From e2d9907df280ee4099757bd57d240de44690d695 Mon Sep 17 00:00:00 2001
From: Clayton Smith
Date: Thu, 7 Mar 2019 14:01:10 -0500
Subject: [PATCH] Validate the character encoding in url_decode.

---
 lib/liquid/standardfilters.rb | 7 ++++++-
 test/integration/standard_filter_test.rb | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/liquid/standardfilters.rb b/lib/liquid/standardfilters.rb
index 68ff2c5..0bddfa9 100644
--- a/lib/liquid/standardfilters.rb
+++ b/lib/liquid/standardfilters.rb
@@ -52,7 +52,12 @@ module Liquid
 end
 
 def url_decode(input)
- CGI.unescape(input.to_s) unless input.nil?
+ return if input.nil?
+
+ result = CGI.unescape(input.to_s)
+ raise Liquid::ArgumentError, "invalid byte sequence in #{result.encoding}" unless result.valid_encoding?
+
+ result
 end
 
 def slice(input, offset, length = nil)
diff --git a/test/integration/standard_filter_test.rb b/test/integration/standard_filter_test.rb
index 98818eb..6090951 100644
--- a/test/integration/standard_filter_test.rb
+++ b/test/integration/standard_filter_test.rb
@@ -158,6 +158,10 @@ class StandardFiltersTest < Minitest::Test
 assert_equal '1', @filters.url_decode(1)
 assert_equal '2001-02-03', @filters.url_decode(Date.new(2001, 2, 3))
 assert_nil @filters.url_decode(nil)
+ exception = assert_raises Liquid::ArgumentError do
+ @filters.url_decode('%ff')
+ end
+ assert_equal 'Liquid error: invalid byte sequence in UTF-8', exception.message
 end
 
 def test_truncatewords
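Review bot: The `valid_encoding?` guard on the `raise` line in `url_decode` only rejects byte sequences that are invalid in whatever encoding `CGI.unescape` attached to the result, and that is not always UTF-8: recent `CGI.unescape` implementations fall back to the input string's own encoding when the decoded bytes are not valid in the accept charset, so an ASCII-8BIT input carrying `%ff` would, as far as I can tell, pass this check and be returned as a binary string rather than raising. If the intent is "the filter never returns a string Liquid cannot safely process", the check should be stated against the expected encoding rather than `result.encoding`, or the behaviour for non-UTF-8 inputs documented and tested. The rationale also deserves a comment above the method, e.g. `# Reject decoded bytes that are not valid in the result's encoding so templates get a Liquid::ArgumentError here rather than an opaque Ruby "invalid byte sequence" error from a later string operation on the value.` The test hunk in test/integration/standard_filter_test.rb only exercises the UTF-8 path and pins the message to `UTF-8`; a case with a non-UTF-8 input string would make the intended contract explicit.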