Array." assert g["items"].is_a?(Array), "The list of grouped items for '' is not an Array."
assert_equal 5, g["items"].size assert_equal 6, g["items"].size
end end
end end
end end


@ -124,6 +124,16 @@ class TestPage < Test::Unit::TestCase
assert_equal @page.permalink, @page.url assert_equal @page.permalink, @page.url
assert_equal "/about/", @page.dir assert_equal "/about/", @page.dir
end end
should "not be writable outside of destination" do
unexpected = File.expand_path("../../../baddie.html", dest_dir)
File.delete unexpected if File.exist?(unexpected)
page = setup_page("exploit.md")
do_render(page)
page.write(dest_dir)
assert !File.exist?(unexpected)
end
end end
context "with specified layout of nil" do context "with specified layout of nil" do
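Review bot: The new `should "not be writable outside of destination"` block only proves the traversal target is absent, so it passes just as well if the page is never written at all; add a positive check after `assert !File.exist?(unexpected)`, for example `assert File.exist?(File.join(dest_dir, "baddie.html"))` if that is the intended destination once the url is anchored at "/". The leading `File.delete unexpected if File.exist?(unexpected)` clears a stale file from an earlier run, but nothing removes it after a failing assertion, so a red run leaves `baddie.html` three directories above `dest_dir`; an `ensure` that deletes `unexpected` would keep failures from contaminating the tree. The `should` block is complete within the hunk, while the enclosing context starts outside it.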


@ -157,7 +157,7 @@ class TestSite < Test::Unit::TestCase
should "sort pages alphabetically" do should "sort pages alphabetically" do
stub.proxy(Dir).entries { |entries| entries.reverse } stub.proxy(Dir).entries { |entries| entries.reverse }
@site.process @site.process
sorted_pages = %w(.htaccess about.html bar.html contacts.html deal.with.dots.html foo.md index.html index.html properties.html sitemap.xml symlinked-file) sorted_pages = %w(.htaccess about.html bar.html contacts.html deal.with.dots.html exploit.md foo.md index.html index.html properties.html sitemap.xml symlinked-file)
assert_equal sorted_pages, @site.pages.map(&:name) assert_equal sorted_pages, @site.pages.map(&:name)
end end