Merge pull request #4710 from fenollp/safe-symlinks

Merge pull request 4710
2026-04-06 03:01:43 -04:00 · 2016-04-21 17:38:00 -07:00
parent 1ac9c21956 9347e90a67
commit 1d788203df
6 changed files with 29 additions and 18 deletions
--- a/lib/jekyll/collection.rb
+++ b/lib/jekyll/collection.rb
@@ -94,7 +94,7 @@ module Jekyll
        Dir.chdir(directory) do
          entry_filter.filter(entries).reject do |f|
            path = collection_dir(f)
-            File.directory?(path) || (File.symlink?(f) && site.safe)
+            File.directory?(path) || entry_filter.symlink?(f)
          end
        end
    end
@@ -135,7 +135,7 @@ module Jekyll
    # Returns false if the directory doesn't exist or if it's a symlink
    #   and we're in safe mode.
    def exists?
-      File.directory?(directory) && !(File.symlink?(directory) && site.safe)
+      File.directory?(directory) && !entry_filter.symlink?(directory)
    end

    # The entry filter for this collection.
--- a/lib/jekyll/entry_filter.rb
+++ b/lib/jekyll/entry_filter.rb
@@ -52,7 +52,11 @@ module Jekyll
    end

    def symlink?(entry)
-      File.symlink?(entry) && site.safe
+      site.safe && File.symlink?(entry) && symlink_outside_site_source?(entry)
+    end
+
+    def symlink_outside_site_source?(entry)
+      ! File.realpath(entry).start_with?(File.realpath(@site.source))
    end

    def ensure_leading_slash(path)
--- a/lib/jekyll/readers/data_reader.rb
+++ b/lib/jekyll/readers/data_reader.rb
@@ -4,6 +4,7 @@ module Jekyll
    def initialize(site)
      @site = site
      @content = {}
+      @entry_filter = EntryFilter.new(site)
    end

    # Read all the files in <source>/<dir>/_drafts and create a new Draft
@@ -26,7 +27,7 @@ module Jekyll
    #
    # Returns nothing
    def read_data_to(dir, data)
-      return unless File.directory?(dir) && (!site.safe || !File.symlink?(dir))
+      return unless File.directory?(dir) && !@entry_filter.symlink?(dir)

      entries = Dir.chdir(dir) do
        Dir['*.{yaml,yml,json,csv}'] + Dir['*'].select { |fn| File.directory?(fn) }
@@ -34,7 +35,7 @@ module Jekyll

      entries.each do |entry|
        path = @site.in_source_dir(dir, entry)
-        next if File.symlink?(path) && site.safe
+        next if @entry_filter.symlink?(path)

        key = sanitize_filename(File.basename(entry, '.*'))
        if File.directory?(path)