New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch show-stopping security vulnerabilities #1944

merged 14 commits into from Jan 14, 2014


None yet
6 participants

parkr commented Jan 14, 2014

Two vulnerabilities found:

  1. Post#destination allows path traversal due to the CGI.unescape called prior to the post URL being used in the generation of the output file path. URL escaped characters can be used in a permalink to bypass the filtering provided by URL#sanitize_url. (@gregose)
  2. Arbitrary file reads via symlinks: it's possible to read anywhere on the filesystem by placing a symlink to a directory in _includes. (@charliesome)

GitHub Pages has already been patched. It is strongly recommended that any other Jekyll hosts upgrade to v1.4.3 when it lands (tonight).

benbalter and others added some commits Jan 7, 2014

failing test
Signed-off-by: Parker Moore <>
url escape before sanitizing
Signed-off-by: Parker Moore <>
fix failing post count test
Signed-off-by: Parker Moore <>
test multiple traversals
Signed-off-by: Parker Moore <>
add symlink failing test
Signed-off-by: Parker Moore <>
unbreak tests
Signed-off-by: Parker Moore <>
fix symlink so tests fail
Signed-off-by: Parker Moore <>
rebreak tests, move sanitization closer to write
Signed-off-by: Parker Moore <>
test symlinkd dir, not file
Signed-off-by: Parker Moore <>
patch symlink vuln and properly test
Signed-off-by: Parker Moore <>
escape relative post permalinks, cleanup
Signed-off-by: Parker Moore <>
Prevents disclosure of file existence
Signed-off-by: Parker Moore <>
sanity check for pages permalink traversal
Signed-off-by: Parker Moore <>

@ghost ghost assigned mattr- Jan 14, 2014

parkr added a commit that referenced this pull request Jan 14, 2014

@parkr parkr merged commit 71bb028 into v1-stable Jan 14, 2014

1 check failed

default The Travis CI build failed

parkr added a commit that referenced this pull request Jan 14, 2014

@parkr parkr deleted the vuln-patch branch Jan 14, 2014


This comment has been minimized.

shiyj commented on lib/jekyll/page.rb in 3901c88 Jan 27, 2014

Have you test this on windows?

irb(main):001:0> url="/tags/aaa.html"
=> "/tags/aaa.html"
irb(main):002:0> File.expand_path(url,"/")
=> "D:/tags/aaa.html"

This comment has been minimized.

shiyj replied Jan 27, 2014

the result of expand_path is #{disk drive number} + #{url} on ruby1.93,windows.
so I'll get a path like "d:/jekyll/_site/d:/tags/aaa.html" after the destination method,
while the "d:/jekyll/_site/tags/aaa.html" is what i want.

This comment has been minimized.


parkr replied Jan 27, 2014

Yep, we're aware of this problem (#1948). Basically what we're trying to do is this:

  1. Get the inputted URL's absolute path (as though it were in a browser, relative to the base FQDN)
  2. Append it to the destination directory

Goal: Don't allow any URL's to be outside the destination directory.

This fix works for unix systems where / is the root of the filesystem, but not for Windows. How would you suggest fixing it? Remove (\w+:)\/?

@parkr parkr referenced this pull request Oct 15, 2015


Jekyll fails finding files #3248

@jekyll jekyll locked and limited conversation to collaborators Feb 27, 2017

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.