Merge pull request #2563 from jekyll/fix-read-vuln

features/site_configuration.feature

@@ -273,3 +273,11 @@ Feature: Site configuration
     And I should see "Whatever" in "_site/index.html"
     And the "_site/test.txt" file should exist
     And I should see "this is a test" in "_site/test.txt"
+
+  Scenario: arbitrary file reads via layouts
+    Given I have an "index.html" page with layout "page" that contains "FOO"
+    And I have a "_config.yml" file that contains "layouts: '../../../../../../../../../../../../../../usr/include'"
+    When I run jekyll build
+    Then the _site directory should exist
+    And I should see "FOO" in "_site/index.html"
+    And I should not see " " in "_site/index.html"

lib/jekyll/convertible.rb

@@ -43,7 +43,7 @@ module Jekyll
     # Returns nothing.
     def read_yaml(base, name, opts = {})
       begin
-        self.content = File.read(File.join(base, name),
+        self.content = File.read(Jekyll.sanitized_path(base, name),
                                  merged_file_read_opts(opts))
         if content =~ /\A(---\s*\n.*?\n?)^((---|\.\.\.)\s*$\n?)/m
           self.content = $POSTMATCH

lib/jekyll/site.rb

@@ -195,7 +195,7 @@ module Jekyll
     #
     # Returns nothing
     def read_data(dir)
-      base = File.join(source, dir)
+      base = Jekyll.sanitized_path(source, dir)
       read_data_to(base, self.data)
     end
 
@@ -214,7 +214,7 @@ module Jekyll
       end
 
       entries.each do |entry|
-        path = File.join(dir, entry)
+        path = Jekyll.sanitized_path(dir, entry)
         next if File.symlink?(path) && safe
 
         key = sanitize_filename(File.basename(entry, '.*'))