Release 💎 3.6.3

Merge pull request 7229

.rubocop.yml

@@ -1,6 +1,6 @@
 ---
 AllCops:
-  TargetRubyVersion: 2.0
+  TargetRubyVersion: 2.1
   Include:
     - lib/**/*.rb
   Exclude:
@@ -117,8 +117,6 @@ Style/Documentation:
     - !ruby/regexp /features\/.*.rb$/
 Style/DoubleNegation:
   Enabled: false
-Style/Encoding:
-  EnforcedStyle: when_needed
 Style/GuardClause:
   Enabled: false
 Style/HashSyntax:

Gemfile

@@ -30,7 +30,7 @@ group :test do
   gem "nokogiri", RUBY_VERSION >= "2.2" ? "~> 1.7" : "~> 1.7.0"
   gem "rspec"
   gem "rspec-mocks"
-  gem "rubocop", "~> 0.50.0"
+  gem "rubocop", "~> 0.51.0"
   gem "test-dependency-theme", :path => File.expand_path("test/fixtures/test-dependency-theme", __dir__)
   gem "test-theme", :path => File.expand_path("test/fixtures/test-theme", __dir__)
 

History.markdown

@@ -1,12 +1,30 @@
-## HEAD
+3.6.3 / 2018-09-19
+
+### Bug Fixes
+
+  - security: fix include bypass of EntryFilter#filter symlink check (#7229)
+
+## 3.6.2 / 2017-10-21
+
+### Development Fixes
+
+  * Update Rubocop to 0.51.0 (#6444)
+  * Add test for layout as string (#6445)
+
+### Bug Fixes
+
+  * Problematic UTF+bom files (#6322)
+  * Always treat `data.layout` as a string (#6442)
+
+## 3.6.1 / 2017-10-20
 
 ### Documentation
 
   * Doc y_day in docs/permalinks (#6244)
   * Update frontmatter.md (#6371)
   * Elaborate on excluding items from processing (#6136)
-  * Docs: Style lists in tables (#6379)
-  * Docs: remove duplicate "available" (#6380)
+  * Style lists in tables (#6379)
+  * Remove duplicate "available" (#6380)
 
 ### Development Fixes
 

docs/_docs/history.md

@@ -4,6 +4,39 @@ permalink: "/docs/history/"
 note: This file is autogenerated. Edit /History.markdown instead.
 ---
 
+## 3.6.2 / 2017-10-21
+{: #v3-6-2}
+
+### Development Fixes
+{: #development-fixes-v3-6-2}
+
+- Update Rubocop to 0.51.0 ([#6444]({{ site.repository }}/issues/6444))
+- Add test for layout as string ([#6445]({{ site.repository }}/issues/6445))
+
+### Bug Fixes
+{: #bug-fixes-v3-6-2}
+
+- Problematic UTF+bom files ([#6322]({{ site.repository }}/issues/6322))
+- Always treat `data.layout` as a string ([#6442]({{ site.repository }}/issues/6442))
+
+
+## 3.6.1 / 2017-10-20
+{: #v3-6-1}
+
+### Documentation
+
+- Doc y_day in docs/permalinks ([#6244]({{ site.repository }}/issues/6244))
+- Update frontmatter.md ([#6371]({{ site.repository }}/issues/6371))
+- Elaborate on excluding items from processing ([#6136]({{ site.repository }}/issues/6136))
+- Style lists in tables ([#6379]({{ site.repository }}/issues/6379))
+- Remove duplicate &[#34]({{ site.repository }}/issues/34);available&[#34]({{ site.repository }}/issues/34); ([#6380]({{ site.repository }}/issues/6380))
+
+### Development Fixes
+{: #development-fixes-v3-6-1}
+
+- Bump rubocop to use `v0.50.x` ([#6368]({{ site.repository }}/issues/6368))
+
+
 ## 3.6.0 / 2017-09-21
 {: #v3-6-0}
 
@@ -84,7 +117,6 @@ note: This file is autogenerated. Edit /History.markdown instead.
 - Bump rubies on Travis ([#6366]({{ site.repository }}/issues/6366))
 
