
Restrict locals to valid variable names

Local keys are evaluated as Ruby, meaning all kinds of shenanigans are possible
unless the keys are filtered. Restricting them to variable names seems safe
and reasonable.
1 parent e2c029b, commit 3b6b9e25c6d3822c03b65ba2025ba36fd472f3a6, @thinkerbot committed Nov 29, 2012
Showing with 7 additions and 1 deletion.
  1. +1 −1 lib/tilt/template.rb
  2. +6 −0 test/tilt_template_test.rb
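To make the commit message's point concrete, here is a small added example (it is not Tilt's own code) that models how a preamble turns a locals hash into Ruby assignments, what an attacker-controlled key does when it is spliced into source unfiltered, and what the commit's regex filter stops. The hash, the sentinel global and the helper names are constructed for the illustration; the filter regex is the one the commit introduces.

```ruby
VALID_LOCAL = /\A[a-z]\w*\z/   # the filter the commit introduces

# Unfiltered: every key is spliced straight into Ruby source.
def unsafe_preamble(locals)
  locals.map { |k, _| "#{k} = locals[#{k.inspect}]" }.join("\n")
end

# Filtered: only keys that look like plain local-variable names are emitted.
# Same filter as the commit's `? ... : nil` form, minus the blank lines.
def safe_preamble(locals)
  locals.keys.select { |k| k.to_s =~ VALID_LOCAL }
        .map { |k| "#{k} = locals[#{k.inspect}]" }
        .join("\n")
end

# Compile and run a template: preamble first, then the body, evaluated in
# a scope where `locals` is visible (which is what the real preamble expects).
def render(preamble, locals, body)
  eval("#{preamble}\n#{body}", binding)
end

$side_effect = nil   # sentinel a malicious key tries to set (constructed)

# Constructed input: the first key is a Ruby statement, not a variable name.
MALICIOUS = { "x = 1; $side_effect = :injected; y" => 1, :greeting => "hi" }
BODY = '"#{greeting}"'   # template body that references one local

# Runs the template with the named preamble builder and reports the
# rendered output together with whether the key's payload executed.
def trial(builder)
  $side_effect = nil
  out = render(send(builder, MALICIOUS), MALICIOUS, BODY)
  [out, $side_effect]
end

puts trial(:unsafe_preamble).inspect   # => ["hi", :injected]
puts trial(:safe_preamble).inspect     # => ["hi", nil]
```

Both builders render the same output, which is why the injection is easy to miss: the payload runs as a side effect of the assignment line and the template still looks correct. Note that the regex does not reject Ruby reserved words, so a key such as `"end"` passes the filter and the generated line `end = locals["end"]` is a SyntaxError at compile time rather than a silently dropped key.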
@@ -186,7 +186,7 @@ def precompiled_template(locals)
# source line offset, so adding code to the preamble does not effect line
# reporting in Kernel::caller and backtraces.
def precompiled_preamble(locals)
- locals.map { |k,v| "#{k} = locals[#{k.inspect}]" }.join("\n")
+ locals.map { |k,v| k.to_s =~ /\A[a-z]\w*\z/ ? "#{k} = locals[#{k.inspect}]" : nil }.join("\n")
end
# Generates postamble code for the precompiled template source. The
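Review bot: The filter on the `+` line silently drops any key that fails `/\A[a-z]\w*\z/`, so a caller who passes a bad key gets no error at the call site and a template that references that local fails later with a NameError; consider raising (e.g. `raise ArgumentError, "invalid local: #{k.inspect}"`) or at least documenting the restriction in the method comment, which still says nothing about it. The regex also lets reserved words through (`end`, `class`, `self` and `nil` all match `[a-z]\w*`), and `end = locals[:end]` is a SyntaxError when the template is compiled, while legitimate names that start with an underscore are rejected. Minor: the `? ... : nil` form leaves one empty line per rejected key in the joined preamble; `locals.keys.select { |k| k.to_s =~ /\A[a-z]\w*\z/ }.map { |k| "#{k} = locals[#{k.inspect}]" }` avoids that.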
@@ -134,6 +134,12 @@ def precompiled_template(locals)
assert inst.prepared?
end
+ test "template_source with locals of invalid variable names" do
+ inst = SourceGeneratingMockTemplate.new { |t| '1 + 2 = #{Math::PI.to_i}' }
+ assert_equal "1 + 2 = 3", inst.render(Object.new, 'Math::PI' => '42')
+ assert inst.prepared?
+ end
+
class Person
CONSTANT = "Bob"
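Review bot: The new test only covers a constant-path key (`'Math::PI' => '42'`), but the commit message's concern is arbitrary code in a key; add a case whose key carries a statement (e.g. `"x = 1; $hit = true" => 1`) and assert that the side effect did not happen, plus a positive case with a valid name so the filter cannot regress in the other direction. A case for a reserved word such as `'end' => 1` is also worth having, since the new regex accepts it and the generated preamble would then fail to compile.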
