parkr
The hawk-eyed @gregose spotted a bug in our
Jekyll.sanitized_path code:
> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
=> "/tmp/foobar/jail/../../../etc/passwd"
Well, we can’t have that! In 1.5.1, you’ll instead see:
> sanitized_path("/tmp/foobar/jail", "..c:/..c:/..c:/etc/passwd")
=> "/tmp/foobar/jail/..c:/..c:/..c:/etc/passwd"
Luckily not affecting 1.4.x, this fix will make 1.5.0 that much safer for the masses. Thanks, Greg!
parkr
As work continues on Jekyll 2.0.0, we felt it was important to address two key
issues of Jekyll 1.4.3, namely the safe_yaml dependency below 1.0 and the
inability to use Jekyll 1.4.3 on Windows due to a fun issue with path sanitizing.
For a full changelog, check out our history page.
Now, back to work on 2.0.0!
benbalter
Jekyll 1.4.3 contains two critical security fixes. If you run Jekyll locally and do not run Jekyll in “safe” mode (e.g. you do not build Jekyll sites on behalf of others), you are not affected and are not required to update at this time. (See pull request.)
Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious users to expose the content of files outside the source directory in the generated output via improper symlink sanitization, potentially resulting in an inadvertent information disclosure.
Versions of Jekyll prior to 1.4.3 may also allow malicious users to write
arbitrary .html files outside of the destination folder via relative path
traversal, potentially overwriting otherwise-trusted content with arbitrary HTML
or Javascript depending on your server’s configuration.
Maintainer’s note: Many thanks to @gregose and @charliesome for discovering these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.
parkr
This release fixes a regression where Maruku fenced code blocks were turned
off, instead of the previous default to on. We’ve added a new default
configuration to our maruku config key: fenced_code_blocks and set it to
default to true.
If you do not wish to use Maruku fenced code blocks, you may turn this option off in your site’s configuration file.
mattr-
Another quick turnover, anyone? A critical bug in the reading of posts snuck itself into the 1.4.0 release.
To address this issue, we’re releasing v1.4.1 of Jekyll so that you can keep on writing without any problems.
As always, you can find the full list of fixes in this release in the change log!
mattr-
About a month after the release of Jekyll v1.3.0, we are releasing Jekyll v1.4.0. This release will be the last non-patch release to support Ruby 1.8.7 and our next release will be Jekyll 2.0.0.
Here are a few things we think you’ll want to know about this release:
TOML is now a supported markup language for config files.
Maruku has been updated to 0.7.0 which provides some new features and a ton of bugfixes over the previous 0.6.x releases.
Non-gem Plugins are now sorted alphabetically by filename before they’re
processed, which can provide a rudimentary way to establish a load order for
plugins.
For a full run-down, visit our change log!
As always, Jekyll wouldn’t be possible without the contributions from others in the Jekyll community. We’d like to thank the following people for contributing to this release: Anatol Broder, David Sawyer, Greg Karékinian, Jordon Bedwell, Matthew Iversen, Persa Zula, and Yi Zeng.
mattr-
Just in time for the US holiday Thanksgiving, we’re releasing version 1.3.1 of Jekyll to address some of the issues seen since the release of 1.3.0.
In addition to a couple of other smaller bug fixes, the biggest thing
we’ve fixed is an issue with the --watch option with Ruby 1.8.7. For a
full run-down, visit our change log!
Thanks to all the people who have contributed to this release! They are (in alphabetical order): Abhi Yerra, Anatol Broder, Andreas Möller, Greg Karékinian, Sam Rayner, Santeri Paavolainen, Shigeya Suzuki, Yihang Ho, albertogg, andrewhavens, maul.esel, and thomasdao
mattr-
It’s been about six weeks since v1.2.0 and the Jekyll team is happy to announce the arrival of v1.3.0. This is a huge release full of all sorts of new features, bug fixes, and other things that you’re sure to love.
Here are a few things we think you’ll want to know about this release:
You can add arbitrary data to the site by adding YAML files under a
site’s _data directory. This will allow you to avoid
repetition in your templates and to set site specific options without
changing _config.yml.
You can now run jekyll serve --detach to boot up a WEBrick server in the
background. Note: you’ll need to run kill [server_pid] to shut
the server down. When ran, you’ll get a process id that you can use in
place of [server_pid]
You can now disable automatically-generated excerpts if you set
excerpt_separator to "".
