Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upPatch show-stopping security vulnerabilities #1944
Conversation
benbalter
and others
added some commits
Jan 7, 2014
ghost
assigned
mattr-
Jan 14, 2014
added a commit
that referenced
this pull request
Jan 14, 2014
parkr
merged commit 71bb028
into
v1-stable
Jan 14, 2014
1 check failed
added a commit
that referenced
this pull request
Jan 14, 2014
parkr
deleted the
vuln-patch
branch
Jan 14, 2014
parkr
referenced this pull request
Jan 14, 2014
Merged
Patch show-stopping security vulnerabilities #1946
parkr
referenced this pull request
Jan 25, 2014
Closed
[windows 1.4.3] mkdir error when generate target file in _site #1986
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
shiyj
Jan 27, 2014
Have you test this on windows?
D:\appstore\rubyapp\shiyj-jekyll>irb
irb(main):001:0> url="/tags/aaa.html"
=> "/tags/aaa.html"
irb(main):002:0> File.expand_path(url,"/")
=> "D:/tags/aaa.html"
shiyj
commented on lib/jekyll/page.rb in 3901c88
Jan 27, 2014
|
Have you test this on windows? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
shiyj
Jan 27, 2014
the result of expand_path is #{disk drive number} + #{url} on ruby1.93,windows.
so I'll get a path like "d:/jekyll/_site/d:/tags/aaa.html" after the destination method,
while the "d:/jekyll/_site/tags/aaa.html" is what i want.
shiyj
replied
Jan 27, 2014
|
the result of |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
parkr
Jan 27, 2014
Member
Yep, we're aware of this problem (#1948). Basically what we're trying to do is this:
- Get the inputted URL's absolute path (as though it were in a browser, relative to the base FQDN)
- Append it to the destination directory
Goal: Don't allow any URL's to be outside the destination directory.
This fix works for unix systems where / is the root of the filesystem, but not for Windows. How would you suggest fixing it? Remove (\w+:)\/?
|
Yep, we're aware of this problem (#1948). Basically what we're trying to do is this:
Goal: Don't allow any URL's to be outside the destination directory. This fix works for unix systems where |
parkr commentedJan 14, 2014
Two vulnerabilities found:
Post#destinationallows path traversal due to theCGI.unescapecalled prior to the post URL being used in the generation of the output file path. URL escaped characters can be used in a permalink to bypass the filtering provided byURL#sanitize_url. (@gregose)_includes. (@charliesome)GitHub Pages has already been patched. It is strongly recommended that any other Jekyll hosts upgrade to v1.4.3 when it lands (tonight).