Cherry pick security fix (#274) to 2-5-stable

2026-01-01 15:55:40 +03:00 · 2014-01-10 11:17:31 -05:00
parent e77b1a09b6
commit e8a3fd10d4
3 changed files with 16 additions and 4 deletions
--- a/History.md
+++ b/History.md
@@ -1,6 +1,12 @@
 # Liquid Version History

-## 2.5.4 / 2013-11-11 / branch "2.5-stable"
+## 2.5.5 / 2014-01-10 / branch "2-5-stable"
+
+Security fix, cherry-picked from master (4e14a65):
+* Don't call to_sym when creating conditions for security reasons, see #273 [Bouke van der Bijl, bouk]
+* Prevent arbitrary method invocation on condition objects, see #274 [Dylan Thacker-Smith, dylanahsmith]
+
+## 2.5.4 / 2013-11-11

 * Fix "can't convert Fixnum into String" for "replace", see #173, [wǒ_is神仙, jsw0528]

--- a/lib/liquid/tags/if.rb
+++ b/lib/liquid/tags/if.rb
@@ -15,6 +15,7 @@ module Liquid
    SyntaxHelp = "Syntax Error in tag 'if' - Valid syntax: if [expression]"
    Syntax = /(#{QuotedFragment})\s*([=!<>a-z_]+)?\s*(#{QuotedFragment})?/o
    ExpressionsAndOperators = /(?:\b(?:\s?and\s?|\s?or\s?)\b|(?:\s*(?!\b(?:\s?and\s?|\s?or\s?)\b)(?:#{QuotedFragment}|\S+)\s*)+)/o
+    BOOLEAN_OPERATORS = %w(and or)

    def initialize(tag_name, markup, tokens)
      @blocks = []
@@ -61,7 +62,8 @@ module Liquid
            raise(SyntaxError, SyntaxHelp) unless expressions.shift.to_s =~ Syntax

            new_condition = Condition.new($1, $2, $3)
-            new_condition.send(operator.to_sym, condition)
+            raise SyntaxError, "invalid boolean operator" unless BOOLEAN_OPERATORS.include?(operator)
+            new_condition.send(operator, condition)
            condition = new_condition
          end

@@ -71,8 +73,6 @@ module Liquid
        @blocks.push(block)
        @nodelist = block.attach(Array.new)
      end
-
-
  end

  Template.register_tag('if', If)
--- a/test/liquid/tags/if_else_tag_test.rb
+++ b/test/liquid/tags/if_else_tag_test.rb
@@ -157,4 +157,10 @@ class IfElseTagTest < Test::Unit::TestCase
    assert_template_result('yes',
                           %({% if 'gnomeslab-and-or-liquid' contains 'gnomeslab-and-or-liquid' %}yes{% endif %}))
  end
+
+  def test_operators_are_whitelisted
+    assert_raise(SyntaxError) do
+      assert_template_result('', %({% if 1 or throw or or 1 %}yes{% endif %}))
+    end
+  end
 end # IfElseTest