Patch show-stopping security vulnerabilities

[parkr]

Two vulnerabilities found:

1. Post#destination allows path traversal due to the CGI.unescape called prior to the post URL being used in the generation of the output file path. URL escaped characters can be used in a permalink to bypass the filtering provided by URL#sanitize_url. (@gregose)
2. Arbitrary file reads via symlinks: it's possible to read anywhere on the filesystem by placing a symlink to a directory in _includes. (@charliesome)

GitHub Pages has already been patched. It is strongly recommended that any other Jekyll hosts upgrade to v1.4.3 when it lands (tonight).

[shiyj]

Have you test this on windows?

D:\appstore\rubyapp\shiyj-jekyll>irb
irb(main):001:0> url="/tags/aaa.html"
=> "/tags/aaa.html"
irb(main):002:0> File.expand_path(url,"/")
=> "D:/tags/aaa.html"

[shiyj]

the result of expand_path is #{disk drive number} + #{url} on ruby1.93,windows.
so I'll get a path like "d:/jekyll/_site/d:/tags/aaa.html" after the destination method,
while the "d:/jekyll/_site/tags/aaa.html" is what i want.

[parkr]

Yep, we're aware of this problem (#1948). Basically what we're trying to do is this:

1. Get the inputted URL's absolute path (as though it were in a browser, relative to the base FQDN)
2. Append it to the destination directory

Goal: Don't allow any URL's to be outside the destination directory.

This fix works for unix systems where / is the root of the filesystem, but not for Windows. How would you suggest fixing it? Remove (\w+:)\/?