Release 1.5.1

Release 1.5.1

History.markdown

@@ -10,6 +10,44 @@
 
 ### Site Enhancements
 
+## 1.5.1 / 2014-03-27
+
+### Bug Fixes
+
+* Only strip the drive name if it begins the string (#2176)
+
+## 1.5.0 / 2014-03-24
+
+### Minor Enhancements
+
+  * Loosen `safe_yaml` dependency to `~> 1.0` (#2167)
+  * Bump `safe_yaml` dependency to `~> 1.0.0` (#1942)
+
+### Bug Fixes
+
+  * Fix issue where filesystem traversal restriction broke Windows (#2167)
+  * Lock `maruku` at `0.7.0` (#2167)
+
+### Development Fixes
+
+  * Lock `cucmber` at `1.3.11` (#2167)
+
+## 1.4.3 / 2014-01-13
+
+### Bug Fixes
+
+  * Patch show-stopping security vulnerabilities (#1944)
+
+## 1.4.2 / 2013-12-16
+
+### Bug Fixes
+  * Turn on Maruku fenced code blocks by default (#1830)
+
+## 1.4.1 / 2013-12-09
+
+### Bug Fixes
+  * Don't allow nil entries when loading posts (#1796)
+
 ## 1.4.0 / 2013-12-07
 
 ### Major Enhancements

README.markdown

@@ -2,10 +2,10 @@
 
 [![Gem Version](https://badge.fury.io/rb/jekyll.png)](http://badge.fury.io/rb/jekyll)
 
-[![Build Status](https://secure.travis-ci.org/mojombo/jekyll.png?branch=master)](https://travis-ci.org/mojombo/jekyll)
-[![Code Climate](https://codeclimate.com/github/mojombo/jekyll.png)](https://codeclimate.com/github/mojombo/jekyll)
-[![Dependency Status](https://gemnasium.com/mojombo/jekyll.png)](https://gemnasium.com/mojombo/jekyll)
-[![Coverage Status](https://coveralls.io/repos/mojombo/jekyll/badge.png)](https://coveralls.io/r/mojombo/jekyll)
+[![Build Status](https://secure.travis-ci.org/jekyll/jekyll.png?branch=master)](https://travis-ci.org/jekyll/jekyll)
+[![Code Climate](https://codeclimate.com/github/jekyll/jekyll.png)](https://codeclimate.com/github/jekyll/jekyll)
+[![Dependency Status](https://gemnasium.com/jekyll/jekyll.png)](https://gemnasium.com/jekyll/jekyll)
+[![Coverage Status](https://coveralls.io/repos/jekyll/jekyll/badge.png)](https://coveralls.io/r/jekyll/jekyll)
 
 By Tom Preston-Werner, Nick Quaranto, and many awesome contributors!
 
@@ -15,7 +15,7 @@ Jekyll is a simple, blog aware, static site generator. It takes a template direc
 
 * [Install](http://jekyllrb.com/docs/installation/) the gem
 * Read up about its [Usage](http://jekyllrb.com/docs/usage/) and [Configuration](http://jekyllrb.com/docs/configuration/)
-* Take a gander at some existing [Sites](http://wiki.github.com/mojombo/jekyll/sites)
+* Take a gander at some existing [Sites](http://wiki.github.com/jekyll/jekyll/sites)
 * Fork and [Contribute](http://jekyllrb.com/docs/contributing/) your own modifications
 * Have questions? Check out `#jekyll` on irc.freenode.net.
 
@@ -53,4 +53,4 @@ Jekyll is a simple, blog aware, static site generator. It takes a template direc
 
 ## License
 
-See [LICENSE](https://github.com/mojombo/jekyll/blob/master/LICENSE).
+See [LICENSE](https://github.com/jekyll/jekyll/blob/master/LICENSE).

Rakefile

@@ -233,7 +233,7 @@ namespace :site do
         post.puts("title: 'Jekyll #{release} Released'")
         post.puts("date: #{Time.new.strftime('%Y-%m-%d %H:%M:%S %z')}")
         post.puts("author: ")
-        post.puts("version: #{version}")
+        post.puts("version: #{release}")
         post.puts("categories: [release]")
         post.puts("---")
         post.puts
@@ -252,8 +252,8 @@ end
 #############################################################################
 
 task :release => :build do
-  unless `git branch` =~ /^\* master$/
-    puts "You must be on the master branch to release!"
+  unless `git branch` =~ /^(\* master|\* v1-stable)$/
+    puts "You must be on the master branch or the v1-stable branch to release!"
     exit!
   end
   sh "git commit --allow-empty -m 'Release #{version}'"

features/markdown.feature

@@ -28,3 +28,40 @@ Feature: Markdown
     And I should see "Index" in "_site/index.html"
     And I should see "<h1 id=\"my_title\">My Title</h1>" in "_site/index.html"
     
