[DRE-commits] [jekyll] 01/01: Imported Upstream version 1.4.3
Youhei SASAKI
uwabami-guest at moszumanska.debian.org
Tue Jan 14 13:50:19 UTC 2014
This is an automated email from the git hooks/post-receive script.
uwabami-guest pushed a commit to annotated tag upstream/1.4.3
in repository jekyll.
commit cfd680a0bc306c2b45eca98cdb4d0f07e910a441
Author: Youhei SASAKI <uwabami at gfd-dennou.org>
Date: Tue Jan 14 22:46:30 2014 +0900
Imported Upstream version 1.4.3
---
History.markdown | 14 ++++-----
checksums.yaml.gz | Bin 267 -> 270 bytes
jekyll.gemspec | 10 ++++--
lib/jekyll.rb | 2 +-
lib/jekyll/core_ext.rb | 4 +++
lib/jekyll/page.rb | 2 +-
lib/jekyll/post.rb | 2 +-
lib/jekyll/tags/include.rb | 21 ++++++-------
lib/jekyll/url.rb | 2 ++
metadata.yml | 11 ++++---
.../2013-12-16-jekyll-1-4-2-released.markdown | 2 ++
.../2014-01-13-jekyll-1-4-3-released.markdown | 27 ++++++++++++++++
site/docs/history.md | 22 +++++++++++--
.../_posts/2014-01-06-permalink-traversal.md | 5 +++
test/source/exploit.md | 5 +++
test/test_generated_site.rb | 2 +-
test/test_page.rb | 10 ++++++
test/test_post.rb | 11 +++++++
test/test_tags.rb | 35 +++++++++++++++++++++
19 files changed, 153 insertions(+), 34 deletions(-)
diff --git a/History.markdown b/History.markdown
index 7781f16..41adaf7 100644
--- a/History.markdown
+++ b/History.markdown
@@ -10,6 +10,12 @@
### Site Enhancements
+## 1.4.3 / 2014-01-13
+
+### Bug Fixes
+
+ * Patch show-stopping security vulnerabilities (#1944)
+
## 1.4.2 / 2013-12-16
### Bug Fixes
@@ -17,17 +23,9 @@
## 1.4.1 / 2013-12-09
-### Major Enhancements
-
-### Minor Enhancements
-
### Bug Fixes
* Don't allow nil entries when loading posts (#1796)
-### Development Fixes
-
-### Site Enhancements
-
## 1.4.0 / 2013-12-07
### Major Enhancements
diff --git a/checksums.yaml.gz b/checksums.yaml.gz
index 9f02114..d4308b3 100644
Binary files a/checksums.yaml.gz and b/checksums.yaml.gz differ
diff --git a/jekyll.gemspec b/jekyll.gemspec
index 1306fed..a6466b0 100644
--- a/jekyll.gemspec
+++ b/jekyll.gemspec
@@ -4,9 +4,9 @@ Gem::Specification.new do |s|
s.rubygems_version = '1.3.5'
s.name = 'jekyll'
- s.version = '1.4.2'
+ s.version = '1.4.3'
s.license = 'MIT'
- s.date = '2013-12-16'
+ s.date = '2014-01-13'
s.rubyforge_project = 'jekyll'
s.summary = "A simple, blog aware, static site generator."
@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
s.rdoc_options = ["--charset=UTF-8"]
s.extra_rdoc_files = %w[README.markdown LICENSE]
- s.add_runtime_dependency('liquid', "~> 2.5.2")
+ s.add_runtime_dependency('liquid', "~> 2.5.5")
s.add_runtime_dependency('classifier', "~> 1.3")
s.add_runtime_dependency('listen', "~> 1.3")
s.add_runtime_dependency('maruku', "~> 0.7.0")
@@ -161,6 +161,7 @@ Gem::Specification.new do |s|
site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
+ site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
site/css/gridism.css
site/css/normalize.css
site/css/pygments.css
@@ -220,6 +221,7 @@ Gem::Specification.new do |s|
test/source/_data/products.yml
test/source/_includes/params.html
test/source/_includes/sig.markdown
+ test/source/_includes/tmp
test/source/_layouts/default.html
test/source/_layouts/post/simple.html
test/source/_layouts/simple.html
@@ -257,6 +259,7 @@ Gem::Specification.new do |s|
test/source/_posts/2013-05-10-number-category.textile
test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
test/source/_posts/2013-08-01-mkdn-extension.mkdn
+ test/source/_posts/2014-01-06-permalink-traversal.md
test/source/_posts/es/2008-11-21-nested.textile
test/source/about.html
test/source/category/_posts/2008-9-23-categories.textile
@@ -265,6 +268,7 @@ Gem::Specification.new do |s|
test/source/contacts/index.html
test/source/css/screen.css
test/source/deal.with.dots.html
+ test/source/exploit.md
test/source/foo/_posts/bar/2008-12-12-topical-post.textile
test/source/index.html
test/source/products.yml
diff --git a/lib/jekyll.rb b/lib/jekyll.rb
index 4d6af06..ed8ff22 100644
--- a/lib/jekyll.rb
+++ b/lib/jekyll.rb
@@ -63,7 +63,7 @@ require_all 'jekyll/tags'
SafeYAML::OPTIONS[:suppress_warnings] = true
module Jekyll
- VERSION = '1.4.2'
+ VERSION = '1.4.3'
# Public: Generate a Jekyll configuration Hash by merging the default
# options with anything in _config.yml, and adding the given options on top.
diff --git a/lib/jekyll/core_ext.rb b/lib/jekyll/core_ext.rb
index 54f7c9d..f3fa31b 100644
--- a/lib/jekyll/core_ext.rb
+++ b/lib/jekyll/core_ext.rb
@@ -78,6 +78,10 @@ class File
def self.read_with_options(path, opts = {})
self.read(path)
end
+
+ def self.realpath(filename)
+ Pathname.new(filename).realpath.to_s
+ end
else
def self.read_with_options(path, opts = {})
self.read(path, opts)
diff --git a/lib/jekyll/page.rb b/lib/jekyll/page.rb
index dd602a0..2690add 100644
--- a/lib/jekyll/page.rb
+++ b/lib/jekyll/page.rb
@@ -133,7 +133,7 @@ module Jekyll
#
# Returns the destination file path String.
def destination(dest)
- path = File.join(dest, self.url)
+ path = File.join(dest, File.expand_path(self.url, "/"))
path = File.join(path, "index.html") if self.url =~ /\/$/
path
end
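Review bot: The `File.expand_path(self.url, "/")` call on the changed line carries the whole permalink-traversal fix but has no comment, so a later "simplification" back to `File.join(dest, self.url)` would not look wrong. Suggest above it: `# Expand against "/" so any ../ segments in the permalink collapse before the join; the result cannot climb out of dest (#1944)`. Unlike `Post#destination` this path does not `CGI.unescape` the url, so an encoded `%2e%2e` stays a literal directory name here; a one-line note saying that is intentional would stop the next reader from "fixing" it.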
diff --git a/lib/jekyll/post.rb b/lib/jekyll/post.rb
index da64af9..776baf3 100644
--- a/lib/jekyll/post.rb
+++ b/lib/jekyll/post.rb
@@ -266,7 +266,7 @@ module Jekyll
# Returns destination file path String.
def destination(dest)
# The url needs to be unescaped in order to preserve the correct filename
- path = File.join(dest, CGI.unescape(self.url))
+ path = File.join(dest, File.expand_path(CGI.unescape(self.url), "/"))
path = File.join(path, "index.html") if path[/\.html$/].nil?
path
end
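Review bot: The order of `CGI.unescape` and `File.expand_path` on the changed line is security-critical — `%2e%2e` only becomes `..` after unescaping, so expanding first would leave the traversal intact — and nothing in the code says so. Suggest a comment above the line: `# Unescape first, then expand against "/": encoded ../ (e.g. %2e%2e) must be decoded before normalisation or it survives into the join (#1944)`. The existing comment about preserving the filename remains accurate and can stay.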
diff --git a/lib/jekyll/tags/include.rb b/lib/jekyll/tags/include.rb
index a261e6f..adcdedf 100644
--- a/lib/jekyll/tags/include.rb
+++ b/lib/jekyll/tags/include.rb
@@ -87,14 +87,13 @@ eos
end
def render(context)
- dir = File.join(context.registers[:site].source, INCLUDES_DIR)
- validate_dir(dir, context.registers[:site].safe)
+ dir = File.join(File.realpath(context.registers[:site].source), INCLUDES_DIR)
file = retrieve_variable(context) || @file
validate_file_name(file)
path = File.join(dir, file)
- validate_file(path, context.registers[:site].safe)
+ validate_path(path, dir, context.registers[:site].safe)
begin
partial = Liquid::Template.parse(source(path, context))
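Review bot: `File.realpath(context.registers[:site].source)` on the `dir =` line is the anchor the later prefix comparison in `validate_path` depends on, but nothing records that, so it looks like a redundant call that could be dropped. Suggest above it: `# Resolve the source dir first so the realpath prefix check in validate_path holds even when the site itself lives under a symlink`. Note that this raises `Errno::ENOENT` rather than the `IOError` the rest of this tag uses if the source directory is missing; whether callers handle that is not visible here, and the `begin` on the last line continues past the hunk.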
@@ -108,18 +107,16 @@ eos
end
end
- def validate_dir(dir, safe)
- if File.symlink?(dir) && safe
- raise IOError.new "Includes directory '#{dir}' cannot be a symlink"
+ def validate_path(path, dir, safe)
+ if safe && !realpath_prefixed_with?(path, dir)
+ raise IOError.new "The included file '#{path}' should exist and should not be a symlink"
+ elsif !File.exist?(path)
+ raise IOError.new "Included file '#{path}' not found"
end
end
- def validate_file(file, safe)
- if !File.exists?(file)
- raise IOError.new "Included file '#{@file}' not found in '#{INCLUDES_DIR}' directory"
- elsif File.symlink?(file) && safe
- raise IOError.new "The included file '#{INCLUDES_DIR}/#{@file}' should not be a symlink"
- end
+ def realpath_prefixed_with?(path, dir)
+ File.exist?(path) && File.realpath(path).start_with?(dir)
end
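Review bot: `realpath_prefixed_with?` uses `start_with?(dir)` with no trailing separator, so a symlink inside `_includes` that resolves to a sibling directory whose name merely begins with `_includes` (e.g. `<source>/_includes-private/secret`) passes the safe-mode check. Comparing against `File.join(dir, "")`, which yields `dir/`, closes that: `File.exist?(path) && File.realpath(path).start_with?(File.join(dir, ""))`. The deliberately uniform "should exist and should not be a symlink" message in `validate_path` also deserves a one-line comment saying it is intentional, so nobody later "improves" it into separate not-found and symlink messages that reveal whether a path outside the include dir exists.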
def blank?
diff --git a/lib/jekyll/url.rb b/lib/jekyll/url.rb
index 10e1cb5..813b9c8 100644
--- a/lib/jekyll/url.rb
+++ b/lib/jekyll/url.rb
@@ -50,6 +50,7 @@ module Jekyll
# Returns a sanitized String URL
def sanitize_url(in_url)
+
# Remove all double slashes
url = in_url.gsub(/\/\//, "/")
@@ -61,6 +62,7 @@ module Jekyll
# Always add a leading slash
url.gsub!(/\A([^\/])/, '/\1')
+
url
end
end
diff --git a/metadata.yml b/metadata.yml
index 3413174..9dbba01 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: jekyll
version: !ruby/object:Gem::Version
- version: 1.4.2
+ version: 1.4.3
platform: ruby
authors:
- Tom Preston-Werner
autorequire:
bindir: bin
cert_chain: []
-date: 2013-12-16 00:00:00.000000000 Z
+date: 2014-01-13 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: liquid
@@ -16,14 +16,14 @@ dependencies:
requirements:
- - ~>
- !ruby/object:Gem::Version
- version: 2.5.2
+ version: 2.5.5
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - ~>
- !ruby/object:Gem::Version
- version: 2.5.2
+ version: 2.5.5
- !ruby/object:Gem::Dependency
name: classifier
requirement: !ruby/object:Gem::Requirement
@@ -491,6 +491,7 @@ files:
- site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
- site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
- site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
+- site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
- site/css/gridism.css
- site/css/normalize.css
- site/css/pygments.css
@@ -587,6 +588,7 @@ files:
- test/source/_posts/2013-05-10-number-category.textile
- test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
- test/source/_posts/2013-08-01-mkdn-extension.mkdn
+- test/source/_posts/2014-01-06-permalink-traversal.md
- test/source/_posts/es/2008-11-21-nested.textile
- test/source/about.html
- test/source/category/_posts/2008-9-23-categories.textile
@@ -595,6 +597,7 @@ files:
- test/source/contacts/index.html
- test/source/css/screen.css
- test/source/deal.with.dots.html
+- test/source/exploit.md
- test/source/foo/_posts/bar/2008-12-12-topical-post.textile
- test/source/index.html
- test/source/products.yml
diff --git a/site/_posts/2013-12-16-jekyll-1-4-2-released.markdown b/site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
index 6bc6471..afc9214 100644
--- a/site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
+++ b/site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
@@ -14,3 +14,5 @@ default to `true`.
If you do not wish to use Maruku fenced code blocks, you may turn this option
off in your site's configuration file.
+
+[a regression]: https://github.com/jekyll/jekyll/pull/1830
diff --git a/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown b/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
new file mode 100644
index 0000000..82a9134
--- /dev/null
+++ b/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
@@ -0,0 +1,27 @@
+---
+layout: news_item
+title: 'Jekyll 1.4.3 Released'
+date: 2014-01-13 17:43:32 -0800
+author: benbalter
+version: 1.4.3
+categories: [release]
+---
+
+Jekyll 1.4.3 contains two **critical** security fixes. If you run Jekyll locally
+and do not run Jekyll in "safe" mode (e.g. you do not build Jekyll sites on behalf
+of others), you are not affected and are not required to update at this time.
+([See pull request.]({{ site.repository }}/pull/1944))
+
+Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious
+users to expose the content of files outside the source directory in the
+generated output via improper symlink sanitization, potentially resulting in an
+inadvertent information disclosure.
+
+Versions of Jekyll prior to 1.4.3 may also allow malicious users to write
+arbitrary `.html` files outside of the destination folder via relative path
+traversal, potentially overwriting otherwise-trusted content with arbitrary HTML
+or Javascript depending on your server's configuration.
+
+*Maintainer's note: Many thanks to @gregose and @charliesome for discovering
+these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.
+- at parkr*
diff --git a/site/docs/history.md b/site/docs/history.md
index db10e10..2e98d9a 100644
--- a/site/docs/history.md
+++ b/site/docs/history.md
@@ -1,10 +1,26 @@
----
-layout: docs
+---
+prev_section: contributing
title: History
+layout: docs
permalink: /docs/history/
-prev_section: contributing
---
+## 1.4.3 / 2014-01-13
+
+### Bug Fixes
+
+- Patch show-stopping security vulnerabilities ([#1944]({{ site.repository }}/issues/1944))
+
+## 1.4.2 / 2013-12-16
+
+### Bug Fixes
+- Turn on Maruku fenced code blocks by default ([#1830]({{ site.repository }}/issues/1830))
+
+## 1.4.1 / 2013-12-09
+
+### Bug Fixes
+- Don't allow nil entries when loading posts ([#1796]({{ site.repository }}/issues/1796))
+
## 1.4.0 / 2013-12-07
### Major Enhancements
diff --git a/test/source/_posts/2014-01-06-permalink-traversal.md b/test/source/_posts/2014-01-06-permalink-traversal.md
new file mode 100644
index 0000000..c3f77d1
--- /dev/null
+++ b/test/source/_posts/2014-01-06-permalink-traversal.md
@@ -0,0 +1,5 @@
+---
+permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
+---
+
+# Test
diff --git a/test/source/exploit.md b/test/source/exploit.md
new file mode 100644
index 0000000..c3f77d1
--- /dev/null
+++ b/test/source/exploit.md
@@ -0,0 +1,5 @@
+---
+permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
+---
+
+# Test
diff --git a/test/test_generated_site.rb b/test/test_generated_site.rb
index 801675b..866f753 100644
--- a/test/test_generated_site.rb
+++ b/test/test_generated_site.rb
@@ -14,7 +14,7 @@ class TestGeneratedSite < Test::Unit::TestCase
end
should "ensure post count is as expected" do
- assert_equal 36, @site.posts.size
+ assert_equal 37, @site.posts.size
end
should "insert site.posts into the index" do
diff --git a/test/test_page.rb b/test/test_page.rb
index e319056..9829b00 100644
--- a/test/test_page.rb
+++ b/test/test_page.rb
@@ -101,6 +101,16 @@ class TestPage < Test::Unit::TestCase
assert_equal @page.permalink, @page.url
assert_equal "/about/", @page.dir
end
+
+ should "not be writable outside of destination" do
+ unexpected = File.expand_path("../../../baddie.html", dest_dir)
+ File.delete unexpected if File.exist?(unexpected)
+ page = setup_page("exploit.md")
+ do_render(page)
+ page.write(dest_dir)
+
+ assert !File.exist?(unexpected)
+ end
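Review bot: The new test only asserts that the traversal target is absent, so a regression that drops the write entirely would still pass, unlike the sibling post test which also pins the in-destination location. After `page.write(dest_dir)` add `written = page.destination(dest_dir)`, `assert written.start_with?(dest_dir)` and `assert File.exist?(written)`. Asserting via `destination` avoids hard-coding the path, which is not obvious here because `Page#destination` does not unescape the permalink the way `Post#destination` does.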
end
context "with specified layout of nil" do
diff --git a/test/test_post.rb b/test/test_post.rb
index a61fc67..2e7a32c 100644
--- a/test/test_post.rb
+++ b/test/test_post.rb
@@ -75,6 +75,17 @@ class TestPost < Test::Unit::TestCase
assert_equal "/my_category/permalinked-post", @post.url
end
+ should "not be writable outside of destination" do
+ unexpected = File.expand_path("../../../baddie.html", dest_dir)
+ File.delete unexpected if File.exist?(unexpected)
+ post = setup_post("2014-01-06-permalink-traversal.md")
+ do_render(post)
+ post.write(dest_dir)
+
+ assert !File.exist?(unexpected)
+ assert File.exist?(File.expand_path("baddie.html", dest_dir))
+ end
+
context "with CRLF linebreaks" do
setup do
@real_file = "2009-05-24-yaml-linebreak.markdown"
diff --git a/test/test_tags.rb b/test/test_tags.rb
index 0368c6d..bda7a80 100644
--- a/test/test_tags.rb
+++ b/test/test_tags.rb
@@ -347,6 +347,41 @@ CONTENT
end
context "include tag with parameters" do
+
+ context "with symlink'd include" do
+
+ should "not allow symlink includes" do
+ File.open("/tmp/pages-test", 'w') { |file| file.write("SYMLINK TEST") }
+ assert_raise IOError do
+ content = <<CONTENT
+---
+title: Include symlink
+---
+
+{% include tmp/pages-test %}
+
+CONTENT
+ create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
+ end
+ assert_no_match /SYMLINK TEST/, @result
+ end
+
+ should "not expose the existence of symlinked files" do
+ ex = assert_raise IOError do
+ content = <<CONTENT
+---
+title: Include symlink
+---
+
+{% include tmp/pages-test-does-not-exist %}
+
+CONTENT
+ create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
+ end
+ assert_match /should exist and should not be a symlink/, ex.message
+ end
+ end
+
context "with one parameter" do
setup do
content = <<CONTENT
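Review bot: In "not allow symlink includes", `assert_no_match /SYMLINK TEST/, @result` never checks this test's output: `create_post` raises inside the `assert_raise` block, so `@result` is whatever a previous test left behind (or nil). The test also asserts only the exception class; to show the existing-symlink and missing-file cases are indistinguishable — the point of the second test — capture the error as the second test does and add `assert_match /should exist and should not be a symlink/, ex.message`. The fixture writes a hard-coded `/tmp/pages-test` and never removes it; a `teardown { File.delete('/tmp/pages-test') if File.exist?('/tmp/pages-test') }` keeps runs independent, though the `/tmp` location itself is presumably fixed by the `test/source/_includes/tmp` entry the gemspec adds.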