SECURITY: Upgrade Ember to fix CVE-2015-7565. Also upgrade Handlebars

Gemfile

@@ -40,7 +40,7 @@ gem 'active_model_serializers', '~> 0.8.3'
 gem 'onebox'
 
 gem 'ember-rails'
-gem 'ember-source', '1.12.1'
+gem 'ember-source', '1.12.2'
 gem 'barber'
 gem 'babel-transpiler'
 

Gemfile.lock

@@ -89,7 +89,7 @@ GEM
       ember-source (>= 1.1.0)
       jquery-rails (>= 1.0.17)
       railties (>= 3.1)
-    ember-source (1.12.1)
+    ember-source (1.12.2)
     erubis (2.7.0)
     eventmachine (1.0.7)
     excon (0.45.3)
@@ -406,7 +406,7 @@ DEPENDENCIES
   discourse-qunit-rails
   email_reply_parser
   ember-rails
-  ember-source (= 1.12.1)
+  ember-source (= 1.12.2)
   excon
   fabrication (= 2.9.8)
   fakeweb (~> 1.3.0)

app/assets/javascripts/discourse/helpers/raw.js.es6

@@ -19,6 +19,5 @@ registerUnbound('raw', function(templateName, params) {
     Ember.warn('Could not find raw template: ' + templateName);
     return;
   }
-
   return renderRaw(this, template, templateName, params);
 });

app/assets/javascripts/discourse/helpers/register-unbound.js.es6

@@ -8,9 +8,9 @@ function resolveParams(ctx, options) {
     if (options.hashTypes) {
       Ember.keys(hash).forEach(function(k) {
         const type = options.hashTypes[k];
-        if (type === "STRING") {
+        if (type === "STRING" || type === "StringLiteral") {
           params[k] = hash[k];
-        } else if (type === "ID") {
+        } else if (type === "ID" || type === "PathExpression") {
           params[k] = get(ctx, hash[k], options);
         }
       });
@@ -23,7 +23,7 @@ function resolveParams(ctx, options) {
 
 export default function registerUnbound(name, fn) {
   const func = function(property, options) {
-    if (options.types && options.types[0] === "ID") {
+    if (options.types && (options.types[0] === "ID" || options.types[0] === "PathExpression")) {
       property = get(this, property, options);
     }
 

app/assets/javascripts/discourse/lib/ember_compat_handlebars.js

@@ -67,17 +67,6 @@
   RawHandlebars.JavaScriptCompiler.prototype.compiler = RawHandlebars.JavaScriptCompiler;
   RawHandlebars.JavaScriptCompiler.prototype.namespace = "Discourse.EmberCompatHandlebars";
 
-
-  RawHandlebars.Compiler.prototype.mustache = function(mustache) {
-    if ( !(mustache.params.length || mustache.hash)) {
-
-      var id = new Handlebars.AST.IdNode([{ part: 'get' }]);
-      mustache = new Handlebars.AST.MustacheNode([id].concat([mustache.id]), mustache.hash, mustache.escaped);
-    }
-
-    return Handlebars.Compiler.prototype.mustache.call(this, mustache);
-  };
-
   RawHandlebars.precompile = function(value, asObject) {
     var ast = Handlebars.parse(value);
 
@@ -90,14 +79,34 @@
     };
 
     asObject = asObject === undefined ? true : asObject;
-
     var environment = new RawHandlebars.Compiler().compile(ast, options);
     return new RawHandlebars.JavaScriptCompiler().compile(environment, options, undefined, asObject);
   };
 
-
   RawHandlebars.compile = function(string) {
     var ast = Handlebars.parse(string);
+
+    var visitor = new Handlebars.Visitor();
+    visitor.mutating = true;
+
+    visitor.MustacheStatement = function(mustache) {
+      if (!(mustache.params.length || mustache.hash)) {
+        mustache.params[0] = mustache.path;
+        mustache.path = {
+          type: "PathExpression",
+          data: false,
+          depth: mustache.path.depth,
+          parts: ["get"],
+          original: "get",
+          loc: mustache.path.loc,
+          strict: true,
+          falsy: true
+        };
+      }
+      return Handlebars.Visitor.prototype.MustacheStatement.call(this, mustache);
+    };
+    visitor.accept(ast);
+
     // this forces us to rewrite helpers
     var options = {  data: true, stringParams: true };
     var environment = new RawHandlebars.Compiler().compile(ast, options);