+  Scenario: Maruku fenced codeblocks
+    Given I have a configuration file with "markdown" set to "maruku"
+    And I have an "index.markdown" file with content:
+       """
+       ---
+       title: My title
+       ---
+
+       # My title
+
+       ```
+       My awesome code
+       ```
+       """
+    When I run jekyll
+    Then the _site directory should exist
+    And I should see "My awesome code" in "_site/index.html"
+    And I should see "<pre><code>\nMy awesome code\n</code></pre>" in "_site/index.html"
+    
+  Scenario: Maruku fenced codeblocks
+    Given I have a configuration file with "markdown" set to "maruku"
+    And I have an "index.markdown" file with content:
+       """
+       ---
+       title: My title
+       ---
+
+       # My title
+
+       ```ruby
+       puts "My awesome string"
+       ```
+       """
+    When I run jekyll
+    Then the _site directory should exist
+    And I should see "My awesome string" in "_site/index.html"
+    And I should see "<pre class="ruby"><code class="ruby">\nputs &quot;My awesome string&quot;\n</code></pre>" in "_site/index.html"

features/support/env.rb

@@ -13,7 +13,7 @@ JEKYLL_PATH = File.join(File.dirname(__FILE__), '..', '..', 'bin', 'jekyll')
 
 def run_jekyll(opts = {})
   command = JEKYLL_PATH.clone
-  command << " build"
+  command << " build --trace"
   command << " --drafts" if opts[:drafts]
   command << " >> /dev/null 2>&1" if opts[:debug].nil?
   system command
@@ -21,7 +21,7 @@ end
 
 def call_jekyll_new(opts = {})
   command = JEKYLL_PATH.clone
-  command << " new"
+  command << " new --trace"
   command << " #{opts[:path]}" if opts[:path]
   command << " --blank" if opts[:blank]
   command << " >> /dev/null 2>&1" if opts[:debug].nil?

jekyll.gemspec

@@ -4,9 +4,9 @@ Gem::Specification.new do |s|
   s.rubygems_version = '1.3.5'
 
   s.name              = 'jekyll'
-  s.version           = '1.4.0'
+  s.version           = '1.5.1'
   s.license           = 'MIT'
-  s.date              = '2013-12-07'
+  s.date              = '2014-03-27'
   s.rubyforge_project = 'jekyll'
 
   s.summary     = "A simple, blog aware, static site generator."
@@ -23,13 +23,13 @@ Gem::Specification.new do |s|
   s.rdoc_options = ["--charset=UTF-8"]
   s.extra_rdoc_files = %w[README.markdown LICENSE]
 
