jekyll 1.4.2 → 1.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c1c80d86509b422187561c937696fdea84af56a9
-  data.tar.gz: 5fa354c59193e539e3e1f695c425232a64cf54f4
+  metadata.gz: 41f4d1152cea6d1a690bda7f499ddadf0574f529
+  data.tar.gz: 367da80ef10a4c54a33b94be074f8a9e410ca6f6
 SHA512:
-  metadata.gz: ec82371ae5ccfdc0cc2d569b07bd3317e3d0f64bedc26bd21e7d9d2b1d2e100365441c71fdeb0ccb851dc7a63ce33f034607b36ab1d3ad9d4614b523d3ef6e9a
-  data.tar.gz: d32097a6783de0f1dfade3fcd4b2dda43ac139c7b585c62536297da1ff65f7997009f64a0cd246ebee09ccf6c40b7e932ea4a7bc4a47071d06bac8727b4633d3
+  metadata.gz: 1f16ac96c8e7864c467604d7b9c2ca0e9a9e2a6817abe4b3277a06162a7279b1472ba72a0954e61d09d6c842617ae64184ed613cd6d8734c71a66b8e7b954de1
+  data.tar.gz: 06622291bb62457541c5bffe376df91f04fcd52cf3a7f7fdb80c73fc26f4d0fe1e3fbd89185a81c3a93b9a4ac2ace6bc84a40fcde971e702a933fb9c2d64117b

data/History.markdown

@@ -10,6 +10,12 @@
 
 ### Site Enhancements
 
+## 1.4.3 / 2014-01-13
+
+### Bug Fixes
+
+  * Patch show-stopping security vulnerabilities (#1944)
+
 ## 1.4.2 / 2013-12-16
 
 ### Bug Fixes
@@ -17,17 +23,9 @@
 
 ## 1.4.1 / 2013-12-09
 
-### Major Enhancements
-
-### Minor Enhancements
-
 ### Bug Fixes
   * Don't allow nil entries when loading posts (#1796)
 
-### Development Fixes
-
-### Site Enhancements
-
 ## 1.4.0 / 2013-12-07
 
 ### Major Enhancements

data/jekyll.gemspec

@@ -4,9 +4,9 @@ Gem::Specification.new do |s|
   s.rubygems_version = '1.3.5'
 
   s.name              = 'jekyll'
-  s.version           = '1.4.2'
+  s.version           = '1.4.3'
   s.license           = 'MIT'
-  s.date              = '2013-12-16'
+  s.date              = '2014-01-13'
   s.rubyforge_project = 'jekyll'
 
   s.summary     = "A simple, blog aware, static site generator."
@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
   s.rdoc_options = ["--charset=UTF-8"]
   s.extra_rdoc_files = %w[README.markdown LICENSE]
 
-  s.add_runtime_dependency('liquid', "~> 2.5.2")
+  s.add_runtime_dependency('liquid', "~> 2.5.5")
   s.add_runtime_dependency('classifier', "~> 1.3")
   s.add_runtime_dependency('listen', "~> 1.3")
   s.add_runtime_dependency('maruku', "~> 0.7.0")
@@ -161,6 +161,7 @@ Gem::Specification.new do |s|
     site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
     site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
     site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
+    site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
     site/css/gridism.css
     site/css/normalize.css
     site/css/pygments.css
@@ -220,6 +221,7 @@ Gem::Specification.new do |s|
     test/source/_data/products.yml
     test/source/_includes/params.html
     test/source/_includes/sig.markdown
+    test/source/_includes/tmp
     test/source/_layouts/default.html
     test/source/_layouts/post/simple.html
     test/source/_layouts/simple.html
@@ -257,6 +259,7 @@ Gem::Specification.new do |s|
     test/source/_posts/2013-05-10-number-category.textile
     test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
     test/source/_posts/2013-08-01-mkdn-extension.mkdn
+    test/source/_posts/2014-01-06-permalink-traversal.md
     test/source/_posts/es/2008-11-21-nested.textile
     test/source/about.html
     test/source/category/_posts/2008-9-23-categories.textile
@@ -265,6 +268,7 @@ Gem::Specification.new do |s|
     test/source/contacts/index.html
     test/source/css/screen.css
     test/source/deal.with.dots.html
+    test/source/exploit.md
     test/source/foo/_posts/bar/2008-12-12-topical-post.textile
     test/source/index.html
     test/source/products.yml

data/lib/jekyll.rb

@@ -63,7 +63,7 @@ require_all 'jekyll/tags'
 SafeYAML::OPTIONS[:suppress_warnings] = true
 
 module Jekyll
-  VERSION = '1.4.2'
+  VERSION = '1.4.3'
 
   # Public: Generate a Jekyll configuration Hash by merging the default
   # options with anything in _config.yml, and adding the given options on top.

