shithub: hugo

Info  •  Files  •  Log  •  Branches

tpl: check slice bounds in slicestr

Fixes #1090

--- a/tpl/template_funcs.go

+++ b/tpl/template_funcs.go

@@ -139,7 +139,14 @@

 		return "", errors.New("too many arguments")

 	}

+	if len(startEnd) > 0 && (startEnd[0] < 0 || startEnd[0] >= len(aStr)) {

+		return "", errors.New("slice bounds out of range")

+	}

+

 	if len(startEnd) == 2 {

+		if startEnd[1] < 0 || startEnd[1] > len(aStr) {

+			return "", errors.New("slice bounds out of range")

+		}

 		return aStr[startEnd[0]:startEnd[1]], nil

 	} else if len(startEnd) == 1 {

 		return aStr[startEnd[0]:], nil

--- a/tpl/template_funcs_test.go

+++ b/tpl/template_funcs_test.go

@@ -291,6 +291,11 @@

 		{"abcdef", []int{2}, "cdef"},

 		{123, []int{1, 3}, "23"},

 		{123, []int{1, 2, 3}, false},

+		{"abcdef", []int{6}, false},

+		{"abcdef", []int{4, 7}, false},

+		{"abcdef", []int{-1}, false},

+		{"abcdef", []int{-1, 7}, false},

+		{"abcdef", []int{1, -1}, false},

 		{tstNoStringer{}, []int{0, 1}, false},

 	} {

 		result, err := Slicestr(this.v1, this.v2...)

--- a/tpl/template_test.go

+++ b/tpl/template_test.go

@@ -11,7 +11,11 @@

 	for i, this := range []struct {

 		data      string

 		expectErr int

-	}{{"{{apply .C \"first\" }}", 2}} {

+	}{

+		// Issue #1089

+		{"{{apply .C \"first\" }}", 2},

+		// Issue #1090

+		{"{{ slicestr \"000000\" 10}}", 2}} {

 		templ := New()

 		d := &Data{