-  s.add_runtime_dependency('liquid', "~> 2.5.2")
+  s.add_runtime_dependency('liquid', "~> 2.5.5")
   s.add_runtime_dependency('classifier', "~> 1.3")
   s.add_runtime_dependency('listen', "~> 1.3")
-  s.add_runtime_dependency('maruku', "~> 0.7.0")
+  s.add_runtime_dependency('maruku', "0.7.0")
   s.add_runtime_dependency('pygments.rb', "~> 0.5.0")
   s.add_runtime_dependency('commander', "~> 4.1.3")
-  s.add_runtime_dependency('safe_yaml', "~> 0.9.7")
+  s.add_runtime_dependency('safe_yaml', "~> 1.0")
   s.add_runtime_dependency('colorator', "~> 0.1")
   s.add_runtime_dependency('redcarpet', "~> 2.3.0")
   s.add_runtime_dependency('toml', '~> 0.1.0')
@@ -39,7 +39,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency('redgreen', "~> 1.2")
   s.add_development_dependency('shoulda', "~> 3.3.2")
   s.add_development_dependency('rr', "~> 1.1")
-  s.add_development_dependency('cucumber', "~> 1.3")
+  s.add_development_dependency('cucumber', "1.3.11")
   s.add_development_dependency('RedCloth', "~> 4.2")
   s.add_development_dependency('kramdown', "~> 1.2")
   s.add_development_dependency('rdiscount', "~> 1.6")
@@ -160,6 +160,10 @@ Gem::Specification.new do |s|
     site/_posts/2013-11-04-jekyll-1-3-0-released.markdown
     site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
     site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
+    site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
+    site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
+    site/_posts/2014-03-24-jekyll-1-5-0-released.markdown
+    site/_posts/2014-03-27-jekyll-1-5-1-released.markdown
     site/css/gridism.css
     site/css/normalize.css
     site/css/pygments.css
@@ -219,6 +223,7 @@ Gem::Specification.new do |s|
     test/source/_data/products.yml
     test/source/_includes/params.html
     test/source/_includes/sig.markdown
+    test/source/_includes/tmp
     test/source/_layouts/default.html
     test/source/_layouts/post/simple.html
     test/source/_layouts/simple.html
@@ -256,6 +261,7 @@ Gem::Specification.new do |s|
     test/source/_posts/2013-05-10-number-category.textile
     test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
     test/source/_posts/2013-08-01-mkdn-extension.mkdn
+    test/source/_posts/2014-01-06-permalink-traversal.md
     test/source/_posts/es/2008-11-21-nested.textile
     test/source/about.html
     test/source/category/_posts/2008-9-23-categories.textile
@@ -264,6 +270,7 @@ Gem::Specification.new do |s|
     test/source/contacts/index.html
     test/source/css/screen.css
     test/source/deal.with.dots.html
+    test/source/exploit.md
     test/source/foo/_posts/bar/2008-12-12-topical-post.textile
     test/source/index.html
     test/source/products.yml
@@ -286,6 +293,7 @@ Gem::Specification.new do |s|
     test/test_new_command.rb
     test/test_page.rb
     test/test_pager.rb
+    test/test_path_sanitization.rb
     test/test_post.rb
     test/test_rdiscount.rb
     test/test_redcarpet.rb

lib/jekyll.rb

@@ -63,7 +63,7 @@ require_all 'jekyll/tags'
 SafeYAML::OPTIONS[:suppress_warnings] = true
 
 module Jekyll
-  VERSION = '1.4.0'
+  VERSION = '1.5.1'
 
   # Public: Generate a Jekyll configuration Hash by merging the default
   # options with anything in _config.yml, and adding the given options on top.
@@ -97,4 +97,17 @@ module Jekyll
   def self.logger
     @logger ||= Stevenson.new
   end
+
+  # Get a subpath without any of the traversal nonsense.
+  #
+  # Returns a pure and clean path
+  def self.sanitized_path(base_directory, questionable_path)
+    clean_path = File.expand_path(questionable_path, "/")
+    clean_path.gsub!(/\A\w\:\//, '/')
+    unless clean_path.start_with?(base_directory)
+      File.join(base_directory, clean_path)
+    else
+      clean_path
+    end
+  end
 end

lib/jekyll/configuration.rb

@@ -45,6 +45,7 @@ module Jekyll
       'excerpt_separator' => "\n\n",
 
       'maruku' => {
+        'fenced_code_blocks' => true,
         'use_tex'    => false,
         'use_divs'   => false,
         'png_engine' => 'blahtex',

lib/jekyll/converters/markdown/maruku_parser.rb

@@ -8,6 +8,7 @@ module Jekyll
           @errors = []
           load_divs_library if @config['maruku']['use_divs']
           load_blahtext_library if @config['maruku']['use_tex']
+          enable_fenced_code_blocks if @config['maruku']['fenced_code_blocks']
         rescue LoadError
           STDERR.puts 'You are missing a library required for Markdown. Please run:'
           STDERR.puts '  $ [sudo] gem install maruku'
@@ -35,6 +36,10 @@ module Jekyll
           MaRuKu::Globals[:html_png_url] = @config['maruku']['png_url']
         end
 
+        def enable_fenced_code_blocks
+          MaRuKu::Globals[:fenced_code_blocks] = true
+        end
+
         def print_errors_and_fail
           print @errors.join
           raise MaRuKu::Exception, "MaRuKu encountered problem(s) while converting your markup."

lib/jekyll/core_ext.rb

@@ -78,6 +78,10 @@ class File
     def self.read_with_options(path, opts = {})
       self.read(path)
     end
+
+    def self.realpath(filename)
+      Pathname.new(filename).realpath.to_s
+    end
   else
     def self.read_with_options(path, opts = {})
       self.read(path, opts)

lib/jekyll/page.rb

@@ -133,8 +133,8 @@ module Jekyll
     #
     # Returns the destination file path String.
     def destination(dest)
-      path = File.join(dest, self.url)
-      path = File.join(path, "index.html") if self.url =~ /\/$/
+      path = Jekyll.sanitized_path(dest, url)
+      path = File.join(path, "index.html") if url =~ /\/$/
       path
     end
 

lib/jekyll/post.rb

@@ -86,7 +86,7 @@ module Jekyll
 
     # Get the full path to the directory containing the post files
     def containing_dir(source, dir)
-      return File.join(source, dir, '_posts')
+      File.join(source, dir, '_posts')
     end
 
