Allow symlinks iff they point to stuff inside site.source

2016-03-25 14:15:39 +01:00 · 2016-03-25 14:15:39 +01:00 · f60d3a8dbc
parent 9234fa7510
commit f60d3a8dbc
2 changed files with 10 additions and 6 deletions
--- a/lib/jekyll/entry_filter.rb
+++ b/lib/jekyll/entry_filter.rb
@ -52,7 +52,11 @@ module Jekyll
    end

    def symlink?(entry)
-      File.symlink?(entry) && site.safe
+      site.safe && File.symlink?(entry) && bad_symlink?(entry)
+    end
+
+    def bad_symlink?(entry)
+      ! File.realpath(entry).start_with?(File.realpath(@site.source))
    end

    def ensure_leading_slash(path)
--- a/test/test_entry_filter.rb
+++ b/test/test_entry_filter.rb
@ -46,11 +46,11 @@ class TestEntryFilter < JekyllUnitTest
      assert_equal files, @site.reader.filter_entries(files)
    end

-    should "filter symlink entries when safe mode enabled" do
+    should "keep safe symlink entries when safe mode enabled" do
      site = Site.new(site_configuration('safe' => true))
      allow(File).to receive(:symlink?).with('symlink.js').and_return(true)
      files = %w[symlink.js]
-      assert_equal [], site.reader.filter_entries(files)
+      assert_equal files, @site.reader.filter_entries(files)
    end

    should "not filter symlink entries when safe mode disabled" do
@ -59,12 +59,12 @@ class TestEntryFilter < JekyllUnitTest
      assert_equal files, @site.reader.filter_entries(files)
    end

-    should "not include symlinks in safe mode" do
+    should "include only safe symlinks in safe mode" do
      site = Site.new(site_configuration('safe' => true))

      site.reader.read_directories("symlink-test")
-      assert_equal [], site.pages
-      assert_equal [], site.static_files
+      assert_equal %w[main.scss symlinked-file].length, site.pages.length
+      refute_equal [], site.static_files
    end

    should "include symlinks in unsafe mode" do