Rendering template whose name is stored in a variable issue
{% liquid
assign path = 'path/to/file'
render ""'path'
%}
This code will try to render the template whose path is path/to/file. This is probably not intended. Credit for this find goes to Rich Lane from One Orange Cow.
Thanks @andrew-3, the exploit code paste wasn't 100% correct. I have not had time, but I suspect this could be used in a number of different ways to inject code where it shouldn't be.
{% liquid
assign path = 'path/to/file'
render ''"{{path}}"
%}
This example renders the page using a variable.
@richxrich I omitted the curly braces because it works even without them.
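A defensive lint for the pattern discussed in this thread, added here as an example and not code from any of the posters or from the platform itself: it flags `render`/`include` tags whose template-name argument is anything other than one clean quoted literal. The regexes, the function name `find_suspicious_renders` and the sample template are constructed for illustration, and the check assumes templates are meant to be referenced only by static names.

```python
import re

# A render/include statement, either inline ({% render ... %}) or on its own
# line inside a {% liquid ... %} block. Group 2 is the raw argument text.
TAG_RE = re.compile(
    r"(?:\{%-?[ \t]*|^[ \t]*)(render|include)[ \t]+([^\n%]*?)[ \t]*(?=-?%\}|$)",
    re.MULTILINE,
)

# Acceptable template name: exactly one quoted literal with no nested quotes
# or braces, followed by end of tag, a comma, or a with/for/as clause.
LITERAL_RE = re.compile(
    r"""^(?:'[^'"{}]*'|"[^'"{}]*")(?=\s*(?:,|$)|\s+(?:with|for|as)\b)"""
)


def find_suspicious_renders(source):
    """Return (line, tag, argument) for every render/include whose
    template-name argument is not a single well-formed string literal."""
    findings = []
    for match in TAG_RE.finditer(source):
        tag, arg = match.group(1), match.group(2)
        if not LITERAL_RE.match(arg):
            line = source.count("\n", 0, match.start(1)) + 1
            findings.append((line, tag, arg))
    return findings


# Constructed sample: the two forms posted in the thread plus benign tags.
SAMPLE = """{% liquid
assign path = 'path/to/file'
render ""'path'
render ''"{{path}}"
render 'shared/header', title: page_title
%}
{% render 'shared/footer' %}
{% include "legacy/menu" %}
"""

if __name__ == "__main__":
    for line, tag, arg in find_suspicious_renders(SAMPLE):
        print(f"line {line}: {tag} argument is not a plain literal: {arg}")
```

Run over a template directory in CI, a check like this surfaces any tag that depends on the parser quirk so it can be reviewed before deployment.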