     # Read the YAML frontmatter.
@@ -266,7 +266,7 @@ module Jekyll
     # Returns destination file path String.
     def destination(dest)
       # The url needs to be unescaped in order to preserve the correct filename
-      path = File.join(dest, CGI.unescape(self.url))
+      path = Jekyll.sanitized_path(dest, CGI.unescape(url))
       path = File.join(path, "index.html") if path[/\.html$/].nil?
       path
     end

lib/jekyll/site.rb

@@ -193,8 +193,10 @@ module Jekyll
     end
 
     def read_things(dir, magic_dir, klass)
-      things = get_entries(dir, magic_dir).map do |entry|
+      get_entries(dir, magic_dir).map do |entry|
         klass.new(self, self.source, dir, entry) if klass.valid?(entry)
+      end.reject do |entry|
+        entry.nil?
       end
     end
 

lib/jekyll/tags/include.rb

@@ -87,14 +87,13 @@ eos
       end
 
       def render(context)
-        dir = File.join(context.registers[:site].source, INCLUDES_DIR)
-        validate_dir(dir, context.registers[:site].safe)
+        dir = File.join(File.realpath(context.registers[:site].source), INCLUDES_DIR)
 
         file = retrieve_variable(context) || @file
         validate_file_name(file)
 
         path = File.join(dir, file)
-        validate_file(path, context.registers[:site].safe)
+        validate_path(path, dir, context.registers[:site].safe)
 
         begin
           partial = Liquid::Template.parse(source(path, context))
@@ -108,18 +107,16 @@ eos
         end
       end
 
-      def validate_dir(dir, safe)
-        if File.symlink?(dir) && safe
-          raise IOError.new "Includes directory '#{dir}' cannot be a symlink"
+      def validate_path(path, dir, safe)
+        if safe && !realpath_prefixed_with?(path, dir)
+          raise IOError.new "The included file '#{path}' should exist and should not be a symlink"
+        elsif !File.exist?(path)
+          raise IOError.new "Included file '#{path}' not found"
         end
       end
 
-      def validate_file(file, safe)
-        if !File.exists?(file)
-          raise IOError.new "Included file '#{@file}' not found in '#{INCLUDES_DIR}' directory"
-        elsif File.symlink?(file) && safe
-          raise IOError.new "The included file '#{INCLUDES_DIR}/#{@file}' should not be a symlink"
-        end
+      def realpath_prefixed_with?(path, dir)
+        File.exist?(path) && File.realpath(path).start_with?(dir)
       end
 
       def blank?

lib/jekyll/url.rb

@@ -50,6 +50,7 @@ module Jekyll
 
     # Returns a sanitized String URL
     def sanitize_url(in_url)
+
       # Remove all double slashes
       url = in_url.gsub(/\/\//, "/")
 
@@ -61,6 +62,7 @@ module Jekyll
 
       # Always add a leading slash
       url.gsub!(/\A([^\/])/, '/\1')
+
       url
     end
   end

site/_posts/2013-07-24-jekyll-1-1-1-released.markdown

@@ -9,10 +9,10 @@ categories: [release]
 
 
 Coming just 10 days after the release of v1.1.0, v1.1.1 is out with a patch for the nasty
-excerpt inception bug ([#1339][]) and non-zero exit codes for invalid commands
-([#1338][]).
+excerpt inception bug ([1339][]) and non-zero exit codes for invalid commands
+([1338][]).
 
