test_post.rb in jekyll-2.0.0.alpha.2

- old
+ new

@@ -36,11 +36,11 @@
         excerpt: "All the properties.\n\n",
         foo: 'bar',
         id: "/foo/bar/baz/2013/12/20/properties",
         layout: 'default',
         name: nil,
-        # path: "properties.html",
+        path: "_posts/2013-12-20-properties.text",
         permalink: nil,
         published: nil,
         tags: %w(ay bee cee),
         title: 'Properties Post',
         url: "/foo/bar/baz/2013/12/20/properties.html"
@@ -99,9 +99,20 @@
         @post.read_yaml(@source, file)
 
         assert_equal "my_category/permalinked-post", @post.permalink
         assert_equal "/my_category", @post.dir
         assert_equal "/my_category/permalinked-post", @post.url
+      end
+
+      should "not be writable outside of destination" do
+        unexpected = File.expand_path("../../../baddie.html", dest_dir)
+        File.delete unexpected if File.exist?(unexpected)
+        post = setup_post("2014-01-06-permalink-traversal.md")
+        do_render(post)
+        post.write(dest_dir)
+
+        assert !File.exist?(unexpected)
+        assert File.exist?(File.expand_path("baddie.html", dest_dir))
       end
 
       context "with CRLF linebreaks" do
         setup do
           @real_file = "2009-05-24-yaml-linebreak.markdown"