data/lib/jekyll/core_ext.rb

@@ -78,6 +78,10 @@ class File
     def self.read_with_options(path, opts = {})
       self.read(path)
     end
+
+    def self.realpath(filename)
+      Pathname.new(filename).realpath.to_s
+    end
   else
     def self.read_with_options(path, opts = {})
       self.read(path, opts)

data/lib/jekyll/page.rb

@@ -133,7 +133,7 @@ module Jekyll
     #
     # Returns the destination file path String.
     def destination(dest)
-      path = File.join(dest, self.url)
+      path = File.join(dest, File.expand_path(self.url, "/"))
       path = File.join(path, "index.html") if self.url =~ /\/$/
       path
     end

data/lib/jekyll/post.rb

@@ -266,7 +266,7 @@ module Jekyll
     # Returns destination file path String.
     def destination(dest)
       # The url needs to be unescaped in order to preserve the correct filename
-      path = File.join(dest, CGI.unescape(self.url))
+      path = File.join(dest, File.expand_path(CGI.unescape(self.url), "/"))
       path = File.join(path, "index.html") if path[/\.html$/].nil?
       path
     end

data/lib/jekyll/tags/include.rb

@@ -87,14 +87,13 @@ eos
       end
 
       def render(context)
-        dir = File.join(context.registers[:site].source, INCLUDES_DIR)
-        validate_dir(dir, context.registers[:site].safe)
+        dir = File.join(File.realpath(context.registers[:site].source), INCLUDES_DIR)
 
         file = retrieve_variable(context) || @file
         validate_file_name(file)
 
         path = File.join(dir, file)
-        validate_file(path, context.registers[:site].safe)
+        validate_path(path, dir, context.registers[:site].safe)
 
         begin
           partial = Liquid::Template.parse(source(path, context))
@@ -108,18 +107,16 @@ eos
         end
       end
 
-      def validate_dir(dir, safe)
-        if File.symlink?(dir) && safe
-          raise IOError.new "Includes directory '#{dir}' cannot be a symlink"
+      def validate_path(path, dir, safe)
+        if safe && !realpath_prefixed_with?(path, dir)
+          raise IOError.new "The included file '#{path}' should exist and should not be a symlink"
+        elsif !File.exist?(path)
+          raise IOError.new "Included file '#{path}' not found"
         end
       end
 
-      def validate_file(file, safe)
-        if !File.exists?(file)
-          raise IOError.new "Included file '#{@file}' not found in '#{INCLUDES_DIR}' directory"
-        elsif File.symlink?(file) && safe
-          raise IOError.new "The included file '#{INCLUDES_DIR}/#{@file}' should not be a symlink"
-        end
+      def realpath_prefixed_with?(path, dir)
+        File.exist?(path) && File.realpath(path).start_with?(dir)
       end
 
       def blank?

data/lib/jekyll/url.rb

@@ -50,6 +50,7 @@ module Jekyll
 
     # Returns a sanitized String URL
     def sanitize_url(in_url)
+
       # Remove all double slashes
       url = in_url.gsub(/\/\//, "/")
 
@@ -61,6 +62,7 @@ module Jekyll
 
       # Always add a leading slash
       url.gsub!(/\A([^\/])/, '/\1')
+
       url
     end
   end

data/site/_posts/2013-12-16-jekyll-1-4-2-released.markdown

@@ -14,3 +14,5 @@ default to `true`.
 
 If you do not wish to use Maruku fenced code blocks, you may turn this option
 off in your site's configuration file.
+
+[a regression]: https://github.com/jekyll/jekyll/pull/1830

data/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown

@@ -0,0 +1,27 @@
+---
+layout: news_item
+title: 'Jekyll 1.4.3 Released'
+date: 2014-01-13 17:43:32 -0800
+author: benbalter
+version: 1.4.3
+categories: [release]
+---
+
+Jekyll 1.4.3 contains two **critical** security fixes. If you run Jekyll locally
+and do not run Jekyll in "safe" mode (e.g. you do not build Jekyll sites on behalf
+of others), you are not affected and are not required to update at this time.
+([See pull request.]({{ site.repository }}/pull/1944))
+
+Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious
+users to expose the content of files outside the source directory in the
+generated output via improper symlink sanitization, potentially resulting in an
+inadvertent information disclosure.
+
+Versions of Jekyll prior to 1.4.3 may also allow malicious users to write
+arbitrary `.html` files outside of the destination folder via relative path
+traversal, potentially overwriting otherwise-trusted content with arbitrary HTML
+or Javascript depending on your server's configuration.
+
+*Maintainer's note: Many thanks to @gregose and @charliesome for discovering
+these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.
+-@parkr*

data/site/docs/history.md

@@ -1,10 +1,26 @@
----
-layout: docs
+--- 
+prev_section: contributing
 title: History
+layout: docs
 permalink: /docs/history/
-prev_section: contributing
 ---
 
