jekyll 1.5.0 → 1.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b8c189cd18215658c44d8d3deb0e8e7f901e5706
-  data.tar.gz: e0744f3e95527b0bc9cf8686d40205d2b8a088c6
+  metadata.gz: 7774f515b69590f22a19d6d02f549f16176acfdc
+  data.tar.gz: a43d5a1e9ebd75da9f4d8445d6c738593ea11c9d
 SHA512:
-  metadata.gz: 63ad197d84528333ac9f09d5012ffc566b1567745d8085dccc4fbcb8d2bf10a4719dc4685161202fac7cf6f0bf7f66ea417e82ee9d8d2ff653fb7a2b40194069
-  data.tar.gz: 471a3dfac658531a67c19409e446112f0261fd011aca00616394c4eca662658385a4f0515c740000380870d97a6ba664397b718a004355580be64edd7d04613d
+  metadata.gz: 70cc97ba0736a056ceef606efec097fd966b4dc414780e643bd8f72f5881a276f74824e3faadd9fac0c02e96008662048935693a776386cfcf1112fcd4e336ae
+  data.tar.gz: a9f7b7f9a267a81f8de02195e1dad705f1452dd0639ffb623872d6602cf2fdab3b3130a0a72c41f30e86baece917ffa9fd6447f05e7a75e2d1bad0d49a49d295

data/History.markdown

@@ -10,6 +10,12 @@
 
 ### Site Enhancements
 
+## 1.5.1 / 2014-03-27
+
+### Bug Fixes
+
+* Only strip the drive name if it begins the string (#2176)
+
 ## 1.5.0 / 2014-03-24
 
 ### Minor Enhancements

data/jekyll.gemspec

@@ -4,9 +4,9 @@ Gem::Specification.new do |s|
   s.rubygems_version = '1.3.5'
 
   s.name              = 'jekyll'
-  s.version           = '1.5.0'
+  s.version           = '1.5.1'
   s.license           = 'MIT'
-  s.date              = '2014-03-24'
+  s.date              = '2014-03-28'
   s.rubyforge_project = 'jekyll'
 
   s.summary     = "A simple, blog aware, static site generator."
@@ -163,6 +163,7 @@ Gem::Specification.new do |s|
     site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
     site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
     site/_posts/2014-03-24-jekyll-1-5-0-released.markdown
+    site/_posts/2014-03-27-jekyll-1-5-1-released.markdown
     site/css/gridism.css
     site/css/normalize.css
     site/css/pygments.css
@@ -292,6 +293,7 @@ Gem::Specification.new do |s|
     test/test_new_command.rb
     test/test_page.rb
     test/test_pager.rb
+    test/test_path_sanitization.rb
     test/test_post.rb
     test/test_rdiscount.rb
     test/test_redcarpet.rb

data/lib/jekyll.rb

@@ -63,7 +63,7 @@ require_all 'jekyll/tags'
 SafeYAML::OPTIONS[:suppress_warnings] = true
 
 module Jekyll
-  VERSION = '1.5.0'
+  VERSION = '1.5.1'
 
   # Public: Generate a Jekyll configuration Hash by merging the default
   # options with anything in _config.yml, and adding the given options on top.
@@ -103,7 +103,7 @@ module Jekyll
   # Returns a pure and clean path
   def self.sanitized_path(base_directory, questionable_path)
     clean_path = File.expand_path(questionable_path, "/")
-    clean_path.gsub!(/\w\:\//, '/')
+    clean_path.gsub!(/\A\w\:\//, '/')
     unless clean_path.start_with?(base_directory)
       File.join(base_directory, clean_path)
     else

data/site/_posts/2014-03-27-jekyll-1-5-1-released.markdown

@@ -0,0 +1,26 @@
+---
+layout: news_item
+title: 'Jekyll 1.5.1 Released'
+date: 2014-03-27 22:43:48 -0400
+author: parkr
+version: 1.5.1
+categories: [release]
+---
+
+The hawk-eyed [@gregose](https://github.com/gregose) spotted a bug in our
+`Jekyll.sanitized_path` code:
+
+{% highlight ruby %}
+> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
+=> "/tmp/foobar/jail/../../../etc/passwd"
+{% endhighlight %}
+
+Well, we can't have that! In 1.5.1, you'll instead see:
+
+{% highlight ruby %}
+> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
+=> "/tmp/foobar/jail/etc/passwd"
+{% endhighlight %}
+
+Luckily not affecting 1.4.x, this fix will make 1.5.0 that much safer for
+the masses. Thanks, Greg!

data/test/test_path_sanitization.rb

@@ -0,0 +1,18 @@
+require 'helper'
+
+class TestPathSanitization < Test::Unit::TestCase
+  context "on Windows with absolute source" do
+    setup do
+      @source = "C:/Users/xmr/Desktop/mpc-hc.org"
+      @dest   = "./_site/"
+      stub(Dir).pwd { "C:/Users/xmr/Desktop/mpc-hc.org" }
+    end
+    should "strip drive name from path" do
+      assert_equal "C:/Users/xmr/Desktop/mpc-hc.org/_site", Jekyll.sanitized_path(@source, @dest)
+    end
+
+    should "strip just the initial drive name" do
+      assert_equal "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd", Jekyll.sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jekyll
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.5.1
 platform: ruby
 authors:
 - Tom Preston-Werner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-24 00:00:00.000000000 Z
+date: 2014-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: liquid
@@ -493,6 +493,7 @@ files:
 - site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
 - site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
 - site/_posts/2014-03-24-jekyll-1-5-0-released.markdown
+- site/_posts/2014-03-27-jekyll-1-5-1-released.markdown
 - site/css/gridism.css
 - site/css/normalize.css
 - site/css/pygments.css
@@ -619,6 +620,7 @@ files:
 - test/test_new_command.rb
 - test/test_page.rb
 - test/test_pager.rb
+- test/test_path_sanitization.rb
 - test/test_post.rb
 - test/test_rdiscount.rb
 - test/test_redcarpet.rb
@@ -665,6 +667,7 @@ test_files:
 - test/test_new_command.rb
 - test/test_page.rb
 - test/test_pager.rb
+- test/test_path_sanitization.rb
 - test/test_post.rb
 - test/test_rdiscount.rb
 - test/test_redcarpet.rb