 
-
 ## 3.5.2 / 2017-08-12
 {: #v3-5-2}
 

docs/latest_version.txt

@@ -1 +1 @@
-3.6.0
+3.6.3

features/layout_data.feature

@@ -3,6 +3,26 @@ Feature: Layout data
   I want to be able to embed data into my layouts
   In order to make the layouts slightly dynamic
 
+  Scenario: Use custom layout data
+    Given I have a _layouts directory
+    And I have a "_layouts/999.html" file with content:
+      """
+      ---
+      ---
+      {{ content }} layout content
+      """
+    And I have an "index.html" page with layout "custom" that contains "page content"
+    And I have an "index.html" file with content:
+      """
+      ---
+      layout: 999
+      ---
+      page content
+      """
+    When I run jekyll build
+    Then the "_site/index.html" file should exist
+    And I should see "page content layout content" in "_site/index.html"
+
   Scenario: Use custom layout data
     Given I have a _layouts directory
     And I have a "_layouts/custom.html" file with content:

features/step_definitions.rb

@@ -156,7 +156,7 @@ end
 When(%r!^I run jekyll(.*)$!) do |args|
   run_jekyll(args)
   if args.include?("--verbose") || ENV["DEBUG"]
-    $stderr.puts "\n#{jekyll_run_output}\n"
+    warn "\n#{jekyll_run_output}\n"
   end
 end
 
@@ -165,7 +165,7 @@ end
 When(%r!^I run bundle(.*)$!) do |args|
   run_bundle(args)
   if args.include?("--verbose") || ENV["DEBUG"]
-    $stderr.puts "\n#{jekyll_run_output}\n"
+    warn "\n#{jekyll_run_output}\n"
   end
 end
 
@@ -174,7 +174,7 @@ end
 When(%r!^I run gem(.*)$!) do |args|
   run_rubygem(args)
   if args.include?("--verbose") || ENV["DEBUG"]
-    $stderr.puts "\n#{jekyll_run_output}\n"
+    warn "\n#{jekyll_run_output}\n"
   end
 end
 

lib/jekyll/commands/build.rb

@@ -96,7 +96,7 @@ module Jekyll
             )
           end
         end
-      end # end of class << self
+      end
     end
   end
 end

lib/jekyll/configuration.rb

@@ -206,7 +206,7 @@ module Jekyll
       rescue ArgumentError => err
         Jekyll.logger.warn "WARNING:", "Error reading configuration. " \
                      "Using defaults (and options)."
-        $stderr.puts err
+        warn err
       end
 
       configuration.fix_common_issues.backwards_compatibilize.add_default_collections

lib/jekyll/converters/markdown/redcarpet_parser.rb

@@ -47,7 +47,7 @@ class Jekyll::Converters::Markdown::RedcarpetParser
   end
 
   module WithRouge
-    def block_code(code, lang)
+    def block_code(_code, lang)
       code = "<pre>#{super}</pre>"
 
       "<div class=\"highlight\">#{add_code_tags(code, lang)}</div>"

lib/jekyll/entry_filter.rb

@@ -31,9 +31,12 @@ module Jekyll
 
     def filter(entries)
       entries.reject do |e|
-        unless included?(e)
-          special?(e) || backup?(e) || excluded?(e) || symlink?(e)
-        end
+        # Reject this entry if it is a symlink.
+        next true if symlink?(e)
+        # Do not reject this entry if it is included.
+        next false if included?(e)
+        # Reject this entry if it is special, a backup file, or excluded.
+        special?(e) || backup?(e) || excluded?(e)
       end
     end
 

lib/jekyll/renderer.rb

@@ -143,7 +143,7 @@ module Jekyll
     # Returns String rendered content
     def place_in_layouts(content, payload, info)
       output = content.dup
-      layout = layouts[document.data["layout"]]
+      layout = layouts[document.data["layout"].to_s]
       validate_layout(layout)
 
       used = Set.new([layout])

