jekyll 1.4.2 → 1.4.3





checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: c1c80d86509b422187561c937696fdea84af56a9
4
- data.tar.gz: 5fa354c59193e539e3e1f695c425232a64cf54f4
3
+ metadata.gz: 41f4d1152cea6d1a690bda7f499ddadf0574f529
4
+ data.tar.gz: 367da80ef10a4c54a33b94be074f8a9e410ca6f6
5
5
  SHA512:
6
- metadata.gz: ec82371ae5ccfdc0cc2d569b07bd3317e3d0f64bedc26bd21e7d9d2b1d2e100365441c71fdeb0ccb851dc7a63ce33f034607b36ab1d3ad9d4614b523d3ef6e9a
7
- data.tar.gz: d32097a6783de0f1dfade3fcd4b2dda43ac139c7b585c62536297da1ff65f7997009f64a0cd246ebee09ccf6c40b7e932ea4a7bc4a47071d06bac8727b4633d3
6
+ metadata.gz: 1f16ac96c8e7864c467604d7b9c2ca0e9a9e2a6817abe4b3277a06162a7279b1472ba72a0954e61d09d6c842617ae64184ed613cd6d8734c71a66b8e7b954de1
7
+ data.tar.gz: 06622291bb62457541c5bffe376df91f04fcd52cf3a7f7fdb80c73fc26f4d0fe1e3fbd89185a81c3a93b9a4ac2ace6bc84a40fcde971e702a933fb9c2d64117b
@@ -10,6 +10,12 @@
10
10
 
11
11
  ### Site Enhancements
12
12
 
13
+ ## 1.4.3 / 2014-01-13
14
+
15
+ ### Bug Fixes
16
+
17
+ * Patch show-stopping security vulnerabilities (#1944)
18
+
13
19
  ## 1.4.2 / 2013-12-16
14
20
 
15
21
  ### Bug Fixes
@@ -17,17 +23,9 @@
17
23
 
18
24
  ## 1.4.1 / 2013-12-09
19
25
 
20
- ### Major Enhancements
21
-
22
- ### Minor Enhancements
23
-
24
26
  ### Bug Fixes
25
27
  * Don't allow nil entries when loading posts (#1796)
26
28
 
27
- ### Development Fixes
28
-
29
- ### Site Enhancements
30
-
31
29
  ## 1.4.0 / 2013-12-07
32
30
 
33
31
  ### Major Enhancements
@@ -4,9 +4,9 @@ Gem::Specification.new do |s|
4
4
  s.rubygems_version = '1.3.5'
5
5
 
6
6
  s.name = 'jekyll'
7
- s.version = '1.4.2'
7
+ s.version = '1.4.3'
8
8
  s.license = 'MIT'
9
- s.date = '2013-12-16'
9
+ s.date = '2014-01-13'
10
10
  s.rubyforge_project = 'jekyll'
11
11
 
12
12
  s.summary = "A simple, blog aware, static site generator."
@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
23
23
  s.rdoc_options = ["--charset=UTF-8"]
24
24
  s.extra_rdoc_files = %w[README.markdown LICENSE]
25
25
 
26
- s.add_runtime_dependency('liquid', "~> 2.5.2")
26
+ s.add_runtime_dependency('liquid', "~> 2.5.5")
27
27
  s.add_runtime_dependency('classifier', "~> 1.3")
28
28
  s.add_runtime_dependency('listen', "~> 1.3")
29
29
  s.add_runtime_dependency('maruku', "~> 0.7.0")
@@ -161,6 +161,7 @@ Gem::Specification.new do |s|
161
161
  site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
162
162
  site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
163
163
  site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
164
+ site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
164
165
  site/css/gridism.css
165
166
  site/css/normalize.css
166
167
  site/css/pygments.css
@@ -220,6 +221,7 @@ Gem::Specification.new do |s|
220
221
  test/source/_data/products.yml
221
222
  test/source/_includes/params.html
222
223
  test/source/_includes/sig.markdown
224
+ test/source/_includes/tmp
223
225
  test/source/_layouts/default.html
224
226
  test/source/_layouts/post/simple.html
225
227
  test/source/_layouts/simple.html
@@ -257,6 +259,7 @@ Gem::Specification.new do |s|
257
259
  test/source/_posts/2013-05-10-number-category.textile
258
260
  test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
259
261
  test/source/_posts/2013-08-01-mkdn-extension.mkdn
262
+ test/source/_posts/2014-01-06-permalink-traversal.md
260
263
  test/source/_posts/es/2008-11-21-nested.textile
261
264
  test/source/about.html
262
265
  test/source/category/_posts/2008-9-23-categories.textile
@@ -265,6 +268,7 @@ Gem::Specification.new do |s|
265
268
  test/source/contacts/index.html
266
269
  test/source/css/screen.css
267
270
  test/source/deal.with.dots.html
271
+ test/source/exploit.md
268
272
  test/source/foo/_posts/bar/2008-12-12-topical-post.textile
269
273
  test/source/index.html
270
274
  test/source/products.yml
@@ -63,7 +63,7 @@ require_all 'jekyll/tags'
63
63
  SafeYAML::OPTIONS[:suppress_warnings] = true
64
64
 
65
65
  module Jekyll
66
- VERSION = '1.4.2'
66
+ VERSION = '1.4.3'
67
67
 
68
68
  # Public: Generate a Jekyll configuration Hash by merging the default
69
69
  # options with anything in _config.yml, and adding the given options on top.
@@ -78,6 +78,10 @@ class File
78
78
  def self.read_with_options(path, opts = {})
79
79
  self.read(path)
80
80
  end
81
+
82
+ def self.realpath(filename)
83
+ Pathname.new(filename).realpath.to_s
84
+ end
81
85
  else
82
86
  def self.read_with_options(path, opts = {})
83
87
  self.read(path, opts)
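Review bot: The new `File.realpath` shim calls `Pathname.new(filename).realpath`, so `pathname` must already be loaded; nothing in this hunk requires it, so unless a `require 'pathname'` exists above the hunk, add one next to the shim. It is also worth documenting that, like the native `File.realpath` it stands in for in this legacy-Ruby branch, it raises `Errno::ENOENT` for a missing path — the include tag's `realpath_prefixed_with?` guards with `File.exist?` first and relies on that. Suggested comment above the method: `# Backfill File.realpath via Pathname for Rubies without it; raises Errno::ENOENT for a missing path, like the native method`. The enclosing `class File` body begins and ends outside this hunk.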
@@ -133,7 +133,7 @@ module Jekyll
133
133
  #
134
134
  # Returns the destination file path String.
135
135
  def destination(dest)
136
- path = File.join(dest, self.url)
136
+ path = File.join(dest, File.expand_path(self.url, "/"))
137
137
  path = File.join(path, "index.html") if self.url =~ /\/$/
138
138
  path
139
139
  end
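Review bot: The one-line change to `destination` has no comment saying why the url is expanded against `/` before being joined under `dest`, and the same unexplained line appears in the post `destination` hunk below; since this line is the traversal fix, a why-comment keeps a later refactor from "simplifying" it away. Suggested: `# Expand against "/" first so any ".." segments collapse inside the root and the result stays under dest`. `File.expand_path` also expands a leading `~`; urls here appear to always start with `/` (the `sanitize_url` hunk below adds one), so that branch should be unreachable as shown, but it is worth stating in the comment. In the post variant `CGI.unescape` runs before `expand_path`, which is the right order — decoding after normalising would reintroduce the `%2e%2e` bypass the new fixtures exercise.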
@@ -266,7 +266,7 @@ module Jekyll
266
266
  # Returns destination file path String.
267
267
  def destination(dest)
268
268
  # The url needs to be unescaped in order to preserve the correct filename
269
- path = File.join(dest, CGI.unescape(self.url))
269
+ path = File.join(dest, File.expand_path(CGI.unescape(self.url), "/"))
270
270
  path = File.join(path, "index.html") if path[/\.html$/].nil?
271
271
  path
272
272
  end
@@ -87,14 +87,13 @@ eos
87
87
  end
88
88
 
89
89
  def render(context)
90
- dir = File.join(context.registers[:site].source, INCLUDES_DIR)
91
- validate_dir(dir, context.registers[:site].safe)
90
+ dir = File.join(File.realpath(context.registers[:site].source), INCLUDES_DIR)
92
91
 
93
92
  file = retrieve_variable(context) || @file
94
93
  validate_file_name(file)
95
94
 
96
95
  path = File.join(dir, file)
97
- validate_file(path, context.registers[:site].safe)
96
+ validate_path(path, dir, context.registers[:site].safe)
98
97
 
99
98
  begin
100
99
  partial = Liquid::Template.parse(source(path, context))
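Review bot: Replacing `validate_dir` with a realpath'd `dir` deserves a comment, because the includes directory itself is deliberately not resolved: with `dir` = `realpath(source)/_includes`, a symlinked `_includes` in safe mode is now rejected only indirectly, by the prefix test in `validate_path`, and with the generic "should exist and should not be a symlink" message instead of the old explicit one. Suggested comment above the `dir =` line: `# Resolve the site source but not _includes itself: in safe mode a symlinked includes dir then fails the realpath prefix check in validate_path`. `File.realpath` on the source also raises `Errno::ENOENT` rather than the `IOError` the rest of this method uses if the source directory is missing; whether callers handle that is outside the hunk. `render` continues past the end of this hunk.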
@@ -108,18 +107,16 @@ eos
108
107
  end
109
108
  end
110
109
 
111
- def validate_dir(dir, safe)
112
- if File.symlink?(dir) && safe
113
- raise IOError.new "Includes directory '#{dir}' cannot be a symlink"
110
+ def validate_path(path, dir, safe)
111
+ if safe && !realpath_prefixed_with?(path, dir)
112
+ raise IOError.new "The included file '#{path}' should exist and should not be a symlink"
113
+ elsif !File.exist?(path)
114
+ raise IOError.new "Included file '#{path}' not found"
114
115
  end
115
116
  end
116
117
 
117
- def validate_file(file, safe)
118
- if !File.exists?(file)
119
- raise IOError.new "Included file '#{@file}' not found in '#{INCLUDES_DIR}' directory"
120
- elsif File.symlink?(file) && safe
121
- raise IOError.new "The included file '#{INCLUDES_DIR}/#{@file}' should not be a symlink"
122
- end
118
+ def realpath_prefixed_with?(path, dir)
119
+ File.exist?(path) && File.realpath(path).start_with?(dir)
123
120
  end
124
121
 
125
122
  def blank?
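Review bot: `realpath_prefixed_with?` compares with `start_with?(dir)` and `dir` carries no trailing separator, so a resolved path under a sibling directory whose name merely begins with the includes directory's name (`_includes-private/x` beside `_includes`) satisfies the containment test. Whether `validate_file_name` already blocks the `..` needed to reach such a sibling is outside this hunk, and the containment check should not depend on it; change the predicate to `File.exist?(path) && File.realpath(path).start_with?(File.join(dir, ""))` so only true descendants pass. Separately, both new messages interpolate the absolute `path`, where the old ones reported `@file` relative to `INCLUDES_DIR`, so in safe mode — the case where sites are built on behalf of others — a failing include now echoes the server's source path; report the include-relative name instead. The class these methods belong to begins and ends outside the hunk.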
@@ -50,6 +50,7 @@ module Jekyll
50
50
 
51
51
  # Returns a sanitized String URL
52
52
  def sanitize_url(in_url)
53
+
53
54
  # Remove all double slashes
54
55
  url = in_url.gsub(/\/\//, "/")
55
56
 
@@ -61,6 +62,7 @@ module Jekyll
61
62
 
62
63
  # Always add a leading slash
63
64
  url.gsub!(/\A([^\/])/, '/\1')
65
+
64
66
  url
65
67
  end
66
68
  end
@@ -14,3 +14,5 @@ default to `true`.
14
14
 
15
15
  If you do not wish to use Maruku fenced code blocks, you may turn this option
16
16
  off in your site's configuration file.
17
+
18
+ [a regression]: https://github.com/jekyll/jekyll/pull/1830
@@ -0,0 +1,27 @@
1
+ ---
2
+ layout: news_item
3
+ title: 'Jekyll 1.4.3 Released'
4
+ date: 2014-01-13 17:43:32 -0800
5
+ author: benbalter
6
+ version: 1.4.3
7
+ categories: [release]
8
+ ---
9
+
10
+ Jekyll 1.4.3 contains two **critical** security fixes. If you run Jekyll locally
11
+ and do not run Jekyll in "safe" mode (e.g. you do not build Jekyll sites on behalf
12
+ of others), you are not affected and are not required to update at this time.
13
+ ([See pull request.]({{ site.repository }}/pull/1944))
14
+
15
+ Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious
16
+ users to expose the content of files outside the source directory in the
17
+ generated output via improper symlink sanitization, potentially resulting in an
18
+ inadvertent information disclosure.
19
+
20
+ Versions of Jekyll prior to 1.4.3 may also allow malicious users to write
21
+ arbitrary `.html` files outside of the destination folder via relative path
22
+ traversal, potentially overwriting otherwise-trusted content with arbitrary HTML
23
+ or Javascript depending on your server's configuration.
24
+
25
+ *Maintainer's note: Many thanks to @gregose and @charliesome for discovering
26
+ these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.
27
+ -@parkr*
@@ -1,10 +1,26 @@
1
- ---
2
- layout: docs
1
+ ---
2
+ prev_section: contributing
3
3
  title: History
4
+ layout: docs
4
5
  permalink: /docs/history/
5
- prev_section: contributing
6
6
  ---
7
7
 
8
+ ## 1.4.3 / 2014-01-13
9
+
10
+ ### Bug Fixes
11
+
12
+ - Patch show-stopping security vulnerabilities ([#1944]({{ site.repository }}/issues/1944))
13
+
14
+ ## 1.4.2 / 2013-12-16
15
+
16
+ ### Bug Fixes
17
+ - Turn on Maruku fenced code blocks by default ([#1830]({{ site.repository }}/issues/1830))
18
+
19
+ ## 1.4.1 / 2013-12-09
20
+
21
+ ### Bug Fixes
22
+ - Don't allow nil entries when loading posts ([#1796]({{ site.repository }}/issues/1796))
23
+
8
24
  ## 1.4.0 / 2013-12-07
9
25
 
10
26
  ### Major Enhancements
@@ -0,0 +1,5 @@
1
+ ---
2
+ permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
3
+ ---
4
+
5
+ # Test
@@ -0,0 +1,5 @@
1
+ ---
2
+ permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
3
+ ---
4
+
5
+ # Test
@@ -14,7 +14,7 @@ class TestGeneratedSite < Test::Unit::TestCase
14
14
  end
15
15
 
16
16
  should "ensure post count is as expected" do
17
- assert_equal 36, @site.posts.size
17
+ assert_equal 37, @site.posts.size
18
18
  end
19
19
 
20
20
  should "insert site.posts into the index" do
@@ -101,6 +101,16 @@ class TestPage < Test::Unit::TestCase
101
101
  assert_equal @page.permalink, @page.url
102
102
  assert_equal "/about/", @page.dir
103
103
  end
104
+
105
+ should "not be writable outside of destination" do
106
+ unexpected = File.expand_path("../../../baddie.html", dest_dir)
107
+ File.delete unexpected if File.exist?(unexpected)
108
+ page = setup_page("exploit.md")
109
+ do_render(page)
110
+ page.write(dest_dir)
111
+
112
+ assert !File.exist?(unexpected)
113
+ end
104
114
  end
105
115
 
106
116
  context "with specified layout of nil" do
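Review bot: The new page test only asserts that `baddie.html` is absent three levels above `dest_dir`; it has no positive assertion about where the page was written, so it would still pass if `write` produced nothing at all, unlike the post test below which also checks `File.exist?(File.expand_path("baddie.html", dest_dir))`. Add the matching positive assertion, or — if the page url is not percent-decoded (the page `destination` hunk has no `CGI.unescape`) — assert the literal location it does land in, so the test pins the fix rather than the absence of one outcome. The file deleted at the start is never removed after the test should it ever be written, so a regression would poison the next run; the cleanup belongs in teardown, outside this hunk.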
@@ -75,6 +75,17 @@ class TestPost < Test::Unit::TestCase
75
75
  assert_equal "/my_category/permalinked-post", @post.url
76
76
  end
77
77
 
78
+ should "not be writable outside of destination" do
79
+ unexpected = File.expand_path("../../../baddie.html", dest_dir)
80
+ File.delete unexpected if File.exist?(unexpected)
81
+ post = setup_post("2014-01-06-permalink-traversal.md")
82
+ do_render(post)
83
+ post.write(dest_dir)
84
+
85
+ assert !File.exist?(unexpected)
86
+ assert File.exist?(File.expand_path("baddie.html", dest_dir))
87
+ end
88
+
78
89
  context "with CRLF linebreaks" do
79
90
  setup do
80
91
  @real_file = "2009-05-24-yaml-linebreak.markdown"
@@ -347,6 +347,41 @@ CONTENT
347
347
  end
348
348
 
349
349
  context "include tag with parameters" do
350
+
351
+ context "with symlink'd include" do
352
+
353
+ should "not allow symlink includes" do
354
+ File.open("/tmp/pages-test", 'w') { |file| file.write("SYMLINK TEST") }
355
+ assert_raise IOError do
356
+ content = <<CONTENT
357
+ ---
358
+ title: Include symlink
359
+ ---
360
+
361
+ {% include tmp/pages-test %}
362
+
363
+ CONTENT
364
+ create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
365
+ end
366
+ assert_no_match /SYMLINK TEST/, @result
367
+ end
368
+
369
+ should "not expose the existence of symlinked files" do
370
+ ex = assert_raise IOError do
371
+ content = <<CONTENT
372
+ ---
373
+ title: Include symlink
374
+ ---
375
+
376
+ {% include tmp/pages-test-does-not-exist %}
377
+
378
+ CONTENT
379
+ create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
380
+ end
381
+ assert_match /should exist and should not be a symlink/, ex.message
382
+ end
383
+ end
384
+
350
385
  context "with one parameter" do
351
386
  setup do
352
387
  content = <<CONTENT
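Review bot: The symlink test writes to the fixed path `/tmp/pages-test` and never removes it, so it depends on world-writable shared state: a stale or attacker-placed file of that name on a multi-user machine, or two runs in parallel, change what the include resolves to. At minimum add a teardown that removes it, `teardown do` / `File.delete("/tmp/pages-test") if File.exist?("/tmp/pages-test")` / `end`; the fuller fix is to create a private directory with `Dir.mktmpdir` (`require 'tmpdir'`, outside the hunk) in `setup`, point a freshly created `_includes/tmp` link at it — `test/source/_includes/tmp` is presumably the shipped link into `/tmp` that `tmp/pages-test` resolves through — and remove both in `teardown`. The `assert_no_match /SYMLINK TEST/, @result` after the `assert_raise` also appears to check whatever `@result` held before `create_post` raised, possibly nil or a previous test's output, so it is weaker than it reads; a comment such as `# create_post raises before setting @result; this only guards against a stale value` would make that explicit.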
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jekyll
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.4.2
4
+ version: 1.4.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tom Preston-Werner
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2013-12-16 00:00:00.000000000 Z
11
+ date: 2014-01-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: liquid
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - ~>
18
18
  - !ruby/object:Gem::Version
19
- version: 2.5.2
19
+ version: 2.5.5
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - ~>
25
25
  - !ruby/object:Gem::Version
26
- version: 2.5.2
26
+ version: 2.5.5
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: classifier
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -491,6 +491,7 @@ files:
491
491
  - site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
492
492
  - site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
493
493
  - site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
494
+ - site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
494
495
  - site/css/gridism.css
495
496
  - site/css/normalize.css
496
497
  - site/css/pygments.css
@@ -587,6 +588,7 @@ files:
587
588
  - test/source/_posts/2013-05-10-number-category.textile
588
589
  - test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
589
590
  - test/source/_posts/2013-08-01-mkdn-extension.mkdn
591
+ - test/source/_posts/2014-01-06-permalink-traversal.md
590
592
  - test/source/_posts/es/2008-11-21-nested.textile
591
593
  - test/source/about.html
592
594
  - test/source/category/_posts/2008-9-23-categories.textile
@@ -595,6 +597,7 @@ files:
595
597
  - test/source/contacts/index.html
596
598
  - test/source/css/screen.css
597
599
  - test/source/deal.with.dots.html
600
+ - test/source/exploit.md
598
601
  - test/source/foo/_posts/bar/2008-12-12-topical-post.textile
599
602
  - test/source/index.html
600
603
  - test/source/products.yml