New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

3.6.x: security: fix `include` bypass of `EntryFilter#filter` symlink check #7229

Merged
merged 2 commits into from Sep 19, 2018

Conversation

Projects
None yet
7 participants
@parkr
Member

parkr commented Sep 7, 2018

Backports #7226 for the 3.6.x series of releases.

@parkr parkr changed the base branch from master to 3.6-stable Sep 7, 2018

@DirtyF

DirtyF approved these changes Sep 7, 2018

@oe

oe approved these changes Sep 7, 2018

@DirtyF

This comment has been minimized.

Member

DirtyF commented Sep 19, 2018

@jekyllbot: merge +bug

@jekyllbot jekyllbot merged commit caddaeb into 3.6-stable Sep 19, 2018

1 check passed

WIP ready for review
Details

@jekyllbot jekyllbot added bug fix labels Sep 19, 2018

@jekyllbot jekyllbot deleted the 3.6-stable-backport-7226 branch Sep 19, 2018

@bh-e

This comment has been minimized.

@parkr ,
I don't understand the need of this. Can you help me :)

This comment has been minimized.

Member

ashmaroli replied Oct 5, 2018

@bh-e This is a test file.
This is to test whether a symlink to an user's /etc/passwd can be rendered by Jekyll which is the "Security Issue" this patch is meant for..

This comment has been minimized.

bh-e replied Oct 5, 2018

Thanks @ashmaroli ,
I see that in test/test_layout_reader.rb. But why mentioning /etc/passwd in this directory which I don't understand.

This comment has been minimized.

This comment has been minimized.

bh-e replied Oct 5, 2018

@pathawks , oops I missed that .
Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment