Skip to content

Security: fix include bypass of EntryFilter#filter symlink check#7226

Merged
jekyllbot merged 2 commits intomasterfrom
entryfilter-symlink-fix
Sep 7, 2018
Merged

Security: fix include bypass of EntryFilter#filter symlink check#7226
jekyllbot merged 2 commits intomasterfrom
entryfilter-symlink-fix

Conversation

@parkr
Copy link
Copy Markdown
Member

@parkr parkr commented Sep 7, 2018

In EntryFilter#filter, we check for include? before we check for symlink?, which allows symlinks to be read in a build when they shouldn't be by just including them.

/cc #7224

@parkr parkr requested a review from a team September 7, 2018 17:32
@parkr parkr added the security label Sep 7, 2018
@ashmaroli ashmaroli changed the title master: EntryFilter#filter symlink fix EntryFilter: Reject all symlinks, even if explicitly included Sep 7, 2018
@parkr parkr changed the title EntryFilter: Reject all symlinks, even if explicitly included Security: fix include bypass of EntryFilter#filter symlink check Sep 7, 2018
@DirtyF
Copy link
Copy Markdown
Member

DirtyF commented Sep 7, 2018

👍 once we appease Rubocop

@parkr
EntryFilter#filter: reject all symlinks, even if included
d0dbd5a 
Previously, you could include the name of a symlinked file
and Jekyll would not filter it. This is considered a bypass
of the symlink checking, and thus a security bug.
@parkr parkr force-pushed the entryfilter-symlink-fix branch from 3dec37d to d0dbd5a Compare September 7, 2018 17:47
ashmaroli
ashmaroli approved these changes Sep 7, 2018
View reviewed changes
Copy link
Copy Markdown
Member

@ashmaroli ashmaroli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 LGTM!

@parkr
Copy link
Copy Markdown
Member Author

parkr commented Sep 7, 2018

@jekyllbot: merge +bug

@jekyllbot jekyllbot merged commit f1c87a9 into master Sep 7, 2018
@jekyllbot jekyllbot deleted the entryfilter-symlink-fix branch September 7, 2018 19:18
jekyllbot added a commit that referenced this pull request Sep 7, 2018
@jekyllbot
Update history to reflect merge of #7226 [ci skip]
874ec5c
parkr added a commit that referenced this pull request Sep 7, 2018
@parkr
Backport entryfilter-symlink-fix from #7226 to 3.8-stable [merge conf…
4f82510 
…licts]
@parkr parkr mentioned this pull request Sep 7, 2018
Merged
parkr added a commit that referenced this pull request Sep 7, 2018
@parkr
Backport entryfilter-symlink-fix from #7226 to 3.6-stable [merge conf…
31300cb 
…licts]
@parkr parkr mentioned this pull request Sep 7, 2018
Merged
@jekyll jekyll locked and limited conversation to collaborators Sep 7, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@DirtyF DirtyF DirtyF approved these changes

@ashmaroli ashmaroli ashmaroli approved these changes

Assignees

No one assigned

Labels

bug 🐛 fix frozen-due-to-age security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@parkr @DirtyF @ashmaroli @jekyllbot