Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Patch show-stopping security vulnerabilities #1944

Merged
merged 14 commits into from Jan 14, 2014
Merged

Patch show-stopping security vulnerabilities #1944

merged 14 commits into from Jan 14, 2014

Conversation

parkr
Copy link
Member

@parkr parkr commented Jan 14, 2014

Two vulnerabilities found:

  1. Post#destination allows path traversal due to the CGI.unescape called prior to the post URL being used in the generation of the output file path. URL escaped characters can be used in a permalink to bypass the filtering provided by URL#sanitize_url. (@gregose)
  2. Arbitrary file reads via symlinks: it's possible to read anywhere on the filesystem by placing a symlink to a directory in _includes. (@charliesome)

GitHub Pages has already been patched. It is strongly recommended that any other Jekyll hosts upgrade to v1.4.3 when it lands (tonight).

benbalter and others added 13 commits January 13, 2014 17:22
@benbalter @parkr
failing test
823f875 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
url escape before sanitizing
a06dff4 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
fix failing post count test
827eed7 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
test multiple traversals
93a6d4d 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
add symlink failing test
0339710 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
unbreak tests
69b4399 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
fix symlink so tests fail
e7cf42b 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
rebreak tests, move sanitization closer to write
6277335 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
test symlinkd dir, not file
b1a7e14 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
patch symlink vuln and properly test
98b366e 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
escape relative post permalinks, cleanup
10d1f49 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
sanity check for pages permalink traversal
3901c88 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@alindeman @parkr
Prevents disclosure of file existence
b55fb3d 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@ghost ghost assigned mattr- Jan 14, 2014
parkr added a commit that referenced this pull request Jan 14, 2014
@parkr
Merge pull request #1944 from jekyll/vuln-patch
71bb028
@parkr parkr merged commit 71bb028 into v1-stable Jan 14, 2014
parkr added a commit that referenced this pull request Jan 14, 2014
@parkr
Update history to reflect merge of #1944
5325903
@parkr parkr deleted the vuln-patch branch January 14, 2014 01:43
@parkr parkr mentioned this pull request Jan 14, 2014
Merged
@parkr parkr mentioned this pull request Jan 25, 2014
Closed
@parkr parkr mentioned this pull request Oct 15, 2015
Closed
@jekyll jekyll locked and limited conversation to collaborators Feb 27, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
frozen-due-to-age
Projects
None yet
Milestone
1.4.3
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@parkr @shiyj @mattr- @jekyllbot @benbalter @alindeman