Patch show-stopping security vulnerabilities #1946

Merged
merged 17 commits into master from security-vuln-patches on Feb 17, 2014

parkr (Member) commented Jan 14, 2014

Duplicate of #1944 for master (1944 patched v1-stable).

benbalter and others added some commits Jan 7, 2014

failing test
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
url escape before sanitizing
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
fix failing post count test
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
test multiple traversals
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
add symlink failing test
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
unbreak tests
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
fix symlink so tests fail
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
rebreak tests, move sanitization closer to write
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
test symlinked dir, not file
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
patch symlink vuln and properly test
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
escape relative post permalinks, cleanup
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
Prevents disclosure of file existence
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
sanity check for pages permalink traversal
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
mattr- (Member) commented Jan 16, 2014

LGTM! We're not waiting on the fixes for Windows to merge this in, are we?

parkr (Member) commented Jan 16, 2014

Yeah, these presently only function on Unix machines (where the root of the filesystem is /).
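The checks the commits above name (decode before sanitizing, refuse `..` traversal, refuse symlinks that leave the site tree, and report every rejection the same way so that file existence is not disclosed), written out as an added Ruby example. This is not the code merged in this pull request; the function names `sanitized_path`, `safe_path` and `demo`, and the temporary-directory layout with an `escape` symlink, are constructed for the illustration. As the comment above notes, this only holds on Unix-style filesystems.

```ruby
require "fileutils"
require "tmpdir"

# Raised for every rejected path. One class and one message, whether the
# target exists or not, so an attacker learns nothing about the filesystem.
class PathEscapesBase < StandardError; end

REJECT_MSG = "path resolves outside the site directory"

def inside?(base_real, path)
  path == base_real || path.start_with?(base_real + File::SEPARATOR)
end

# Step 1: decode percent-escapes BEFORE any traversal check, otherwise
# "%2e%2e/" is only turned into "../" after the check has already passed.
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Step 2: resolve the candidate relative to base and reject ".." escapes.
# A leading "/" is treated as relative to the site root, not the filesystem root.
def sanitized_path(base, questionable)
  base_real = File.realpath(base)
  relative  = percent_decode(questionable.to_s).sub(%r{\A/+}, "")
  candidate = File.expand_path(relative, base_real)
  raise PathEscapesBase, REJECT_MSG unless inside?(base_real, candidate)
  candidate
end

# Step 3: follow symlinks on the deepest existing ancestor so that a
# symlinked directory (not just a symlinked file) cannot lead outside base.
def safe_path(base, questionable)
  base_real = File.realpath(base)
  candidate = sanitized_path(base, questionable)
  existing  = candidate
  existing  = File.dirname(existing) until File.exist?(existing)
  real      = File.realpath(existing)
  raise PathEscapesBase, REJECT_MSG unless inside?(base_real, real)
  real + candidate[existing.length..]
end

# Constructed demo: a site dir, a directory outside it, and a symlink from
# inside the site pointing at the outside directory. Returns, for each
# input, either the path relative to the site root or :rejected.
def demo
  Dir.mktmpdir("sanitize-demo") do |tmp|
    base    = File.join(tmp, "site")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p([File.join(base, "posts"), outside])
    File.write(File.join(outside, "secret.txt"), "not for publishing")
    File.symlink(outside, File.join(base, "escape"))

    inputs = [
      "posts/hello.html",          # ordinary page
      "/posts/hello.html",         # leading slash is site-relative
      "../../etc/passwd",          # plain traversal
      "%2e%2e/%2e%2e/etc/passwd",  # encoded traversal
      "escape/secret.txt",         # symlinked directory leaving the site
    ]
    inputs.each_with_object({}) do |input, results|
      results[input] =
        begin
          safe_path(base, input).delete_prefix(File.realpath(base))
        rescue PathEscapesBase
          :rejected
        end
    end
  end
end

puts demo.map { |k, v| "#{k.ljust(26)} => #{v}" } if $PROGRAM_NAME == __FILE__
```

The symlink check is applied to the deepest ancestor that already exists rather than to the leaf alone, which is the case the "test symlinked dir, not file" commit is about: a symlinked directory with a not-yet-existing file underneath it would otherwise pass a check that only called `realpath` on the final path.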

parkr referenced this pull request Feb 8, 2014

Closed

v1.4.3 is broken on Windows #1948

parkr added a commit that referenced this pull request Feb 17, 2014

parkr merged commit 3e91030 into master Feb 17, 2014

1 check passed: the Travis CI build passed

parkr added a commit that referenced this pull request Feb 17, 2014

parkr added a commit that referenced this pull request Feb 18, 2014

parkr added a commit that referenced this pull request Feb 18, 2014

parkr added a commit that referenced this pull request Feb 20, 2014

parkr added a commit that referenced this pull request Feb 24, 2014

parkr deleted the security-vuln-patches branch Mar 4, 2014

jekyll locked and limited conversation to collaborators Feb 27, 2017