lib/jekyll/site.rb

@@ -444,6 +444,7 @@ module Jekyll
     def configure_file_read_opts
       self.file_read_opts = {}
       self.file_read_opts[:encoding] = config["encoding"] if config["encoding"]
+      self.file_read_opts = Jekyll::Utils.merged_file_read_opts(self, {})
     end
 
     private

lib/jekyll/utils.rb

@@ -301,6 +301,9 @@ module Jekyll
     # and a given param
     def merged_file_read_opts(site, opts)
       merged = (site ? site.file_read_opts : {}).merge(opts)
+      if merged[:encoding] && !merged[:encoding].start_with?("bom|")
+        merged[:encoding] = "bom|#{merged[:encoding]}"
+      end
       if merged["encoding"] && !merged["encoding"].start_with?("bom|")
         merged["encoding"] = "bom|#{merged["encoding"]}"
       end

lib/jekyll/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Jekyll
-  VERSION = "3.6.0".freeze
+  VERSION = "3.6.3".freeze
 end

test/source/_encodings/UTF8CRLFandBOM.md

@@ -0,0 +1,11 @@
+---
+layout: post
+title:  "UTF8CRLFandBOM"
+date:   2017-04-05 16:16:01 -0800
+categories: bom
+---
+This file was created with CR/LFs, and encoded as UTF8 with a BOM
+
+You’ll find this post in your `_posts` directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run `bundle exec jekyll serve`, which launches a web server and auto-regenerates your site when a file is updated.
+
+To add new posts, simply add a file in the `_posts` directory that follows the convention `YYYY-MM-DD-name-of-post.ext` and includes the necessary front matter. Take a look at the source for this post to get an idea about how it works.

test/source/symlink-test/symlinked-file-outside-source

@@ -0,0 +1 @@
+/etc/passwd

test/test_document.rb

@@ -7,6 +7,15 @@ class TestDocument < JekyllUnitTest
     assert_equal(one[key], other[key])
   end
 
+  def setup_encoded_document(filename)
+    site = fixture_site("collections" => ["encodings"])
+    site.process
+    Document.new(site.in_source_dir(File.join("_encodings", filename)), {
+      :site       => site,
+      :collection => site.collections["encodings"],
+    }).tap(&:read)
+  end
+
   context "a document in a collection" do
     setup do
       @site = fixture_site({
@@ -529,4 +538,24 @@ class TestDocument < JekyllUnitTest
       assert_equal true, File.file?(@dest_file)
     end
   end
+
+  context "a document with UTF-8 CLRF" do
+    setup do
+      @document = setup_encoded_document "UTF8CRLFandBOM.md"
+    end
+
+    should "not throw an error" do
+      Jekyll::Renderer.new(@document.site, @document).render_document
+    end
+  end
+
+  context "a document with UTF-16LE CLRF" do
+    setup do
+      @document = setup_encoded_document "Unicode16LECRLFandBOM.md"
+    end
+
+    should "not throw an error" do
+      Jekyll::Renderer.new(@document.site, @document).render_document
+    end
+  end
 end

test/test_entry_filter.rb

@@ -5,7 +5,7 @@ require "helper"
 class TestEntryFilter < JekyllUnitTest
   context "Filtering entries" do
     setup do
-      @site = Site.new(site_configuration)
+      @site = fixture_site
     end
 
     should "filter entries" do
@@ -87,7 +87,7 @@ class TestEntryFilter < JekyllUnitTest
       # no support for symlinks on Windows
       skip_if_windows "Jekyll does not currently support symlinks on Windows."
 
-      site = Site.new(site_configuration("safe" => true))
+      site = fixture_site("safe" => true)
       site.reader.read_directories("symlink-test")
 
       assert_equal %w(main.scss symlinked-file).length, site.pages.length
@@ -99,11 +99,22 @@ class TestEntryFilter < JekyllUnitTest
       # no support for symlinks on Windows
       skip_if_windows "Jekyll does not currently support symlinks on Windows."
 
