From 05f1fac2a7e1c1aacb7638948fe59f557f6aa67e Mon Sep 17 00:00:00 2001
From: Ben Balter
Date: Tue, 1 Jul 2014 18:28:51 -0400
Subject: [PATCH 1/2] Add feature for layouts vuln.

---
 features/site_configuration.feature | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/features/site_configuration.feature b/features/site_configuration.feature
index f42f3833..8aaa9e1d 100644
--- a/features/site_configuration.feature
+++ b/features/site_configuration.feature
@@ -273,3 +273,11 @@ Feature: Site configuration
 And I should see "Whatever" in "_site/index.html"
 And the "_site/test.txt" file should exist
 And I should see "this is a test" in "_site/test.txt"
+
+ Scenario: arbitrary file reads via layouts
+ Given I have an "index.html" page with layout "page" that contains "FOO"
+ And I have a "_config.yml" file that contains "layouts: '../../../../../../../../../../../../../../usr/include'"
+ When I run jekyll build
+ Then the _site directory should exist
+ And I should see "FOO" in "_site/index.html"
+ And I should not see " " in "_site/index.html"

From a66d96ce0a5dc8dad65ff5ca5cd9675e03f38a59 Mon Sep 17 00:00:00 2001
From: Parker Moore
Date: Tue, 1 Jul 2014 18:29:15 -0400
Subject: [PATCH 2/2] Use Jekyll.sanitized_path more.

---
 lib/jekyll/convertible.rb | 2 +-
 lib/jekyll/site.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/jekyll/convertible.rb b/lib/jekyll/convertible.rb
index b423ac43..8e9700b2 100644
--- a/lib/jekyll/convertible.rb
+++ b/lib/jekyll/convertible.rb
@@ -43,7 +43,7 @@ module Jekyll
 # Returns nothing.
 def read_yaml(base, name, opts = {})
 begin
- self.content = File.read(File.join(base, name),
+ self.content = File.read(Jekyll.sanitized_path(base, name),
 merged_file_read_opts(opts))
 if content =~ /\A(---\s*\n.*?\n?)^((---|\.\.\.)\s*$\n?)/m
 self.content = $POSTMATCH
diff --git a/lib/jekyll/site.rb b/lib/jekyll/site.rb
index eaa76aad..1015d5d9 100644
--- a/lib/jekyll/site.rb
+++ b/lib/jekyll/site.rb
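Review bot: The closing step `And I should not see " " in "_site/index.html"` only proves the rendered page contains no space character, which is a weak stand-in for "nothing outside the site was read"; on a host where the traversal target directory does not exist, or where the file Jekyll would pick up happens to contain no whitespace, the scenario passes without exercising the fix. A precondition step that the traversed directory exists, plus an assertion on a string that can only originate from a file in that directory (or on the rendered page matching the untouched "FOO" body exactly), would make the scenario fail for the right reason when the sanitisation regresses. The added Scenario is self-contained within the hunk.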
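Review bot: `Jekyll.sanitized_path(base, name)` confines `name` beneath `base`, but the hunk does not show where `base` comes from; if a caller passes a directory derived from the `layouts` config value (which is what the accompanying feature scenario exercises), clamping `name` to that directory does not by itself keep the read inside the site source unless the caller already sanitised the directory against `source`. Worth confirming at the call sites in site.rb that every `base` handed to `read_yaml` is produced with `Jekyll.sanitized_path(source, ...)`, as `read_data` in this same commit now does. The comment above the method could state the new contract, e.g. `# name is resolved beneath base via Jekyll.sanitized_path; reads cannot escape base.` The `begin` block opened here, the `rescue` it pairs with and the remainder of `read_yaml` lie outside the hunk.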
@@ -195,7 +195,7 @@ module Jekyll
 #
 # Returns nothing
 def read_data(dir)
- base = File.join(source, dir)
+ base = Jekyll.sanitized_path(source, dir)
 read_data_to(base, self.data)
 end
@@ -214,7 +214,7 @@ module Jekyll
 end
 entries.each do |entry|
- path = File.join(dir, entry)
+ path = Jekyll.sanitized_path(dir, entry)
 next if File.symlink?(path) && safe
 key = sanitize_filename(File.basename(entry, '.*'))
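Review bot: `base = Jekyll.sanitized_path(source, dir)` clamps the configured data directory under `source`, but if `sanitized_path` normalises the path lexically rather than resolving it on disk, a symlink inside that directory can still point outside `source`; the visible `next if File.symlink?(path) && safe` in the following hunk only closes that gap when `safe` is set. It is worth documenting that division of responsibility on `read_data`, e.g. `# dir is clamped beneath source; symlinked entries are only skipped in safe mode (see read_data_to).` The `read_data_to` hunk that follows is cut off at the end of the chunk, so its remaining lines are not reviewed here.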