SECURITY: Upgrade Ember to fix CVE-2015-7565. Also upgrade Handlebars

Gemfile

@@ -46,7 +46,7 @@ gem 'active_model_serializers', '~> 0.8.3'
 gem 'onebox'
 
 gem 'ember-rails'
-gem 'ember-source', '1.12.1'
+gem 'ember-source', '1.12.2'
 gem 'barber'
 gem 'babel-transpiler'
 

Gemfile.lock

@@ -90,7 +90,7 @@ GEM
       ember-source (>= 1.1.0)
       jquery-rails (>= 1.0.17)
       railties (>= 3.1)
-    ember-source (1.12.1)
+    ember-source (1.12.2)
     erubis (2.7.0)
     eventmachine (1.0.8)
     excon (0.45.4)
@@ -415,7 +415,7 @@ DEPENDENCIES
   discourse-qunit-rails
   discourse_email_parser
   ember-rails
-  ember-source (= 1.12.1)
+  ember-source (= 1.12.2)
   excon
   fabrication (= 2.9.8)
   fakeweb (~> 1.3.0)

app/assets/javascripts/discourse/helpers/raw.js.es6

@@ -24,6 +24,5 @@ registerUnbound('raw', function(templateName, params) {
     Ember.warn('Could not find raw template: ' + templateName);
     return;
   }
-
   return renderRaw(this, template, templateName, params);
 });

app/assets/javascripts/discourse/helpers/register-unbound.js.es6

@@ -8,9 +8,9 @@ function resolveParams(ctx, options) {
     if (options.hashTypes) {
       Ember.keys(hash).forEach(function(k) {
         const type = options.hashTypes[k];
-        if (type === "STRING") {
+        if (type === "STRING" || type === "StringLiteral") {
           params[k] = hash[k];
-        } else if (type === "ID") {
+        } else if (type === "ID" || type === "PathExpression") {
           params[k] = get(ctx, hash[k], options);
         }
       });
@@ -23,7 +23,7 @@ function resolveParams(ctx, options) {
 
 export default function registerUnbound(name, fn) {
   const func = function(property, options) {
-    if (options.types && options.types[0] === "ID") {
+    if (options.types && (options.types[0] === "ID" || options.types[0] === "PathExpression")) {
       property = get(this, property, options);
     }
 

app/assets/javascripts/discourse/lib/ember_compat_handlebars.js

@@ -68,17 +68,6 @@
     RawHandlebars.JavaScriptCompiler.prototype.compiler = RawHandlebars.JavaScriptCompiler;
     RawHandlebars.JavaScriptCompiler.prototype.namespace = "Discourse.EmberCompatHandlebars";
 
-
-    RawHandlebars.Compiler.prototype.mustache = function(mustache) {
-      if ( !(mustache.params.length || mustache.hash)) {
-
-        var id = new Handlebars.AST.IdNode([{ part: 'get' }]);
-        mustache = new Handlebars.AST.MustacheNode([id].concat([mustache.id]), mustache.hash, mustache.escaped);
-      }
-
-      return Handlebars.Compiler.prototype.mustache.call(this, mustache);
-    };
-
     RawHandlebars.precompile = function(value, asObject) {
       var ast = Handlebars.parse(value);
 
@@ -99,6 +88,28 @@
 
     RawHandlebars.compile = function(string) {
       var ast = Handlebars.parse(string);
+
+      var visitor = new Handlebars.Visitor();
+      visitor.mutating = true;
+
+      visitor.MustacheStatement = function(mustache) {
+        if (!(mustache.params.length || mustache.hash)) {
+          mustache.params[0] = mustache.path;
+          mustache.path = {
+            type: "PathExpression",
+            data: false,
+            depth: mustache.path.depth,
+            parts: ["get"],
+            original: "get",
+            loc: mustache.path.loc,
+            strict: true,
+            falsy: true
+          };
+        }
+        return Handlebars.Visitor.prototype.MustacheStatement.call(this, mustache);
+      };
+      visitor.accept(ast);
+
       // this forces us to rewrite helpers
       var options = {  data: true, stringParams: true };
       var environment = new RawHandlebars.Compiler().compile(ast, options);