Only allow 'this' or '..' to lead a path

Paths like 'outer/../key' raise an exception when compiling.
author: Les Hill <leshill@gmail.com> 2013-01-20 20:22:56 -0800
committer: Les Hill <leshill@gmail.com> 2013-01-21 11:21:43 -0800
commit: 6ab92eee6d3fb4681a72682fadd114b788b2c5fc (patch)
tree: eb4a421722094a3e9e2b42c2bc6e7158f1ceb10f /lib/handlebars/compiler/ast.js
parent: 69d46e008b454139a6fc6077d66541e7b67145f8 (diff)
download: handlebars.js-6ab92eee6d3fb4681a72682fadd114b788b2c5fc.zip
handlebars.js-6ab92eee6d3fb4681a72682fadd114b788b2c5fc.tar.gz
handlebars.js-6ab92eee6d3fb4681a72682fadd114b788b2c5fc.tar.bz2
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/handlebars/compiler/ast.js b/lib/handlebars/compiler/ast.js
index fd6cdc5..f448523 100644
--- a/lib/handlebars/compiler/ast.js
+++ b/lib/handlebars/compiler/ast.js
@@ -76,8 +76,11 @@ var Handlebars = require('./base');
     for(var i=0,l=parts.length; i<l; i++) {
       var part = parts[i];
 
-      if(part === "..") { depth++; }
-      else if(part === "." || part === "this") { this.isScoped = true; }
+      if (part === ".." || part === "." || part === "this") {
+        if (dig.length > 0) { throw new Handlebars.Exception("Invalid path: " + this.original); }
+        else if (part === "..") { depth++; }
+        else { this.isScoped = true; }
+      }
       else { dig.push(part); }
     }
author	Les Hill <leshill@gmail.com>	2013-01-20 20:22:56 -0800
committer	Les Hill <leshill@gmail.com>	2013-01-21 11:21:43 -0800
commit	6ab92eee6d3fb4681a72682fadd114b788b2c5fc (patch)
tree	eb4a421722094a3e9e2b42c2bc6e7158f1ceb10f /lib/handlebars/compiler/ast.js
parent	69d46e008b454139a6fc6077d66541e7b67145f8 (diff)
download	handlebars.js-6ab92eee6d3fb4681a72682fadd114b788b2c5fc.zip handlebars.js-6ab92eee6d3fb4681a72682fadd114b788b2c5fc.tar.gz handlebars.js-6ab92eee6d3fb4681a72682fadd114b788b2c5fc.tar.bz2