In XLsuite, we use Liquid templates in the CMS. Two days ago, I noticed a big problem: ERB code embedded in a Liquid template ends up being eval’d. This is in direct contradiction with Liquid’s mission statement:

Ruby library for rendering safe templates which cannot affect the security of the server they are rendered on.

From Liquid Home Page

I’m reposting this here so this gets the attention it deserves.

If you are interested, you can view Liquid’s issue at: http://code.google.com/p/liquid-markup/issues/detail?id=6
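As an added illustration (not code from this post, from XLsuite or from Liquid), the following Ruby uses only the standard library’s ERB to model the pipeline the post describes: an editor-supplied CMS template that is fed to ERB as template *source* gets its `<%= %>` tags evaluated, while the same text handed to a fixed layout as *data* stays inert. The template string, the `{{ name }}` substitution standing in for Liquid and the `LAYOUT` template are constructed for the example.

```ruby
require "erb"
require "cgi"

# Constructed editor-supplied CMS template (stands in for a Liquid
# template stored by a site editor). The ERB tag in it must stay inert.
USER_TEMPLATE = "Hello {{ name }}! Total: <%= 6 * 7 %>"

# Detection: flag stored templates carrying ERB tags so CMS content can
# be audited before it reaches any ERB stage.
ERB_TAG = /<%[=\-]?.*?%>/m

def erb_tags?(text)
  text.match?(ERB_TAG)
end

# The bug pattern described in the post: the editor-supplied text is used
# as the *source* of an ERB template, so its <%= %> tags are evaluated.
def render_unsafe(user_template, name)
  liquid_like = user_template.gsub("{{ name }}", name)
  ERB.new(liquid_like).result(binding)
end

# Hardened form: the editor's text is only ever *data* passed to a fixed
# layout template; ERB never parses it, and it is HTML-escaped on output.
LAYOUT = ERB.new("<div class=\"page\"><%= CGI.escapeHTML(content) %></div>")

def render_safe(user_template, name)
  content = user_template.gsub("{{ name }}", name)
  LAYOUT.result(binding)
end

if __FILE__ == $PROGRAM_NAME
  puts "ERB tags present: #{erb_tags?(USER_TEMPLATE)}"
  puts render_unsafe(USER_TEMPLATE, "Ada")
  puts render_safe(USER_TEMPLATE, "Ada")
end
```

Running it shows the unsafe path printing `42` where the editor typed `<%= 6 * 7 %>`, and the safe path printing the tag verbatim (escaped).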

2 Responses to “Security issue in Liquid::Template”

  1. court3nay Says:

    I’m not seeing this bug—I responded on your ticket.

    Also, the formatting of xlsuite is all messed up in safari 3. See http://img.skitch.com/20080118-sgbfnp2ftyfp38i5w9meqepm2.jpg for details.

  2. James Golick Says:

    That mission statement is a nice thought, but it doesn’t seem all that practical to me.

    You want to let people run ruby code, but you don’t want them to be able to run ruby code. That seems like one of those DRM situations…


I am François Beausoleil, a Ruby on Rails coder. During the day, I work on XLsuite. At night, I am interested in many things.
