Jekyll.sanitized_path: escape tildes before sanitizing a questionable path #4468

Merged
merged 2 commits into 3.0-stable from escape-the-tildes on Feb 8, 2016

@parkr
Member

parkr commented Feb 3, 2016

Fixes #4457.

/cc @benbalter

@parkr parkr added the fix label Feb 3, 2016

@parkr parkr added this to the 3.0.3 milestone Feb 3, 2016

@@ -153,8 +153,9 @@ def sites
def sanitized_path(base_directory, questionable_path)
return base_directory if base_directory.eql?(questionable_path)
questionable_path.insert(0, '/') if questionable_path.start_with?('~')
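Review bot: `questionable_path.insert(0, '/')` on the added line mutates the caller's string in place (String#insert is destructive), so the argument handed to `sanitized_path` changes as a side effect and a frozen string raises instead of being sanitized; a non-mutating form such as `questionable_path = "/#{questionable_path}"` or `questionable_path = questionable_path.dup.insert(0, '/')` avoids both. The prefix itself is the right fix, since `File.expand_path` only performs home-directory expansion on a `~` at the very start of the path, and it also closes the case the ArgumentError hides: a `~user` naming an existing account would expand to that user's home directory, outside `base_directory`, rather than raising. A test covering that second path alongside the `~$microsoftSwp.docx` case would document why the escape is needed.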

@parkr
Member

parkr commented Feb 4, 2016
@mastahyeti Hello! Could I borrow your 👀 for a quick moment? We're seeing issues with questionable paths which start with ~, such as ~$microsoftSwp.docx. This is an attempt to fix the ArgumentError. Is it safe? 🔒

>> File.expand_path('~$microsoftSwp.docx', '/')
ArgumentError: user $microsoftSwp.docx doesn't exist
    from (irb):1:in `expand_path'
    from (irb):1
    from /Users/parkr/.rbenv/versions/2.3.0/bin/irb:11:in `<main>'
>> File.expand_path('/~$microsoftSwp.docx', '/')
=> "/~$microsoftSwp.docx"

Figured I'd ask you before merging in Jekyll so we can get some extra reassurances. ❤️

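An added example, not Jekyll's own code and not part of parkr's irb session above: it reproduces the ArgumentError for a `~`-prefixed name, shows that a leading `/` makes `File.expand_path` treat the tilde as an ordinary character, and builds a sanitizer that confines the expanded path to a base directory without mutating its argument. The function names, the base directory `/srv/site` and the sample paths are assumptions made for this illustration.

```ruby
# Added example (not Jekyll's code). Function names, the base directory and the
# sample paths are assumptions for this illustration.

# File.expand_path interprets a leading "~" as a home directory: "~" alone is
# $HOME, "~name" is that account's home. For a site-relative file name such as
# "~$microsoftSwp.docx" the account lookup fails and raises ArgumentError.
# Returns the error message, or nil when expansion succeeded.
def tilde_expansion_error(path)
  File.expand_path(path, "/")
  nil
rescue ArgumentError => e
  e.message
end

# Putting "/" in front turns the "~" into an ordinary directory name: expansion
# then only normalises the path (".." and "." segments, duplicate separators)
# and never consults the passwd database or $HOME. Returns a new string.
def escape_tilde(path)
  path.start_with?("~") ? "/#{path}" : path
end

# Resolve questionable_path into an absolute path that lies inside
# base_directory. Anything that would escape (by "..", by an absolute path, or
# by a "~user" that names an existing account) is re-rooted under the base.
# The argument is never mutated, so frozen strings are safe to pass.
def confined_path(base_directory, questionable_path)
  base = File.expand_path(base_directory)
  return base if base == questionable_path

  clean = File.expand_path(escape_tilde(questionable_path), "/")
  return clean if clean == base || clean.start_with?("#{base}/")

  File.join(base, clean)
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/site"
  ["~$microsoftSwp.docx", "~root/.ssh/id_rsa", "../../etc/passwd",
   "/etc/passwd", "posts/hello.md"].each do |p|
    puts "#{p.inspect} -> #{confined_path(base, p)}"
  end

  # Without the escape, a name that matches an existing account resolves to
  # that account's home, outside the base; an unknown account raises instead.
  begin
    puts "unescaped ~root -> #{File.expand_path("~root/.ssh/id_rsa", "/")}"
  rescue ArgumentError => e
    puts "unescaped ~root -> #{e.message}"
  end
end
```

The early return on `base == questionable_path` mirrors the check in the hunk; the confinement step is what turns a traversal or home-directory escape into a path under the site rather than an error, which is the behaviour a static-site build wants for untrusted file names.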
@mastahyeti
Contributor

mastahyeti commented Feb 5, 2016

Seems fine. Thanks for asking.

@parkr
Member
parkr commented Feb 4, 2016

@benbalter We can't in a PATCH release, but maybe for Jekyll v3.2, we ignore files that start with ~?

@benbalter
Contributor

benbalter commented Feb 4, 2016

> @benbalter We can't in a PATCH release, but maybe for Jekyll v3.2, we ignore files that start with ~?

Is there a legitimate use case for publishing files starting with a ~?

@parkr
Member

parkr commented Feb 4, 2016

> Is there a legitimate use case for publishing files starting with a ~?

Considering I didn't catch this bug beforehand, I would say "no". If you have https://example.com/~benbalter/ that usually maps specially for your server to some /home/benbalter/public_html folder or something. That's what we did at McGill CS way back in the day. So no, generally ~ is considered "special."

@benbalter
Contributor

benbalter commented Feb 5, 2016

👍

parkr added a commit that referenced this pull request Feb 8, 2016

Merge pull request #4468 from jekyll/escape-the-tildes
Jekyll.sanitized_path: escape tildes before sanitizing a questionable path

@parkr parkr merged commit c2a75de into 3.0-stable Feb 8, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@parkr parkr deleted the escape-the-tildes branch Feb 8, 2016

@jekyll jekyll locked and limited conversation to collaborators Feb 27, 2017