The hawk-eyed @gregose spotted a bug in our
Jekyll.sanitized_path
code:
> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
=> "/tmp/foobar/jail/../../../etc/passwd"
Well, we can’t have that! In 1.5.1, you’ll instead see:
> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
=> "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd"
Luckily not affecting 1.4.x, this fix will make 1.5.0 that much safer for the masses. Thanks, Greg!