Bump version to 2.6.1

Merge pull request #300 from Shopify/cherry_pick_security_fix_to_2-6-stable
Cherry pick security fix to 2-6-stable
2026-01-02 08:15:41 +03:00 · 2014-01-10 13:21:05 -05:00 · 2014-01-10 10:20:41 -08:00 · 2014-01-10 11:22:28 -05:00
4 changed files with 17 additions and 5 deletions
--- a/History.md
+++ b/History.md
@@ -3,7 +3,13 @@
 IMPORTANT: Liquid 2.6 is going to be the last version of Liquid which maintains explicit Ruby 1.8 compatability.
 The following releases will only be tested against Ruby 1.9 and Ruby 2.0 and are likely to break on Ruby 1.8.

-## 2.6.0 / 2013-11-25 / branch "2.6-stable"
+## 2.6.1 / 2014-01-10 / branch "2-6-stable"
+
+Security fix, cherry-picked from master (4e14a65):
+* Don't call to_sym when creating conditions for security reasons, see #273 [Bouke van der Bijl, bouk]
+* Prevent arbitrary method invocation on condition objects, see #274 [Dylan Thacker-Smith, dylanahsmith]
+
+## 2.6.0 / 2013-11-25

 * ...
 * Bugfix for #106: fix example servlet [gnowoel]
--- a/lib/liquid/tags/if.rb
+++ b/lib/liquid/tags/if.rb
@@ -15,6 +15,7 @@ module Liquid
    SyntaxHelp = "Syntax Error in tag 'if' - Valid syntax: if [expression]"
    Syntax = /(#{QuotedFragment})\s*([=!<>a-z_]+)?\s*(#{QuotedFragment})?/o
    ExpressionsAndOperators = /(?:\b(?:\s?and\s?|\s?or\s?)\b|(?:\s*(?!\b(?:\s?and\s?|\s?or\s?)\b)(?:#{QuotedFragment}|\S+)\s*)+)/o
+    BOOLEAN_OPERATORS = %w(and or)

    def initialize(tag_name, markup, tokens)
      @blocks = []
@@ -61,7 +62,8 @@ module Liquid
            raise(SyntaxError, SyntaxHelp) unless expressions.shift.to_s =~ Syntax

            new_condition = Condition.new($1, $2, $3)
-            new_condition.send(operator.to_sym, condition)
+            raise SyntaxError, "invalid boolean operator" unless BOOLEAN_OPERATORS.include?(operator)
+            new_condition.send(operator, condition)
            condition = new_condition
          end

@@ -71,8 +73,6 @@ module Liquid
        @blocks.push(block)
        @nodelist = block.attach(Array.new)
      end
-
-
  end

  Template.register_tag('if', If)
--- a/lib/liquid/version.rb
+++ b/lib/liquid/version.rb
@@ -1,4 +1,4 @@
 # encoding: utf-8
 module Liquid
-  VERSION = "2.6.0"
+  VERSION = "2.6.1"
 end
--- a/test/liquid/tags/if_else_tag_test.rb
+++ b/test/liquid/tags/if_else_tag_test.rb
@@ -157,4 +157,10 @@ class IfElseTagTest < Test::Unit::TestCase
    assert_template_result('yes',
                           %({% if 'gnomeslab-and-or-liquid' contains 'gnomeslab-and-or-liquid' %}yes{% endif %}))
  end
+
+  def test_operators_are_whitelisted
+    assert_raise(SyntaxError) do
+      assert_template_result('', %({% if 1 or throw or or 1 %}yes{% endif %}))
+    end
+  end
 end # IfElseTest
Author	SHA1	Message	Date
Florian Weingarten	dcd21d3db3	Bump version to 2.6.1	2014-01-10 13:21:05 -05:00
Florian Weingarten	deeb813d53	Merge pull request #300 from Shopify/cherry_pick_security_fix_to_2-6-stable Cherry pick security fix to 2-6-stable	2014-01-10 10:20:41 -08:00
Florian Weingarten	eb409ff237	Cherry pick security fix (#274 ) to 2-6-stable	2014-01-10 11:22:28 -05:00