Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Patch show-stopping security vulnerabilities #1946

Merged
merged 17 commits into from
Feb 17, 2014
Merged

Patch show-stopping security vulnerabilities #1946

merged 17 commits into from
Feb 17, 2014

Conversation

parkr
Copy link
Member

@parkr parkr commented Jan 14, 2014

Duplicate of #1944 for master (1944 patched v1-stable).

benbalter and others added 13 commits January 13, 2014 22:21
@benbalter @parkr
failing test
9e796d0 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
url escape before sanitizing
9b3068c 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
fix failing post count test
f49ee21 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
test multiple traversals
0acbe95 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
add symlink failing test
dfec551 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
unbreak tests
f570a93 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
fix symlink so tests fail
ce425ee 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
rebreak tests, move sanitization closer to write
323d148 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
test symlinkd dir, not file
4e318cd 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
patch symlink vuln and properly test
a799e41 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
escape relative post permalinks, cleanup
c84cb5c 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@alindeman @parkr
Prevents disclosure of file existence
a8dd344 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@benbalter @parkr
sanity check for pages permalink traversal
e3be74e 
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
@mattr-
Copy link
Member

mattr- commented Jan 16, 2014

LGTM! We're not waiting on the fixes for Windows to merge this in, are we?

@parkr
Copy link
Member Author

parkr commented Jan 16, 2014

Yeah, these presently only function on Unix machines (where the root of the filesystem is /).

@parkr parkr mentioned this pull request Jan 25, 2014
Closed
@parkr parkr mentioned this pull request Feb 8, 2014
Closed
parkr added a commit that referenced this pull request Feb 17, 2014
@parkr
Merge pull request #1946 from jekyll/security-vuln-patches
3e91030
@parkr parkr merged commit 3e91030 into master Feb 17, 2014
parkr added a commit that referenced this pull request Feb 17, 2014
@parkr
Update history to reflect merge of #1946 [ci skip]
84471ba
parkr added a commit that referenced this pull request Feb 18, 2014
@parkr
Sanitize paths uniformly, in a Windows-friendly way.
85ed29d 
Fixes kinda a #1948 thing.
Related to #1946.
@parkr parkr mentioned this pull request Feb 18, 2014
Merged
parkr added a commit that referenced this pull request Feb 18, 2014
@parkr
Sanitize paths uniformly, in a Windows-friendly way.
d107ca2 
Fixes kinda a #1948 thing.
Related to #1946.
parkr added a commit that referenced this pull request Feb 20, 2014
@parkr
Sanitize paths uniformly, in a Windows-friendly way.
0d382c8 
Fixes kinda a #1948 thing.
Related to #1946.
parkr added a commit that referenced this pull request Feb 24, 2014
@parkr
Sanitize paths uniformly, in a Windows-friendly way.
57d0746 
Fixes kinda a #1948 thing.
Related to #1946.
@parkr parkr deleted the security-vuln-patches branch March 4, 2014 01:09
@jekyll jekyll locked and limited conversation to collaborators Feb 27, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
fix frozen-due-to-age
Projects
None yet
Milestone
2.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@parkr @mattr- @jekyllbot @benbalter @alindeman