Cherry pick security fix (#274) to 2-6-stable

2026-01-01 15:55:40 +03:00 · 2014-01-10 11:22:28 -05:00
parent 442041206f
commit eb409ff237
3 changed files with 16 additions and 4 deletions
--- a/History.md
+++ b/History.md
@@ -3,7 +3,13 @@
 IMPORTANT: Liquid 2.6 is going to be the last version of Liquid which maintains explicit Ruby 1.8 compatability.
 The following releases will only be tested against Ruby 1.9 and Ruby 2.0 and are likely to break on Ruby 1.8.

-## 2.6.0 / 2013-11-25 / branch "2.6-stable"
+## 2.6.1 / 2014-01-10 / branch "2-6-stable"
+
+Security fix, cherry-picked from master (4e14a65):
+* Don't call to_sym when creating conditions for security reasons, see #273 [Bouke van der Bijl, bouk]
+* Prevent arbitrary method invocation on condition objects, see #274 [Dylan Thacker-Smith, dylanahsmith]
+
+## 2.6.0 / 2013-11-25

 * ...
 * Bugfix for #106: fix example servlet [gnowoel]
--- a/lib/liquid/tags/if.rb
+++ b/lib/liquid/tags/if.rb
@@ -15,6 +15,7 @@ module Liquid
    SyntaxHelp = "Syntax Error in tag 'if' - Valid syntax: if [expression]"
    Syntax = /(#{QuotedFragment})\s*([=!<>a-z_]+)?\s*(#{QuotedFragment})?/o
    ExpressionsAndOperators = /(?:\b(?:\s?and\s?|\s?or\s?)\b|(?:\s*(?!\b(?:\s?and\s?|\s?or\s?)\b)(?:#{QuotedFragment}|\S+)\s*)+)/o
+    BOOLEAN_OPERATORS = %w(and or)

    def initialize(tag_name, markup, tokens)
      @blocks = []
@@ -61,7 +62,8 @@ module Liquid
            raise(SyntaxError, SyntaxHelp) unless expressions.shift.to_s =~ Syntax

            new_condition = Condition.new($1, $2, $3)
-            new_condition.send(operator.to_sym, condition)
+            raise SyntaxError, "invalid boolean operator" unless BOOLEAN_OPERATORS.include?(operator)
+            new_condition.send(operator, condition)
            condition = new_condition
          end

@@ -71,8 +73,6 @@ module Liquid
        @blocks.push(block)
        @nodelist = block.attach(Array.new)
      end
-
-
  end

  Template.register_tag('if', If)
--- a/test/liquid/tags/if_else_tag_test.rb
+++ b/test/liquid/tags/if_else_tag_test.rb
@@ -157,4 +157,10 @@ class IfElseTagTest < Test::Unit::TestCase
    assert_template_result('yes',
                           %({% if 'gnomeslab-and-or-liquid' contains 'gnomeslab-and-or-liquid' %}yes{% endif %}))
  end
+
+  def test_operators_are_whitelisted
+    assert_raise(SyntaxError) do
+      assert_template_result('', %({% if 1 or throw or or 1 %}yes{% endif %}))
+    end
+  end
 end # IfElseTest