python · python-liquid
Heads-up
python-liquid DoS via malformed {% case %} tag
A malformed {% case %} tag without corresponding {% when %}, {% else %}, or {% endcase %} causes an infinite loop at parse time.
What changed
A malformed {% case %} tag without corresponding {% when %}, {% else %}, or {% endcase %} causes an infinite loop at parse time. Fixed in version 2.2.1 by correcting the liquid.TokenStream.eof attribute.
Who it affects
Users of Python Liquid who parse templates from untrusted sources, especially those allowing template authors to craft templates.
What to do today
Upgrade to version 2.2.1 or apply the provided workaround by manually correcting liquid.TokenStream.eof before parsing templates.
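Because the hang happens inside the parser, a defensive option for sites that cannot upgrade immediately is to reject structurally broken templates before they reach it. The following is an added example, not python-liquid's own code and not the liquid.TokenStream.eof workaround the advisory refers to; it assumes the default {% ... %} tag delimiters (with optional whitespace-control dashes) and treats the first word inside a tag as its name. It is a purely lexical gate: it confirms every {% case %} has a matching {% endcase %} and every {% when %} sits inside one, and it takes your existing parse callable as a parameter so it makes no assumption about the library's API.

```python
import re
from typing import Callable, List

# Assumption: default Liquid tag delimiters {% ... %}, optionally {%- ... -%};
# the first word after the opening delimiter is the tag name.
TAG_RE = re.compile(r"\{%-?\s*(\w+)[\s\S]*?%\}")


def check_case_blocks(template: str) -> List[str]:
    """Return a list of structural problems in {% case %} blocks.

    An empty list means every {% case %} is closed by {% endcase %} and every
    {% when %} appears inside a case block. Nested case blocks are tracked with
    a stack. This checks tag structure only; expressions are not validated.
    """
    problems: List[str] = []
    open_cases: List[int] = []  # offsets of {% case %} tags not yet closed
    for m in TAG_RE.finditer(template):
        name, offset = m.group(1), m.start()
        if name == "case":
            open_cases.append(offset)
        elif name == "endcase":
            if open_cases:
                open_cases.pop()
            else:
                problems.append(f"{{% endcase %}} without {{% case %}} at offset {offset}")
        elif name == "when" and not open_cases:
            # {% else %} is not flagged: it is legitimate inside {% if %} too.
            problems.append(f"{{% when %}} outside any {{% case %}} at offset {offset}")
    for offset in open_cases:
        problems.append(f"unterminated {{% case %}} opened at offset {offset}")
    return problems


class MalformedTemplate(ValueError):
    """Raised when a template fails the structural pre-check."""


def parse_guarded(template: str, parse: Callable[[str], object]) -> object:
    """Run the structural check, then hand the template to `parse`.

    `parse` is whatever callable the application already uses to compile a
    template from a string; this wrapper only requires that it accept the
    template text as its single argument.
    """
    problems = check_case_blocks(template)
    if problems:
        raise MalformedTemplate("; ".join(problems))
    return parse(template)


if __name__ == "__main__":
    # Constructed samples: one well-formed, one with an unterminated case block
    # of the kind the advisory describes.
    good = "{% case kind %}{% when 'a' %}A{% else %}other{% endcase %}"
    bad = "{% case kind %}{% when 'a' %}A"
    print(check_case_blocks(good))  # []
    print(check_case_blocks(bad))   # ['unterminated {% case %} opened at offset 0']
```

Run the gate on template text received from untrusted authors and log the returned problems; a rejected template never reaches the vulnerable parse step. Pair this with a per-request time limit on template compilation, since a lexical check cannot anticipate every parser-level failure mode.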