Bump version to 2.6.3

Remove duplicate `index0` key in htmltags

History.md

@@ -3,7 +3,21 @@
 IMPORTANT: Liquid 2.6 is going to be the last version of Liquid which maintains explicit Ruby 1.8 compatability.
 The following releases will only be tested against Ruby 1.9 and Ruby 2.0 and are likely to break on Ruby 1.8.
 
-## 2.6.0 / 2013-11-25 / branch "2.6-stable"
+## 2.6.3 / 2015-07-23 / branch "2-6-stable"
+
+* Fix test failure under certain timezones [Dylan Thacker-Smith]
+
+## 2.6.2 / 2015-01-23
+
+* Remove duplicate hash key [Parker Moore]
+
+## 2.6.1 / 2014-01-10
+
+Security fix, cherry-picked from master (4e14a65):
+* Don't call to_sym when creating conditions for security reasons, see #273 [Bouke van der Bijl, bouk]
+* Prevent arbitrary method invocation on condition objects, see #274 [Dylan Thacker-Smith, dylanahsmith]
+
+## 2.6.0 / 2013-11-25
 
 * ...
 * Bugfix for #106: fix example servlet [gnowoel]

lib/liquid/htmltags.rb

@@ -43,7 +43,6 @@ module Liquid
             'index0'  => index,
             'col'     => col + 1,
             'col0'    => col,
-            'index0'  => index,
             'rindex'  => length - index,
             'rindex0' => length - index - 1,
             'first'   => (index == 0),

lib/liquid/tags/if.rb

@@ -15,6 +15,7 @@ module Liquid
     SyntaxHelp = "Syntax Error in tag 'if' - Valid syntax: if [expression]"
     Syntax = /(#{QuotedFragment})\s*([=!<>a-z_]+)?\s*(#{QuotedFragment})?/o
     ExpressionsAndOperators = /(?:\b(?:\s?and\s?|\s?or\s?)\b|(?:\s*(?!\b(?:\s?and\s?|\s?or\s?)\b)(?:#{QuotedFragment}|\S+)\s*)+)/o
+    BOOLEAN_OPERATORS = %w(and or)
 
     def initialize(tag_name, markup, tokens)
       @blocks = []
@@ -61,7 +62,8 @@ module Liquid
             raise(SyntaxError, SyntaxHelp) unless expressions.shift.to_s =~ Syntax
 
             new_condition = Condition.new($1, $2, $3)
-            new_condition.send(operator.to_sym, condition)
+            raise SyntaxError, "invalid boolean operator" unless BOOLEAN_OPERATORS.include?(operator)
+            new_condition.send(operator, condition)
             condition = new_condition
           end
 
@@ -71,8 +73,6 @@ module Liquid
         @blocks.push(block)
         @nodelist = block.attach(Array.new)
       end
-
-
   end
 
   Template.register_tag('if', If)

lib/liquid/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module Liquid
-  VERSION = "2.6.0"
+  VERSION = "2.6.3"
 end

test/liquid/standard_filter_test.rb

@@ -157,8 +157,10 @@ class StandardFiltersTest < Test::Unit::TestCase
 
     assert_equal nil, @filters.date(nil, "%B")
 
-    assert_equal "07/05/2006", @filters.date(1152098955, "%m/%d/%Y")
-    assert_equal "07/05/2006", @filters.date("1152098955", "%m/%d/%Y")
+    with_timezone("UTC") do
+      assert_equal "07/05/2006", @filters.date(1152098955, "%m/%d/%Y")
+      assert_equal "07/05/2006", @filters.date("1152098955", "%m/%d/%Y")
+    end
   end
 
 
@@ -248,4 +250,14 @@ class StandardFiltersTest < Test::Unit::TestCase
   def test_cannot_access_private_methods
     assert_template_result('a',"{{ 'a' | to_number }}")
   end
+
+  private
+
+  def with_timezone(tz)
+    old_tz = ENV['TZ']
+    ENV['TZ'] = tz
+    yield
+  ensure
+    ENV['TZ'] = old_tz
+  end
 end # StandardFiltersTest

test/liquid/tags/if_else_tag_test.rb

@@ -157,4 +157,10 @@ class IfElseTagTest < Test::Unit::TestCase
     assert_template_result('yes',
                            %({% if 'gnomeslab-and-or-liquid' contains 'gnomeslab-and-or-liquid' %}yes{% endif %}))
   end
+
+  def test_operators_are_whitelisted
+    assert_raise(SyntaxError) do
+      assert_template_result('', %({% if 1 or throw or or 1 %}yes{% endif %}))
+    end
+  end
 end # IfElseTest