From e8a3fd10d497a2f5dbda71d224eb544bb63f34c9 Mon Sep 17 00:00:00 2001
From: Florian Weingarten <flo@shopify.com>
Date: Fri, 10 Jan 2014 11:17:31 -0500
Subject: [PATCH] Cherry pick security fix (#274) to 2-5-stable

---
 History.md                           | 8 +++++++-
 lib/liquid/tags/if.rb                | 6 +++---
 test/liquid/tags/if_else_tag_test.rb | 6 ++++++
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/History.md b/History.md
index a113d9d..15ab3c5 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,12 @@
 # Liquid Version History
 
-## 2.5.4 / 2013-11-11 / branch "2.5-stable"
+## 2.5.5 / 2014-01-10 / branch "2-5-stable"
+
+Security fix, cherry-picked from master (4e14a65):
+* Don't call to_sym when creating conditions for security reasons, see #273 [Bouke van der Bijl, bouk]
+* Prevent arbitrary method invocation on condition objects, see #274 [Dylan Thacker-Smith, dylanahsmith]
+
+## 2.5.4 / 2013-11-11
 
 * Fix "can't convert Fixnum into String" for "replace", see #173, [wǒ_is神仙, jsw0528]
 
diff --git a/lib/liquid/tags/if.rb b/lib/liquid/tags/if.rb
index 7f23dde..4b4a3ac 100644
--- a/lib/liquid/tags/if.rb
+++ b/lib/liquid/tags/if.rb
@@ -15,6 +15,7 @@ module Liquid
     SyntaxHelp = "Syntax Error in tag 'if' - Valid syntax: if [expression]"
     Syntax = /(#{QuotedFragment})\s*([=!<>a-z_]+)?\s*(#{QuotedFragment})?/o
     ExpressionsAndOperators = /(?:\b(?:\s?and\s?|\s?or\s?)\b|(?:\s*(?!\b(?:\s?and\s?|\s?or\s?)\b)(?:#{QuotedFragment}|\S+)\s*)+)/o
+    BOOLEAN_OPERATORS = %w(and or)
 
     def initialize(tag_name, markup, tokens)
       @blocks = []
@@ -61,7 +62,8 @@ module Liquid
             raise(SyntaxError, SyntaxHelp) unless expressions.shift.to_s =~ Syntax
 
             new_condition = Condition.new($1, $2, $3)
-            new_condition.send(operator.to_sym, condition)
+            raise SyntaxError, "invalid boolean operator" unless BOOLEAN_OPERATORS.include?(operator)
+            new_condition.send(operator, condition)
             condition = new_condition
           end
 
@@ -71,8 +73,6 @@ module Liquid
         @blocks.push(block)
         @nodelist = block.attach(Array.new)
       end
-
-
   end
 
   Template.register_tag('if', If)
diff --git a/test/liquid/tags/if_else_tag_test.rb b/test/liquid/tags/if_else_tag_test.rb
index 1282c2d..19869fb 100644
--- a/test/liquid/tags/if_else_tag_test.rb
+++ b/test/liquid/tags/if_else_tag_test.rb
@@ -157,4 +157,10 @@ class IfElseTagTest < Test::Unit::TestCase
     assert_template_result('yes',
                            %({% if 'gnomeslab-and-or-liquid' contains 'gnomeslab-and-or-liquid' %}yes{% endif %}))
   end
+
+  def test_operators_are_whitelisted
+    assert_raise(SyntaxError) do
+      assert_template_result('', %({% if 1 or throw or or 1 %}yes{% endif %}))
+    end
+  end
 end # IfElseTest