1.1.1 bump

HISTORY.md

@@ -1,3 +1,8 @@
+# 1.1.1 / 2011-1-11
+
+* Bug Fixes
+  * Critical shell escaping bug with syntax highlighting fixed.
+
 # 1.1.0 / 2010-10-28
 
 * Major Enhancements

gollum.gemspec

@@ -4,7 +4,7 @@ Gem::Specification.new do |s|
   s.rubygems_version = '1.3.5'
 
   s.name              = 'gollum'
-  s.version           = '1.1.0'
+  s.version           = '1.1.1'
   s.date              = '2010-10-28'
   s.rubyforge_project = 'gollum'
 
@@ -25,7 +25,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency('grit', "~> 2.3")
   s.add_dependency('github-markup', [">= 0.4.0", "< 1.0.0"])
-  s.add_dependency('albino', "~> 1.0")
+  s.add_dependency('albino', "~> 1.1.1")
   s.add_dependency('sinatra', "~> 1.0")
   s.add_dependency('mustache', [">= 0.11.2", "< 1.0.0"])
   s.add_dependency('sanitize', "~> 1.1")

lib/gollum.rb

@@ -20,7 +20,7 @@ require 'gollum/markup'
 require 'gollum/albino'
 
 module Gollum
-  VERSION = '1.1.0'
+  VERSION = '1.1.1'
 
   SANITIZATION_OPTIONS = {
     :elements => [

lib/gollum/albino.rb

@@ -14,4 +14,17 @@ class Gollum::Albino < Albino
     html.sub!(%r{</pre></div>\Z}, "</pre>\n</div>")
     html
   end
+
+  # Hotfix for vulnerable versions of Albino
+  if !instance_methods.include?('shell_escape')
+    def convert_options(options = {})
+      @options.merge(options).inject('') do |string, (flag, value)|
+        string + " -#{flag} #{shell_escape value}"
+      end
+    end
+
+    def shell_escape(str)
+      str.to_s.gsub("'", "\\\\'").gsub(";", '\\;')
+    end
+  end
 end

lib/gollum/markup.rb

@@ -347,7 +347,7 @@ module Gollum
     #
     # Returns the placeholder'd String data.
     def extract_code(data)
-      data.gsub(/^``` ?(.+?)\r?\n(.+?)\r?\n```\r?$/m) do
+      data.gsub(/^``` ?([^\r\n]+)?\r?\n(.+?)\r?\n```\r?$/m) do
         id = Digest::SHA1.hexdigest($2)
         @codemap[id] = { :lang => $1, :code => $2 }
         id
@@ -362,12 +362,15 @@ module Gollum
     # Returns the marked up String data.
     def process_code(data)
       @codemap.each do |id, spec|
-        lang = spec[:lang]
         code = spec[:code]
         if code.lines.all? { |line| line =~ /\A\r?\n\Z/ || line =~ /^(  |\t)/ }
           code.gsub!(/^(  |\t)/m, '')
         end
-        data.gsub!(id, Gollum::Albino.new(code, lang).colorize)
+        if lang = spec[:lang]
+          data.gsub!(id, Gollum::Albino.new(code, lang).colorize)
+        else
+          data.gsub!(id, "<pre><code>#{CGI.escapeHTML(code)}</code></pre>")
+        end
       end
       data
     end

test/test_markup.rb

@@ -353,6 +353,18 @@ context "Markup" do
     compare(content, output)
   end
 
+  test "code block with invalid lang" do
+    content = "a\n\n``` ls -al;\n\tbooya\n\tboom\n```\n\nb"
+    output = "<p>a</p>\n\n\n\n<p>b</p>"
+    compare(content, output)
+  end
+
+  test "code block with no lang" do
+    content = "a\n\n```\n\tls -al;\n\t<booya>\n```\n\nb"
+    output = "<p>a</p>\n\n<pre><code>ls -al;\n&lt;booya&gt;</code></pre>\n\n<p>b</p>"
+    compare(content, output)
+  end
+
   #########################################################################
   #
   # Various