+## 1.4.3 / 2014-01-13
+
+### Bug Fixes
+
+- Patch show-stopping security vulnerabilities ([#1944]({{ site.repository }}/issues/1944))
+
+## 1.4.2 / 2013-12-16
+
+### Bug Fixes
+- Turn on Maruku fenced code blocks by default ([#1830]({{ site.repository }}/issues/1830))
+
+## 1.4.1 / 2013-12-09
+
+### Bug Fixes
+- Don't allow nil entries when loading posts ([#1796]({{ site.repository }}/issues/1796))
+
 ## 1.4.0 / 2013-12-07
 
 ### Major Enhancements

data/test/source/_posts/2014-01-06-permalink-traversal.md

@@ -0,0 +1,5 @@
+---
+permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
+---
+
+# Test

data/test/source/exploit.md

@@ -0,0 +1,5 @@
+---
+permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
+---
+
+# Test

data/test/test_generated_site.rb

@@ -14,7 +14,7 @@ class TestGeneratedSite < Test::Unit::TestCase
     end
 
     should "ensure post count is as expected" do
-      assert_equal 36, @site.posts.size
+      assert_equal 37, @site.posts.size
     end
 
     should "insert site.posts into the index" do

data/test/test_page.rb

@@ -101,6 +101,16 @@ class TestPage < Test::Unit::TestCase
         assert_equal @page.permalink, @page.url
         assert_equal "/about/", @page.dir
       end
+
+      should "not be writable outside of destination" do
+        unexpected = File.expand_path("../../../baddie.html", dest_dir)
+        File.delete unexpected if File.exist?(unexpected)
+        page = setup_page("exploit.md")
+        do_render(page)
+        page.write(dest_dir)
+
+        assert !File.exist?(unexpected)
+      end
     end
 
     context "with specified layout of nil" do

data/test/test_post.rb

@@ -75,6 +75,17 @@ class TestPost < Test::Unit::TestCase
         assert_equal "/my_category/permalinked-post", @post.url
       end
 
+      should "not be writable outside of destination" do
+        unexpected = File.expand_path("../../../baddie.html", dest_dir)
+        File.delete unexpected if File.exist?(unexpected)
+        post = setup_post("2014-01-06-permalink-traversal.md")
+        do_render(post)
+        post.write(dest_dir)
+
+        assert !File.exist?(unexpected)
+        assert File.exist?(File.expand_path("baddie.html", dest_dir))
+      end
+
       context "with CRLF linebreaks" do
         setup do
           @real_file = "2009-05-24-yaml-linebreak.markdown"

data/test/test_tags.rb

@@ -347,6 +347,41 @@ CONTENT
   end
 
   context "include tag with parameters" do
+
+    context "with symlink'd include" do
+
+      should "not allow symlink includes" do
+        File.open("/tmp/pages-test", 'w') { |file| file.write("SYMLINK TEST") }
+        assert_raise IOError do
+          content = <<CONTENT
+---
+title: Include symlink
+---
+
+{% include tmp/pages-test %}
+
+CONTENT
+          create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
+        end
+        assert_no_match /SYMLINK TEST/, @result
+      end
+
+      should "not expose the existence of symlinked files" do
+        ex = assert_raise IOError do
+          content = <<CONTENT
+---
+title: Include symlink
+---
+
+{% include tmp/pages-test-does-not-exist %}
+
+CONTENT
+          create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
+        end
+        assert_match /should exist and should not be a symlink/, ex.message
+      end
+    end
+
     context "with one parameter" do
       setup do
         content = <<CONTENT

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jekyll
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.4.3
 platform: ruby
 authors:
 - Tom Preston-Werner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-16 00:00:00.000000000 Z
+date: 2014-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: liquid
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.5.2
+        version: 2.5.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.5.2
+        version: 2.5.5
 - !ruby/object:Gem::Dependency
   name: classifier
   requirement: !ruby/object:Gem::Requirement
@@ -491,6 +491,7 @@ files:
 - site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
 - site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
 - site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
+- site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
 - site/css/gridism.css
 - site/css/normalize.css
 - site/css/pygments.css
@@ -587,6 +588,7 @@ files:
 - test/source/_posts/2013-05-10-number-category.textile
 - test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
 - test/source/_posts/2013-08-01-mkdn-extension.mkdn
+- test/source/_posts/2014-01-06-permalink-traversal.md
 - test/source/_posts/es/2008-11-21-nested.textile
 - test/source/about.html
 - test/source/category/_posts/2008-9-23-categories.textile
@@ -595,6 +597,7 @@ files:
 - test/source/contacts/index.html
 - test/source/css/screen.css
 - test/source/deal.with.dots.html
+- test/source/exploit.md
 - test/source/foo/_posts/bar/2008-12-12-topical-post.textile
 - test/source/index.html
 - test/source/products.yml