
restrict include filenames

1 parent d0fbfca · commit 8a2a42ba7142f705bb2ef31ec204d0e3c3beef75 · mojombo committed Dec 22, 2008
Showing with 13 additions and 1 deletion.
  1. +1 −0 History.txt
  2. +12 −1 lib/jekyll/tags/include.rb
History.txt
@@ -6,6 +6,7 @@
* Added new date filter that shows the full month name [github.com/mreid]
* Make post's YAML front matter available as post.data [github.com/remi]
* Merge Post's YAML front matter into its to_liquid payload [github.com/remi]
+ * Restrict includes to regular files underneath _includes
* Bug Fixes
* Change YAML delimiter matcher so as to not chew up 2nd level markdown headers [github.com/mreid]
* Fix bug that meant page data (such as the date) was not available in templates [github.com/mreid]
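Review bot: the new changelog entry under-documents the change: the include tag in this same commit also limits include names to the character class `[a-zA-Z0-9_\/\.-]`, so any existing `{% include %}` whose filename contains a space or other character will now render an error string instead of its contents. That is a user-visible behaviour change and should be stated in the entry, for example `* Restrict includes to regular files underneath _includes; include names may only contain letters, digits, '_', '-', '.' and '/'`.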
lib/jekyll/tags/include.rb
@@ -7,7 +7,18 @@ def initialize(tag_name, file, tokens)
end
def render(context)
- File.read(File.join(Jekyll.source, '_includes', @file))
+ if @file !~ /^[a-zA-Z0-9_\/\.-]+$/ || @file =~ /\.\// || @file =~ /\/\./
+ return "Include file '#{@file}' contains invalid characters or sequences"
+ end
+
+ Dir.chdir(File.join(Jekyll.source, '_includes')) do
+ choices = Dir['**/*'].reject { |x| File.symlink?(x) }
+ if choices.include?(@file)
+ File.read(@file)
+ else
+ "Included file '#{@file}' not found in _includes directory"
+ end
+ end
end
end
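Review bot: the whitelist built in the `Dir.chdir` block does not actually restrict includes to regular files, although the changelog says so: `Dir['**/*']` also returns directory entries, and the `reject` only drops symlinks, so `{% include subdir %}` naming a subdirectory of `_includes` passes `choices.include?(@file)` and `File.read(@file)` then raises Errno::EISDIR, aborting the build instead of returning the "not found" string. Filter with `File.file?` as well (it follows symlinks, so keep the symlink test): `choices = Dir['**/*'].reject { |x| File.symlink?(x) || !File.file?(x) }`. Two smaller points on the same hunk: the first guard uses `^` and `$`, which in Ruby match at line boundaries rather than string boundaries, so a value containing a newline satisfies `/^[a-zA-Z0-9_\/\.-]+$/` as long as one of its lines is clean; the membership check still catches it, but use `\A` and `\z` so the two checks agree, and because `File.symlink?` only inspects the final path component, a regular file reached through a symlinked subdirectory is still accepted if the glob descended into that directory. Finally, `Dir.chdir` changes the process-wide working directory and the glob is re-run for every include rendered, so building the list once (with `File.join(Jekyll.source, '_includes', x)` paths) rather than per render would be cheaper and avoids the chdir side effect.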