If you’re moving pages and posts, you can now check for URL
conflicts by running jekyll doctor.
If you’re a fan of the drafts feature, you’ll be happy to know we’ve
added -D, a shortened version of --drafts.
Permalinks with special characters should now generate without errors.
Expose the current Jekyll version as the jekyll.version Liquid
variable.
For a full run-down, visit our change log!
mattr-
Jekyll 1.3.0 is going to be a big release! In order to make sure we didn’t screw anything up too badly, we’re making a release candidate available for any early adopters who want to give the latest and greatest code a spin without having to clone a repository from git.
Please take this prerelease for a spin and let us know if you run into any issues!
parkr
Quick turnover, anyone? A recent incompatibility with Liquid
v2.5.2 produced a nasty bug in
which include tags were not rendered properly within if blocks.
This release also includes a better handling of detached servers (prints pid and
the command for killing the process). Note: the --detach flag and
--watch flags are presently incompatible in 1.2.x. Fix for that coming soon!
For a full list of the fixes in this release, check out the change log!
parkr
After nearly a month and a half of hard work, the Jekyll team is happy to announce the release of v1.2.0. It’s chock full of bug fixes and some enhancements that we think you’ll love.
Here are a few things we think you’ll want to know about this release:
jekyll serve --detach to boot up a WEBrick server in the background. Note: you’ll need to run kill [server_pid] to shut the server down.excerpt_separator to "".jekyll doctor.-D, a shortened version of --drafts.jekyll.version Liquid variable.For a full run-down, visit our change log!
parkr
Version 1.1.2 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you may, but are not required to upgrade at this time.
Community and custom plugins extending the Liquid::Drop class may inadvertently disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system.
We recommend you upgrade to Jekyll v1.1.2 immediately if you use Liquid::Drop plugins on your Jekyll site.
Many thanks for Ben Balter for alerting us to the problem and submitting a patch so quickly.
mattr-
Version 1.0.4 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you may, but are not required to upgrade at this time.
Community and custom plugins extending the Liquid::Drop class may inadvertently disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system.
We recommend you upgrade to Jekyll v1.0.4 immediately if you use Liquid::Drop plugins on your Jekyll site.
Many thanks for Ben Balter for alerting us to the problem and submitting a patch so quickly.
parkr
Coming just 10 days after the release of v1.1.0, v1.1.1 is out with a patch for the nasty excerpt inception bug (#1339) and non-zero exit codes for invalid commands (#1338).
To all those affected by the strange excerpt bug in v1.1.0, I’m sorry. I think we have it all patched up and it should be deployed to GitHub Pages in the next couple weeks. Thank you for your patience!
If you’re checking out v1.1.x for the first time, definitely check out what shipped with v1.1.0!
See the GitHub Release page for more a more detailed changelog for this release.
parkr
After a month of hard work, the Jekyll core team is excited to announce the release of Jekyll v1.1.0! This latest release of Jekyll brings some really exciting new additions:
docs subcommand to read Jekyll’s docs when offline. (#1046)include tag (#1204)related_posts (#1271)See the GitHub Release page for more a more detailed changelog for this release.
parkr
v1.0.3 contains some key enhancements and bug fixes:
gist tag (#1189)--force option to jekyll new (#1115)exclude and include with pre-1.0 Jekyll (#1114)File.basename and page:num (#1063)See the History page for more information on this release.
parkr
v1.0.2 has some key bugfixes that optionally restore some behaviour from pre-1.0 releases, and fix some other annoying bugs:
jekyll doctor command to check site for any known compatibility problems (#1081)server_port, match to port if port isn’t set (#1084)data-lang="<lang>" attribute to Redcarpet code blocks (#1066)See the History page for more information on this release.
parkr
Hot on the trails of v1.0, v1.0.1 is out! Here are the highlights:
language- class name prefix to code blocks (#1037)</div> to site template used by new subcommand, fixed typos in code (#1032)See the History page for more information on this release.
parkr
Hey! After many months of hard work by Jekyll’s contributors, we’re excited to announce the first major release of the project in a long while. v1.0.0 is finally here! While the list of improvements and bug fixes is quite lengthy, here are the highlights (thanks to @benbalter for the examples and for compiling this list):
Take a look at the Upgrading page in the docs for more detailed information.