Merge pull request #273 from Shopify/make-if-less-dangerous

Make if less dangerous
2026-01-01 15:55:40 +03:00 · 2013-10-28 06:39:05 -07:00
parent 9b910a4e6d 2f50a0c422
commit 71a386f723
2 changed files with 2 additions and 1 deletions
--- a/History.md
+++ b/History.md
@@ -10,6 +10,7 @@
 * Fix clashing method names in enumerable drops, see #238 [Florian Weingarten, fw42]
 * Make map filter work on enumerable drops, see #233 [Florian Weingarten, fw42]
 * Improved whitespace stripping for blank blocks, related to #216 [Florian Weingarten, fw42]
+* Don't call to_sym when creating conditions and use public_send for security reasons, see #273 [Bouke van der Bijl, bouk]

 ## 2.6.0 / not yet released / branch "2.6-stable"

--- a/lib/liquid/tags/if.rb
+++ b/lib/liquid/tags/if.rb
@@ -63,7 +63,7 @@ module Liquid
          raise(SyntaxError.new(options[:locale].t("errors.syntax.if"))) unless expressions.shift.to_s =~ Syntax

          new_condition = Condition.new($1, $2, $3)
-          new_condition.send(operator.to_sym, condition)
+          new_condition.public_send(operator, condition)
          condition = new_condition
        end