27 lines
		
	
	
		
			707 B
		
	
	
	
		
			Markdown
		
	
	
	
			
		
		
	
	
			27 lines
		
	
	
		
			707 B
		
	
	
	
		
			Markdown
		
	
	
	
| ---
 | |
| layout: news_item
 | |
| title: 'Jekyll 1.5.1 Released'
 | |
| date: 2014-03-27 22:43:48 -0400
 | |
| author: parkr
 | |
| version: 1.5.1
 | |
| categories: [release]
 | |
| ---
 | |
| 
 | |
| The hawk-eyed [@gregose](https://github.com/gregose) spotted a bug in our
 | |
| `Jekyll.sanitized_path` code:
 | |
| 
 | |
| {% highlight ruby %}
 | |
| > sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
 | |
| => "/tmp/foobar/jail/../../../etc/passwd"
 | |
| {% endhighlight %}
 | |
| 
 | |
| Well, we can't have that! In 1.5.1, you'll instead see:
 | |
| 
 | |
| {% highlight ruby %}
 | |
| > sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
 | |
| => "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd"
 | |
| {% endhighlight %}
 | |
| 
 | |
| Luckily not affecting 1.4.x, this fix will make 1.5.0 that much safer for
 | |
| the masses. Thanks, Greg!
 |