-To all those affected by the [strange excerpt bug in v1.1.0][#1321], I'm sorry. I think we
+To all those affected by the [strange excerpt bug in v1.1.0][1321], I'm sorry. I think we
 have it all patched up and it should be deployed to [GitHub Pages][gh_pages] in the next
 couple weeks. Thank you for your patience!
 

site/_posts/2013-12-16-jekyll-1-4-2-released.markdown

@@ -0,0 +1,18 @@
+---
+layout: news_item
+title: 'Jekyll 1.4.2 Released'
+date: 2013-12-16 19:48:13 -0500
+author: parkr
+version: 1.4.2
+categories: [release]
+---
+
+This release fixes [a regression][] where Maruku fenced code blocks were turned
+off, instead of the previous default to on. We've added a new default
+configuration to our `maruku` config key: `fenced_code_blocks` and set it to
+default to `true`.
+
+If you do not wish to use Maruku fenced code blocks, you may turn this option
+off in your site's configuration file.
+
+[a regression]: https://github.com/jekyll/jekyll/pull/1830

site/_posts/2014-01-13-jekyll-1-4-3-released.markdown

@@ -0,0 +1,27 @@
+---
+layout: news_item
+title: 'Jekyll 1.4.3 Released'
+date: 2014-01-13 17:43:32 -0800
+author: benbalter
+version: 1.4.3
+categories: [release]
+---
+
+Jekyll 1.4.3 contains two **critical** security fixes. If you run Jekyll locally
+and do not run Jekyll in "safe" mode (e.g. you do not build Jekyll sites on behalf
+of others), you are not affected and are not required to update at this time.
+([See pull request.]({{ site.repository }}/pull/1944))
+
+Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious
+users to expose the content of files outside the source directory in the
+generated output via improper symlink sanitization, potentially resulting in an
+inadvertent information disclosure.
+
+Versions of Jekyll prior to 1.4.3 may also allow malicious users to write
+arbitrary `.html` files outside of the destination folder via relative path
+traversal, potentially overwriting otherwise-trusted content with arbitrary HTML
+or Javascript depending on your server's configuration.
+
+*Maintainer's note: Many thanks to @gregose and @charliesome for discovering
+these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.
+-@parkr*

site/_posts/2014-03-24-jekyll-1-5-0-released.markdown

@@ -0,0 +1,19 @@
+---
+layout: news_item
+title: 'Jekyll 1.5.0 Released'
+date: 2014-03-24 20:37:59 -0400
+author: parkr
+version: 1.5.0
+categories: [release]
+---
+
+As work continues on Jekyll 2.0.0, we felt it was important to address two key
+issues of Jekyll 1.4.3, namely the `safe_yaml` dependency below 1.0 and the
+inability to use Jekyll 1.4.3 on Windows due to a [fun issue with path sanitizing][].
+
+For a full changelog, check out our [history][] page.
+
+Now, back to work on 2.0.0!
+
+[fun issue with path sanitizing]: https://github.com/jekyll/jekyll/issues/1948
+[history]: /docs/history/#150__20140324

site/_posts/2014-03-27-jekyll-1-5-1-released.markdown

@@ -0,0 +1,26 @@
+---
+layout: news_item
+title: 'Jekyll 1.5.1 Released'
+date: 2014-03-27 22:43:48 -0400
+author: parkr
+version: 1.5.1
+categories: [release]
+---
+
+The hawk-eyed [@gregose](https://github.com/gregose) spotted a bug in our
+`Jekyll.sanitized_path` code:
+
+{% highlight ruby %}
+> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
+=> "/tmp/foobar/jail/../../../etc/passwd"
+{% endhighlight %}
+
+Well, we can't have that! In 1.5.1, you'll instead see:
+
+{% highlight ruby %}
+> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
+=> "/tmp/foobar/jail/etc/passwd"
+{% endhighlight %}
+
+Luckily not affecting 1.4.x, this fix will make 1.5.0 that much safer for
+the masses. Thanks, Greg!

site/docs/configuration.md

@@ -316,6 +316,7 @@ maruku:
   png_engine: blahtex
   png_dir:    images/latex
   png_url:    /images/latex
+  fenced_code_blocks: true
 
 rdiscount:
   extensions: []

site/docs/history.md

@@ -1,10 +1,42 @@
 ---
 layout: docs
 title: History
-permalink: /docs/history/
+permalink: "/docs/history/"
 prev_section: contributing
 ---
 