-      site = Site.new(site_configuration)
+      @site.reader.read_directories("symlink-test")
+      refute_equal [], @site.pages
+      refute_equal [], @site.static_files
+    end
 
+    should "include only safe symlinks in safe mode even when included" do
+      # no support for symlinks on Windows
+      skip_if_windows "Jekyll does not currently support symlinks on Windows."
+
+      site = fixture_site("safe" => true, "include" => ["symlinked-file-outside-source"])
       site.reader.read_directories("symlink-test")
-      refute_equal [], site.pages
-      refute_equal [], site.static_files
+
+      # rubocop:disable Performance/FixedSize
+      assert_equal %w(main.scss symlinked-file).length, site.pages.length
+      refute_includes site.static_files.map(&:name), "symlinked-file-outside-source"
+      # rubocop:enable Performance/FixedSize
     end
   end
 

test/test_filters.rb

@@ -1,4 +1,3 @@
-# coding: utf-8
 # frozen_string_literal: true
 
 require "helper"

test/test_kramdown.rb

@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # frozen_string_literal: true
 
 require "helper"

test/test_layout_reader.rb

@@ -31,5 +31,51 @@ class TestLayoutReader < JekyllUnitTest
         assert_equal LayoutReader.new(@site).layout_directory, source_dir("blah/_layouts")
       end
     end
+
+    context "when a layout is a symlink" do
+      setup do
+        FileUtils.ln_sf("/etc/passwd", source_dir("_layouts", "symlink.html"))
+        @site = fixture_site(
+          "safe"    => true,
+          "include" => ["symlink.html"]
+        )
+      end
+
+      teardown do
+        FileUtils.rm(source_dir("_layouts", "symlink.html"))
+      end
+
+      should "only read the layouts which are in the site" do
+        skip_if_windows "Jekyll does not currently support symlinks on Windows."
+
+        layouts = LayoutReader.new(@site).read
+
+        refute layouts.key?("symlink"), "Should not read the symlinked layout"
+      end
+    end
+
+    context "with a theme" do
+      setup do
+        FileUtils.ln_sf("/etc/passwd", theme_dir("_layouts", "theme-symlink.html"))
+        @site = fixture_site(
+          "include" => ["theme-symlink.html"],
+          "theme"   => "test-theme",
+          "safe"    => true
+        )
+      end
+
+      teardown do
+        FileUtils.rm(theme_dir("_layouts", "theme-symlink.html"))
+      end
+
+      should "not read a symlink'd theme" do
+        skip_if_windows "Jekyll does not currently support symlinks on Windows."
+
+        layouts = LayoutReader.new(@site).read
+
+        refute layouts.key?("theme-symlink"), \
+               "Should not read symlinked layout from theme"
+      end
+    end
   end
 end

test/test_tags.rb

@@ -1,4 +1,3 @@
-# coding: utf-8
 # frozen_string_literal: true
 
 require "helper"

test/test_utils.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # frozen_string_literal: true
 
 require "helper"
@@ -387,16 +386,21 @@ class TestUtils < JekyllUnitTest
     should "ignore encoding if it's not there" do
       opts = Utils.merged_file_read_opts(nil, {})
       assert_nil opts["encoding"]
+      assert_nil opts[:encoding]
     end
 
     should "add bom to encoding" do
-      opts = Utils.merged_file_read_opts(nil, { "encoding" => "utf-8" })
-      assert_equal "bom|utf-8", opts["encoding"]
+      opts = { "encoding" => "utf-8", :encoding => "utf-8" }
+      merged = Utils.merged_file_read_opts(nil, opts)
+      assert_equal "bom|utf-8", merged["encoding"]
+      assert_equal "bom|utf-8", merged[:encoding]
     end
 
     should "preserve bom in encoding" do
-      opts = Utils.merged_file_read_opts(nil, { "encoding" => "bom|utf-8" })
-      assert_equal "bom|utf-8", opts["encoding"]
+      opts = { "encoding" => "bom|another", :encoding => "bom|another" }
+      merged = Utils.merged_file_read_opts(nil, opts)
+      assert_equal "bom|another", merged["encoding"]
+      assert_equal "bom|another", merged[:encoding]
     end
   end
 end