liquid 2.5.4 → 2.5.5

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    M2NmZTM4YmY3NmI3ZmMxZDkxOGU4ZDFjNWNjYTg5ZWE3MzVhMDUzNw==
-  data.tar.gz: !binary |-
-    MDY1NTZhOTA3OTA2MDI1ODNkZGIwYzQxZWQ1M2M3ZmE1NmIzNmM5YQ==
+SHA1:
+  metadata.gz: 187e926592d08a1fdfe6c92a4438d2a28e3bef15
+  data.tar.gz: da01b50919773dac4c35363aecc4d10c991c4ed7
 SHA512:
-  metadata.gz: !binary |-
-    MGFjMWY1MjgwMDdiZThkODZjYzEwNWE0NmQ0ZmU1N2YyMWYyYWUxZWI1YTNj
-    ZmQzNTAwMzMwYTgyODIyMjc2ZWRkMTg2ZmE5MjJjM2NkNDRkNGExNzU1ZjZk
-    NDQ4NDJjMTU0MWE5OTUwNWMwYzZjYmQyNDMzNmNkZjFmMDgzZjM=
-  data.tar.gz: !binary |-
-    MzYzOWExZmQ5ODI2M2IwYmI4NzIwMDc0ZWU3ZjNmN2E4NThlYjczOTNkMGJi
-    YzRiODRiNWI4ZDFkZGZlYzUwYzNhMzE4MmZmY2M3ODQ0N2M2OTQ0NDA0MGYw
-    MjVjZmEzYzAzMTc2N2JiNTAyOWIxMjViYWEyNjhjMzI4ZDFjMjY=
+  metadata.gz: 0f676eb449b0af41596e80b8f9bbdc76ae101339a2a4cf97d65b1a75a1d9a1bd3ccdeb9787d53f61080d5f7c1c9456e3cec550e5c0d8f4f848d9c27acd7e5d37
+  data.tar.gz: c2c869dfd70ef5ecafb1c2095cc513e7b38d1a023bca6fb6ebfebee1374e07c6a3043f52396a55601c60dd71abe90ca6f71c0ff112d250285aaf70d9fe738023

data/History.md

@@ -1,6 +1,12 @@
 # Liquid Version History
 
-## 2.5.4 / 2013-11-11 / branch "2.5-stable"
+## 2.5.5 / 2014-01-10 / branch "2-5-stable"
+
+Security fix, cherry-picked from master (4e14a65):
+* Don't call to_sym when creating conditions for security reasons, see #273 [Bouke van der Bijl, bouk]
+* Prevent arbitrary method invocation on condition objects, see #274 [Dylan Thacker-Smith, dylanahsmith]
+
+## 2.5.4 / 2013-11-11
 
 * Fix "can't convert Fixnum into String" for "replace", see #173, [wǒ_is神仙, jsw0528]
 

data/lib/liquid/tags/if.rb

@@ -15,6 +15,7 @@ module Liquid
     SyntaxHelp = "Syntax Error in tag 'if' - Valid syntax: if [expression]"
     Syntax = /(#{QuotedFragment})\s*([=!<>a-z_]+)?\s*(#{QuotedFragment})?/o
     ExpressionsAndOperators = /(?:\b(?:\s?and\s?|\s?or\s?)\b|(?:\s*(?!\b(?:\s?and\s?|\s?or\s?)\b)(?:#{QuotedFragment}|\S+)\s*)+)/o
+    BOOLEAN_OPERATORS = %w(and or)
 
     def initialize(tag_name, markup, tokens)
       @blocks = []
@@ -61,7 +62,8 @@ module Liquid
             raise(SyntaxError, SyntaxHelp) unless expressions.shift.to_s =~ Syntax
 
             new_condition = Condition.new($1, $2, $3)
-            new_condition.send(operator.to_sym, condition)
+            raise SyntaxError, "invalid boolean operator" unless BOOLEAN_OPERATORS.include?(operator)
+            new_condition.send(operator, condition)
             condition = new_condition
           end
 
@@ -71,8 +73,6 @@ module Liquid
         @blocks.push(block)
         @nodelist = block.attach(Array.new)
       end
-
-
   end
 
   Template.register_tag('if', If)

data/test/liquid/tags/if_else_tag_test.rb

@@ -157,4 +157,10 @@ class IfElseTagTest < Test::Unit::TestCase
     assert_template_result('yes',
                            %({% if 'gnomeslab-and-or-liquid' contains 'gnomeslab-and-or-liquid' %}yes{% endif %}))
   end
+
+  def test_operators_are_whitelisted
+    assert_raise(SyntaxError) do
+      assert_template_result('', %({% if 1 or throw or or 1 %}yes{% endif %}))
+    end
+  end
 end # IfElseTest

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: liquid
 version: !ruby/object:Gem::Version
-  version: 2.5.4
+  version: 2.5.5
 platform: ruby
 authors:
 - Tobias Luetke
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-11 00:00:00.000000000 Z
+date: 2014-01-10 00:00:00.000000000 Z
 dependencies: []
 description: 
 email:
@@ -95,17 +95,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.3.7
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.6
+rubygems_version: 2.0.3
 signing_key: 
 specification_version: 4
 summary: A secure, non-evaling end user template engine with aesthetic markup.