27 lines
707 B
Markdown
27 lines
707 B
Markdown
---
|
|
layout: news_item
|
|
title: 'Jekyll 1.5.1 Released'
|
|
date: 2014-03-27 22:43:48 -0400
|
|
author: parkr
|
|
version: 1.5.1
|
|
categories: [release]
|
|
---
|
|
|
|
The hawk-eyed [@gregose](https://github.com/gregose) spotted a bug in our
|
|
`Jekyll.sanitized_path` code:
|
|
|
|
{% highlight ruby %}
|
|
> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
|
|
=> "/tmp/foobar/jail/../../../etc/passwd"
|
|
{% endhighlight %}
|
|
|
|
Well, we can't have that! In 1.5.1, you'll instead see:
|
|
|
|
{% highlight ruby %}
|
|
> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
|
|
=> "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd"
|
|
{% endhighlight %}
|
|
|
|
Luckily not affecting 1.4.x, this fix will make 1.5.0 that much safer for
|
|
the masses. Thanks, Greg!
|