layout: news_item title: ‘Jekyll 1.5.1 Released’ date: 2014-03-27 22:43:48 -0400 author: parkr version: 1.5.1
categories: [release]
The hawk-eyed @gregose spotted a bug in our
Jekyll.sanitized_path code:
{% highlight ruby %}
sanitized_path(“/tmp/foobar/jail”, “..c:/..c:/..c:/etc/passwd”) => “/tmp/foobar/jail/../../../etc/passwd” {% endhighlight %}
Well, we can’t have that! In 1.5.1, you’ll instead see:
{% highlight ruby %}
sanitized_path(“/tmp/foobar/jail”, “..c:/..c:/..c:/etc/passwd”) => “/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd” {% endhighlight %}
Luckily not affecting 1.4.x, this fix will make 1.5.0 that much safer for the masses. Thanks, Greg!
若有收获,就点个赞吧
0 人点赞