+## 1.5.0 / 2014-03-24
+
+### Minor Enhancements
+
+- Loosen `safe_yaml` dependency to `~> 1.0` ([#2167]({{ site.repository }}/issues/2167))
+- Bump `safe_yaml` dependency to `~> 1.0.0` ([#1942]({{ site.repository }}/issues/1942))
+
+### Bug Fixes
+
+- Fix issue where filesystem traversal restriction broke Windows ([#2167]({{ site.repository }}/issues/2167))
+- Lock `maruku` at `0.7.0` ([#2167]({{ site.repository }}/issues/2167))
+
+### Development Fixes
+
+- Lock `cucmber` at `1.3.11` ([#2167]({{ site.repository }}/issues/2167))
+
+## 1.4.3 / 2014-01-13
+
+### Bug Fixes
+
+- Patch show-stopping security vulnerabilities ([#1944]({{ site.repository }}/issues/1944))
+
+## 1.4.2 / 2013-12-16
+
+### Bug Fixes
+- Turn on Maruku fenced code blocks by default ([#1830]({{ site.repository }}/issues/1830))
+
+## 1.4.1 / 2013-12-09
+
+### Bug Fixes
+- Don't allow nil entries when loading posts ([#1796]({{ site.repository }}/issues/1796))
+
 ## 1.4.0 / 2013-12-07
 
 ### Major Enhancements

test/source/_includes/tmp

@@ -0,0 +1 @@
+/tmp

test/source/_posts/2014-01-06-permalink-traversal.md

@@ -0,0 +1,5 @@
+---
+permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
+---
+
+# Test

test/source/exploit.md

@@ -0,0 +1,5 @@
+---
+permalink: /%2e%2e/%2e%2e/%2e%2e/baddie.html
+---
+
+# Test

test/test_generated_site.rb

@@ -14,7 +14,7 @@ class TestGeneratedSite < Test::Unit::TestCase
     end
 
     should "ensure post count is as expected" do
-      assert_equal 36, @site.posts.size
+      assert_equal 37, @site.posts.size
     end
 
     should "insert site.posts into the index" do

test/test_page.rb

@@ -101,6 +101,16 @@ class TestPage < Test::Unit::TestCase
         assert_equal @page.permalink, @page.url
         assert_equal "/about/", @page.dir
       end
+
+      should "not be writable outside of destination" do
+        unexpected = File.expand_path("../../../baddie.html", dest_dir)
+        File.delete unexpected if File.exist?(unexpected)
+        page = setup_page("exploit.md")
+        do_render(page)
+        page.write(dest_dir)
+
+        assert !File.exist?(unexpected)
+      end
     end
 
     context "with specified layout of nil" do

test/test_path_sanitization.rb

@@ -0,0 +1,18 @@
+require 'helper'
+
+class TestPathSanitization < Test::Unit::TestCase
+  context "on Windows with absolute source" do
+    setup do
+      @source = "C:/Users/xmr/Desktop/mpc-hc.org"
+      @dest   = "./_site/"
+      stub(Dir).pwd { "C:/Users/xmr/Desktop/mpc-hc.org" }
+    end
+    should "strip drive name from path" do
+      assert_equal "C:/Users/xmr/Desktop/mpc-hc.org/_site", Jekyll.sanitized_path(@source, @dest)
+    end
+
+    should "strip just the initial drive name" do
+      assert_equal "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd", Jekyll.sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
+    end
+  end
+end

test/test_post.rb

@@ -75,6 +75,17 @@ class TestPost < Test::Unit::TestCase
         assert_equal "/my_category/permalinked-post", @post.url
       end
 
+      should "not be writable outside of destination" do
+        unexpected = File.expand_path("../../../baddie.html", dest_dir)
+        File.delete unexpected if File.exist?(unexpected)
+        post = setup_post("2014-01-06-permalink-traversal.md")
+        do_render(post)
+        post.write(dest_dir)
+
+        assert !File.exist?(unexpected)
+        assert File.exist?(File.expand_path("baddie.html", dest_dir))
+      end
+
       context "with CRLF linebreaks" do
         setup do
           @real_file = "2009-05-24-yaml-linebreak.markdown"

test/test_tags.rb

@@ -347,6 +347,41 @@ CONTENT
   end
 
   context "include tag with parameters" do
+
+    context "with symlink'd include" do
+
+      should "not allow symlink includes" do
+        File.open("/tmp/pages-test", 'w') { |file| file.write("SYMLINK TEST") }
+        assert_raise IOError do
+          content = <<CONTENT
+---
+title: Include symlink
+---
+
+{% include tmp/pages-test %}
+
+CONTENT
+          create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
+        end
+        assert_no_match /SYMLINK TEST/, @result
+      end
+
+      should "not expose the existence of symlinked files" do
+        ex = assert_raise IOError do
+          content = <<CONTENT
+---
+title: Include symlink
+---
+
+{% include tmp/pages-test-does-not-exist %}
+
+CONTENT
+          create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
+        end
+        assert_match /should exist and should not be a symlink/, ex.message
+      end
+    end
+
     context "with one parameter" do
       setup do
         content = <<CONTENT